`npm update` doesn't save package.json


(Dan Dascalescu) #1

What I Wanted to Do

I wanted to update the direct dependencies in this project. Per https://docs.npmjs.com/cli/update, npm should change package.json, and update "preact": "^8.2.6" to "preact": "^8.2.9":

As of npm@5.0.0, the npm update will change package.json to save the new version as the minimum required dependency.

What Happened Instead

package.json was not modified.

Reproduction Steps

  1. git clone https://github.com/dandv/preact-breaks-apollo-when-mutating-state
  2. cd preact-breaks-apollo-when-mutating-state
  3. grep preact\" package.json # “preact”: “^8.2.6”,
  4. npm update
  5. grep preact\" package.json # still “preact”: “^8.2.6”,


npm update ends with this output, showing it did find preact 8.2.9:

+ graphql-tag@2.9.2
+ apollo-boost@0.1.11
+ react-apollo@2.1.9
+ preact@8.2.9
+ graphql@0.13.2
+ preact-router@2.6.1
+ preact-compat@3.18.0
added 1430 packages from 851 contributors and audited 10875 packages in 19.498s

Platform Info

$ npm --versions
{ 'preact-default-apollo': '0.0.0',
  npm: '6.2.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.11.0',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }

$ node -p process.platform

npm update doesn't update package.json for github modules with semver
(Kat Marchán) #2

That’s… really weird. Considering we have an RFC that’s proposing this behavior.

Clearly, update is weird.

(Kat Marchán) #3

Ah ok, I get it.

This didn’t change preact because nothing was actually updated. We did an initial install, which installed the latest matching range (which is 8.2.9), and so when the update step kicks in, it’s already at the latest, so we don’t register any modification. Furthermore, that update is only recognized when you already have the old version in node_modules. In contrast, try doing your repro but doing npm install preact@8.2.6 (or use a package-lock.json) before doing the npm update and you’ll notice the difference there.

I’m going to say this is definitely a bug, and I think the proper way forward is to move to the behavior in the update RFC, which seems to match the actual expectations folks have for this command, and will also iron out weird technical corner cases like this one.

Thanks for the thorough bug report. I know update is hella confusing and just does bullshit like this all the time. I’m looking forward to this command finally being what people actually expect it to be.

(Brandon Dudek) #4

Thanks for the explanation! :slight_smile:

Is there a bug that we can track?

(Kat Marchán) #5

I would watch the RFC for ratification/implementation.

(Dan Dascalescu) #6

Pardon my confusion… so how can I save the updated version numbers to package.json? I’ve just into this problem again, this time with devDependencies on this repo @ 5e9ecd8294746e84596db4f02e9670dc1d78b791. Again, clone, install, then npm update --save-dev shows old package versions:

+ babel-plugin-transform-es2015-modules-commonjs@6.26.2
+ eslint-plugin-import@2.14.0
+ eslint-config-airbnb-base@11.3.2
+ babel-cli@6.26.0
+ eslint-plugin-jest@20.0.3
+ eslint@4.19.1
+ jest@21.2.1

I resorted to using npm-check, updating the version numbers by hand in package.json, then running npm install. However, a lot of people assume that npm update --save-dev does the same thing -