[BUG] npm -g update serverless@pre-3 wipes global node_modules #4240

mnapoli opened this issue Jan 17, 2022 · 12 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@mnapoli

mnapoli commented Jan 17, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Running npm -g update serverless@pre-3 wipes the content of the global node_modules directory (/usr/local/lib/node_modules).

Here is a log file of the command: https://gist.github.com/mnapoli/0170614e3f4ab1915a82783bf871d033

Here is what I tried to pinpoint the problem:

  • no problem with a local install (npm update serverless@pre-3)
  • npm -g i pure-prompt works
  • npm -g update pure-prompt works
  • npm -g i serverless works
  • npm -g update serverless works
  • npm -g i serverless@pre-3 works
  • npm -g update serverless@pre-3 ❌ wipes everything
  • yarn global add serverless works
  • yarn global update serverless@pre-3 works

Expected Behavior

Nothing should be removed, the package should be installed.

Steps To Reproduce

Run:

npm -g update serverless@pre-3

Now all global dependencies are gone (e.g. serverless, npm, etc.). The global folder /usr/local/lib/node_modules still exists, but it's empty.

I have to reinstall NPM and reinstall all global NPM dependencies.

Environment

  • npm: 8.3.0
  • Node.js: v17.3.1
  • OS Name: macOS
  • System Model Name: Big Sur 11.6.2
  • npm config:
; "builtin" config from /usr/local/lib/node_modules/npm/npmrc

prefix = "/usr/local"

; "user" config from /Users/matthieu/.npmrc

//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)

; node bin location = /usr/local/Cellar/node/17.3.1/bin/node
; cwd = /Users/matthieu/dev/PHP/bref
; HOME = /Users/matthieu
; Run `npm config ls -l` to show all defaults.
@mnapoli mnapoli added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jan 17, 2022
@ljharb
Contributor

ljharb commented Jan 17, 2022

Use install, not update. npm update -g doesn’t make sense as a command because there’s no global package.json to update.

@mnapoli
Author

mnapoli commented Jan 17, 2022

Thanks for the quick response. I would follow up with 2 separate questions:

  1. Would npm -g install make sure to upgrade dependencies of the package too? The official npm documentation recommends using npm -g update anyway so it sounds like a valid use case.
  2. Even if that works with install, the fact that update wipes all global dependencies is a problem, right?

@ljharb
Contributor

ljharb commented Jan 17, 2022

Yea, installing a package always must install its dependencies also, or it’d never work.

Yes, I agree that’s still a problem.

@mnapoli
Author

mnapoli commented Jan 17, 2022

> Yea, installing a package always must install its dependencies also, or it’d never work.

We are talking about update, not installation. This is when a package is already installed.

@ljharb
Contributor

ljharb commented Jan 17, 2022

The same remains true. Updating is never anything more than “installing the new version”, in any software I’m aware of, but especially in npm.

@mnapoli
Author

mnapoli commented Jan 18, 2022

I reproduced it in a Docker container:

docker run --rm -it --entrypoint=bash ubuntu

In the container, I installed latest Node and NPM (https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-20-04), then ran:

npm -g i serverless@pre-3
npm -g update serverless@pre-3

Result: /usr/local/lib/node_modules is removed entirely.

@mnapoli
Author

mnapoli commented Jan 18, 2022

This seems to actually be caused by the @ in the update command. It can be reproduced with other packages:

npm -g update typescript

☝️ no problem

npm -g update typescript@4

☝️ wipes everything

It seems to be a duplicate of #3175

@mnapoli mnapoli closed this as completed Jan 18, 2022
ruyadorno added a commit to ruyadorno/cli that referenced this issue Jan 21, 2022
Arborist update does not support anything other than dependency names,
that is confusing to some users that are used to provide semver ranges
when using `npm install` and other commands.

This changeset adds validation to the values provided as arguments in
`npm update` and will throw a `EUPDATEARGS` error in case the user tries
to use semver ranges, e.g: `npm update [email protected]`

Relates to: npm#4240
ruyadorno added a commit that referenced this issue Jan 26, 2022
* feat(arborist): add named updates validation

Arborist update does not support anything other than dependency names,
that is confusing to some users that are used to provide semver ranges
when using `npm install` and other commands.

This changeset adds validation to the values provided as arguments in
`npm update` and will throw a `EUPDATEARGS` error in case the user tries
to use semver ranges, e.g: `npm update [email protected]`

Relates to: #4240
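
The commit message above describes rejecting anything other than a dependency name in `npm update`. A minimal sketch of that kind of check, as an added example that is not npm's or Arborist's own code: `classifyUpdateArg`, `checkUpdateArgs` and the simplified name pattern are assumptions, and the scoped names in the sample list are constructed. The detail worth seeing is that a leading `@` belongs to a scope, so only an `@` after the first character separates a version, range or tag.

```javascript
// Added example (not npm's code): accept only bare dependency names for
// `update`, and reject anything that carries a version, range or tag.
// classifyUpdateArg and checkUpdateArgs are hypothetical names.

// Simplified pattern for modern package names, with optional "@scope/" prefix.
// Assumption: legacy names with uppercase letters are out of scope here.
const BARE_NAME = /^(?:@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/;

function classifyUpdateArg(arg) {
  if (BARE_NAME.test(arg)) return { arg, ok: true, reason: 'bare name' };
  // A leading "@" starts a scope, so a version separator is an "@" after index 0.
  const at = arg.indexOf('@', 1);
  if (at !== -1 && BARE_NAME.test(arg.slice(0, at))) {
    return { arg, ok: false, reason: `name with spec "${arg.slice(at + 1)}"` };
  }
  return { arg, ok: false, reason: 'not a package name' };
}

// Throw before any work on the tree is done if one argument is not a bare name.
function checkUpdateArgs(args) {
  const bad = args.map(classifyUpdateArg).filter((r) => !r.ok);
  if (bad.length > 0) {
    const detail = bad.map((r) => `${r.arg} (${r.reason})`).join(', ');
    const err = new Error(`update arguments must be package names only: ${detail}`);
    err.code = 'EUPDATEARGS'; // error code named in the commit message above
    throw err;
  }
  return args;
}

// Arguments taken from this thread, plus constructed scoped names.
const samples = ['typescript', 'gulp-cli', 'typescript@4', 'serverless@pre-3',
  '@scope/pkg', '@scope/pkg@1'];
for (const s of samples) {
  const r = classifyUpdateArg(s);
  console.log(`${s.padEnd(18)} ${r.ok ? 'accept' : 'reject'}  ${r.reason}`);
}
```
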
@mryellow

mryellow commented Feb 2, 2022

Same without the @

npm update -g gulp-cli

removed 636 packages, and audited 1 package in 2s

found 0 vulnerabilities

@ruyadorno
Contributor

@mryellow what version of npm are you using? This should have been fixed as of [email protected]

@mryellow

mryellow commented Feb 3, 2022

8.1.2 it would appear. That's what nvm installs with node 16.13.2.

@ljharb
Contributor

ljharb commented Feb 3, 2022

@mryellow try nvm install-latest-npm

@mryellow

mryellow commented Feb 3, 2022

All good I can avoid running global updates.

Strangely it even removed npm itself, though I managed to recover with:

nvm use 8
nvm uninstall 16.13.2
nvm install 16
