ng update adds a fake dependency/package

[ChrisMBarr]

Command

update

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

I have a monorepo with several angular apps, and I added an NPM script to run ng update for me. I made a script on the root monorepo level to run the script on all of the child applications. When I do this, it always seems to ADD a fake dependency to each of the app package.json files which is the name of that project

Minimal Reproduction

On the root level package I have this NPM script

"update-angular-apps": "npm run update-angular --prefix ./app-1 && npm run update-angular --prefix ./app-2 && npm run update-angular --prefix ./app-3",

And here is what the individual app package files look like

{
  "name": "name-of-app-2",
  "private": true,
  "author": "Me",
  "description": "My App #2",
  "homepage": "https://company.com/app-2",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/redacted/app-2.git"
  },
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "update-angular": "ng update @angular/cli @angular/core @angular/material --allow-dirty",
    "lint": "ng lint --fix --max-warnings=0",
  },
  "dependencies": {
    "@angular/animations": "^19.2.12",
    "@angular/cdk": "^19.2.17",
    "@angular/common": "^19.2.12",
    "@angular/compiler": "^19.2.12",
    "@angular/core": "^19.2.12",
    "@angular/forms": "^19.2.12",
    "@angular/material": "^19.2.17",
    "@angular/platform-browser": "^19.2.12",
    "@angular/platform-browser-dynamic": "^19.2.12",
    "@angular/router": "^19.2.12",
    "@angular/service-worker": "^19.2.12",
    "zone.js": "^0.15.0"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^19.2.13",
    "@angular/cli": "^19.2.13",
    "@angular/compiler-cli": "^19.2.12"
  },
  "peerDependencies": {
    "rxjs": "*",
    "typescript": "*"
  }
}

From the root level I run npm run update-angular-apps and it modifies the package.json files with all the correct updates, and then after a little bit of time it adds a fake package to dependencies as a final step. It is formatted like

"name-of-app-2": "file:"

and I have to manually delete this and re-run npm install on each child application since it does add an entry to the package-lock.json file for this as well

Exception or Error

Your Environment

Angular CLI: 19.2.13
Node: 22.14.0
Package Manager: npm 10.9.1
OS: win32 x64

Angular: 19.2.12
... animations, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router
... service-worker

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.1902.13
@angular-devkit/build-angular     19.2.13
@angular-devkit/core              19.2.13
@angular-devkit/schematics        19.2.13
@angular/cdk                      19.2.17
@angular/cli                      19.2.13
@angular/material                 19.2.17
@angular/material-luxon-adapter   19.2.17
@schematics/angular               19.2.13
zone.js                           0.15.0

Anything else relevant?

The root package does NOT have any Angular packages installed on it, only the child apps have them. I'm not sure if this would matter or not. I mean, the upgrades do all work, it just adds some nonsense that I have to remove each time

[alan-agius4]

I'm sorry, but we can't reproduce the problem following the instructions you provided. Can you setup a minimal repro please?

You can read here why this is needed. A good way to make a minimal repro is to create a new app via ng new repro-app and adding the minimum possible code to show the problem. Then you can push this repository to github and link it here.

This might be related to your directory structure so its really important to get an accurate repro to diagnose this.

[ChrisMBarr]

ok, no problem. Here it is: https://github.com/ChrisMBarr/angular-cli-issue-30374-reproduction

You can run npm install and then run the script npm run update-angular-apps and it reproduces this behavior.

Here's a screenshot of the file diff after running this with the fake dependencies added:

[alan-agius4]

Hi @ChrisMBarr, thanks for the reproduction. Unfortunately, I am seeing unable to replicate this.

[ChrisMBarr]

You ran the script from the root level and not from each app, right?

I just downloaded my repo above on my home computer (Mac OS X) and I was not able to reproduce it here either. I am not sure what might be specific about running that command on my work computer. I am running Node 22 on this Mac, but I believe only Node 20 on my work machine, not sure if that would make a difference or not. Do you have any tips on what else I could look for on my work machine to see why this only happens there?

[ChrisMBarr]

Back on my work computer and I was wrong, I am also using Node 22 here. Just ran the script to update from 19.2.12 to 19.2.13 and it happened again

[jkrems]

One thing that confuses me a bit is why npm is a patch version behind in that output:

Package Manager: npm 10.9.1

That seems very minor but is weird. From all I can tell (including the release metadata), nodejs 22 should be shipping with npm v10.9.2, not npm v10.9.1.

[ChrisMBarr]

I just ran npm i npm -g and I am now updated to 11.4.1. I didn't realize I was that far behind.

With that, I opened up my linked reproduction repo and ran my update script. It still happens.

Here's what the inside of the package-lock.json file looks like at the top after running this

{
  "name": "app-2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app-2",
      "dependencies": {
        "@angular/animations": "19.2.13",
        "@angular/common": "19.2.13",
        "@angular/compiler": "19.2.13",
        "@angular/core": "19.2.13",
        "@angular/forms": "19.2.13",
        "@angular/platform-browser": "19.2.13",
        "@angular/platform-browser-dynamic": "19.2.13",
        "@angular/router": "19.2.13",
        "app-2": "file:",
        "rxjs": "*",
        "tslib": "2.3.0",
        "zone.js": "~0.15.0"
      },
      "devDependencies": {
        "@angular-devkit/build-angular": "19.2.13",
        "@angular/cli": "19.2.13",
        "@angular/compiler-cli": "19.2.13"
      },
      "peerDependencies": {
        "rxjs": "*",
        "typescript": "*"
      }

And then scrolling way down, it adds this:

"node_modules/app-2": {
  "resolved": "",
  "link": true
},

And even more wild... there actually is a folder for this in my node_modules! It appears to just copy the whole app folder into itself

[alan-agius4]

Hi @ChrisMBarr,
I'm not sure what's happening here. I tried replicating the issue on two machines (Linux and Windows), but I wasn't able to reproduce what you're experiencing.

[ChrisMBarr]

@alan-agius4 I'm not sure either. I was also not able to reproduce this on my personal Mac machine, but this is still happening on my work Windows machine.

We are about to move to angular 20. I need to see if this still happens after that upgrade. I also need to see if this happens with any of my coworkers of if it really is just my machine