npm update --depth command no longer working correctly (v6.9.0)

What I Wanted to Do

I wanted to run npm update command to update a dependency (module-B) which is being pulled in by a direct dependency of my app (module-A)

So the dependency graph looks like:
App
–> Module-A
–> Module-B
My app has a package-lock file.

To update the dependency I ran the following commands:

  1. npm i
  2. npm update --depth 1 module-B

I expected the package-lock.json will get updated with an updated version of module-B
(The version of module-B in package-lock.json is v2.1.0. The new published version is v2.2.0)
Module-A has a dependency specified as: β€œmodule-B”:^2.0.0

What Happened Instead

npm did not update the dependency. The command just returned w/o any output or modification.

Same command works as expected with v6.4.1

Reproduction Steps

I think this should be reproducible for any scenario similar to the one described above.
I have created a small public repo with a lock file. If any of the nested dependencies get a new version, I’ll link the repo here to reproduce the issue.

Details

Platform Info

$ npm --versions
{ npm: '6.9.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }

$ node -p process.platform
darwin```

Probably related: npm outdated --depth 9999 also fails to report any outdated dependencies past the first level.

This problem seems to have started with v6.6.0. Works as expected in v6.5.0 as well.

I found that I can not update sub-dependencies using npm update --depth 999 nested-package which is suggested by the doc and npm audit. It it related to this issue?

I am also experiencing all of the issues mentioned by others. depth is ignored for β€œupdate” and β€œoutdated” from 6.5.0 and forward, and exact commands that are suggested by npm audit simply does nothing.

Example: Path = grunt-kss > kss > handlebars
β€œRun npm update handlebars --depth 3 to resolve 1 vulnerability”

npm update handlebars --depth 3
(no output at all, nothing changes)

npm update handlebars --depth 3 --dd
Output:
β€œnpm info it worked if it ends with ok
npm verb cli [ β€˜/Users/–redacted–/.nvm/versions/node/v10.16.0/bin/node’,
npm verb cli β€˜/Users/–redacted–/.nvm/versions/node/v10.16.0/bin/npm’,
npm verb cli β€˜update’,
npm verb cli β€˜handlebars’,
npm verb cli β€˜β€“depth’,
npm verb cli β€˜3’,
npm verb cli β€˜β€“dd’ ]
npm info using npm@6.9.0
npm info using node@v10.16.0
npm verb npm-session c66f8f7a25a3cfce
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 2075ms
npm info ok”

I am using nvm, node 10.16.0 and I am on mac.

Irrelevant side note: I would also like to note that this type of issue-tracking is extremely frustrating. PLEASE use a proper issue tracker.

Its possible to work around this by deleting node_modules and package-lock.json and then doing npm i

I’m still experiencing this issue in 6.10.1.

Sub-dependencies are referenced with ^x.x.x, and although they are only at a minor version, patch versions should be able to be updated.

For now I have worked around this by installing the sub dependency into my project at a specific version, or running upgrade, and then uninstalling it.

E.g.

Cannot upgrade from axios 0.18.0 to 0.18.1 without running:

npm i axios@0.18.1 -S
npm un axios

Edit: uninstalling does not work. I’ve had to keep a dependency on axios.

1 Like

The workaround (deleting node_modules/etc) does not work for many of us because we cannot blindly update all packages without introducing significant risk because so many packages would update at once… The previous ability to update with --depth allowed finer grained control so you could update packages in a controlled manner.

2 Likes

I’ve got the same thing:

package.json
{
  "name": "t",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "eslint": "^6.1.0"
  }
}
package-lock.json

I have removed the integrity field from every dependency so that I don’t hit the post character limit
All the outputs in this post were taken on the original package-lock.json, before the integrity field was removed.

{
  "name": "t",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@babel/code-frame": {
      "version": "7.5.5",
      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.5.5.tgz",
      "requires": {
        "@babel/highlight": "^7.0.0"
      }
    },
    "@babel/highlight": {
      "version": "7.5.0",
      "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.5.0.tgz",
      "requires": {
        "chalk": "^2.0.0",
        "esutils": "^2.0.2",
        "js-tokens": "^4.0.0"
      }
    },
    "acorn": {
      "version": "6.2.1",
      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.2.1.tgz",
    },
    "acorn-jsx": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.0.1.tgz",
    },
    "ajv": {
      "version": "6.10.2",
      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz",
      "requires": {
        "fast-deep-equal": "^2.0.1",
        "fast-json-stable-stringify": "^2.0.0",
        "json-schema-traverse": "^0.4.1",
        "uri-js": "^4.2.2"
      }
    },
    "ansi-escapes": {
      "version": "3.2.0",
      "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-3.2.0.tgz",
    },
    "ansi-regex": {
      "version": "4.1.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
    },
    "ansi-styles": {
      "version": "3.2.1",
      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz",
      "requires": {
        "color-convert": "^1.9.0"
      }
    },
    "argparse": {
      "version": "1.0.10",
      "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
      "requires": {
        "sprintf-js": "~1.0.2"
      }
    },
    "astral-regex": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-1.0.0.tgz",
    },
    "balanced-match": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
    },
    "brace-expansion": {
      "version": "1.1.11",
      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
      "requires": {
        "balanced-match": "^1.0.0",
        "concat-map": "0.0.1"
      }
    },
    "callsites": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
    },
    "chalk": {
      "version": "2.4.2",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
      "requires": {
        "ansi-styles": "^3.2.1",
        "escape-string-regexp": "^1.0.5",
        "supports-color": "^5.3.0"
      }
    },
    "chardet": {
      "version": "0.7.0",
      "resolved": "https://registry.npmjs.org/chardet/-/chardet-0.7.0.tgz",
    },
    "cli-cursor": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-2.1.0.tgz",
      "requires": {
        "restore-cursor": "^2.0.0"
      }
    },
    "cli-width": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-2.2.0.tgz",
    },
    "color-convert": {
      "version": "1.9.3",
      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz",
      "requires": {
        "color-name": "1.1.3"
      }
    },
    "color-name": {
      "version": "1.1.3",
      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz",
    },
    "concat-map": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
    },
    "cross-spawn": {
      "version": "6.0.5",
      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
      "requires": {
        "nice-try": "^1.0.4",
        "path-key": "^2.0.1",
        "semver": "^5.5.0",
        "shebang-command": "^1.2.0",
        "which": "^1.2.9"
      }
    },
    "deep-is": {
      "version": "0.1.3",
      "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.3.tgz",
    },
    "doctrine": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
      "requires": {
        "esutils": "^2.0.2"
      }
    },
    "emoji-regex": {
      "version": "7.0.3",
      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-7.0.3.tgz",
    },
    "escape-string-regexp": {
      "version": "1.0.5",
      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz",
    },
    "eslint": {
      "version": "6.1.0",
      "resolved": "https://registry.npmjs.org/eslint/-/eslint-6.1.0.tgz",
      "requires": {
        "@babel/code-frame": "^7.0.0",
        "ajv": "^6.10.0",
        "chalk": "^2.1.0",
        "cross-spawn": "^6.0.5",
        "debug": "^4.0.1",
        "doctrine": "^3.0.0",
        "eslint-scope": "^5.0.0",
        "eslint-utils": "^1.3.1",
        "eslint-visitor-keys": "^1.0.0",
        "espree": "^6.0.0",
        "esquery": "^1.0.1",
        "esutils": "^2.0.2",
        "file-entry-cache": "^5.0.1",
        "functional-red-black-tree": "^1.0.1",
        "glob-parent": "^5.0.0",
        "globals": "^11.7.0",
        "ignore": "^4.0.6",
        "import-fresh": "^3.0.0",
        "imurmurhash": "^0.1.4",
        "inquirer": "^6.4.1",
        "is-glob": "^4.0.0",
        "js-yaml": "^3.13.1",
        "json-stable-stringify-without-jsonify": "^1.0.1",
        "levn": "^0.3.0",
        "lodash": "^4.17.14",
        "minimatch": "^3.0.4",
        "mkdirp": "^0.5.1",
        "natural-compare": "^1.4.0",
        "optionator": "^0.8.2",
        "progress": "^2.0.0",
        "regexpp": "^2.0.1",
        "semver": "^6.1.2",
        "strip-ansi": "^5.2.0",
        "strip-json-comments": "^3.0.1",
        "table": "^5.2.3",
        "text-table": "^0.2.0",
        "v8-compile-cache": "^2.0.3"
      },
      "dependencies": {
        "debug": {
          "version": "4.1.1",
          "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
          "requires": {
            "ms": "^2.1.1"
          }
        },
        "semver": {
          "version": "6.3.0",
          "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
        }
      }
    },
    "eslint-scope": {
      "version": "5.0.0",
      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-5.0.0.tgz",
      "requires": {
        "esrecurse": "^4.1.0",
        "estraverse": "^4.1.1"
      }
    },
    "eslint-utils": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.4.0.tgz",
      "requires": {
        "eslint-visitor-keys": "^1.0.0"
      }
    },
    "eslint-visitor-keys": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz",
    },
    "espree": {
      "version": "6.0.0",
      "resolved": "https://registry.npmjs.org/espree/-/espree-6.0.0.tgz",
      "requires": {
        "acorn": "^6.0.7",
        "acorn-jsx": "^5.0.0",
        "eslint-visitor-keys": "^1.0.0"
      }
    },
    "esprima": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
    },
    "esquery": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.0.1.tgz",
      "requires": {
        "estraverse": "^4.0.0"
      }
    },
    "esrecurse": {
      "version": "4.2.1",
      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.2.1.tgz",
      "requires": {
        "estraverse": "^4.1.0"
      }
    },
    "estraverse": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.2.0.tgz",
    },
    "esutils": {
      "version": "2.0.3",
      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
    },
    "external-editor": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/external-editor/-/external-editor-3.1.0.tgz",
      "requires": {
        "chardet": "^0.7.0",
        "iconv-lite": "^0.4.24",
        "tmp": "^0.0.33"
      }
    },
    "fast-deep-equal": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-2.0.1.tgz",
    },
    "fast-json-stable-stringify": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.0.0.tgz",
    },
    "fast-levenshtein": {
      "version": "2.0.6",
      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz",
    },
    "figures": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",
      "requires": {
        "escape-string-regexp": "^1.0.5"
      }
    },
    "file-entry-cache": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-5.0.1.tgz",
      "requires": {
        "flat-cache": "^2.0.1"
      }
    },
    "flat-cache": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-2.0.1.tgz",
      "requires": {
        "flatted": "^2.0.0",
        "rimraf": "2.6.3",
        "write": "1.0.3"
      }
    },
    "flatted": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/flatted/-/flatted-2.0.1.tgz",
    },
    "fs.realpath": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
    },
    "functional-red-black-tree": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/functional-red-black-tree/-/functional-red-black-tree-1.0.1.tgz",
    },
    "glob": {
      "version": "7.1.4",
      "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.4.tgz",
      "requires": {
        "fs.realpath": "^1.0.0",
        "inflight": "^1.0.4",
        "inherits": "2",
        "minimatch": "^3.0.4",
        "once": "^1.3.0",
        "path-is-absolute": "^1.0.0"
      }
    },
    "glob-parent": {
      "version": "5.0.0",
      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.0.0.tgz",
      "requires": {
        "is-glob": "^4.0.1"
      }
    },
    "globals": {
      "version": "11.12.0",
      "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
    },
    "has-flag": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
    },
    "iconv-lite": {
      "version": "0.4.24",
      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
      "requires": {
        "safer-buffer": ">= 2.1.2 < 3"
      }
    },
    "ignore": {
      "version": "4.0.6",
      "resolved": "https://registry.npmjs.org/ignore/-/ignore-4.0.6.tgz",
    },
    "import-fresh": {
      "version": "3.1.0",
      "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.1.0.tgz",
      "requires": {
        "parent-module": "^1.0.0",
        "resolve-from": "^4.0.0"
      }
    },
    "imurmurhash": {
      "version": "0.1.4",
      "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
    },
    "inflight": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
      "requires": {
        "once": "^1.3.0",
        "wrappy": "1"
      }
    },
    "inherits": {
      "version": "2.0.4",
      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
    },
    "inquirer": {
      "version": "6.5.0",
      "resolved": "https://registry.npmjs.org/inquirer/-/inquirer-6.5.0.tgz",
      "requires": {
        "ansi-escapes": "^3.2.0",
        "chalk": "^2.4.2",
        "cli-cursor": "^2.1.0",
        "cli-width": "^2.0.0",
        "external-editor": "^3.0.3",
        "figures": "^2.0.0",
        "lodash": "^4.17.12",
        "mute-stream": "0.0.7",
        "run-async": "^2.2.0",
        "rxjs": "^6.4.0",
        "string-width": "^2.1.0",
        "strip-ansi": "^5.1.0",
        "through": "^2.3.6"
      }
    },
    "is-extglob": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
    },
    "is-fullwidth-code-point": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz",
    },
    "is-glob": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.1.tgz",
      "requires": {
        "is-extglob": "^2.1.1"
      }
    },
    "is-promise": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz",
    },
    "isexe": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
    },
    "js-tokens": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
    },
    "js-yaml": {
      "version": "3.13.1",
      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.1.tgz",
      "requires": {
        "argparse": "^1.0.7",
        "esprima": "^4.0.0"
      }
    },
    "json-schema-traverse": {
      "version": "0.4.1",
      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
    },
    "json-stable-stringify-without-jsonify": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
    },
    "levn": {
      "version": "0.3.0",
      "resolved": "https://registry.npmjs.org/levn/-/levn-0.3.0.tgz",
      "requires": {
        "prelude-ls": "~1.1.2",
        "type-check": "~0.3.2"
      }
    },
    "lodash": {
      "version": "4.17.15",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
    },
    "mimic-fn": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-1.2.0.tgz",
    },
    "minimatch": {
      "version": "3.0.4",
      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
      "requires": {
        "brace-expansion": "^1.1.7"
      }
    },
    "minimist": {
      "version": "0.0.8",
      "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz",
    },
    "mkdirp": {
      "version": "0.5.1",
      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
      "requires": {
        "minimist": "0.0.8"
      }
    },
    "ms": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
    },
    "mute-stream": {
      "version": "0.0.7",
      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-0.0.7.tgz",
    },
    "natural-compare": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz",
    },
    "nice-try": {
      "version": "1.0.5",
      "resolved": "https://registry.npmjs.org/nice-try/-/nice-try-1.0.5.tgz",
    },
    "once": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
      "requires": {
        "wrappy": "1"
      }
    },
    "onetime": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/onetime/-/onetime-2.0.1.tgz",
      "requires": {
        "mimic-fn": "^1.0.0"
      }
    },
    "optionator": {
      "version": "0.8.2",
      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.2.tgz",
      "requires": {
        "deep-is": "~0.1.3",
        "fast-levenshtein": "~2.0.4",
        "levn": "~0.3.0",
        "prelude-ls": "~1.1.2",
        "type-check": "~0.3.2",
        "wordwrap": "~1.0.0"
      }
    },
    "os-tmpdir": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz",
    },
    "parent-module": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
      "requires": {
        "callsites": "^3.0.0"
      }
    },
    "path-is-absolute": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
    },
    "path-key": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz",
    },
    "prelude-ls": {
      "version": "1.1.2",
      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz",
    },
    "progress": {
      "version": "2.0.3",
      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
    },
    "punycode": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.1.1.tgz",
    },
    "regexpp": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-2.0.1.tgz",
    },
    "resolve-from": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
    },
    "restore-cursor": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-2.0.0.tgz",
      "requires": {
        "onetime": "^2.0.0",
        "signal-exit": "^3.0.2"
      }
    },
    "rimraf": {
      "version": "2.6.3",
      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.3.tgz",
      "requires": {
        "glob": "^7.1.3"
      }
    },
    "run-async": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/run-async/-/run-async-2.3.0.tgz",
      "requires": {
        "is-promise": "^2.1.0"
      }
    },
    "rxjs": {
      "version": "6.5.2",
      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-6.5.2.tgz",
      "requires": {
        "tslib": "^1.9.0"
      }
    },
    "safer-buffer": {
      "version": "2.1.2",
      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
    },
    "semver": {
      "version": "5.7.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz",
    },
    "shebang-command": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz",
      "requires": {
        "shebang-regex": "^1.0.0"
      }
    },
    "shebang-regex": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
    },
    "signal-exit": {
      "version": "3.0.2",
      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz",
    },
    "slice-ansi": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-2.1.0.tgz",
      "requires": {
        "ansi-styles": "^3.2.0",
        "astral-regex": "^1.0.0",
        "is-fullwidth-code-point": "^2.0.0"
      }
    },
    "sprintf-js": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
    },
    "string-width": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz",
      "requires": {
        "is-fullwidth-code-point": "^2.0.0",
        "strip-ansi": "^4.0.0"
      },
      "dependencies": {
        "ansi-regex": {
          "version": "3.0.0",
          "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
        },
        "strip-ansi": {
          "version": "4.0.0",
          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz",
          "requires": {
            "ansi-regex": "^3.0.0"
          }
        }
      }
    },
    "strip-ansi": {
      "version": "5.2.0",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-5.2.0.tgz",
      "requires": {
        "ansi-regex": "^4.1.0"
      }
    },
    "strip-json-comments": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.0.1.tgz",
    },
    "supports-color": {
      "version": "5.5.0",
      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
      "requires": {
        "has-flag": "^3.0.0"
      }
    },
    "table": {
      "version": "5.4.5",
      "resolved": "https://registry.npmjs.org/table/-/table-5.4.5.tgz",
      "requires": {
        "ajv": "^6.10.2",
        "lodash": "^4.17.14",
        "slice-ansi": "^2.1.0",
        "string-width": "^3.0.0"
      },
      "dependencies": {
        "string-width": {
          "version": "3.1.0",
          "resolved": "https://registry.npmjs.org/string-width/-/string-width-3.1.0.tgz",
          "requires": {
            "emoji-regex": "^7.0.1",
            "is-fullwidth-code-point": "^2.0.0",
            "strip-ansi": "^5.1.0"
          }
        }
      }
    },
    "text-table": {
      "version": "0.2.0",
      "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz",
    },
    "through": {
      "version": "2.3.8",
      "resolved": "https://registry.npmjs.org/through/-/through-2.3.8.tgz",
    },
    "tmp": {
      "version": "0.0.33",
      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz",
      "requires": {
        "os-tmpdir": "~1.0.2"
      }
    },
    "tslib": {
      "version": "1.10.0",
      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.10.0.tgz",
    },
    "type-check": {
      "version": "0.3.2",
      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.3.2.tgz",
      "requires": {
        "prelude-ls": "~1.1.2"
      }
    },
    "uri-js": {
      "version": "4.2.2",
      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.2.2.tgz",
      "requires": {
        "punycode": "^2.1.0"
      }
    },
    "v8-compile-cache": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.1.0.tgz",
    },
    "which": {
      "version": "1.3.1",
      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
      "requires": {
        "isexe": "^2.0.0"
      }
    },
    "wordwrap": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-1.0.0.tgz",
    },
    "wrappy": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
    },
    "write": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/write/-/write-1.0.3.tgz",
      "requires": {
        "mkdirp": "^0.5.1"
      }
    }
  }
}

                       === npm audit security report ===

# Run  npm update eslint-utils --depth 2  to resolve 1 vulnerability
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Critical      β”‚ Arbitrary Code Execution                                     β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Package       β”‚ eslint-utils                                                 β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Dependency of β”‚ eslint                                                       β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Path          β”‚ eslint > eslint-utils                                        β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ More info     β”‚ https://npmjs.com/advisories/1118                            β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜


found 1 critical severity vulnerability in 176 scanned packages
  run `npm audit fix` to fix 1 of them.

Running suggested command via wsl (with --verbose):

npm info it worked if it ends with ok
npm verb cli [
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/node',
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/npm',
npm verb cli   'update',
npm verb cli   'eslint-utils',
npm verb cli   '--depth',
npm verb cli   '2',
npm verb cli   '--verbose'
npm verb cli ]
npm info using npm@6.11.2
npm info using node@v12.4.0
npm verb npm-session 81f8c4d6fb5084a9
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 917ms
npm info ok

Running suggested command via cmd (with --verbose):

 info it worked if it ends with ok
npm verb cli [ 'C:\\nodejs\\node.exe',
npm verb cli   'C:\\Users\\G-Rath\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js',
npm verb cli   'update',
npm verb cli   'eslint-utils',
npm verb cli   '--depth',
npm verb cli   '2',
npm verb cli   '--verbose' ]
npm info using npm@6.11.2
npm info using node@v10.15.3
npm verb npm-session fb854829d3d17a46
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 1039ms
npm info ok

Running npm audit fix --verbose via wsl:

npm info it worked if it ends with ok
npm verb cli [
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/node',
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/npm',
npm verb cli   'audit',
npm verb cli   'fix',
npm verb cli   '--verbose'
npm verb cli ]
npm info using npm@6.11.2
npm info using node@v12.4.0
npm verb npm-session d75c2c8322fb2731
npm timing audit submit Completed in 578ms
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/audits 581ms
npm timing audit body Completed in 3ms
npm verb audit installing [ 'eslint>eslint-utils@1.4.2' ]
npm timing stage:loadCurrentTree Completed in 334ms
npm timing stage:loadIdealTree:cloneCurrentTree Completed in 2ms
npm timing stage:loadIdealTree:loadShrinkwrap Completed in 165ms
npm http fetch GET 304 https://registry.npmjs.org/eslint-utils 86ms (from cache)
npm timing stage:loadIdealTree:loadAllDepsIntoIdealTree Completed in 260ms
npm timing stage:loadIdealTree Completed in 481ms
npm timing stage:generateActionsToTake Completed in 27ms
npm verb correctMkdir /home/g-rath/.npm/_locks correctMkdir not in flight; initializing
npm verb lock using /home/g-rath/.npm/_locks/staging-061c593ded4c196d.lock for /c/Users/G-Rath/workspace/projects-ackama/t/node_modules/.staging
npm timing action:extract Completed in 46ms
npm info lifecycle eslint-utils@1.4.0~preuninstall: eslint-utils@1.4.0
npm info lifecycle eslint-utils@1.4.0~uninstall: eslint-utils@1.4.0
npm verb unbuild rmStuff eslint-utils@1.4.0 from /c/Users/G-Rath/workspace/projects-ackama/t/node_modules
npm info lifecycle eslint-utils@1.4.0~postuninstall: eslint-utils@1.4.0
npm timing action:unbuild Completed in 8ms
npm timing action:remove Completed in 15ms
npm timing action:finalize Completed in 9ms
npm timing action:refresh-package-json Completed in 57ms
npm info lifecycle eslint-utils@1.4.2~preinstall: eslint-utils@1.4.2
npm timing action:preinstall Completed in 3ms
npm info linkStuff eslint-utils@1.4.2
npm timing action:build Completed in 3ms
npm info lifecycle eslint-utils@1.4.2~install: eslint-utils@1.4.2
npm timing action:install Completed in 3ms
npm info lifecycle eslint-utils@1.4.2~postinstall: eslint-utils@1.4.2
npm timing action:postinstall Completed in 2ms
npm verb unlock done using /home/g-rath/.npm/_locks/staging-061c593ded4c196d.lock for /c/Users/G-Rath/workspace/projects-ackama/t/node_modules/.staging
npm timing stage:executeActions Completed in 224ms
npm timing stage:rollbackFailedOptional Completed in 1ms
npm timing stage:runTopLevelLifecycles Completed in 1092ms
npm verb saving []
npm verb shrinkwrap skipping write for package.json because there were no changes.
npm info lifecycle undefined~preshrinkwrap: undefined
npm info lifecycle undefined~shrinkwrap: undefined
npm info lifecycle undefined~postshrinkwrap: undefined
npm WARN t@1.0.0 No description
npm WARN t@1.0.0 No repository field.

updated 1 package in 1.235s
fixed 1 of 1 vulnerability in 176 scanned packages
npm verb exit [ 0, true ]
npm timing npm Completed in 2459ms
npm info ok

Running npm update eslint-utils --depth 2 --verbose on WSL w/ npm 5.10.0:

npm info it worked if it ends with ok
npm WARN npm npm does not support Node.js v12.4.0
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9, 10.
npm WARN npm You can find the latest version at https://nodejs.org/
npm verb cli [
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/node',
npm verb cli   '/home/g-rath/.nodenv/versions/12.4.0/bin/npm',
npm verb cli   'update',
npm verb cli   'eslint-utils',
npm verb cli   '--depth',
npm verb cli   '2',
npm verb cli   '--verbose'
npm verb cli ]
npm info using npm@5.10.0
npm info using node@v12.4.0
npm verb npm-session 207b0346c5195795
npm verb update computing outdated modules to update
npm verb request uri https://registry.npmjs.org/eslint-utils
npm verb request no auth needed
npm info attempt registry request try #1 at 6:39:26 PM
npm verb request id 06775069e43b8daa
npm http request GET https://registry.npmjs.org/eslint-utils
npm http 200 https://registry.npmjs.org/eslint-utils
npm verb headers {
npm verb headers   date: 'Sat, 24 Aug 2019 06:39:27 GMT',
npm verb headers   'content-type': 'application/json',
npm verb headers   'transfer-encoding': 'chunked',
npm verb headers   connection: 'keep-alive',
npm verb headers   'set-cookie': [
npm verb headers     '__cfduid=de0f40a2d123a044148b610824b5006231566628767; ' +
npm verb headers       'expires=Sun, 23-Aug-20 06:39:27 GMT; path=/; domain=.npmjs.org; ' +
npm verb headers       'HttpOnly'
npm verb headers   ],
npm verb headers   'cf-cache-status': 'HIT',
npm verb headers   'cache-control': 'max-age=300',
npm verb headers   'cf-ray': '50b354428c6d6561-SYD',
npm verb headers   age: '128',
npm verb headers   etag: 'W/"d13d85759599cb74ca039f754f74152b"',
npm verb headers   'expect-ct': 'max-age=604800, ' +
npm verb headers     'report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"',
npm verb headers   'last-modified': 'Tue, 20 Aug 2019 10:30:02 GMT',
npm verb headers   vary: 'accept-encoding, accept',
npm verb headers   'x-amz-meta-rev': '11-c020839cdb2176f05fff6c725277f133',
npm verb headers   server: 'cloudflare',
npm verb headers   'content-encoding': 'gzip'
npm verb headers }
npm verb exit [ 0, true ]
npm timing npm Completed in 1525ms
npm info ok

I’ve opened a PR to fix this - it seems that depth was being clobbered to 0 if it was truthy.

3 Likes

@G-Rath 's PR was merged and released as 6.11.3. Many thanks @G-Rath!

1 Like