npm Community Forum (Archive)

The npm community forum has been discontinued.

npm update doesn't update package.json for github modules with semver

What I Wanted to Do

  1. I ran npm update mygithubmodule and I expected that the version number in the package.json would be updated similarly to how the version number updates for modules published to npm when using semver.

  2. Running npm install when a branch is specified without a commit or semver will result in package-lock.json being reverted to an old version of the module if the user already has the module in node_modules.

What Happened Instead

  1. I ran npm update mygithubmodule, the appropriate module version was installed to node_modules and package-lock.json version property was updated to the latest semver correct version with sha.

package.json was not updated; expected it to update from

"mygithubmodule": "git+^1.1.1"

to

"mygithubmodule": "git+^1.1.2"

  2. Specified git repo only in package.json

"mygithubmodule": "git+"

Run npm update on one machine, package-lock.json has sha updated correctly. If another user pulls the changes and runs npm install, but has an existing version of the module in the node_modules directory then package-lock.json is “downgraded” to the version that is already installed. I would instead expect the module version specified in package-lock.json to be installed.

Reproduction Steps

I have created a repo demonstrating the issue. Comments have been added to each commit to try and further illustrate the issue.

Platform Info

$ npm --versions

        risops: '1.0.0',
        npm: '6.1.0',
        ares: '1.13.0',
        cldr: '32.0',
        http_parser: '2.7.0',
        icu: '60.1',
        modules: '59',
        nghttp2: '1.25.0',
        node: '9.2.0',
        openssl: '1.0.2m',
        tz: '2017c',
        unicode: '10.0',
        uv: '1.16.1',
        v8: '6.2.414.44-node.11',
        zlib: '1.2.11'

$ node -p process.platform
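
The second problem reported above, a stale node_modules checkout winning over the commit recorded in package-lock.json, can be caught before a build with a check like the following. This is an added example, not part of the original post or npm's own code. It assumes npm 6's lockfile layout (a git dependency's version field holds the URL plus commit, from holds the requested spec) and that the installed package.json carries _resolved; function names, host and commit ids are constructed.

```javascript
// Added example. Helper names and all sample data below are constructed.
const SHA = /^[0-9a-f]{40}$/;
// Split a git dependency spec into URL, pinned commit and semver range.
function parseGitSpec(spec) {
  if (typeof spec !== 'string' || !/^(git\+|git:|github:)/.test(spec)) return null;
  const hash = spec.indexOf('#');
  const frag = hash === -1 ? '' : spec.slice(hash + 1);
  return {
    url: hash === -1 ? spec : spec.slice(0, hash),
    commit: SHA.test(frag) ? frag : null,
    range: frag.startsWith('semver:') ? frag.slice('semver:'.length) : null,
  };
}

// lock: parsed package-lock.json; installed: name -> parsed installed package.json.
function findGitDrift(lock, installed) {
  const findings = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const locked = parseGitSpec(entry.version);
    if (!locked) continue; // registry dependency, not covered here
    const requested = parseGitSpec(entry.from);
    const onDisk = parseGitSpec((installed[name] || {})._resolved);
    let status = 'ok';
    if (!locked.commit) status = 'lock-not-pinned';
    else if (!onDisk || !onDisk.commit) status = 'install-unverifiable';
    else if (onDisk.commit !== locked.commit) status = 'drift';
    findings.push({
      name, status,
      range: requested ? requested.range : null,
      locked: locked.commit,
      installed: onDisk ? onDisk.commit : null,
    });
  }
  return findings;
}

const repo = 'git+https://git.example.invalid/acme/'; // placeholder host
const OLD = 'a'.repeat(40), NEW = 'b'.repeat(40);     // constructed commit ids
const sampleLock = { lockfileVersion: 1, dependencies: {
  mygithubmodule: { version: repo + 'mygithubmodule.git#' + NEW,
                    from: repo + 'mygithubmodule.git#semver:^1.1.1' },
  pinnedmod: { version: repo + 'pinnedmod.git#' + OLD, from: repo + 'pinnedmod.git' },
  registrydep: { version: '1.3.0' },
} };
const sampleInstalled = {
  mygithubmodule: { _resolved: repo + 'mygithubmodule.git#' + OLD }, // stale checkout
  pinnedmod: { _resolved: repo + 'pinnedmod.git#' + OLD },
};
console.log(findGitDrift(sampleLock, sampleInstalled));
```

A status of drift means the tree on disk is not the commit the lockfile pins, so the build should stop rather than let an install rewrite the lock.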

This is a great report! Thanks for the detailed repro!

This should be fixable by modifying npm outdated, which is the thing that currently sits under update. If you can get outdated to give you the right semver range back, then it should just work from there. This is where you would start:

You should then be able to use fetchPackageMetadata (look in lib/install/deps.js for an example on how to call it), and do something similar to what this is doing, if the parsed object in that function above has a gitRange field (so the original requested git version was a semver range).

I think that’s probably a good place to start. I’ll tag this so folks know that we’d love a patch for this, and I’m willing to answer any questions someone might have about the stuff above. I might also be completely wrong about this approach but we’ll figure it out! :)

I found that npm update didn’t update package.json for regular modules (npm, not GitHub).