npm Community Forum (Archive)

The npm community forum has been discontinued.


Can't update `tar`

What I Wanted to Do

I wanted to upgrade tar, because npm install keeps complaining it has security problems.

What Happened Instead

I did npm audit, and it said there were problems because tar@2.2.1 is installed, so I did npm audit fix, and it claimed it fixed the problem. Then I did npm install, and it complained because tar@2.2.1 is still installed and still in my package-lock.json. So then I did the nuclear option and did rm -rf node_modules package-lock.json && npm install, and it still installed 2.2.1.

The dependency that keeps installing tar@2.2.1 is node-gyp@3.8.0, and it wants:

"tar": "^2.0.0",

It should be installing 2.2.2, since it’s available.

The complete dependency tree for tar is:

└─┬ semantic-release@15.13.12
  └─┬ @semantic-release/npm@5.1.7
    └─┬ npm@6.9.0
      ├─┬ node-gyp@3.8.0
      │ └── tar@2.2.1
      ├─┬ pacote@9.5.0
      │ └── tar@4.4.8  deduped
      └── tar@4.4.8

So, quite ironically, npm is indirectly the package causing me grief. -_-

I ended up having to use GitHub’s new dependabot acquisition to upgrade tar.

Reproduction Steps

mkdir newpacakge
cd newpacakge
npm init
npm install semantic-release
npm audit
npm audit fix
npm install

Platform Info

$ npm --versions
{ tt: '1.0.0',
  npm: '6.9.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.14.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }

$ node -p process.platform

Ah, apparently this is because npm uses bundledDependencies, which for some undocumented reason prevents me from upgrading said dependencies.

More discussion here: