[BUG] `npm update` only edits package-lock.json, not package.json about cli HOT 8 OPEN

This is the documented behaviour. Try adding --save.

https://docs.npmjs.com/cli/v10/commands/npm-update

Note that by default npm update will not update the semver values of direct dependencies in your project package.json. If you want to also update values in package.json you can run: npm update --save (or add the save=true option to a configuration file to make that the default behavior).

from cli.

Hey @shadowspawn thanks for the info, npm update --save also isn't updating package.json

The bug appears to be affecting dependabot's behavior too: dependabot/dependabot-core#9071

Sometimes dependabot updates both files:
Bump @adamlui/scss-to-css from 1.1.1 to 1.2.0
Bump @adamlui/minify.js from 1.0.1 to 1.0.2

...and sometimes it doesn't:
Bump @adamlui/scss-to-css from 1.0.1 to 1.2.0
Bump sass from 1.70.0 to 1.71.0 in /scss-to-css

from cli.

Wait nvm those were sub-dependencies and my main ones were already up-to-date, I tested down-bumping then --save worked to edit both files. But do you know if Dependabot's glitched behavior is due to a npm cli bug?

from cli.

Also if a user is using --save and sub-dependencies are being bumped, shouldn't it be expected they want the sub-dependency's package.json' to save this new tree?

from cli.

I am seeing two behaviors from my workflow and maybe this is related. I am using node@20 and [email protected]

--save works with the npm update command, however, if I set save=true in my .npmrc file, it does not pick up the setting. And --save doesn't work for workspaces. e.g. npm update prettier --save -w my_workspace_1 will only update package-lock file.

from cli.

I'm having a very similar issue, if I run npm up --save some dependencies are getting updated in package.json but some don't.

In this example if you run npm up --save - vite will be updated but vitest wont. They both get updated in package-lock.json as they should.

https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package.json
https://raw.githubusercontent.com/HristoKolev/vite-workshop/e0079a98e32ef069ca20e66c9223836132a37d1b/package-lock.json

• npm: 10.2.4
• Node.js: v20.11.0
• OS Name: Windows 11 Pro
• npm config:

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.11.0
; npm local prefix = C:\Users\hristo
; npm version = 10.2.4
; cwd = C:\Users\hristo
; HOME = C:\Users\hristo
; Run `npm config ls -l` to show all defaults.

from cli.

I also found this behavior surprising.
Instead of npm update <package> I now use npm install <package>@<version> to make sure the package json is updated but it's less conveniant because I need to look up the version first.

from cli.

In my case npm update --save does update (some!!!!!) packages but not others. I'm using version 10.8.0 on MacOS Sonoma 14.5 with node 20.11.1

Repro steps using an Angular app as sample project:

0. Install angular cli if not already in place > npm install -g @angular/cli
1. Create an empty angular app > ng new my-app and selecy any option in the setup wizard (will not affect the result)
2. Move to the new working folder > cd my-app
3. Check the created package.json > it should reference tslib: ^2.3.0 as dependency
4. Check the actual installed version of tslib and zone.js > npm list and look for tslib and zone.js
5. Eventually, for the sake of the issue, force the proper tslib version > npm install [email protected]
6. Eventually, for the sake of the issue, force the proper zone.js version > npm install [email protected]
7. Check all dependencies for tslib allow for latest version of tslib (2.6.2 at this moment) > npm list tslib
8. Run npm update --save
9. Check your package.json file and notice that zone.js version is up to date but tslib is not
10. Check the actual installed version of tslib and zone.js are BOTH up to date > npm list and look for tslib and zone.js

from cli.