[BUG] npm update not updating package.json

[basickarl]

npm update does not update and write to package.json

node v12.14.1
npm v6.13.4
windows 10 pro 64-bit 1903 build 18362.592

Delete node_modules directory and package-lock.json, open cmd.exe and run the following:

C:\Users\karl\Development\langurama>npm install
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated connect@2.30.2: connect 2.x series is deprecated
npm WARN deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()

> grpc@1.24.2 install C:\Users\karl\Development\langurama\node_modules\grpc
> node-pre-gyp install --fallback-to-build --library=static_library

node-pre-gyp WARN Using request for node-pre-gyp https download
[grpc] Success: "C:\Users\karl\Development\langurama\node_modules\grpc\src\node\extension_binary\node-v72-win32-x64-unknown\grpc_node.node" is installed via remote

> node-sass@4.13.1 install C:\Users\karl\Development\langurama\node_modules\node-sass
> node scripts/install.js

Cached binary found at C:\Users\karl\AppData\Roaming\npm-cache\node-sass\4.13.1\win32-x64-72_binding.node

> protobufjs@6.8.8 postinstall C:\Users\karl\Development\langurama\node_modules\protobufjs
> node scripts/postinstall


> node-sass@4.13.1 postinstall C:\Users\karl\Development\langurama\node_modules\node-sass
> node scripts/build.js

Binary found at C:\Users\karl\Development\langurama\node_modules\node-sass\vendor\win32-x64-72\binding.node
Testing binary
Binary is fine

> cypress@3.2.0 postinstall C:\Users\karl\Development\langurama\node_modules\cypress
> node index.js --exec install

Installing Cypress (version: 3.2.0)

 √  Downloaded Cypress
 √  Unzipped Cypress
 √  Finished Installation C:\Users\karl\AppData\Local\Cypress\Cache\3.2.0

You can now open Cypress by running: node_modules\.bin\cypress open

https://on.cypress.io/installing-cypress

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN notsup Unsupported engine for amqplib@0.5.1: wanted: {"node":">=0.8 <6 || ^6"} (current: {"node":"12.14.1","npm":"6.13.4"})
npm WARN notsup Not compatible with your version of node/npm: amqplib@0.5.1
npm WARN notsup Unsupported engine for dissolve@0.3.3: wanted: {"node":"~0.10.0"} (current: {"node":"12.14.1","npm":"6.13.4"})
npm WARN notsup Not compatible with your version of node/npm: dissolve@0.3.3
npm WARN @lasso/marko-taglib@1.0.10 requires a peer of lasso-marko@>=2.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN langurama@0.1.0 No license field.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1955 packages from 810 contributors and audited 889081 packages in 446.948s

20 packages are looking for funding
  run `npm fund` for details

found 41 vulnerabilities (21 low, 3 moderate, 15 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

C:\Users\karl\Development\langurama>npm update

C:\Users\karl\Development\langurama>npm outdated
Package                          Current  Wanted   Latest  Location
@babel/core                        7.4.3   7.4.3    7.8.3  langurama
@babel/plugin-transform-runtime    7.4.3   7.4.3    7.8.3  langurama
@babel/runtime                     7.4.3   7.4.3    7.8.3  langurama
@google-cloud/pubsub              0.28.1  0.28.1    1.3.0  langurama
@lasso/marko-taglib               1.0.10  1.0.10   1.0.15  langurama
amqplib                            0.5.1   0.5.1    0.5.5  langurama
bragi                              0.1.3   0.1.3    0.1.9  langurama
browser-refresh                    1.7.1   1.7.1    1.7.3  langurama
cypress                            3.2.0   3.2.0    3.8.2  langurama
eslint                            5.16.0  5.16.0    6.8.0  langurama
eslint-config-standard            12.0.0  12.0.0   14.1.0  langurama
eslint-plugin-import              2.16.0  2.16.0   2.20.0  langurama
eslint-plugin-node                 8.0.1   8.0.1   11.0.0  langurama
eslint-plugin-promise              4.1.1   4.1.1    4.2.1  langurama
eslint-plugin-standard             4.0.0   4.0.0    4.0.1  langurama
geoip-lite                         1.2.0   1.2.0    1.4.0  langurama
gm                                1.23.0  1.23.0   1.23.1  langurama
jwt-simple                         0.5.1   0.5.1    0.5.6  langurama
lasso                              3.2.3   3.2.3    3.3.1  langurama
lasso-marko                        2.3.0   2.3.0    2.4.8  langurama
marko                             4.16.9  4.16.9  4.18.34  langurama
mongodb                            3.1.1   3.1.1    3.5.1  langurama
passport-linkedin-oauth2           1.5.0   1.5.0    2.0.0  langurama
redux                              4.0.0   4.0.0    4.0.5  langurama
redux-logger                       3.0.0   3.0.0    3.0.6  langurama
redux-promise-middleware           6.1.0   6.1.0    6.1.2  langurama
redux-thunk                        2.2.0   2.2.0    2.3.0  langurama
request-promise-native             1.0.7   1.0.7    1.0.8  langurama
sass-lint                         1.12.1  1.12.1   1.13.1  langurama
socket.io                          2.1.1   2.1.1    2.3.0  langurama
socket.io-client                   2.1.1   2.1.1    2.3.0  langurama

I'm expecting the contents of package.json to be updated.

Here is my package.json:

{
    "name": "langurama",
    "version": "0.1.0",
    "description": "Langurama",
    "author": "Karl Morrison <karl@langurama.com>",
    "main": "application/server/index.js",
    "repository": {
        "type": "git",
        "url": "git+ssh://git@bitbucket.org/basickarl/langurama.git"
    },
    "type": "module",
    "engine": "12.14",
    "scripts": {
        "style": "npx prettier --check \"**/*.*\"",
        "style_fix": "npx prettier --write \"**/*.*\"",
        "lint": "npx eslint .",
        "------------": "",
        "setup_install_l": "NODE_PATH=\"$(pwd)\" sudo apt-get install -y graphicsmagick && npm install && npm rebuild node-sass",
        "setup_install_w": "",
        "setup_config_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node application/tasks/generate_config.js",
        "setup_config_w": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& node application/tasks/generate_config.js\"",
        "setup_start_db_l_w": "docker pull mongo && docker run --name langurama -d -p 27017:27017 mongo",
        "setup_config_db_l_w": "mongo langurama application/tasks/setup_mongodb.js",
        "setup_pop_l--needfixing": "NODE_PATH=\"$(pwd)\" node application/tasks/populate_database.js",
        "setup_pop_w--needfixing": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& node application/tasks/populate_database.js",
        "drop_db_l_w--needfixing": "mongo langurama application/tasks/drop_mongodb.js",
        "dev_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" browser-refresh --nolazy --inspect=9229 application/server.js",
        "dev_w": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& browser-refresh --nolazy --inspect=9229 application/index.js\"",
        "dev_inspect_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node --nolazy --inspect-brk=9229 application/server.js",
        "test_l": "NODE_ENV=test NODE_PATH=\"$(pwd)\" npx cypress",
        "start_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node application/server.js",
        "lint_l_w": "node_modules/.bin/eslint ."
    },
    "devDependencies": {
        "@babel/plugin-transform-runtime": "7.4.3",
        "browser-refresh": "1.7.1",
        "cross-env": "6.0.3",
        "cypress": "3.2.0",
        "dotenv-extended": "2.7.1",
        "eslint": "5.16.0",
        "eslint-config-prettier": "6.9.0",
        "eslint-config-standard": "12.0.0",
        "eslint-plugin-import": "2.16.0",
        "eslint-plugin-node": "8.0.1",
        "eslint-plugin-promise": "4.1.1",
        "eslint-plugin-standard": "4.0.0",
        "jest": "24.9.0",
        "prettier": "1.19.1",
        "run-script-os": "1.0.7",
        "sass-lint": "1.12.1",
        "shelljs": "0.8.3"
    },
    "dependencies": {
        "@babel/core": "7.4.3",
        "@babel/preset-env": "7.8.3",
        "@babel/runtime": "7.4.3",
        "@google-cloud/pubsub": "0.28.1",
        "@lasso/marko-taglib": "1.0.10",
        "acorn": "7.1.0",
        "amqplib": "0.5.1",
        "bragi": "0.1.3",
        "browser-refresh-taglib": "1.1.0",
        "express": "4.17.1",
        "express-passport": "0.1.0",
        "fluent-ffmpeg": "2.1.2",
        "geoip-lite": "1.2.0",
        "gm": "1.23.0",
        "jwt-simple": "0.5.1",
        "lasso": "3.2.3",
        "lasso-babel-transform": "3.0.0",
        "lasso-marko": "2.3.0",
        "lasso-sass": "3.0.0",
        "marko": "4.16.9",
        "mongodb": "3.1.1",
        "node-native2ascii": "0.2.0",
        "node-wav-player": "0.1.0",
        "passport-facebook": "3.0.0",
        "passport-jwt": "4.0.0",
        "passport-linkedin-oauth2": "1.5.0",
        "passport-local": "1.0.0",
        "redux": "4.0.0",
        "redux-logger": "3.0.0",
        "redux-promise-middleware": "6.1.0",
        "redux-thunk": "2.2.0",
        "request-promise-native": "1.0.7",
        "require-self-ref": "2.0.1",
        "socket.io": "2.1.1",
        "socket.io-client": "2.1.1",
        "urlencode": "1.1.0"
    }
}

[ljharb]

Why would npm install ever modify package.json?

[basickarl]

@ljharb Hey man! I did that just to illustrate that I did a fresh install from scratch before running npm update. So I did an install then I did an update, but the update didn't change the package.json?

[ljharb]

Ah. npm update also shouldn’t change it afaik, it updates what’s on disk to match the package.json.

[collinalexbell]

@basickarl, you are specifying exact versions in your package.json instead of specifying minimum versions with caret or tilde dependencies. If you want npm update to work, use tilde or caret deps: https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json

Please close this issue.

[ljharb]

Seems answered; can reopen if not.

[jalik]

I have the same issue, npm update does not update versions in package.json, but only in package-lock.json (npm v7).
However the official doc is stating that this should be the case:
https://docs.npmjs.com/cli/v7/commands/npm-update#description

As of npm@5.0.0, the npm update will change package.json to save the new version as the minimum required dependency. To get the old behavior, use npm update --no-save

I can confirm that this only happens with npm v7.5.1 and not v6.x.
All my versions are defined using ^x.x.x.

node v15.8.0 (official script install)
npm v7.5.1
OS: KDE neon User Edition 5.20 x86_64

As a side note, I also have nvm installed, but pointing to the system node binary, so should not affect anything.

[weirdyang]

I'm experiencing the same thing as @jalik, using caret or tilde, it does not update the package.json after running install or update.
npm: '7.5.4',
node: '14.15.4',

[jaysonwu991]

I also meet the same problem for not updating package.json when executing npm update, but something wired is that npm update do update packages, and I don't find what the difference between 6.x npm configs and 7.x npm configs is. Are there any solutions for that?

Versions Below

• npm: '7.5.3'
• node: '15.9.0'
• yarn: '1.22.10'

[el7cosmos]

I'm experiencing the same issue with @jalik, can we reopen this?

[LucasSymons]

I am having these same issues and even downgrading to 6.14.11 and 6.14.8 had no effect.

[bogdan-h]

Confirm - the same issue -> npm update will leave the package.json untouched. This is terribly confusing as it does not reflect the actual component's version.
npm version 7.6.3 ; node version : 14.8.0
I end up manually modifying the package.json + cleared the node_modules then npm install with the new versions.

[jaysonwu991]

Confirm - the same issue -> npm update will leave the package.json untouched. This is terribly confusing as it does not reflect the actual component's version.
npm version 7.6.3 ; node version : 14.8.0
I end up manually modifying the package.json + cleared the node_modules then npm install with the new versions.

I have to use npm-check-updates instead of modifying package.json manually, but I don't want it that way.

[dandmcd]

This issue just started for me the other day. Same as everyone else, npm version 7.6.3 is not updating package.json. This issue needs to be reopened.

[ZwapKillrath]

Same here. Worked yesterday. Updated to latest version. After that - no updating of the package.json. An "npm out" shows that things are updated though. So something is wrong here. Installed version: NodeJS v.14.16.0.

[daviddaxi]

I have the same issue, npm update does not update versions in package.json, but only in package-lock.json (npm v7).
However the official doc is stating that this should be the case:
https://docs.npmjs.com/cli/v7/commands/npm-update#description

As of npm@5.0.0, the npm update will change package.json to save the new version as the minimum required dependency. To get the old behavior, use npm update --no-save

I can confirm that this only happens with npm v7.5.1 and not v6.x.
All my versions are defined using ^x.x.x.

node v15.8.0 (official script install)
npm v7.5.1
OS: KDE neon User Edition 5.20 x86_64

As a side note, I also have nvm installed, but pointing to the system node binary, so should not affect anything.

Seems like they removed these sentences from the official docs... There is no info anymore, that npm update will change the package.json.

[nicraf]

Having same issue! Please reopen!

[jalik]

Seems answered; can reopen if not.

@ljharb Did someone maintaining this repo has only seen our messages ?
Are you aware of this issue with npm update not updating package.json ? Can you reproduce ?
If this is a new intended behaviour (which I don't understand), how to update minor dependencies in package.json like before using a single command vs npm install dep1@latest dep2@latest dep3@latest ... command which is so much less convenient ?

[ljharb]

@jalik it was an intended change in npm 7. There is not any way to do that as a single npm command anymore.

This type of feedback was brought up on this week's Open RFC call, so it is being considered.

[jalik]

@ljharb thank you for answering.
I don't mind if the default behavior changed between two major versions (which means breaking changes), but not having the ability to do like before is a regression to me, even if in fact it seems to be a rollback to "pre-v5" in which package.json was not modified.

Also I did not see in the docs any info about the v7 behavior, can it be updated ?
Keeping dependencies up to date (patches only) should be done in a single short command.

So please consider at least a mean to offer a "v6-legacy" behavior (like npm update --save similar to yarn upgrade --latest --tilde), because the current process is tedious :

1. run npm outdated
2. check which package to upgrade
3. run npm install dep@latest several times or npm install dep1@latest dep2@latest ... once for the shortest
4. repeat for every package and project you maintain...

[ljharb]

yes, that's what i've done on every project i maintain for half a decade

[jalik]

@ljharb so we should do the same for the next decade ⸮

[ZwapKillrath]

"npm out" ignores packages that need to be updated!!!!
The packages listed in the package.json which are meant to be updated according to their semantic version (^) are completely ignored when running an "npm out".
"node -v": 14.16.0
"npm -v": 6.14.11
(Download from https://nodejs.org/en/ + clean install on new machine)
Even tried to clear the contents of the "dependencies" section in the package-lock.json and do an "npm i" and "npm out" afterwards. Also tried to delete package-lock.json completely.

package.json:
...
"dependencies": {
"@mdi/font": "^5.8.55",
...

"npm out" does not report that @mdi/font has a v.5.9.55.

To do individual "npm i xx@version" is non-sense if you have a lot of dependencies and running automatic testing with sufficient coverage.

---

New test:
package.json with only "@mdi/font" in it:
{
"name": "test",
"version": "0.1.0",
"private": true,
"scripts": {
"serve": "vue-cli-service serve",
"build": "vue-cli-service build",
"lint": "eslint src/**/*.{ts,vue}",
"test:e2e": "vue-cli-service test:e2e --mode development"
},
"dependencies": {
"@mdi/font": "^5.8.55"
}
}

1. Delete node_modules and package-lock.json
2. Doing and "npm i" does not touch the package.json (correct behaviour)
3. Looking in the freshly created "package-lock.json" i see the following: (not correct behaviour to my knowledge)
   {
   "name": "test",
   "version": "0.1.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
   "@mdi/font": {
   "version": "5.9.55",
   "resolved": "https://registry.npmjs.org/@mdi/font/-/font-5.9.55.tgz",
   "integrity": "sha512-jswRF6q3eq8NWpWiqct6q+6Fg/I7nUhrxYJfiEM8JJpap0wVJLQdbKtyS65GdlK7S7Ytnx3TTi/bmw+tBhkGmg=="
   }
   }
   }

So "npm i" installs a newer version of @mdi/font without me allowing it. "npm update" is now integrated in "npm i" or what?
and does not update the "package.json" file... If this is the case going forward - i dont get it!

[daviddaxi]

@ZwapKillrath please read the official npm docs --> "About semantic versioning"!!

This issue is not related to semantic versioning! We are talking about the new behavior of npm update, which is not updating the package.json anymore.

[joelpurra]

npm update --save would be nice. Until then, here's a quick sh command line hack using jq.

• Runs npm update and saves the resolved ^ (caret) dependency versions to package.json (and updates package-lock.json).
• Does not do semver-breaking updates; it only keeps the in-range versions "fresh".

npm update && npm list --json | jq --slurpfile package package.json 'def replaceVersion($replacements): with_entries(if .value | startswith("^") then .value = ("^" + $replacements[.key].version) else . end); .dependencies as $resolved | reduce ["dependencies", "devDependencies"][] as $deps ($package[0]; if .[$deps] | type == "object" then .[$deps] |= replaceVersion($resolved) else . end)' > package.json~ && mv package.json~ package.json && npm install

Only tested in a few many of my own projects. Use at your own risk.

Edit: Now using it in all of my projects. Works very well.

npm update
npm list --json | jq --slurpfile package package.json '
def replaceVersion($replacements):
	with_entries(
		if .value | startswith("^")
		then
			.value = ("^" + $replacements[.key].version)
		else
			.
		end
	);

.dependencies as $resolved
| reduce ["dependencies", "devDependencies"][] as $deps (
	$package[0];
	if .[$deps] | type == "object"
	then
		.[$deps] |= replaceVersion($resolved)
	else
		.
	end
)' > package.json~
mv package.json~ package.json
npm install

[ZwapKillrath]

@daviddaxi

@ZwapKillrath please read the official npm docs --> "About semantic versioning"!!

This issue is not related to semantic versioning! We are talking about the new behavior of npm update, which is not updating the package.json anymore.

I know that it is not related to semantic versioning, and have read the official npm docs :-)
I was merely stating an example of whats going on at my end.
I was trying to say: "My package.json does not get updated but my package-lock.json does"
My example was with @mdi/font at v.5.8.55 in the package.json and after npm update at v.5.9.55 in the package-lock.json with the package.json not updated and still at 5.8.55. And to my knowledge - thats weird!

[abhimanusharma]

Why is the issue closed? This is a bug and should be resolved or provide alternative such as npm update --save. Fix or reopnen this bug.

[VanderSP]

THIS IS HORRIBLE HAPPENING WITH ME ALSO... BUT

yarn got same behaviour lately...

probably something more complex...

node?

wsl2?

[fc-reus]

Having the same issue now ...

[ais-one]

current work around...

1. npm outdated to see what to potentially update/install
2. set the versions of the packages that you wish to update/install in the respective package.json files... manually...
3. npm i

[iainmerrick]

Somebody mentioned npm-check-updates, which works nicely (at the expense of an extra dependency):

npx npm-check-updates -u
npm update

It would definitely be nice to have a simple npm update --save option. I don't see why there was a need for a regression in NPM 7 — is this seen as a security risk?

Another option is to use npm audit, which won't update everything but will hopefully pull in any security-critical updates:

npm audit fix --force

[driehle]

Having the same issue after I updated from NPM 7.x to 8.x. Previously, npm update modified the package.json, now it doesn't do so anymore.

[mlandisbqs]

My team has build processes that rely on this function (updating package.json) to keep our dependencies up to date with pending minors. If there is a workaround I would love to hear about. This is a breaking change that hit us after updating Node to 16.13.1 LTS. Based on the discussion on this thread, we're going to have to write a script that iterates over the output from npm outdated and runs the install command in a loop.

[SharakPL]

@mlandisbqs I also had scripts involving package.json, but figured relying on package-lock.json is safer.

[ebelyaev]

What is the source of truth, the package.json or package-lock.json?

[HRK44]

can confim that just happened to me, still an issue with Node 16.3.0 and npm 7.15.1

[chris-pynegar]

I'm having this issue also since updating from 7.x to 8.x

[ruyadorno]

Thanks @basickarl and everyone else who helped out in the discussion here!

The team has decided that fixing usage of npm update --save was the best way moving forwards 😊 it enables saving dependency ranges to package.json as expected. It's also worth noticing that you can also just set save=true in a .npmrc file in case you want that to be the default behavior..

npm@8.3.2 is out now with the fix 🎉

[SharakPL]

Thanks @ruyadorno and the team :)

[NormandoHall]

Thanks @ruyadorno for the work. Takes exactly 2 years! But prefer late than never! THANKS!

[sla100]

.npmrc of 2022:

global-style=true
engine-strict=true
legacy-peer-deps=true
lockfile-version=3
save=true

[ljharb]

@sla100 #2704 (comment)

[basickarl]

Excellent that the experience will now be improved!

And thanks for updating the docs: https://docs.npmjs.com/cli/v8/commands/npm-update

[emrekupcuoglu]

--save doesn't work when updating patches using ~ at npm@8.5.4. But it works when using the ^ in front of the version number.

[ljharb]

@emrekupcuoglu see npm/rfcs#547