npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `npm update` only edits package-lock.json, not package.json #7227

Open adamlui opened 7 months ago

adamlui commented 7 months ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

When running npm update from a project's root, only the package-lock.json gets edited

Expected Behavior

When running npm update, both the package.json + package-lock.json should be edited

Steps To Reproduce

  1. Run npm update in any package root
  2. Inspect package.json to observe no changes made when update is found

Environment

prefix = "C:\Users\adaaaam\AppData\Roaming\npm"

; "user" config from C:\Users\adaaaam.npmrc

//registry.npmjs.org/:_authToken = (protected)

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v21.6.2
; npm local prefix = e:\kudoai\kudoai.com
; npm version = 10.2.4
; cwd = e:\kudoai\kudoai.com
; HOME = C:\Users\adaaaam
; Run npm config ls -l to show all defaults.

shadowspawn commented 6 months ago

This is the documented behaviour. Try adding --save.

https://docs.npmjs.com/cli/v10/commands/npm-update

Note that by default npm update will not update the semver values of direct dependencies in your project package.json. If you want to also update values in package.json you can run: npm update --save (or add the save=true option to a configuration file to make that the default behavior).

adamlui commented 6 months ago

Hey @shadowspawn thanks for the info, npm update --save also isn't updating package.json

The bug appears to be affecting dependabot's behavior too: https://github.com/dependabot/dependabot-core/issues/9071

Sometimes dependabot updates both files: Bump @adamlui/scss-to-css from 1.1.1 to 1.2.0; Bump @adamlui/minify.js from 1.0.1 to 1.0.2

...and sometimes it doesn't: Bump @adamlui/scss-to-css from 1.0.1 to 1.2.0; Bump sass from 1.70.0 to 1.71.0 in /scss-to-css

adamlui commented 6 months ago

Wait nvm those were sub-dependencies and my main ones were already up-to-date, I tested down-bumping then --save worked to edit both files. But do you know if Dependabot's glitched behavior is due to an npm cli bug?

adamlui commented 6 months ago

Also if a user is using --save and sub-dependencies are being bumped, shouldn't it be expected they want the sub-dependency's package.json to save this new tree?

Toxiapo commented 5 months ago

I am seeing two behaviors from my workflow and maybe this is related. I am using node@20 and npm@10.1.0

--save works with the npm update command, however, if I set save=true in my .npmrc file, it does not pick up the setting. And --save doesn't work for workspaces. e.g. npm update prettier --save -w my_workspace_1 will only update package-lock file.

HristoKolev commented 5 months ago

I'm having a very similar issue, if I run npm up --save some dependencies are getting updated in package.json but some aren't.

In this example if you run npm up --save - vite will be updated but vitest won't. They both get updated in package-lock.json as they should.

https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package.json
https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package-lock.json

ChristophP commented 3 months ago

I also found this behavior surprising. Instead of npm update <package> I now use npm install <package>@<version> to make sure the package json is updated but it's less convenient because I need to look up the version first.

enrij commented 3 months ago

In my case npm update --save does update (some!!!!!) packages but not others. I'm using version 10.8.0 on MacOS Sonoma 14.5 with node 20.11.1

Repro steps using an Angular app as sample project:

  1. Install angular cli if not already in place > npm install -g @angular/cli
  2. Create an empty angular app > ng new my-app and select any option in the setup wizard (will not affect the result)
  3. Move to the new working folder > cd my-app
  4. Check the created package.json > it should reference tslib: ^2.3.0 as dependency
  5. Check the actual installed version of tslib and zone.js > npm list and look for tslib and zone.js
  6. Eventually, for the sake of the issue, force the proper tslib version > npm install tslib@2.3.0
  7. Eventually, for the sake of the issue, force the proper zone.js version > npm install zone.js@0.14.3
  8. Check all dependencies for tslib allow for latest version of tslib (2.6.2 at this moment) > npm list tslib
  9. Run npm update --save
  10. Check your package.json file and notice that zone.js version is up to date but tslib is not
  11. Check the actual installed version of tslib and zone.js are BOTH up to date > npm list and look for tslib and zone.js
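
The mismatch reported in this thread can be checked mechanically. The following is an added example, not npm's code and not from any commenter: it lists direct dependencies whose package.json range starts below the version recorded in package-lock.json. `findDrift`, `rangeFloor` and the sample data are hypothetical names and constructed values; it assumes lockfileVersion 2 or 3 and plain `^x.y.z`, `~x.y.z` or `x.y.z` ranges.

```javascript
// Added example (not npm's code): find direct dependencies whose package.json
// range still starts below the version recorded in package-lock.json.
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by node_modules/<name>).
// Ranges other than ^x.y.z, ~x.y.z or x.y.z are reported, never guessed at.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Parse "^2.3.0", "~2.3.0" or "2.3.0" into [major, minor, patch]; else null.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns one record per direct dependency that is behind, unparsed or missing.
function findDrift(pkg, lock) {
  const report = [];
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const entry = (lock.packages || {})[`node_modules/${name}`];
      const floor = rangeFloor(range);
      const locked = entry ? rangeFloor(entry.version) : null;
      const base = { name, range, locked: entry ? entry.version : null };
      if (!entry) report.push({ ...base, status: 'missing' });
      else if (!floor || !locked) report.push({ ...base, status: 'unparsed' });
      else if (cmp(floor, locked) < 0) report.push({ ...base, status: 'behind' });
    }
  }
  return report;
}

// Constructed sample shaped like the tslib / zone.js report above
// (version numbers other than tslib's are made up for illustration).
const samplePkg = {
  dependencies: { tslib: '^2.3.0', 'zone.js': '~0.14.6', rxjs: 'github:ReactiveX/rxjs' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tslib': { version: '2.6.2' },
    'node_modules/zone.js': { version: '0.14.6' },
    'node_modules/rxjs': { version: '7.8.1' },
  },
};
console.log(findDrift(samplePkg, sampleLock));
```

To run it on a real project, pass the parsed contents of package.json and package-lock.json to `findDrift` in place of the sample objects.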