The actual behavior of the npm update command is nowhere near accurately described by the documentation here: https://docs.npmjs.com/cli/update
Consider the first line:
“This command will update all the packages listed to the latest version (specified by the tag config), respecting semver.”
This is true if, and only if, the following condition is present: npm install (or npm ci) has already been run, and node_modules contains the node modules.
If the above condition is not present - even if the package-lock.json is out of date - npm update will not do anything.
This matters, and is very confusing to users. It is entirely reasonable to think that a person would pull a new repo - knowing it has an out-of-date package-lock.json - and attempt to update that old dependency list before installing outdated dependencies. Indeed - I do this almost every day in my current job. (Or at least I was trying to, until I figured out this very non-intuitive behavior.)
The documentation should be updated to make this behavior clear. It should perhaps say:
“This command will update all the packages listed to the latest version (specified by the tag config), respecting semver, provided the outdated dependencies have already been installed.”