[BUG] npm does not respect package.json dependencies #996
Comments
In general, the ^ does not guarantee any later version will be installed; if something else already requires it, it dedupes rather than forcing a newer version. For 0.0.x, ^ is meaningless - it only says “up to the next x” in x.y.z, 0.x.y, or 0.0.x (i.e., the x is the major in those three patterns).

In my case nothing else requires it. As I understand it * means latest, ^
means latest minor, and ~ means latest patch (taking into account that
nothing else requires it). Are you sure rules that you mentioned are
correct? They are too complicated to be useful.

On Tue, 10 Mar 2020 at 18:21, Jordan Harband wrote:
> In general, the ^ does not guarantee any later version will be installed;
> if something else already requires it, it dedupes rather than forcing a
> newer version.
> For 0.0.x, ^ is meaningless - it only says “up to the next x” in x.y.z,
> 0.x.y, or 0.0.x (ie, the x is the major in those three patterns).

--
Best regards,
Yuri Karadzhov

No, ^ doesn’t mean “latest minor” - it means “this version, or any version up to but not including the next major” - any of which will satisfy the dependency.

Thanks for saving my day!

On Tue, 10 Mar 2020 at 18:41, Jordan Harband wrote:
> No, ^ doesn’t mean “latest minor” - it means “this version, or any version
> up to but not including the next major” - any of which will satisfy the
> dependency.

--
Best regards,
Yuri Karadzhov

What / Why

Npm does not respect package.json dependencies. Lock file is missing and switched off in .npmrc: package-lock=false

In package.json dependencies are set to latest minor e.g. later versions of dependencies are available (e.g. @hqjs/hq@0.0.16), but during npm install instead of latest minor the exact ones (ignoring minor flag) that are specified in package.json are installed (e.g. @hqjs/hq@0.0.15).

When

Every time during npm install

Where

Any npm public repository

Steps to Reproduce

.npmrc configuration inside this project folder with package-lock=false content
npm init
"@hqjs/hq": "^0.0.15"
npm install

Current Behavior

@hqjs/hq@0.0.15 will be installed. Newest version 0.0.16 will be ignored despite package.json configuration

Expected Behavior

@hqjs/hq@0.0.16 should be installed (as a latest minor for this moment)

System

OS: macOS Catalina 10.15.3
node: v12.6.0
npm: 6.14.2
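
The caret rule stated in the replies above, worked through for the versions in this issue. This is an added example, not code from the thread or from npm: it reimplements only the caret bound for plain x.y.z versions (no prerelease tags), and the function names and every sample version other than 0.0.15 and 0.0.16 are constructed for illustration.

```javascript
// Added example: caret (^) bounds for plain x.y.z versions, per the semver range rules.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The left-most non-zero component is the one that may not change.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parse(range.slice(1));
  const pivot = lower.findIndex((n) => n !== 0);
  const i = pivot === -1 ? 2 : pivot; // ^0.0.0 is bounded at 0.0.1
  const upper = lower.map((n, j) => (j < i ? n : j === i ? n + 1 : 0));
  return { lower, upper };
}

function describeRange(range) {
  const { lower, upper } = caretBounds(range);
  return `>=${lower.join('.')} <${upper.join('.')}`;
}

function satisfies(version, range) {
  const { lower, upper } = caretBounds(range);
  const v = parse(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Highest published version inside the range, or null if none qualifies.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed version lists; only 0.0.15 and 0.0.16 come from the issue.
const published = ['0.0.14', '0.0.15', '0.0.16', '0.1.0'];
console.log(describeRange('^0.0.15'), '->', maxSatisfying(published, '^0.0.15'));
console.log(describeRange('^0.1.2'), '->', maxSatisfying(['0.1.2', '0.1.9', '0.2.0'], '^0.1.2'));
console.log(describeRange('^1.2.3'), '->', maxSatisfying(['1.2.3', '1.9.0', '2.0.0'], '^1.2.3'));
```

For a 0.0.x dependency the caret range therefore behaves like an exact pin, which is why 0.0.16 never satisfies "^0.0.15".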