
[BUG] `npm update` only edits package-lock.json, not package.json

Open adamlui opened this issue 1 year ago • 8 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

When running npm update from a project's root, only the package-lock.json gets edited

Expected Behavior

When running npm update, both the package.json + package-lock.json should be edited

Steps To Reproduce

  1. Run npm update in any package root
  2. Inspect package.json to observe no changes made when update is found

Environment

  • npm: 10.2.4
  • Node.js: 21.6.2
  • OS Name: Windows 10 Home 22H2
  • System Model Name: HP Notebook 15-AY011NR
  • npm config: "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\adaaaam\\AppData\\Roaming\\npm"

; "user" config from C:\Users\adaaaam\.npmrc

//registry.npmjs.org/:_authToken = (protected)

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v21.6.2
; npm local prefix = e:\kudoai\kudoai.com
; npm version = 10.2.4
; cwd = e:\kudoai\kudoai.com
; HOME = C:\Users\adaaaam
; Run `npm config ls -l` to show all defaults.

adamlui avatar Feb 17 '24 22:02 adamlui

This is the documented behaviour. Try adding --save.

https://docs.npmjs.com/cli/v10/commands/npm-update

Note that by default npm update will not update the semver values of direct dependencies in your project package.json. If you want to also update values in package.json you can run: npm update --save (or add the save=true option to a configuration file to make that the default behavior).

shadowspawn avatar Feb 19 '24 03:02 shadowspawn
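
An added example (not part of the thread, and not npm's own code): a small Node.js check that lists direct dependencies whose version in package-lock.json is ahead of the floor of the range in package.json, which is the state a plain npm update leaves behind. The sample manifest and lockfile are constructed and the function names are hypothetical; it assumes a single-package project whose lockfile has the `packages` map used by lockfileVersion 2 and 3.

```javascript
// Constructed sample data (not from the issue): a manifest and a v3 lockfile
// after a plain `npm update` moved the locked versions forward.
const manifest = {
  dependencies: { "left-lib": "^1.2.0", "pinned-lib": "2.0.1" },
  devDependencies: { "build-tool": "~3.4.0" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/left-lib": { version: "1.5.3" },
    "node_modules/pinned-lib": { version: "2.0.1" },
    "node_modules/build-tool": { version: "3.4.7", dev: true },
    "node_modules/left-lib/node_modules/nested": { version: "0.1.0" },
  },
};

// Pull the first x.y.z out of a range such as "^1.2.0" or "~3.4.0".
// Ranges without one (dist-tags, git URLs, "*") return null.
function baseVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Report direct dependencies whose locked version is ahead of the manifest floor.
// Only top-level "node_modules/<name>" entries are read; nested ones are transitive.
function findDrift(pkg, lock) {
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const entry = (lock.packages || {})["node_modules/" + name];
      if (!entry || !entry.version) {
        findings.push({ name, field, status: "missing-from-lock" });
        continue;
      }
      const floor = baseVersion(range);
      const locked = baseVersion(entry.version);
      if (!floor || !locked) findings.push({ name, field, status: "unparsed", range });
      else if (compare(floor, locked) < 0)
        findings.push({ name, field, status: "lock-ahead", range, locked: entry.version });
    }
  }
  return findings;
}

console.log(findDrift(manifest, lockfile));
```

Anyone reviewing only package.json in a diff sees the old ranges, so the lockfile is the file to audit for what is actually installed.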

Hey @shadowspawn thanks for the info, npm update --save also isn't updating package.json


The bug appears to be affecting dependabot's behavior too: https://github.com/dependabot/dependabot-core/issues/9071

Sometimes dependabot updates both files: Bump @adamlui/scss-to-css from 1.1.1 to 1.2.0 Bump @adamlui/minify.js from 1.0.1 to 1.0.2

...and sometimes it doesn't: Bump @adamlui/scss-to-css from 1.0.1 to 1.2.0 Bump sass from 1.70.0 to 1.71.0 in /scss-to-css

adamlui avatar Feb 19 '24 06:02 adamlui

Wait nvm those were sub-dependencies and my main ones were already up-to-date, I tested down-bumping then --save worked to edit both files. But do you know if Dependabot's glitched behavior is due to an npm cli bug?

adamlui avatar Feb 19 '24 06:02 adamlui

Also if a user is using --save and sub-dependencies are being bumped, shouldn't it be expected they want the sub-dependency's package.json to save this new tree?

adamlui avatar Feb 19 '24 06:02 adamlui

I am seeing two behaviors from my workflow and maybe this is related. I am using node@20 and [email protected]

--save works with the npm update command, however, if I set save=true in my .npmrc file, it does not pick up the setting. And --save doesn't work for workspaces. e.g. npm update prettier --save -w my_workspace_1 will only update package-lock file.

Toxiapo avatar Apr 11 '24 14:04 Toxiapo

I'm having a very similar issue, if I run npm up --save some dependencies are getting updated in package.json but some don't.

In this example if you run npm up --save - vite will be updated but vitest won't. They both get updated in package-lock.json as they should.

https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package.json https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package-lock.json


  • npm: 10.2.4
  • Node.js: v20.11.0
  • OS Name: Windows 11 Pro
  • npm config:
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.11.0
; npm local prefix = C:\Users\hristo
; npm version = 10.2.4
; cwd = C:\Users\hristo
; HOME = C:\Users\hristo
; Run `npm config ls -l` to show all defaults.

HristoKolev avatar Apr 14 '24 20:04 HristoKolev

I also found this behavior surprising. Instead of npm update <package> I now use npm install <package>@<version> to make sure the package json is updated but it's less convenient because I need to look up the version first.

ChristophP avatar May 20 '24 08:05 ChristophP

In my case npm update --save does update (some!!!!!) packages but not others. I'm using version 10.8.0 on MacOS Sonoma 14.5 with node 20.11.1

Repro steps using an Angular app as sample project:

  1. Install angular cli if not already in place > npm install -g @angular/cli
  2. Create an empty angular app > ng new my-app and select any option in the setup wizard (will not affect the result)
  3. Move to the new working folder > cd my-app
  4. Check the created package.json > it should reference tslib: ^2.3.0 as dependency
  5. Check the actual installed version of tslib and zone.js > npm list and look for tslib and zone.js
  6. Eventually, for the sake of the issue, force the proper tslib version > npm install [email protected]
  7. Eventually, for the sake of the issue, force the proper zone.js version > npm install [email protected]
  8. Check all dependencies for tslib allow for latest version of tslib (2.6.2 at this moment) > npm list tslib
  9. Run npm update --save
  10. Check your package.json file and notice that zone.js version is up to date but tslib is not
  11. Check the actual installed version of tslib and zone.js are BOTH up to date > npm list and look for tslib and zone.js

enrij avatar May 23 '24 09:05 enrij