npm update --depth 2+ updates primary dependency beyond range


(Jorrit Schippers) #1

What I Wanted to Do

Update dependencies of my dependencies using npm update --depth 999. The bug also appears with depth 2.

What Happened Instead

One of my primary dependencies was updated beyond the semver range specified.

Reproduction Steps

  1. npm init
  2. npm install jquery@2 ion-rangeslider
  3. npm update --depth 2

Now jquery is updated to 3.3.1 in my package.json, which should not happen.


After step 2 package.json looks like:

  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^2.2.4"
  }

After step 3 it looks like:

  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^3.3.1"
  }

Platform Info

$ npm --versions
{ jqupdate2: '1.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform
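
The practical risk in the report above is that a tool rewrote a top-level range (`^2.2.4` to `^3.3.1`) without the author asking for a major upgrade, so a different code base lands in the build unreviewed. The following is an added example, not code from the report or from npm: a small check that compares the `dependencies` object before and after an `npm update` and flags any entry whose new range admits versions the old range did not. It assumes plain `x.y.z`, `^x.y.z` and `~x.y.z` ranges with no prerelease tags or `||`/`x` ranges; the `before`/`after` objects are constructed to match the two package.json fragments posted above.

```javascript
// Added example (not from the original report or from npm).
// Flags package.json dependency ranges that were widened beyond the range
// previously declared, e.g. "^2.2.4" rewritten to "^3.3.1" as in the report.
// Assumption: only "x.y.z", "^x.y.z" and "~x.y.z" ranges, no prerelease tags.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns inclusive lower bound and exclusive upper bound of a range,
// following npm's caret and tilde rules.
function parseRange(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const min = parseVersion(op ? range.slice(1) : range);
  let max;
  if (op === '^') {
    // caret: the leftmost non-zero component may not change
    if (min[0] > 0) max = [min[0] + 1, 0, 0];
    else if (min[1] > 0) max = [0, min[1] + 1, 0];
    else max = [0, 0, min[2] + 1];
  } else if (op === '~') {
    max = [min[0], min[1] + 1, 0]; // tilde: patch-level changes only
  } else {
    max = [min[0], min[1], min[2] + 1]; // exact version
  }
  return { min, max };
}

function satisfies(version, range) {
  const { min, max } = parseRange(range);
  const v = parseVersion(version);
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// newRange is acceptable only if every version it admits was already
// admitted by oldRange, i.e. its bounds lie inside the old bounds.
function rangeWithin(newRange, oldRange) {
  const n = parseRange(newRange);
  const o = parseRange(oldRange);
  return compare(n.min, o.min) >= 0 && compare(n.max, o.max) <= 0;
}

// Compare two "dependencies" objects and list entries whose range escaped.
function findEscapedRanges(before, after) {
  const escaped = [];
  for (const [name, oldRange] of Object.entries(before)) {
    const newRange = after[name];
    if (newRange === undefined) continue; // removed dependency: out of scope here
    if (!rangeWithin(newRange, oldRange)) {
      escaped.push({ name, from: oldRange, to: newRange });
    }
  }
  return escaped;
}

// Constructed input mirroring the package.json fragments in the report.
const before = { 'ion-rangeslider': '^2.2.0', jquery: '^2.2.4' };
const after = { 'ion-rangeslider': '^2.2.0', jquery: '^3.3.1' };

const escaped = findEscapedRanges(before, after);
if (escaped.length > 0) {
  console.error('dependency ranges widened beyond what was declared:', escaped);
  // In CI you would exit non-zero here so the unreviewed bump is not merged.
}
```

Run it as `node check-ranges.js` after `npm update`; in a CI job, read `before` from the committed package.json and `after` from the working copy instead of the constructed objects, and fail the job when the result is non-empty.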

(Kat Marchán) #2

Ugh. This seems like such an annoying bug. The good news is we’re already planning on rewriting npm update for npm@7 and it’ll hopefully catch a lot of these hiccups. Can you check back in once npm@7 is out to make sure we covered this?

Thanks for the readable, concise report!

(system) #3

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.