npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm update unexpectedly deleting dependencies that are installed both as prod and dev

What I Wanted to Do

Run npm update to update a dependency to be installed as both prod and dev dependency (in this case aws-sdk). I would expect package.json which has dependency listed in both places to be honored, with both version specifiers being updated.

What Happened Instead

If there is a version update available for the package, I am getting:

npm notice save aws-sdk is being moved from dependencies to devDependencies

And package.json is updated with new version only in devDependencies with the production dependency removed.

If no update is available, for this package, then everything works normally.

Reproduction Steps

  "name": "test",
  "version": "1.0.0",
  "description": "test",
  "license": "ISC",
  "dependencies": {
    "aws-sdk": "2.450.0"
  "devDependencies": {
    "aws-sdk": "2.450.0"

Note the fixed versions which represent an older version of the package.


It should be noted that this problem was not encountered using earlier version of npm 6.X (sorry I don’t know exact version I was on before recent update to node 12 and npm 6.9)

Platform Info

$ npm --versions
  'dialogue-services': '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.1',
  modules: '72',
  napi: '4',
  nghttp2: '1.38.0',
  node: '12.1.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '',
  zlib: '1.2.11'
$ node -p process.platform

(Moved to #support)

Packages should be listed under either dependencies or devDependencies, but not both. The dependencies are installed both in production and for local development and testing.

To specify the packages your project depends on, you must list them as "dependencies" or "devDependencies" in your package’s package.json file.

See docs:

I know that is typical usage and perhaps I have been taking advantage of undocumented / unsupported behavior over the last year or two that has now been “corrected”. Our use case was to to perform only=dev installs for creating Docker images for Our CI environment and only=prod for production application Docker images from same repo. In both cases, we use the AWS SDK in our code.

I guess we will just have to live with installing both prod and dev dependencies in our CI images. Thanks for your time in replying.