This repository has been archived by the owner on Aug 11, 2022. It is now read-only.
no possibility to update just the package-lock.json beside deleting, and recreating it
#17487
Open
I'm opening this issue because:
What's going wrong?
As already mentioned by @eamodio here there seems to be a misconception in how updates of the dependencies are handled right now. Or at least, there is a valid (IMHO the most valid) scenario, that is currently not supported.
In my opinion, if you've created a semver range-declaration (either way if it is done manually or automatically) for a dependency, you would like to update the dep-reference inside of the package-lock.json according to your semver-rules from time to time.
So for example let's take a package declaration like this for is-promise, which exists in a greater version of 2.1.0 at this moment.
package.json
package-lock.json
Running npm update --no-save, will
2.1.0 to the node_modules folder
package-lock.json (which I think is wrong)
Calling npm update --save (or npm install is-promise --save) will
2.1.0 to the node_modules folder
package-lock.json (which I consider right)
package.json to the latest version (which I consider right for --save)
So --save is definitely doing what it should, but --no-save in my opinion is definitely not.
While that may be a wanted solution for some people too, to install libs, they don't want to be referenced in the package-lock.json at all, this behaviour is really a missing piece. Maybe it is necessary to introduce a new config-option to not break the former behaviour.
How can the CLI team reproduce the problem?
create the initial dependency settings:
try to update only the package-lock.json
Afterwards, the package-lock.json still references is-promise@2.0.0, but the node_modules-Folder contains is-promise@2.1.0.
supporting information:
npm -v prints: 5.0.4
node -v prints: v8.0.0
npm config get registry prints: https://registry.npmjs.org/