[BUG] npx not getting latest version, yes again!

[markg85]

Is there an existing issue for this?

• [X] I have searched the existing issues

This issue exists in the latest npm version

• [X] I am using the latest npm

Current Behavior

As soon as you've used npx, the package you used it on is cached. Subsequent uses of that package will use the cache and therefore not update.

Unless you explicitly manually provide <package>@latest

Expected Behavior

npx should nearly always try to get the latest version. Except when an explicit tag/version is provided. This essentially flips the default behavior.

I know a lot has been said about this very subject in the past. People have good arguments for either direction. My argument to flipping the default behavior is:

• When using npx, you don't care about the version. You want to run package X in it's current - upstream - state!
• The current behavior makes npx at the very least a lot less useful. I'm using npx to have an easy way to get the latest version (usually with the serve package). If npx now in it default behavior nags me about a package updates then it's usefulness for my purposes is rapidly declining

Steps To Reproduce

-

Environment

-

[lukekarrys]

Transferred this to our RFCs repo where it will be better to discuss both sides of this. I'm also thinking that a change to this could be breaking depending on the final outcome.

[wraithgar]

This doesn't track. npx will always try to get the newest version of a package when requested with no tag/version unless it is installed globally or is installed in the package at cwd/prefix.

[wraithgar]

The local cache that npm uses when fetching packuments has a maximum life of 5 minutes. So at the very most there is a 5 minute window after a new version is published that your local cache will not pull the brand newest packument.

[wesleytodd]

I have not tested explicitly recently, but I have a bunch of places where I have had to add @latest for npx to actually pick up the latest version. I have done this afaik in both 8.x and 9.x versions.

[wraithgar]

@wesleytodd I'm sure you did. There was a regression that got fixed two months ago https://github.com/npm/cli/pull/6374

That shipped with npm@9.6.5.

As of right now though npx works as intended.

[markg85]

I might have been wrong, i still don't know.

I'm using npm from my package manager (Arch linux), npx comes from npm in that package. https://gitlab.archlinux.org/archlinux/packaging/packages/npm/-/blob/main/PKGBUILD

It does turn out that my version is 8.19.2 with no update on the arch side of things yet [1]

Using it this way does mean npx is installed globally. Does this mean that npx doesn't auto update a package that's already be used before? As that's the impression i get from @wraithgar reply.

[1] That's unique. It's flagged as out of date and usually an update is there in at most a couple weeks. This time things take longer apparently.

[wraithgar]

Your package manager appears to be at least a major version behind. We usually recommend using a node version manager to install node/npm and then using npm to update itself to the latest version.

https://docs.npmjs.com/cli/v9/configuring-npm/install

[markg85]

We usually recommend using a node version manager to install node/npm and then using npm to update itself to the latest version.

Why is that? That's the role of a package manager.

I get that switching between nodejs versions would be sweet and you'd need a fancy script for that to do that cleanly. But installing nodejs (and npm) should in my opinion be left to the distribution package manager.

In fact, that very page you linked to states for linux: "NodeSource installer (recommended)" is something i passionately disagree with. Besides that the project is named confusingly (you get binaries, not sources. So "NodeSource" is misleading at best). It also means you get generic installs which always hurt performance. Distribution specific installs at least have the option to go for optimal compiler flags. Lastly, no archlinux which only proves my point of this belonging into the distribution package manager, not a third party one.

Sorry for being a bit on the offensive here. This stuff - on a surface level, haven't dived deep into it - just has a lot of red flags for me.

[wesleytodd]

That's the role of a package manager.

@markg85 that is not the case here. Based on your comments, I would strongly recommend not using what ships with your linux version/package manager for managing your node version or npm version. These are not handled well by the varying linux distros. The best bet is something like nvm and then updating like @wraithgar mentioned.

The main reason is just that linux distros have a very different take on how they ship updates than runtimes like node.js (and this is not node.js specific, it applies to python, java, etc).

[ljharb]

@markg85 node is not officially distributed by any distributions, and as such, I'd suggest that you use the official installation method only - downloading from nodejs.org, which conveniently is what node version managers automate for you.

[markg85]

I'm not liking this... I am using nvm now, as per the suggestion of @wesleytodd and it does work just flawlessly and super fast!

But... I'm now manually in control of updates. My package manager won't do it as i'm outside of it now. I get that to some this is a feature, to some this is an annoyance. This much depends on how one wants to use it. I for example just want to have the latest version always and fix my node applications if they need fixing. So for me in my case this is an annoyance (have to manually update). But i totally get that this is an awesome feature for others.

Another potential issue is nvm breaking when i update my system. I hope that's not going to happen.

Oh well, i'll just keep using nvm for the time being.

But hey, i do now have the latest version of npx out of the "nvm box" :)

❯ npx --version
9.6.7