See issue here:

facebook/react#2811

tl;dr

An app requires a package version that reads 7001.0001.0000 but when npm downloads the package, it will cache the package as 7001.1.0 (which will also imprint the version field in the package's package.json as 7001.1.0 instead of 7001.0001.0000) resulting in a mismatch.

engineStrict won't be used in npm 3+. Use the config setting engine-strict instead.

https://docs.npmjs.com/files/package.json#enginestrict

Looks like this will install in npm:

git://github.com/lapwinglabs/x-ray#058b096f

but safestart expects:

git://github.com/lapwinglabs/x-ray.git#058b096f30493b30588b62d1ff48b241628e94ed

Once the .git suffix is added, it works fine. Not sure if this is a common case, but it took me a bit to figure out.

If I install a package from github, like

npm i -S Rich-Harris/regl#es-modules

then I get the following mismatch error:

expected: github:rich-harris/regl#es-modules, got: rich-harris/regl#es-modules

Changing index.js like this seems to work, but maybe I've misunderstood the problem?

- expectedVersion = expectedVersion.replace(/^git\+https/, 'git')
+ expectedVersion = expectedVersion.replace(/^git\+https/, 'git').replace('github:', '')

Would be great if this checked devDependencies and maybe peerDependencies - that way you could include this in build config files.

Probably makes sense for it to be an option rather than the default, e.g

require( 'safestart' )( __dirname, { dev: true });

If I get time this week I'll try and send a PR, if you don't beat me to it