Re-installing npm package doesn't pull in newer version dependencies of it

What I Wanted to Do

I wanted to re-install a package, and when re-installing it I wanted it to pull in fresh and latest versions of its own dependencies.

What Happened Instead

Re-installing a package does not refresh the dependencies it pulls in.

Reproduction Steps

  1. Clone and build the JavaScript project with npm install: https://github.com/jsheroes/jsheroes.io
  2. It has a transitive dependency autodll-webpack-plugin@0.4.2 which brings in lodash@4.17.5 (note that the autodll module has this dep definition for it in the lockfile: lodash@^4.17.4)
  3. I would like to re-install that transitive dependency so that it brings in newer lodash versions

Details

I tried to get it un-installed and re-installed again but it didn’t help and it still pulls in lodash@4.17.5

npm uninstall autodll-webpack-plugin@0.4.2 && npm install autodll-webpack-plugin@0.4.2

How should I go about updating a transitive dep and pull new versions of its own dependencies?

I also tried plain installing it again

npm install autodll-webpack-plugin@latest

As well as:

npm update autodll-webpack-plugin --depth 9999

Yet none of these pulls in a newer version of lodash than lodash@4.17.5

At this point, I’m not sure if this is an npm CLI bug or due to the dependency resolution logic where some other dependency is pinning down the use of lodash@4.17.5. Happy to learn what goes in there.

Platform Info

$ npm --versions
{ 'jsheroes.io': '1.0.0',
  npm: '6.7.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.13.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.36',
  zlib: '1.2.11' }

$ node -p process.platform
darwin

Some information, but not a solution to updating your lodash transitive dependency.

Installing a package will only pull in fresh versions of its dependencies if a compatible version is not already present:

https://docs.npmjs.com/cli/install.html#algorithm

Many of your installed packages depend on lodash, which you can see by running:

npm ls lodash

I thought this looked like the right command for the job, but it does nothing: 🙁

npm update --depth=9999 lodash

Note, if you were chasing audit warnings then a fast and easy option is:

npm audit fix
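
The install rule described in the reply above, as an added example that is not part of the original thread: it walks a constructed npm 6 (lockfileVersion 1) lockfile fragment and reports, for each package requiring lodash, the range it asks for and whether the locked copy already satisfies it, which is why a re-install leaves lodash@4.17.5 in place. The `legacy-pkg` entry and the function names are hypothetical, and only caret ranges on plain x.y.z versions are handled.

```javascript
// Constructed npm 6 (lockfileVersion 1) fragment. autodll-webpack-plugin@0.4.2,
// lodash@4.17.5 and ^4.17.4 are from the thread; "legacy-pkg" is hypothetical.
const lock = {
  dependencies: {
    'autodll-webpack-plugin': { version: '0.4.2', requires: { lodash: '^4.17.4' } },
    'legacy-pkg': {
      version: '1.0.0',
      requires: { lodash: '^3.0.0' },
      dependencies: { lodash: { version: '3.10.1' } }, // nested copy shadows the root one
    },
    lodash: { version: '4.17.5' },
  },
};

const parse = (v) => v.split('.').map(Number);

// Caret ranges on plain x.y.z versions only (no prerelease tags, no ~ or ||).
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const base = parse(range.slice(1));
  const v = parse(version);
  const order = v[0] - base[0] || v[1] - base[1] || v[2] - base[2];
  if (order < 0) return false; // older than the lower bound
  const i = base.findIndex((n) => n !== 0);
  const fixed = i === -1 ? 3 : i + 1; // components that may not change
  return base.slice(0, fixed).every((n, k) => v[k] === n);
}

// For each package that requires `name`, report the range it asks for and the
// locked copy it resolves to: its own nested dependencies first, then ancestors.
function explain(lockfile, name) {
  const rows = [];
  (function walk(node, scopes, path) {
    const here = node.dependencies || {};
    for (const [dep, entry] of Object.entries(here)) {
      const range = (entry.requires || {})[name];
      const scope = [entry.dependencies || {}, here, ...scopes].find((s) => s[name]);
      if (range && scope) {
        const locked = scope[name].version;
        rows.push({ requiredBy: `${path}${dep}@${entry.version}`, range, locked,
          alreadySatisfied: satisfiesCaret(locked, range) });
      }
      walk(entry, [here, ...scopes], `${path}${dep} > `);
    }
  })(lockfile, [], '');
  return rows;
}

console.table(explain(lock, 'lodash'));
```

Every row with `alreadySatisfied: true` is a requirer for which install has nothing to fetch; to run it against a real project, replace the constructed `lock` object with the parsed contents of its package-lock.json.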

Thanks, but I use snyk to remediate vulnerabilities.

There’s actually quite a nasty bug with npm audit fix that is pulling in older versions of the package instead of the new one, and it completely breaks things.

Possibly related: Installing package does not use latest available transitive dependencies
