npm update --depth 2+ updates primary dependency beyond range

cli
priority:medium
triaged

(Jorrit Schippers) #1

What I Wanted to Do

Update dependencies of my dependencies using npm update --depth 999. The bug also appears with depth 2.

What Happened Instead

One of my primary dependencies was updated beyond the semver range specified.

Reproduction Steps

  1. npm init
  2. npm install jquery@2 ion-rangeslider
  3. npm update --depth 2

Now jquery is updated to 3.3.1 in my package.json, which should not happen.

Details

After step 2 package.json looks like:

{
  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^2.2.4"
  }
}

After step 3 it looks like:

{
  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^3.3.1"
  }
}

Platform Info

$ npm --versions
{ jqupdate2: '1.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '6.8.275.24-node.14',
  zlib: '1.2.11' }
$ node -p process.platform
win32
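
The range bump described in this report, checked mechanically: an added example (not part of the issue or of npm's own code) that compares the package.json written before and after `npm update` and flags any dependency whose declared major version changed. The two manifests are the ones from the report; `rangeMajor` is a simplified parser for caret/tilde/plain ranges written for this example, not the `semver` package.

```javascript
// Added example: detect dependencies whose declared range escaped its major
// version between two package.json snapshots. `npm update` is expected to keep
// the declared range, so a major bump in the manifest (jquery ^2 -> ^3 in the
// report) is the symptom to catch in CI before the change is committed.

// Extract the major version from a simple range such as "^2.2.4", "~3.1.0",
// ">=1.2.3" or "1.0.0". Returns null for forms this simplified helper does
// not handle (e.g. "*", "latest", "git+..." URLs).
function rangeMajor(range) {
  const m = /^\s*(?:\^|~|>=?|=)?v?(\d+)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Return every dependency in `field` whose major changed between `before`
// and `after`. Removed dependencies are ignored; this bug is about widening.
function findRangeEscapes(before, after, field = 'dependencies') {
  const escapes = [];
  const prev = before[field] || {};
  const next = after[field] || {};
  for (const [name, oldRange] of Object.entries(prev)) {
    const newRange = next[name];
    if (newRange === undefined) continue;
    const oldMajor = rangeMajor(oldRange);
    const newMajor = rangeMajor(newRange);
    if (oldMajor === null || newMajor === null) continue; // unparsed form
    if (oldMajor !== newMajor) {
      escapes.push({ name, from: oldRange, to: newRange });
    }
  }
  return escapes;
}

// Constructed sample input: the manifests after step 2 and step 3 of the report.
const BEFORE = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^2.2.4' } };
const AFTER = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^3.3.1' } };

// Report findings; an empty list means every declared range kept its major.
for (const e of findRangeEscapes(BEFORE, AFTER)) {
  console.log(`${e.name}: ${e.from} -> ${e.to} (declared major changed)`);
}
```

To use it on a real project, snapshot package.json before running `npm update --depth N`, then load both files with `JSON.parse` and pass them to `findRangeEscapes`; a non-empty result is the condition this issue describes.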

(Kat Marchán) #2

Ugh. This seems like such an annoying bug. The good news is we’re already planning on rewriting npm update for npm@7 and it’ll hopefully catch a lot of these hiccups. Can you check back in once npm@7 is out to make sure we covered this?

Thanks for the readable, concise report!