npm update --depth 2+ updates primary dependency beyond range


(Jorrit Schippers) #1

What I Wanted to Do

Update dependencies of my dependencies using npm update --depth 999. The bug also appears with depth 2.

What Happened Instead

One of my primary dependencies was updated beyond the semver range specified.

Reproduction Steps

  1. npm init
  2. npm install jquery@2 ion-rangeslider
  3. npm update --depth 2

Now jquery is updated to 3.3.1 in my package.json, which should not happen.

Details

After step 2 package.json looks like:

{
  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^2.2.4"
  }
}

After step 3 it looks like:

{
  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^3.3.1"
  }
}

Platform Info

$ npm --versions
{ jqupdate2: '1.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '6.8.275.24-node.14',
  zlib: '1.2.11' }
$ node -p process.platform
win32
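A check I would run in CI after `npm update` to catch exactly the symptom in this report, added here as an example (it is not part of the report or of npm itself): it compares the pre-update and post-update package.json and flags any dependency whose newly declared version falls outside the range declared before. The two package.json objects are the ones shown above; `findRangeEscapes` and `satisfiesCaret` are names chosen for this example, and only caret ranges (the form used here) are evaluated.

```javascript
// Parse "x.y.z" (optionally prefixed with ^ or ~) into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[\^~]/, ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic comparison of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret range, following npm's semver rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// true/false when `range` is a caret range; null when it is a form this
// example does not evaluate (so callers can report "unknown" rather than "ok").
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) return null;
  const lower = parseVersion(range);
  const v = parseVersion(version);
  if (!lower || !v) return null;
  return cmp(v, lower) >= 0 && cmp(v, caretUpperBound(lower)) < 0;
}

// Compare the "dependencies" maps of two package.json objects and return the
// entries whose post-update declared version escapes the pre-update range.
function findRangeEscapes(before, after) {
  const escapes = [];
  const oldDeps = before.dependencies || {};
  const newDeps = after.dependencies || {};
  for (const [name, oldRange] of Object.entries(oldDeps)) {
    const newRange = newDeps[name];
    if (newRange === undefined) continue; // removed, not an escape
    if (satisfiesCaret(oldRange, newRange) === false) {
      escapes.push({ name, from: oldRange, to: newRange });
    }
  }
  return escapes;
}

// The two package.json states from the report, embedded so this runs offline.
const BEFORE = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^2.2.4' } };
const AFTER = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^3.3.1' } };

console.log(findRangeEscapes(BEFORE, AFTER)); // [{ name: 'jquery', from: '^2.2.4', to: '^3.3.1' }]
```

In a real pipeline, BEFORE and AFTER would be read from `git show HEAD:package.json` and the working tree; a non-empty result is the signal to fail the job.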