[BUG] npm update --depth breaks dependencies

[zypA13510]

What / Why

NPM reports unmet dependency after performing a recursive/deep update

When

• After running npm --depth 9999 update

Where

• n/a

How

Current Behavior

• After update, npm ls reports a lot of missing/unmet dependencies, for example:

  ├─┬ @semantic-release/exec@3.3.8
  │ ├── @semantic-release/error@2.2.0 deduped
  │ ├── aggregate-error@3.0.1 deduped
  │ ├─┬ debug@4.1.1
  │ │ └── ms@2.1.2
  │ ├─┬ UNMET DEPENDENCY execa@3.3.0
  

  npm ERR! missing: execa@3.3.0, required by @semantic-release/exec@3.3.8
  

Steps to Reproduce

1. Create a folder locally and run npm init
2. Install a package with more than one level of dependencies, e.g. npm i -D @semantic-release/exec
3. Wait for one of their deep dependencies to get a newer version
4. Run npm --depth 9999 update

Expected Behavior

• There shouldn't be any unmet dependencies. Updates are performed according to the package.json file of their parent or any npm-shrinkwrap.json of their ancestor.
• In another word, it should act as if there is no package-lock.json and proceed to resolve all dependencies, install/update/remove as necessary, and then update the lockfile with the resolved tree.

Who

• n/a

References

• n/a

[pahan35]

Looks like I've prepared duplicated issue

What / Why

Command npm update --depth <number> loses dev: true for updated devDependencies dependencies.

When

• Whenever I use npm update --depth <number> for packages with not fresh devDependencies dependencies

Where

• npm public registry

How

Current Behavior

It loses dev: true for updated devDependencies dependencies

Steps to Reproduce

1. Take this repo https://github.com/pahan35/npm-bugs
2. Checkout branch loses-dev-for-dev-deps
3. Run npm i
4. Run npm update --depth 7

Expected Behavior

I expect that this action should keep dev: true for updated devDependencies dependencies

References

Possibly related to #944

[tflori]

I'm also experiencing that npm update forgets the dev flag for the dependencies when --depth is greater than 0. Maybe it is not necessary for lower depth?

[tflori]

I found out that the dev flag is restored after reinstalling the node modules (rm -rf node_modules; npm install)

[Ulrikop]

I see the same issue of loosing the dev flag after using npm update --depth but only for dev dependencies of my project which are real dependencies at an other dependency.

In my case an other dependency adds "@types/node" as dependency but at my project has it as dev dependency:

package.json of dependency "a":

{
  name: "a",
  dependencies: {
    "@types/node": ">=5.10"
  }
}

my project:

{
  dependencies: {
    "a": "1.0.0"
  },

  devDependencies: {
    "@types/node": "^12.0.0",
    "somethingElse": "1.0.0"
  }
}

after npm update --depth=99 the dev flag is ok for somethingElse but it is wrong for @type/node

edit: npm install seems to store the @types/node as dev dependency at the root + as dependency at nested node_module at component "a".
npm update installes it only once as dependency at root

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.