npm update --depth command no longer working correctly (v6.9.0)

What I Wanted to Do

I wanted to run the npm update command to update a dependency (module-B) that is pulled in by a direct dependency of my app (module-A).

So the dependency graph looks like:
App
  -> Module-A
    -> Module-B
My app has a package-lock file.

To update the dependency I ran the following commands:

  1. npm i
  2. npm update --depth 1 module-B

I expected package-lock.json to get updated with the new version of module-B.
(The version of module-B in package-lock.json is v2.1.0. The newly published version is v2.2.0.)
Module-A has the dependency specified as: "module-B": "^2.0.0"

What Happened Instead

npm did not update the dependency. The command just returned without any output or modification.

Same command works as expected with v6.4.1

Reproduction Steps

I think this should be reproducible for any scenario similar to the one described above.
I have created a small public repo with a lock file. If any of the nested dependencies get a new version, I’ll link the repo here to reproduce the issue.

Details

Platform Info

```
$ npm --versions
{ npm: '6.9.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }

$ node -p process.platform
darwin
```

Probably related: npm outdated --depth 9999 also fails to report any outdated dependencies past the first level.

This problem seems to have started with v6.6.0. Works as expected in v6.5.0 as well.

I found that I cannot update sub-dependencies using npm update --depth 999 nested-package, which is suggested by the docs and by npm audit. Is it related to this issue?

I am also experiencing all of the issues mentioned by others. depth is ignored for "update" and "outdated" from 6.5.0 and forward, and the exact commands suggested by npm audit simply do nothing.

Example: Path = grunt-kss > kss > handlebars
"Run npm update handlebars --depth 3 to resolve 1 vulnerability"

npm update handlebars --depth 3
(no output at all, nothing changes)

npm update handlebars --depth 3 --dd
Output:

```
npm info it worked if it ends with ok
npm verb cli [ '/Users/–redacted–/.nvm/versions/node/v10.16.0/bin/node',
npm verb cli   '/Users/–redacted–/.nvm/versions/node/v10.16.0/bin/npm',
npm verb cli   'update',
npm verb cli   'handlebars',
npm verb cli   '--depth',
npm verb cli   '3',
npm verb cli   '--dd' ]
npm info using npm@6.9.0
npm info using node@v10.16.0
npm verb npm-session c66f8f7a25a3cfce
npm verb update computing outdated modules to update
npm verb exit [ 0, true ]
npm timing npm Completed in 2075ms
npm info ok
```

I am using nvm, node 10.16.0 and I am on mac.

Irrelevant side note: I would also like to note that this type of issue-tracking is extremely frustrating. PLEASE use a proper issue tracker.

It's possible to work around this by deleting node_modules and package-lock.json and then running npm i.

I’m still experiencing this issue in 6.10.1.

Sub-dependencies are referenced with ^x.x.x, and although they are only at a minor version, patch versions should be able to be updated.

For now I have worked around this by installing the sub-dependency into my project at a specific version, or running upgrade, and then uninstalling it.

E.g.

Cannot upgrade from axios 0.18.0 to 0.18.1 without running:

npm i axios@0.18.1 -S
npm un axios

Edit: uninstalling does not work. I’ve had to keep a dependency on axios.


The workaround (deleting node_modules, etc.) does not work for many of us because we cannot blindly update all packages without introducing significant risk, since so many packages would update at once. The previous ability to update with --depth allowed finer-grained control, so you could update packages in a controlled manner.

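The thread's practical problem is that the only reliable workaround (deleting node_modules and package-lock.json, then npm i) refreshes every resolved version at once, while the intent was to move a single nested package such as module-B. The script below is an added example written for this page; it is not code from the thread or from npm. It diffs two npm 6 lockfiles (lockfileVersion 1, the nested "dependencies" tree) so that a wholesale refresh can be audited: it lists every install path whose resolved version changed, flags anything other than the intended package, and checks the new version of that package against the range its parent declares in "requires". It assumes lockfile v1 structure, handles only "^x.y.z" ranges (the only form the posts mention), and the two lockfiles it compares are constructed to mirror the App -> module-A -> module-B graph above.

```javascript
'use strict';
// Added example, not code from this thread or from npm. Audits a package-lock
// refresh: which resolved versions moved, were they all the intended target,
// and does the target's new version still satisfy its parent's declared range.
// Assumes lockfileVersion 1; only "^x.y.z" ranges are understood.

// Flatten the nested dependency tree into Map<"parent > child", version>.
function flattenLock(lock, prefix = '', out = new Map()) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.set(path, entry.version);
    if (entry.dependencies) flattenLock(entry, path, out);
  }
  return out;
}

// Compare two lockfiles: paths whose version changed, appeared, or vanished.
function diffLocks(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const changed = [], added = [], removed = [];
  for (const [path, version] of a) {
    if (!b.has(path)) removed.push({ path, version });
    else if (b.get(path) !== version) changed.push({ path, from: version, to: b.get(path) });
  }
  for (const [path, version] of b) {
    if (!a.has(path)) added.push({ path, version });
  }
  return { changed, added, removed };
}

// A nested entry's range is the parent's "requires" field. Top-level ranges
// live in package.json, which v1 lockfiles do not record, so return undefined.
function requiredRange(lock, path) {
  const parts = path.split(' > ');
  if (parts.length < 2) return undefined;
  let node = lock;
  for (const name of parts.slice(0, -1)) node = node.dependencies[name];
  return (node.requires || {})[parts[parts.length - 1]];
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Minimal caret check: version >= base and the leftmost non-zero component of
// base is unchanged (^2.0.0 admits 2.x.y; ^0.18.0 admits only 0.18.x).
// Not full semver: prerelease tags and other operators throw.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] > base[i]) break;
    if (v[i] < base[i]) return false;
  }
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Audit a refresh that was meant to move only `target`: list every other path
// that moved, and check the target's new version against its parent's range.
function auditTargetedUpdate(before, after, target) {
  const diff = diffLocks(before, after);
  const isTarget = (p) => p === target || p.endsWith(` > ${target}`);
  const unexpected = [...diff.changed, ...diff.added, ...diff.removed]
    .filter((e) => !isTarget(e.path)).map((e) => e.path);
  const targetChanges = diff.changed.filter((e) => isTarget(e.path)).map((e) => {
    const range = requiredRange(after, e.path);
    const inRange = range && range.startsWith('^') ? satisfiesCaret(range, e.to) : null;
    return { ...e, range, inRange };
  });
  return { diff, unexpected, targetChanges };
}

// Constructed lockfiles mirroring the thread: App -> module-A -> module-B.
const lockBefore = {
  name: 'app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'module-A': {
      version: '1.0.0',
      requires: { 'module-B': '^2.0.0' },
      dependencies: { 'module-B': { version: '2.1.0' } },
    },
    'module-C': { version: '1.3.0' },
  },
};
// What a targeted update should produce: only module-B moves, 2.1.0 -> 2.2.0.
const lockAfterTargeted = JSON.parse(JSON.stringify(lockBefore));
lockAfterTargeted.dependencies['module-A'].dependencies['module-B'].version = '2.2.0';
// What a wholesale refresh may produce: an unrelated package moved as well.
const lockAfterBlind = JSON.parse(JSON.stringify(lockAfterTargeted));
lockAfterBlind.dependencies['module-C'].version = '1.4.0';

console.log(JSON.stringify(auditTargetedUpdate(lockBefore, lockAfterTargeted, 'module-B'), null, 2));
console.log(JSON.stringify(auditTargetedUpdate(lockBefore, lockAfterBlind, 'module-B'), null, 2));
```

In practice you would load the real files with `JSON.parse(fs.readFileSync(...))`, keeping a copy of package-lock.json from before the refresh. A non-empty `unexpected` list is the signal that the workaround pulled in more than the one package you meant to move, which is exactly the risk raised in the last post; the `inRange` flag confirms the new nested version still fits what the parent declared.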