npm Community Forum (Archive)

Installing package does not use latest available transitive dependencies

What I Wanted to Do

Install nyc@13.3.0 in an empty test project. Expected all transitive dependencies to be up to date.

What Happened Instead

handlebars@4.1.0 was installed, even though v4.1.2 should have been (unless I’m missing something here):

➜ npm ls handlebars                   
npmtest@1.0.0 /home/crowley/work/uniq/npmtest
└─┬ nyc@13.3.0
  └─┬ istanbul-reports@2.1.1
    └── handlebars@4.1.0 
➜ npm view handlebars
handlebars@4.1.2 | MIT | deps: 4 | versions: 48
4.0-patch: 4.0.14  latest: 4.1.2      legacy: 3.0.6      

published 3 days ago by knappi <>
➜ grep handlebars node_modules/nyc/node_modules/istanbul-reports/package.json 
    "handlebars": "^4.1.0"

Reproduction Steps

npm init --yes && npm i nyc@13

Platform Info

$ npm --versions
{ npmtest: '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

nyc lists istanbul-reports under its bundleDependencies, so I think you get the version packaged with nyc rather than npm looking up the latest matching version, i.e. handlebars is not a transitive dependency.

(To check I deleted istanbul-reports from bundleDependencies and deleted the installed version of handlebars, reinstalled from the empty test project, and got handlebars@4.1.2 as you expected.)

Ooh, that would explain it. Didn’t know about bundledDependencies yet (and it seems they removed those entirely in nyc@14). Thanks!
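
The answer above traces the stale handlebars to bundling. As an added example (not part of the original thread), this Node.js script lists the lockfile entries that npm takes from a parent's tarball instead of resolving against the registry, which is where an outdated or vulnerable version can stay pinned. The sample lockfile is constructed to mirror the tree in the thread, and the function names are hypothetical.

```javascript
// Added example (not from the thread): report lockfile entries that npm installs from a
// parent's tarball. v1 lockfiles (npm 6) flag them "bundled": true; the "packages"
// map of v2/v3 lockfiles uses "inBundle": true.

function fromDependencies(deps = {}, owner = null, out = []) {
  for (const [name, entry] of Object.entries(deps)) {
    const id = `${name}@${entry.version}`;
    if (entry.bundled) out.push({ package: id, bundledBy: owner });
    // A non-bundled package becomes the owner of whatever is bundled beneath it.
    fromDependencies(entry.dependencies, entry.bundled ? owner : id, out);
  }
  return out;
}

function fromPackages(packages = {}, out = []) {
  const nameOf = (key) => key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
  for (const [key, entry] of Object.entries(packages)) {
    if (!entry.inBundle) continue;
    // Walk up the install path until we reach a package that is not itself bundled.
    let parent = key;
    do {
      const cut = parent.lastIndexOf('/node_modules/');
      parent = cut < 0 ? '' : parent.slice(0, cut);
    } while (parent && packages[parent] && packages[parent].inBundle);
    const owner = parent && packages[parent] ? `${nameOf(parent)}@${packages[parent].version}` : null;
    out.push({ package: `${nameOf(key)}@${entry.version}`, bundledBy: owner });
  }
  return out;
}

function findBundled(lock) {
  return lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
}

// Constructed lockfile fragment mirroring the tree in the thread (integrity fields omitted).
const sampleLock = {
  name: 'npmtest', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    nyc: {
      version: '13.3.0',
      dependencies: {
        'istanbul-reports': { version: '2.1.1', bundled: true, requires: { handlebars: '^4.1.0' } },
        handlebars: { version: '4.1.0', bundled: true },
      },
    },
  },
};

for (const h of findBundled(sampleLock)) console.log(`${h.package} ships inside ${h.bundledBy}`);
```

To run it against a real project, pass the parsed contents of package-lock.json to findBundled.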