
[BUG] npm install doesn't use newer tagged version if package-lock.json contains older version of the package #3755

Closed
1 task done
andrew-potachits opened this issue Sep 14, 2021 · 3 comments
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 7.x work is associated with a specific npm 7 release

Comments


andrew-potachits commented Sep 14, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have added a dependency to my package.json and specified a version by tag, like this:

  "dependencies": {
    "npm": "latest-6"
  }

Then after some time I've changed the tag to newer version, like this:

  "dependencies": {
    "npm": "latest"
  }

At this point, the package-lock.json still references the older version. If I run npm install with npm@6, the package-lock.json gets updated to the latest versions.
However, if I do the same on a system with npm@7, the package-lock.json gets migrated to lockfileVersion 2, but the dependencies remain the same as before, so my application still references older versions of the dependent packages.

Expected Behavior

I expect that npm@7 will respect the tagged version in the package.json if there is a mismatch between package.json and package-lock.json.
At least, based on the comments of @zkat here, this is the expected behaviour of npm install.

Steps To Reproduce

  1. `npm init` and create an empty package.json
  2. add npm@latest-6 as a dependency - package-lock.json is generated with [email protected]
  3. change package.json to have npm@latest as a dependency
  4. run `npm install` with npm@7 - the package-lock.json still references [email protected]; older dependencies are installed
  5. run `npm install` with npm@6 - the package-lock.json is updated to [email protected]; latest dependencies are installed

Environment

  • OS: Windows 10 Pro (works), Windows Server 2012 (doesn't work)
  • Node: v14.16.1 (works), v10.16.3 (doesn't work)
  • npm: 6.14.12 (works), 7.23.0 (doesn't work)
@andrew-potachits andrew-potachits added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Sep 14, 2021
@wangxdmm

7.24.0 still doesn't work.

@wraithgar wraithgar added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Mar 16, 2022
@wraithgar (Member)

This is due to the nature of tags and the package-lock. When you install npm@latest-6, npm translates that tag into a version and installs that version. What ends up in the lockfile looks something like this:

  "packages": {
    "": {
      "name": "scratch",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "npm": "^6.14.16"
      }
    },
    "node_modules/npm": {
      "version": "6.14.16",
      "resolved": "https://registry.npmjs.org/npm/-/npm-6.14.16.tgz",
      "integrity": "sha512-LMiLGYsVNJfVPlQg7v2NYjG7iRIapcLv+oMunlq7fkXVx0BATCjRu7XyWl0G+iuZzHy4CjtM32QB8ox8juTgaw==",

The version itself is what is in the lockfile. This is because a tag is not idempotent, it can change. It has to be looked up at install time.

When you run a bare npm install, this kind of lookup is not done for tags. Only semver, version numbers, and git shas are used in comparisons to determine if the tree needs updating. That is because versions and shas always point to the same thing every time, unlike a tag. If we tried re-fetching the tag every install, two breaking changes would happen: the first is that your package-lock would change on npm install, and the second is that npm ci would start failing once the tag pointed to a different version.

The solution is that if you are using tags in your package.json, and you have a lockfile, you need to npm install [dependency] if you want your lockfile to update.

The same issue happens with git tags and you can read my comment there which explains this from the perspective of git dependencies.
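To make the rule in the comment above concrete, here is an added example (not npm's or arborist's code) that models the decision a bare install makes: a locked entry is compared against the package.json spec only when that spec is a version, a semver range or a git spec with a commit sha; a dist-tag such as `latest` or `latest-6` is never re-resolved, so the locked version survives even after the tag moves. It also shows what the explicit `npm install <dependency>` path does instead (look the tag up) and ends with the check a team would run before relying on `npm ci`: list dependencies pinned by tag whose lockfile version no longer matches the tag's current target. All data in the block is constructed for the demo; the only values taken from the thread are the tags and the locked version 6.14.16, and the `9.9.9` dist-tag target is a placeholder, not a real release.

```javascript
// Added example modelling the lockfile reconciliation rule described in the thread.
// Not npm's implementation: the semver support is deliberately minimal (exact, ^, ~, *).

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse "x.y.z" into [x, y, z]; null for anything else (prereleases not modelled).
function parseVersion(v) {
  const m = SEMVER.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify a package.json spec by what the install comparison can do with it:
// 'version' and 'range' compare offline against the lockfile, 'git' compares when
// it carries a commit sha, 'tag' (a registry dist-tag) needs a network lookup.
function classifySpec(spec) {
  if (/^(git\+|git:\/\/|github:)|^[\w.-]+\/[\w.-]+(#|$)/.test(spec)) return 'git';
  if (parseVersion(spec)) return 'version';
  if (spec === '*' || /^[\^~]\d+\.\d+\.\d+$/.test(spec)) return 'range';
  if (/^[A-Za-z][\w.-]*$/.test(spec)) return 'tag'; // latest, latest-6, next, ...
  throw new Error(`range syntax not modelled: ${spec}`);
}

// ^ bumps the leftmost non-zero component, ~ bumps the minor component.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base) return false;
  if (!op) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// The bare-install rule from the thread: versions, ranges and git shas are compared
// against the lock entry; a dist-tag (or a git ref without a sha) is not re-resolved,
// so the existing entry is kept even if the tag has since moved.
function needsRefetch(spec, lockEntry) {
  switch (classifySpec(spec)) {
    case 'version':
    case 'range':
      return !satisfies(lockEntry.version, spec);
    case 'git': {
      const sha = /#([0-9a-f]{40})$/.exec(spec);
      return sha ? !lockEntry.resolved.endsWith(`#${sha[1]}`) : false;
    }
    case 'tag':
      return false;
  }
}

// What `npm install <dependency>` does instead: resolve the tag against the registry
// now. `registry` is an offline snapshot shaped like a packument's "dist-tags" field.
function resolveTag(name, tag, registry) {
  const version = registry[name]?.['dist-tags']?.[tag];
  if (!version) throw new Error(`no dist-tag ${tag} for ${name}`);
  return version;
}

// Pre-`npm ci` check: dependencies pinned by dist-tag whose locked version differs
// from what the tag points at today. Empty result means the lockfile is current.
function auditDistTags(pkg, lock, registry) {
  const stale = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (classifySpec(spec) !== 'tag') continue;
    const locked = lock.packages[`node_modules/${name}`]?.version;
    const current = resolveTag(name, spec, registry);
    if (locked !== current) stale.push({ name, spec, locked, current });
  }
  return stale;
}

// Constructed state after the reporter's steps 2-3: package.json moved to "latest",
// the lockfile still holds the version that "latest-6" resolved to.
const samplePkg = { dependencies: { npm: 'latest' } };
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { npm: '^6.14.16' } },
    'node_modules/npm': { version: '6.14.16', resolved: 'https://registry.npmjs.org/npm/-/npm-6.14.16.tgz' },
  },
};
// Constructed registry snapshot; 9.9.9 is a placeholder target for "latest".
const sampleRegistry = { npm: { 'dist-tags': { 'latest-6': '6.14.16', latest: '9.9.9' } } };

console.log('bare install refetches npm?', needsRefetch('latest', sampleLock.packages['node_modules/npm']));
console.log('stale tag pins:', auditDistTags(samplePkg, sampleLock, sampleRegistry));
```

Running the block prints `false` for the bare-install question, which is the behaviour the reporter observed, and one stale entry for `npm` (locked 6.14.16, tag now 9.9.9), which is the signal you want from a lockfile-freshness check in CI rather than discovering it from an outdated install.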

@aovchinn

aovchinn commented May 31, 2023

Can we get a flag for npm install that would also look up and update tags?
Like npm install --update-dist-tags?

It was working like that in npm 6.
