Update overwriting tilde version number with caret

[patrickhousley]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

When I run npm install, it is not installing the latest version of dependencies that use the ~ in the version. When I run npm update, it is updating the version in the package.json for dependencies that use ~ to ^.

How can the CLI team reproduce the problem?

1. npm init a new directory
2. Add "@angular/common": "4.2.0" to the package.json as a dependency
3. npm i
4. Change the dependency version to "~4.2.0"
5. npm i
6. Observe the latest patch version of the dependency was not installed. The version in the package-lock.json was respected. This is inconsistent with how the package-lock.json is treated when using version numbers with a ^.
7. npm update
8. Observe the dependency version number was updated to ^4.2.6. npm update should not change the ~ to ^.

supporting information:

• npm -v prints: 5.6.0
• node -v prints: 8.9.3
• npm config get registry prints: https://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: Windows
• Network issues:
  • Geographic location where npm was run:
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container:
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).

[kenany]

This is inconsistent with how the package-lock.json is treated when using version numbers with a ^.

If I use ^ instead of ~, the dep stays at 4.2.0, which is consistent with the ~ behavior.

npm update should not change the ~ to ^

What is the output of npm config get save and npm config get save-prefix? You probably have the former set to true, and the latter set to ^, which seems like this isn't what you actually want?

[patrickhousley]

$ npm config get save
true

$ npm config get save-prefix
^

I do want the former to be true. Is it possible I am misunderstanding the docs? Specifically, the caret and tilde sections.

My understanding is that ^4.2.0 will match on anything >=4.2.0 and anything <5 while ~4.2.0 will match on anything >=4.2.0 sand anything <4.3. I want to be able to restrict npm to only taking patch updates.

That said, I would also argue that the prefix used in the package.json should override the save-prefix setting. The only time I would expect the save-prefix setting to apply would be when I first add a dependency with npm install @angular/core.

[kenany]

May be a duplicate of #18603 and #19211.

[patrickhousley]

@kenany I would agree but I am also reporting an issue with npm install not installing the latest version for tilde version like it does with caret versions. I will leave closing to your discretion.