[BUG] npm update not updating package.json #708

Closed
basickarl opened this issue Jan 20, 2020 · 101 comments
Labels: Enhancement (new feature or improvement), Priority 1 (high priority issue), Release 7.x (work is associated with a specific npm 7 release), Release 8.x (work is associated with a specific npm 8 release)


@basickarl

basickarl commented Jan 20, 2020

npm update does not update and write to package.json

node v12.14.1
npm v6.13.4
windows 10 pro 64-bit 1903 build 18362.592

Delete node_modules directory and package-lock.json, open cmd.exe and run the following:

C:\Users\karl\Development\langurama>npm install
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated connect@2.30.2: connect 2.x series is deprecated
npm WARN deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()

> grpc@1.24.2 install C:\Users\karl\Development\langurama\node_modules\grpc
> node-pre-gyp install --fallback-to-build --library=static_library

node-pre-gyp WARN Using request for node-pre-gyp https download
[grpc] Success: "C:\Users\karl\Development\langurama\node_modules\grpc\src\node\extension_binary\node-v72-win32-x64-unknown\grpc_node.node" is installed via remote

> node-sass@4.13.1 install C:\Users\karl\Development\langurama\node_modules\node-sass
> node scripts/install.js

Cached binary found at C:\Users\karl\AppData\Roaming\npm-cache\node-sass\4.13.1\win32-x64-72_binding.node

> protobufjs@6.8.8 postinstall C:\Users\karl\Development\langurama\node_modules\protobufjs
> node scripts/postinstall


> node-sass@4.13.1 postinstall C:\Users\karl\Development\langurama\node_modules\node-sass
> node scripts/build.js

Binary found at C:\Users\karl\Development\langurama\node_modules\node-sass\vendor\win32-x64-72\binding.node
Testing binary
Binary is fine

> cypress@3.2.0 postinstall C:\Users\karl\Development\langurama\node_modules\cypress
> node index.js --exec install

Installing Cypress (version: 3.2.0)

 √  Downloaded Cypress
 √  Unzipped Cypress
 √  Finished Installation C:\Users\karl\AppData\Local\Cypress\Cache\3.2.0

You can now open Cypress by running: node_modules\.bin\cypress open

https://on.cypress.io/installing-cypress

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN notsup Unsupported engine for amqplib@0.5.1: wanted: {"node":">=0.8 <6 || ^6"} (current: {"node":"12.14.1","npm":"6.13.4"})
npm WARN notsup Not compatible with your version of node/npm: amqplib@0.5.1
npm WARN notsup Unsupported engine for dissolve@0.3.3: wanted: {"node":"~0.10.0"} (current: {"node":"12.14.1","npm":"6.13.4"})
npm WARN notsup Not compatible with your version of node/npm: dissolve@0.3.3
npm WARN @lasso/marko-taglib@1.0.10 requires a peer of lasso-marko@>=2.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN langurama@0.1.0 No license field.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1955 packages from 810 contributors and audited 889081 packages in 446.948s

20 packages are looking for funding
  run `npm fund` for details

found 41 vulnerabilities (21 low, 3 moderate, 15 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

C:\Users\karl\Development\langurama>npm update

C:\Users\karl\Development\langurama>npm outdated
Package                          Current  Wanted   Latest  Location
@babel/core                        7.4.3   7.4.3    7.8.3  langurama
@babel/plugin-transform-runtime    7.4.3   7.4.3    7.8.3  langurama
@babel/runtime                     7.4.3   7.4.3    7.8.3  langurama
@google-cloud/pubsub              0.28.1  0.28.1    1.3.0  langurama
@lasso/marko-taglib               1.0.10  1.0.10   1.0.15  langurama
amqplib                            0.5.1   0.5.1    0.5.5  langurama
bragi                              0.1.3   0.1.3    0.1.9  langurama
browser-refresh                    1.7.1   1.7.1    1.7.3  langurama
cypress                            3.2.0   3.2.0    3.8.2  langurama
eslint                            5.16.0  5.16.0    6.8.0  langurama
eslint-config-standard            12.0.0  12.0.0   14.1.0  langurama
eslint-plugin-import              2.16.0  2.16.0   2.20.0  langurama
eslint-plugin-node                 8.0.1   8.0.1   11.0.0  langurama
eslint-plugin-promise              4.1.1   4.1.1    4.2.1  langurama
eslint-plugin-standard             4.0.0   4.0.0    4.0.1  langurama
geoip-lite                         1.2.0   1.2.0    1.4.0  langurama
gm                                1.23.0  1.23.0   1.23.1  langurama
jwt-simple                         0.5.1   0.5.1    0.5.6  langurama
lasso                              3.2.3   3.2.3    3.3.1  langurama
lasso-marko                        2.3.0   2.3.0    2.4.8  langurama
marko                             4.16.9  4.16.9  4.18.34  langurama
mongodb                            3.1.1   3.1.1    3.5.1  langurama
passport-linkedin-oauth2           1.5.0   1.5.0    2.0.0  langurama
redux                              4.0.0   4.0.0    4.0.5  langurama
redux-logger                       3.0.0   3.0.0    3.0.6  langurama
redux-promise-middleware           6.1.0   6.1.0    6.1.2  langurama
redux-thunk                        2.2.0   2.2.0    2.3.0  langurama
request-promise-native             1.0.7   1.0.7    1.0.8  langurama
sass-lint                         1.12.1  1.12.1   1.13.1  langurama
socket.io                          2.1.1   2.1.1    2.3.0  langurama
socket.io-client                   2.1.1   2.1.1    2.3.0  langurama

I'm expecting the contents of package.json to be updated.

Here is my package.json:

{
    "name": "langurama",
    "version": "0.1.0",
    "description": "Langurama",
    "author": "Karl Morrison <karl@langurama.com>",
    "main": "application/server/index.js",
    "repository": {
        "type": "git",
        "url": "git+ssh://git@bitbucket.org/basickarl/langurama.git"
    },
    "type": "module",
    "engine": "12.14",
    "scripts": {
        "style": "npx prettier --check \"**/*.*\"",
        "style_fix": "npx prettier --write \"**/*.*\"",
        "lint": "npx eslint .",
        "------------": "",
        "setup_install_l": "NODE_PATH=\"$(pwd)\" sudo apt-get install -y graphicsmagick && npm install && npm rebuild node-sass",
        "setup_install_w": "",
        "setup_config_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node application/tasks/generate_config.js",
        "setup_config_w": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& node application/tasks/generate_config.js\"",
        "setup_start_db_l_w": "docker pull mongo && docker run --name langurama -d -p 27017:27017 mongo",
        "setup_config_db_l_w": "mongo langurama application/tasks/setup_mongodb.js",
        "setup_pop_l--needfixing": "NODE_PATH=\"$(pwd)\" node application/tasks/populate_database.js",
        "setup_pop_w--needfixing": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& node application/tasks/populate_database.js",
        "drop_db_l_w--needfixing": "mongo langurama application/tasks/drop_mongodb.js",
        "dev_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" browser-refresh --nolazy --inspect=9229 application/server.js",
        "dev_w": "cmd.exe /C \"set NODE_ENV=development && set NODE_PATH=.&& browser-refresh --nolazy --inspect=9229 application/index.js\"",
        "dev_inspect_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node --nolazy --inspect-brk=9229 application/server.js",
        "test_l": "NODE_ENV=test NODE_PATH=\"$(pwd)\" npx cypress",
        "start_l": "NODE_ENV=development NODE_PATH=\"$(pwd)\" node application/server.js",
        "lint_l_w": "node_modules/.bin/eslint ."
    },
    "devDependencies": {
        "@babel/plugin-transform-runtime": "7.4.3",
        "browser-refresh": "1.7.1",
        "cross-env": "6.0.3",
        "cypress": "3.2.0",
        "dotenv-extended": "2.7.1",
        "eslint": "5.16.0",
        "eslint-config-prettier": "6.9.0",
        "eslint-config-standard": "12.0.0",
        "eslint-plugin-import": "2.16.0",
        "eslint-plugin-node": "8.0.1",
        "eslint-plugin-promise": "4.1.1",
        "eslint-plugin-standard": "4.0.0",
        "jest": "24.9.0",
        "prettier": "1.19.1",
        "run-script-os": "1.0.7",
        "sass-lint": "1.12.1",
        "shelljs": "0.8.3"
    },
    "dependencies": {
        "@babel/core": "7.4.3",
        "@babel/preset-env": "7.8.3",
        "@babel/runtime": "7.4.3",
        "@google-cloud/pubsub": "0.28.1",
        "@lasso/marko-taglib": "1.0.10",
        "acorn": "7.1.0",
        "amqplib": "0.5.1",
        "bragi": "0.1.3",
        "browser-refresh-taglib": "1.1.0",
        "express": "4.17.1",
        "express-passport": "0.1.0",
        "fluent-ffmpeg": "2.1.2",
        "geoip-lite": "1.2.0",
        "gm": "1.23.0",
        "jwt-simple": "0.5.1",
        "lasso": "3.2.3",
        "lasso-babel-transform": "3.0.0",
        "lasso-marko": "2.3.0",
        "lasso-sass": "3.0.0",
        "marko": "4.16.9",
        "mongodb": "3.1.1",
        "node-native2ascii": "0.2.0",
        "node-wav-player": "0.1.0",
        "passport-facebook": "3.0.0",
        "passport-jwt": "4.0.0",
        "passport-linkedin-oauth2": "1.5.0",
        "passport-local": "1.0.0",
        "redux": "4.0.0",
        "redux-logger": "3.0.0",
        "redux-promise-middleware": "6.1.0",
        "redux-thunk": "2.2.0",
        "request-promise-native": "1.0.7",
        "require-self-ref": "2.0.1",
        "socket.io": "2.1.1",
        "socket.io-client": "2.1.1",
        "urlencode": "1.1.0"
    }
}

@ljharb
Contributor

ljharb commented Jan 20, 2020

Why would npm install ever modify package.json?

@basickarl
Author

@ljharb Hey man! I did that just to illustrate that I did a fresh install from scratch before running npm update. So I did an install then I did an update, but the update didn't change the package.json?

@ljharb
Contributor

ljharb commented Jan 20, 2020

Ah. npm update also shouldn’t change it afaik, it updates what’s on disk to match the package.json.

@collinalexbell

collinalexbell commented Jan 30, 2020

@basickarl, you are specifying exact versions in your package.json instead of specifying minimum versions with caret or tilde dependencies. If you want npm update to work, use tilde or caret deps: https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json

Please close this issue.

@ljharb
Contributor

ljharb commented Oct 9, 2020

Seems answered; can reopen if not.

@ljharb ljharb closed this as completed Oct 9, 2020
@jalik

jalik commented Feb 4, 2021

I have the same issue, npm update does not update versions in package.json, but only in package-lock.json (npm v7).
However the official doc is stating that this should be the case:
https://docs.npmjs.com/cli/v7/commands/npm-update#description

> As of npm@5.0.0, the npm update will change package.json to save the new version as the minimum required dependency. To get the old behavior, use npm update --no-save

I can confirm that this only happens with npm v7.5.1 and not v6.x.
All my versions are defined using ^x.x.x.

node v15.8.0 (official script install)
npm v7.5.1
OS: KDE neon User Edition 5.20 x86_64

As a side note, I also have nvm installed, but pointing to the system node binary, so should not affect anything.

@weirdyang

I'm experiencing the same thing as @jalik, using caret or tilde, it does not update the package.json after running install or update.
npm: '7.5.4',
node: '14.15.4',

@jaysonwu991

I also meet the same problem of package.json not being updated when executing npm update, but something weird is that npm update does update packages, and I can't find what the difference between the 6.x npm configs and the 7.x npm configs is. Are there any solutions for that?

Versions Below

  • npm: '7.5.3'
  • node: '15.9.0'
  • yarn: '1.22.10'

@el7cosmos

I'm experiencing the same issue with @jalik, can we reopen this?

@LucasSymons

I am having these same issues and even downgrading to 6.14.11 and 6.14.8 had no effect.

@bogdan-h

Confirm - the same issue -> npm update will leave the package.json untouched. This is terribly confusing as it does not reflect the actual component's version.
npm version 7.6.3 ; node version : 14.8.0
I end up manually modifying the package.json + cleared the node_modules then npm install with the new versions.

@jaysonwu991

> Confirm - the same issue -> npm update will leave the package.json untouched. This is terribly confusing as it does not reflect the actual component's version.
> npm version 7.6.3 ; node version : 14.8.0
> I end up manually modifying the package.json + cleared the node_modules then npm install with the new versions.

I have to use npm-check-updates instead of modifying package.json manually, but I don't want it that way.

@dandmcd

dandmcd commented Mar 24, 2021

This issue just started for me the other day. Same as everyone else, npm version 7.6.3 is not updating package.json. This issue needs to be reopened.

@ZwapKillrath

ZwapKillrath commented Mar 24, 2021

Same here. Worked yesterday. Updated to latest version. After that - no updating of the package.json. An "npm out" shows that things are updated though. So something is wrong here. Installed version: NodeJS v.14.16.0.

@daviddaxi

> I have the same issue, npm update does not update versions in package.json, but only in package-lock.json (npm v7).
> However the official doc is stating that this should be the case:
> https://docs.npmjs.com/cli/v7/commands/npm-update#description
>
> > As of npm@5.0.0, the npm update will change package.json to save the new version as the minimum required dependency. To get the old behavior, use npm update --no-save
>
> I can confirm that this only happens with npm v7.5.1 and not v6.x.
> All my versions are defined using ^x.x.x.
>
> node v15.8.0 (official script install)
> npm v7.5.1
> OS: KDE neon User Edition 5.20 x86_64
>
> As a side note, I also have nvm installed, but pointing to the system node binary, so should not affect anything.

Seems like they removed these sentences from the official docs... There is no info anymore, that npm update will change the package.json.

@nicraf

nicraf commented Mar 25, 2021

Having same issue! Please reopen!

@jalik

jalik commented Mar 25, 2021

> Seems answered; can reopen if not.

@ljharb Has someone maintaining this repo even seen our messages?
Are you aware of this issue with npm update not updating package.json? Can you reproduce?
If this is a new intended behaviour (which I don't understand), how do we update minor dependencies in package.json like before using a single command, versus the npm install dep1@latest dep2@latest dep3@latest ... command, which is so much less convenient?

@ljharb
Contributor

ljharb commented Mar 25, 2021

@jalik it was an intended change in npm 7. There is not any way to do that as a single npm command anymore.

This type of feedback was brought up on this week's Open RFC call, so it is being considered.

@jalik

jalik commented Mar 25, 2021

@ljharb thank you for answering.
I don't mind if the default behavior changed between two major versions (which means breaking changes), but not having the ability to do like before is a regression to me, even if in fact it seems to be a rollback to "pre-v5" in which package.json was not modified.

Also I did not see in the docs any info about the v7 behavior, can it be updated?
Keeping dependencies up to date (patches only) should be done in a single short command.

So please consider at least a means to offer a "v6-legacy" behavior (like npm update --save similar to yarn upgrade --latest --tilde), because the current process is tedious:

  1. run npm outdated
  2. check which package to upgrade
  3. run npm install dep@latest several times or npm install dep1@latest dep2@latest ... once for the shortest
  4. repeat for every package and project you maintain...

@ljharb
Contributor

ljharb commented Mar 25, 2021

yes, that's what i've done on every project i maintain for half a decade

@jalik

jalik commented Mar 25, 2021

@ljharb so we should do the same for the next decade ⸮

@ZwapKillrath

ZwapKillrath commented Mar 28, 2021

"npm out" ignores packages that need to be updated!!!!
The packages listed in the package.json which are meant to be updated according to their semantic version (^) are completely ignored when running an "npm out".
"node -v": 14.16.0
"npm -v": 6.14.11

(Download from https://nodejs.org/en/ + clean install on new machine)
Even tried to clear the contents of the "dependencies" section in the package-lock.json and do an "npm i" and "npm out" afterwards. Also tried to delete package-lock.json completely.

package.json:
...
"dependencies": {
"@mdi/font": "^5.8.55",
...

"npm out" does not report that @mdi/font has a v.5.9.55.

To do individual "npm i xx@version" is nonsense if you have a lot of dependencies and running automatic testing with sufficient coverage.


New test:
package.json with only "@mdi/font" in it:
{
    "name": "test",
    "version": "0.1.0",
    "private": true,
    "scripts": {
        "serve": "vue-cli-service serve",
        "build": "vue-cli-service build",
        "lint": "eslint src/**/*.{ts,vue}",
        "test:e2e": "vue-cli-service test:e2e --mode development"
    },
    "dependencies": {
        "@mdi/font": "^5.8.55"
    }
}

  1. Delete node_modules and package-lock.json
  2. Doing an "npm i" does not touch the package.json (correct behaviour)
  3. Looking in the freshly created "package-lock.json" I see the following: (not correct behaviour to my knowledge)
    {
        "name": "test",
        "version": "0.1.0",
        "lockfileVersion": 1,
        "requires": true,
        "dependencies": {
            "@mdi/font": {
                "version": "5.9.55",
                "resolved": "https://registry.npmjs.org/@mdi/font/-/font-5.9.55.tgz",
                "integrity": "sha512-jswRF6q3eq8NWpWiqct6q+6Fg/I7nUhrxYJfiEM8JJpap0wVJLQdbKtyS65GdlK7S7Ytnx3TTi/bmw+tBhkGmg=="
            }
        }
    }

So "npm i" installs a newer version of @mdi/font without me allowing it. "npm update" is now integrated in "npm i" or what?
and does not update the "package.json" file... If this is the case going forward - I don't get it!
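
Added example (not code from any participant in this thread, and not npm's own semver implementation): a simplified check of the exact-pin versus caret/tilde behaviour described in the comments above, applied to the `^5.8.55` range and `5.9.55` lockfile entry from this comment. It assumes the `lockfileVersion: 1` layout shown above and plain `x.y.z` versions; the `example-*` package names are hypothetical.

```javascript
'use strict';
// Simplified range logic for the three forms used in this thread:
// "1.2.3" (exact pin), "~1.2.3" and "^1.2.3". Not npm's own semver code;
// prerelease tags and compound ranges are rejected.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [inclusive floor, exclusive ceiling] for a range string.
function bounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const [maj, min, pat] = parseVersion(range.slice(op.length));
  const floor = [maj, min, pat];
  if (op === '~') return [floor, [maj, min + 1, 0]];
  if (op === '^') {
    // Caret holds the left-most non-zero component fixed, so ^0.5.1 stops at 0.6.0.
    if (maj > 0) return [floor, [maj + 1, 0, 0]];
    if (min > 0) return [floor, [0, min + 1, 0]];
    return [floor, [0, 0, pat + 1]];
  }
  return [floor, [maj, min, pat + 1]]; // exact pin admits only itself
}

function satisfies(version, range) {
  const [floor, ceiling] = bounds(range);
  const v = parseVersion(version);
  return compare(v, floor) >= 0 && compare(v, ceiling) < 0;
}

// Compare each range declared in package.json with the version the lockfile pins.
function lockDrift(manifest, lock) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const pinned = lock.dependencies || {};
  return Object.entries(declared).map(([name, range]) => {
    if (!Object.prototype.hasOwnProperty.call(pinned, name)) {
      return { name, range, locked: null, status: 'missing-from-lock' };
    }
    const locked = pinned[name].version;
    let status = 'in-sync';
    if (!satisfies(locked, range)) status = 'lock-outside-range';
    else if (compare(parseVersion(locked), bounds(range)[0]) > 0) status = 'lock-ahead-of-manifest';
    return { name, range, locked, status };
  });
}

// Constructed sample. The first two entries use values quoted in this thread;
// the "example-*" packages are hypothetical and cover the remaining cases.
const SAMPLE_MANIFEST = {
  dependencies: { '@mdi/font': '^5.8.55', '@babel/core': '7.4.3', 'example-zero-major': '^0.5.1' },
  devDependencies: { 'example-unlocked': '~1.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    '@mdi/font': { version: '5.9.55' },
    '@babel/core': { version: '7.4.3' },
    'example-zero-major': { version: '0.6.0' },
  },
};

for (const row of lockDrift(SAMPLE_MANIFEST, SAMPLE_LOCK)) {
  console.log(`${row.name}  ${row.range}  locked=${row.locked}  ${row.status}`);
}
```

A `lock-ahead-of-manifest` row is the situation reported here: the installed version is inside the declared range, and only the lockfile records which version that is.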

@daviddaxi

@ZwapKillrath please read the official npm docs --> "About semantic versioning"!!

This issue is not related to semantic versioning! We are talking about the new behavior of npm update, which is not updating the package.json anymore.

@joelpurra

joelpurra commented Mar 30, 2021

npm update --save would be nice. Until then, here's a quick sh command line hack using jq.

  • Runs npm update and saves the resolved ^ (caret) dependency versions to package.json (and updates package-lock.json).
  • Does not do semver-breaking updates; it only keeps the in-range versions "fresh".
npm update && npm list --json | jq --slurpfile package package.json 'def replaceVersion($replacements): with_entries(if .value | startswith("^") then .value = ("^" + $replacements[.key].version) else . end); .dependencies as $resolved | reduce ["dependencies", "devDependencies"][] as $deps ($package[0]; if .[$deps] | type == "object" then .[$deps] |= replaceVersion($resolved) else . end)' > package.json~ && mv package.json~ package.json && npm install

Only tested in a few many of my own projects. Use at your own risk.

Edit: Now using it in all of my projects. Works very well.

npm update
npm list --json | jq --slurpfile package package.json '
def replaceVersion($replacements):
	with_entries(
		if .value | startswith("^")
		then
			.value = ("^" + $replacements[.key].version)
		else
			.
		end
	);

.dependencies as $resolved
| reduce ["dependencies", "devDependencies"][] as $deps (
	$package[0];
	if .[$deps] | type == "object"
	then
		.[$deps] |= replaceVersion($resolved)
	else
		.
	end
)' > package.json~
mv package.json~ package.json
npm install

@ZwapKillrath

ZwapKillrath commented Mar 30, 2021

@daviddaxi

> @ZwapKillrath please read the official npm docs --> "About semantic versioning"!!
>
> This issue is not related to semantic versioning! We are talking about the new behavior of npm update, which is not updating the package.json anymore.

I know that it is not related to semantic versioning, and have read the official npm docs :-)
I was merely stating an example of what's going on at my end.
I was trying to say: "My package.json does not get updated but my package-lock.json does"
My example was with @mdi/font at v.5.8.55 in the package.json and after npm update at v.5.9.55 in the package-lock.json with the package.json not updated and still at 5.8.55. And to my knowledge - that's weird!

@abhimanusharma

Why is the issue closed? This is a bug and should be resolved or provide an alternative such as npm update --save. Fix or reopen this bug.

@VanderSP

VanderSP commented Apr 5, 2021

THIS IS HORRIBLE HAPPENING WITH ME ALSO... BUT

yarn got same behaviour lately...

probably something more complex...

node?

wsl2?

@fc-reus

fc-reus commented Nov 10, 2021

Having the same issue now ...

@ais-one

ais-one commented Nov 10, 2021

current work around...

  1. npm outdated to see what to potentially update/install
  2. set the versions of the packages that you wish to update/install in the respective package.json files... manually...
  3. npm i

@iainmerrick

iainmerrick commented Nov 10, 2021

Somebody mentioned npm-check-updates, which works nicely (at the expense of an extra dependency):

npx npm-check-updates -u
npm update

It would definitely be nice to have a simple npm update --save option. I don't see why there was a need for a regression in NPM 7 — is this seen as a security risk?

Another option is to use npm audit, which won't update everything but will hopefully pull in any security-critical updates:

npm audit fix --force

sergiocabral added a commit to sergiocabral/Blockchain.GoHorse that referenced this issue Nov 22, 2021
It was not updating the package.json file

Bug?

npm/cli#708
@driehle

driehle commented Dec 8, 2021

Having the same issue after I updated from NPM 7.x to 8.x. Previously, npm update modified the package.json, now it doesn't do so anymore.

@mlandisbqs

My team has build processes that rely on this function (updating package.json) to keep our dependencies up to date with pending minors. If there is a workaround I would love to hear about. This is a breaking change that hit us after updating Node to 16.13.1 LTS. Based on the discussion on this thread, we're going to have to write a script that iterates over the output from npm outdated and runs the install command in a loop.
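
Added example (not code from any participant in this thread or from npm): one way to turn `npm outdated --json` output into a single `npm install` argument list for patch and minor updates, leaving breaking updates for manual review. The sample uses rows from the `npm outdated` table in the opening post; `planUpdates`, `classify` and the package-name allowlist regex are assumptions of this sketch, and the allowlist is deliberately narrower than npm's full naming rules.

```javascript
'use strict';
// Constructed sample in the shape of `npm outdated --json`. Version numbers are
// rows from the table in the opening post; the last entry is a constructed
// malformed name to exercise validation.
const SAMPLE_OUTDATED = {
  '@google-cloud/pubsub': { current: '0.28.1', wanted: '0.28.1', latest: '1.3.0' },
  'amqplib': { current: '0.5.1', wanted: '0.5.1', latest: '0.5.5' },
  'geoip-lite': { current: '1.2.0', wanted: '1.2.0', latest: '1.4.0' },
  'eslint': { current: '5.16.0', wanted: '5.16.0', latest: '6.8.0' },
  'marko': { current: '4.16.9', wanted: '4.16.9', latest: '4.18.34' },
  'not a valid name': { current: '1.0.0', wanted: '1.0.0', latest: '1.0.1' },
};

// Conservative allowlist (assumption): lowercase name with an optional @scope/.
const NAME_RE = /^(?:@[a-z0-9][a-z0-9._~-]*\/)?[a-z0-9][a-z0-9._~-]*$/;
const VERSION_RE = /^(\d+)\.(\d+)\.(\d+)$/;

// Classify the jump from current to latest as 'same', 'patch', 'minor',
// 'breaking' or 'unparsed' (anything that is not a plain x.y.z version).
function classify(current, latest) {
  const c = VERSION_RE.exec(current);
  const l = VERSION_RE.exec(latest);
  if (!c || !l) return 'unparsed';
  if (current === latest) return 'same';
  if (c[1] !== l[1]) return 'breaking';
  // Under caret rules a minor bump on a 0.x package is outside the range.
  if (c[2] !== l[2]) return c[1] === '0' ? 'breaking' : 'minor';
  return 'patch';
}

// Build one argv for `npm install` plus a list of entries needing review.
function planUpdates(outdated) {
  const specs = [];
  const review = [];
  for (const [name, info] of Object.entries(outdated)) {
    if (!NAME_RE.test(name)) {
      review.push({ name, reason: 'invalid-name' });
      continue;
    }
    const { current, latest } = info || {};
    const kind = classify(current, latest);
    if (kind === 'same') continue;
    if (kind === 'patch' || kind === 'minor') specs.push(`${name}@${latest}`);
    else review.push({ name, reason: kind });
  }
  // argv is meant for child_process.execFile('npm', argv): arguments are passed
  // as an array, so no value from the JSON is ever interpreted by a shell.
  const argv = specs.length > 0 ? ['install', ...specs] : null;
  return { argv, review };
}

const plan = planUpdates(SAMPLE_OUTDATED);
console.log(plan.argv ? `npm ${plan.argv.join(' ')}` : 'nothing to install');
for (const item of plan.review) console.log(`review: ${item.name} (${item.reason})`);
```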

@SharakPL

@mlandisbqs I also had scripts involving package.json, but figured relying on package-lock.json is safer.

@ebelyaev

What is the source of truth, the package.json or package-lock.json?

@HRK44

HRK44 commented Dec 19, 2021

can confirm that just happened to me, still an issue with Node 16.3.0 and npm 7.15.1

@chris-pynegar

I'm having this issue also since updating from 7.x to 8.x

ruyadorno added a commit to ruyadorno/cli that referenced this issue Jan 7, 2022
Previously `npm update` was not respecting the `save` option, it
would be impossible for users to use `npm update` and automatically
update their `package.json` files.

This fixes it by adding extra steps on `Arborist.reify._saveIdealTree`
to read direct dependencies of any `package.json` and update them as
needed when reifying using the `update` and `save` options.

Fixes: npm#708
Fixes: npm#2704
Relates to: npm/feedback#270
ruyadorno added a commit to ruyadorno/cli that referenced this issue Jan 12, 2022
Previously `npm update` was not respecting the `save` option, it
would be impossible for users to use `npm update` and automatically
update their `package.json` files.

This fixes it by adding extra steps on `Arborist.reify._saveIdealTree`
to read direct dependencies of any `package.json` and update them as
needed when reifying using the `update` and `save` options.

Fixes: npm#708
Fixes: npm#2704
Relates to: npm/feedback#270
@ruyadorno
Contributor

Thanks @basickarl and everyone else who helped out in the discussion here!

The team has decided that fixing usage of npm update --save was the best way moving forwards 😊 it enables saving dependency ranges to package.json as expected. It's also worth noticing that you can also just set save=true in a .npmrc file in case you want that to be the default behavior.

npm@8.3.2 is out now with the fix 🎉

@SharakPL

Thanks @ruyadorno and the team :)

@NormandoHall

Thanks @ruyadorno for the work. Takes exactly 2 years! But prefer late than never! THANKS!

@sla100

sla100 commented Jan 21, 2022

.npmrc of 2022:

global-style=true
engine-strict=true
legacy-peer-deps=true
lockfile-version=3
save=true

@ljharb
Contributor

ljharb commented Jan 21, 2022

@sla100 #2704 (comment)

@basickarl
Author

basickarl commented Jan 21, 2022

Excellent that the experience will now be improved!

And thanks for updating the docs: https://docs.npmjs.com/cli/v8/commands/npm-update

@emrekupcuoglu

--save doesn't work when updating patches using ~ at npm@8.5.4. But it works when using the ^ in front of the version number.

@ljharb
Contributor

ljharb commented Sep 25, 2022

@emrekupcuoglu see npm/rfcs#547
