npm update unexpectedly deleting dependencies that are installed both as prod and dev

(Mike Brant) #1

What I Wanted to Do

Run npm update to update a dependency that is installed as both a prod and a dev dependency (in this case aws-sdk). I would expect package.json, which has the dependency listed in both places, to be honored, with both version specifiers being updated.

What Happened Instead

If there is a version update available for the package, I am getting:

npm notice save aws-sdk is being moved from dependencies to devDependencies

And package.json is updated with new version only in devDependencies with the production dependency removed.

If no update is available for this package, then everything works normally.

Reproduction Steps

  • Create package.json as follows

{
  "name": "test",
  "version": "1.0.0",
  "description": "test",
  "license": "ISC",
  "dependencies": {
    "aws-sdk": "2.450.0"
  },
  "devDependencies": {
    "aws-sdk": "2.450.0"
  }
}

Note the fixed versions which represent an older version of the package.

  • run npm install. Install should work with a warning about the dependency being both prod and dev.
  • Update package.json to add ^ to version specifiers for dependency in both locations
  • run npm update. You should get npm notice save aws-sdk is being moved from dependencies to devDependencies since the package will update to 2.451 or higher.


It should be noted that this problem was not encountered using an earlier version of npm 6.X (sorry, I don’t know the exact version I was on before the recent update to node 12 and npm 6.9).

Platform Info

$ npm --versions
  'dialogue-services': '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.1',
  modules: '72',
  napi: '4',
  nghttp2: '1.38.0',
  node: '12.1.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '',
  zlib: '1.2.11'
$ node -p process.platform

(John Gee) #2

(Moved to #support)

Packages should be listed under either dependencies or devDependencies, but not both. The dependencies are installed both in production and for local development and testing.

To specify the packages your project depends on, you must list them as "dependencies" or "devDependencies" in your package’s package.json file.

See docs:

(Mike Brant) #3

I know that is typical usage and perhaps I have been taking advantage of undocumented / unsupported behavior over the last year or two that has now been “corrected”. Our use case was to perform only=dev installs for creating Docker images for our CI environment and only=prod for production application Docker images from the same repo. In both cases, we use the AWS SDK in our code.

I guess we will just have to live with installing both prod and dev dependencies in our CI images. Thanks for your time in replying.

1 Like
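
A manifest check for the situation discussed in this thread, as an added example that is not from either poster or from npm: it flags packages listed under both dependencies and devDependencies, and reports packages that dropped out of dependencies between two versions of package.json, which is what would leave an only=prod image without aws-sdk. The function names and the "after" manifest are assumptions; the thread does not show the exact file npm wrote.

```javascript
// Added example: manifest checks for the behaviour reported in this thread.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Packages listed under both "dependencies" and "devDependencies".
function findDualListed(manifest) {
  const prod = manifest.dependencies || {};
  const dev = manifest.devDependencies || {};
  return Object.keys(prod)
    .filter((name) => has(dev, name))
    .sort()
    .map((name) => ({ name, prod: prod[name], dev: dev[name] }));
}

// Packages that were in "dependencies" before a command ran and are missing
// afterwards; movedToDev is true when they now appear only as a dev dependency.
function findDroppedProdDeps(before, after) {
  const was = before.dependencies || {};
  const now = after.dependencies || {};
  const dev = after.devDependencies || {};
  return Object.keys(was)
    .filter((name) => !has(now, name))
    .sort()
    .map((name) => ({ name, movedToDev: has(dev, name) }));
}

// Constructed sample: package.json from the reproduction steps, with ^ added.
const beforeUpdate = JSON.parse(`{
  "name": "test",
  "version": "1.0.0",
  "dependencies": { "aws-sdk": "^2.450.0" },
  "devDependencies": { "aws-sdk": "^2.450.0" }
}`);

// Constructed sample: the shape reported after npm update. The version string
// and the absent "dependencies" key are assumptions, not taken from the thread.
const afterUpdate = JSON.parse(`{
  "name": "test",
  "version": "1.0.0",
  "devDependencies": { "aws-sdk": "^2.451.0" }
}`);

console.log("dual-listed:", findDualListed(beforeUpdate));
console.log("dropped from prod:", findDroppedProdDeps(beforeUpdate, afterUpdate));
```

Run against the committed package.json and the one left in the working tree after npm update, a non-empty second result is a reason to fail the build before a production image is produced.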