npm Community Forum (Archive)

npm update --depth 2+ updates primary dependency beyond range

What I Wanted to Do

Update dependencies of my dependencies using npm update --depth 999. The bug also appears with depth 2.

What Happened Instead

One of my primary dependencies was updated beyond the semver range specified.

Reproduction Steps

  1. npm init
  2. npm install jquery@2 ion-rangeslider
  3. npm update --depth 2

Now jquery is updated to 3.3.1 in my package.json, which should not happen.


After step 2 package.json looks like:

  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^2.2.4"
  }

After step 3 it looks like:

  "dependencies": {
    "ion-rangeslider": "^2.2.0",
    "jquery": "^3.3.1"
  }

Platform Info

$ npm --versions
{ jqupdate2: '1.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

Ugh. This seems like such an annoying bug. The good news is we’re already planning on rewriting npm update for npm@7 and it’ll hopefully catch a lot of these hiccups. Can you check back in once npm@7 is out to make sure we covered this?

Thanks for the readable, concise report!
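
An added example, not part of the original thread and not npm's own code: a check that compares package.json before and after `npm update` and flags any direct dependency whose new range starts outside the old one, as happened to jquery in the report above. The function names and the simplified range handling (exact, `~` and `^` only, no `semver` package) are assumptions for illustration.

```javascript
// Added example: flag direct dependencies whose range escaped the old range.
// Simplified range handling (exact, ~ and ^ only); not the `semver` package.
function parse(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  if (!m) return null; // tags, URLs, x-ranges etc. are out of scope here
  return { op: m[1], v: m.slice(2).map(Number) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a parsed range.
function upperBound({ op, v: [maj, min, pat] }) {
  if (op === '~') return [maj, min + 1, 0];
  if (op === '^') {
    if (maj > 0) return [maj + 1, 0, 0];
    if (min > 0) return [0, min + 1, 0];
    return [0, 0, pat + 1];
  }
  return [maj, min, pat + 1]; // exact version
}

function satisfies(version, range) {
  return cmp(version, range.v) >= 0 && cmp(version, upperBound(range)) < 0;
}

// Compare two parsed package.json objects; return one finding per escape.
function findRangeEscapes(before, after) {
  const findings = [];
  for (const [name, oldRange] of Object.entries(before.dependencies || {})) {
    const newRange = (after.dependencies || {})[name];
    if (newRange === undefined || newRange === oldRange) continue;
    const o = parse(oldRange), n = parse(newRange);
    if (!o || !n) {
      findings.push({ name, oldRange, newRange, reason: 'unparsed' }); // review by hand
    } else if (!satisfies(n.v, o)) {
      findings.push({ name, oldRange, newRange, reason: 'outside-range' });
    }
  }
  return findings;
}

// The two package.json states quoted in the report.
const before = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^2.2.4' } };
const after = { dependencies: { 'ion-rangeslider': '^2.2.0', jquery: '^3.3.1' } };
console.log(findRangeEscapes(before, after));
```

In CI, load the committed package.json and the post-update one with `JSON.parse` and fail the job when the returned list is non-empty.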