Re-installing npm package doesn't pull in newer version dependencies of it
What I Wanted to Do
I wanted to re-install a package, and when re-installing it I wanted it to pull in fresh and latest versions of its own dependencies.
What Happened Instead
Re-installing a package does not refresh the dependencies it pulls in.
npm install: https://github.com/jsheroes/jsheroes.io
- It has a transitive dependency
firstname.lastname@example.org brings in
email@example.com (note that the autodll module has this dep definition for it in the lockfile:
- I would like to re-install that transitive dependency so that it brings in newer lodash versions
I tried to get it un-installed and re-installed again but it didn’t help and it still pulls in
npm uninstall firstname.lastname@example.org && npm install email@example.com
How should I go about updating a transitive dep and pull new versions of its own dependencies?
I also tried plain installing it again
npm install autodll-webpack-plugin@latest
As well as:
npm update autodll-webpack-plugin --depth 9999
Yet none of these pulls in a newer version of lodash than
At this point, I’m not sure if this is an npm CLI bug or due to the dependency resolution logic where some other dependency is pinning down the use of firstname.lastname@example.org. Happy to learn what goes in there.
$ npm --versions
{ 'jsheroes.io': '1.0.0',
  npm: '6.7.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.13.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.36',
  zlib: '1.2.11' }
$ node -p process.platform
darwin
Some information, but not a solution to updating your lodash transitive dependency.
Installing a package will only pull in fresh versions of its dependencies if a compatible version is not already present:
Many of your installed packages depend on lodash, which you can see by running:
npm ls lodash
I thought this looked like the right command for the job, but it does nothing:
npm update --depth=9999 lodash
Note, if you were chasing audit warnings then a fast and easy option is:
npm audit fix
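The rule described in the reply above (a dependency is only refreshed when no compatible version is already present), as an added example that is not part of the original thread and not npm's own code: it walks an npm 6 style lockfile and reports which packages requiring `lodash` keep their locked copy. The lockfile contents, every version number, `other-pkg`, and the helper names `satisfies` and `explainPins` are constructed for illustration, and the range check is a simplified stand-in for the `semver` package.

```javascript
// Simplified stand-in for the `semver` package: supports only exact
// "x.y.z", "^x.y.z" and "~x.y.z" ranges.
function satisfies(version, range) {
  const parse = (s) => s.split('.').map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const op = /^[\^~]/.test(range) ? range[0] : '=';
  const v = parse(version);
  const lo = parse(range.replace(/^[\^~]/, ''));
  if (op === '=') return cmp(v, lo) === 0;
  let hi; // exclusive upper bound
  if (op === '~' || (lo[0] === 0 && lo[1] > 0)) hi = [lo[0], lo[1] + 1, 0];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else hi = [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// For every package that requires `name`, find the locked copy it resolves
// to (own nested node_modules first, then each parent level) and report
// whether that copy still satisfies the range, i.e. whether it is kept.
function explainPins(lock, name) {
  const out = [];
  const walk = (node, path, scopes) => {
    const deps = node.dependencies || {};
    const chain = [deps, ...scopes];
    for (const [pkg, entry] of Object.entries(deps)) {
      const range = (entry.requires || {})[name];
      if (range) {
        const hit = [entry.dependencies || {}, ...chain].find((s) => s[name]);
        const locked = hit ? hit[name].version : null;
        const kept = locked !== null && satisfies(locked, range);
        out.push({ requiredBy: [...path, pkg].join(' > '), range, locked, kept });
      }
      walk(entry, [...path, pkg], chain);
    }
  };
  walk(lock, [], []);
  return out;
}

// Constructed lockfileVersion 1 sample; every version number is made up.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'autodll-webpack-plugin': { version: '1.0.0', requires: { lodash: '^4.17.4' } },
  lodash: { version: '4.17.4' },
  'other-pkg': { version: '1.0.0', requires: { lodash: '~3.10.0' },
    dependencies: { lodash: { version: '3.10.1' } } },
} };

console.table(explainPins(sampleLock, 'lodash'));
```

A row with `kept: true` means a re-install reuses the locked copy even when a newer release would also match the range.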
Thanks, but I use snyk to remediate vulnerabilities.
There’s actually quite a nasty bug with npm audit fix that is pulling in older versions of the package instead of the new one, and it completely breaks things.
Possibly related: Installing package does not use latest available transitive dependencies