[BUG] npm update does not retain specified dependency ranges in package.json

[rosstroha]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

npm update package --save removes some version range symbols (I have only tested ~ and ^) from package.json

Expected Behavior

It doesn't remove them.

Steps To Reproduce

1. Fresh project created with npm init
2. With package.json contents:

{
  "name": "npmbug",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "emoji-poop": "~1.2.0"
  }
}

4. Run npm update emoji-poop --save
5. The version becomes 1.2.1 instead of ~1.2.1

Environment

• npm: 10.9.0
• Node.js: 20.11.1
• OS Name: Mac OS
• System Model Name: Macbook Pro M1
• npm config:

; "user" config from /Users/r.troha/.npmrc

<redacted>
package-lock = true
save-exact = true
save-prefix = ""

; "env" config from environment

python = "/opt/homebrew/python/bin/python3.8"

; node bin location = /Users/r.troha/.volta/tools/image/node/20.11.1/bin/node
; node version = v20.11.1
; npm local prefix = /Users/r.troha/Projects/npmbug
; npm version = 10.9.0
; cwd = /Users/r.troha/Projects/npmbug
; HOME = /Users/r.troha
; Run `npm config ls -l` to show all defaults.

[kchindam-infy]

@rosstroha I checked with npm update and it does not remove the version range. npm update intended to update the package to the latest version allowed by the version range in the package.json.

Note: save-exact = true config in your .npmrc you can try removing that from npmrc or you can use inline config while running command like this npm update emoji-poop --no-save-exact
checkout this config documentation. https://docs.npmjs.com/cli/v8/using-npm/config#save-exact

[rosstroha]

Same issue

[kchindam-infy]

Not an issue, it is working as intended.

[rosstroha]

Not an issue, it is working as intended.

I must be missing something. --no-save-exact should retain the dependency range, correct?

[rosstroha]

Additionally I've removed save-exact=true from my .npmrc file, just to ensure it's not being considered

Here's my full config

; "default" config from default values

_auth = (protected)
access = null
all = false
allow-same-version = false
also = null
audit = true
audit-level = null
auth-type = "web"
before = null
bin-links = true
browser = null
ca = null
cache = "/Users/r.troha/.npm"
cache-max = null
cache-min = 0
cafile = null
call = ""
cert = null
cidr = null
color = true
commit-hooks = true
cpu = null
depth = null
description = true
dev = false
diff = []
diff-dst-prefix = "b/"
diff-ignore-all-space = false
diff-name-only = false
diff-no-prefix = false
diff-src-prefix = "a/"
diff-text = false
diff-unified = 3
dry-run = false
editor = "vi"
engine-strict = false
expect-result-count = null
expect-results = null
fetch-retries = 2
fetch-retry-factor = 10
fetch-retry-maxtimeout = 60000
fetch-retry-mintimeout = 10000
fetch-timeout = 300000
force = false
foreground-scripts = false
format-package-lock = true
fund = true
git = "git"
git-tag-version = true
global = false
global-style = false
globalconfig = "/Users/r.troha/.volta/tools/image/node/20.11.1/etc/npmrc"
heading = "npm"
https-proxy = null
if-present = false
ignore-scripts = false
include = []
include-staged = false
include-workspace-root = false
init-author-email = ""
init-author-name = ""
init-author-url = ""
init-license = "ISC"
init-module = "/Users/r.troha/.npm-init.js"
init-version = "1.0.0"
init.author.email = ""
init.author.name = ""
init.author.url = ""
init.license = "ISC"
init.module = "/Users/r.troha/.npm-init.js"
init.version = "1.0.0"
install-links = false
install-strategy = "hoisted"
json = false
key = null
legacy-bundling = false
legacy-peer-deps = false
libc = null
link = false
local-address = null
location = "user"
lockfile-version = null
loglevel = "notice"
logs-dir = null
logs-max = 10
; long = false ; overridden by cli
maxsockets = 15
message = "%s"
node-options = null
noproxy = [""]
npm-version = "10.9.0"
offline = false
omit = []
omit-lockfile-registry-resolved = false
only = null
optional = null
os = null
otp = null
pack-destination = "."
package = []
; package-lock = true ; overridden by user
package-lock-only = false
parseable = false
prefer-dedupe = false
prefer-offline = false
prefer-online = false
prefix = "/Users/r.troha/.volta/tools/image/node/20.11.1"
preid = ""
production = null
progress = true
provenance = false
provenance-file = null
proxy = null
read-only = false
rebuild-bundle = true
registry = "https://registry.npmjs.org/"
replace-registry-host = "npmjs"
save = true
save-bundle = false
save-dev = false
save-exact = false
save-optional = false
save-peer = false
; save-prefix = "^" ; overridden by user
save-prod = false
sbom-format = null
sbom-type = "library"
scope = ""
script-shell = null
searchexclude = ""
searchlimit = 20
searchopts = ""
searchstaleness = 900
shell = "/bin/zsh"
shrinkwrap = true
sign-git-commit = false
sign-git-tag = false
strict-peer-deps = false
strict-ssl = true
tag = "latest"
tag-version-prefix = "v"
timing = false
umask = 0
unicode = true
update-notifier = true
usage = false
user-agent = "npm/{npm-version} node/{node-version} {platform} {arch} workspaces/{workspaces} {ci}"
userconfig = "/Users/r.troha/.npmrc"
version = false
versions = false
viewer = "man"
which = null
workspace = []
workspaces = null
workspaces-update = true
yes = null

; "user" config from /Users/r.troha/.npmrc

<redacted>
package-lock = true
save-prefix = ""

; "env" config from environment

python = "/opt/homebrew/python/bin/python3.8"

; "cli" config from command line options

long = true

[rosstroha]

@kchindam-infy

[ljharb]

I think this is related to npm/rfcs#547.