
Why aren't all node packages updated to the latest version when running npm update?


Environment

Windows 10 Home
Node v10.13.0
NPM 6.4.1

Desired Behaviour

Update all node packages.

Actual Behaviour

Not all packages are being updated.

What I've Tried

npm update per information in this post:

npm install vs. update - what's the difference?

Before running npm update:

$ npm outdated
Package                      Current   Wanted   Latest  Location
babel-loader                   7.1.4    7.1.5    8.0.5  my_folder
bcrypt                         3.0.0    3.0.4    3.0.4  my_folder
body-parser                   1.18.2   1.18.3   1.18.3  my_folder
clipboard                      2.0.1    2.0.4    2.0.4  my_folder
cors                           2.8.4    2.8.5    2.8.5  my_folder
css-loader                   0.28.11  0.28.11    2.1.0  my_folder
date-fns                      1.29.0   1.30.1   1.30.1  my_folder
dompurify                      1.0.8   1.0.10   1.0.10  my_folder
express                       4.16.3   4.16.4   4.16.4  my_folder
file-loader                   1.1.11   1.1.11    3.0.1  my_folder
file-saver                     1.3.8    1.3.8    2.0.1  my_folder
helmet                        3.13.0   3.15.1   3.15.1  my_folder
hotkeys-js                     3.3.8    3.4.4    3.4.4  my_folder
jsonwebtoken                   8.2.1    8.5.0    8.5.0  my_folder
less                           3.0.4    3.9.0    3.9.0  my_folder
mongodb                        3.1.6   3.1.13   3.1.13  my_folder
nodemailer                     4.6.8    4.7.0    5.1.1  my_folder
socket.io                      2.1.1    2.2.0    2.2.0  my_folder
style-loader                  0.21.0   0.21.0   0.23.1  my_folder
uglifyjs-webpack-plugin        1.2.5    1.3.0    2.1.2  my_folder
uikit                    3.0.0-rc.24    3.0.3    3.0.3  my_folder
url-loader                     1.0.1    1.1.2    1.1.2  my_folder
validator                     10.8.0  10.11.0  10.11.0  my_folder
webpack                       4.19.1   4.29.6   4.29.6  my_folder
webpack-cli                    2.1.5    2.1.5    3.2.3  my_folder

package.json before running npm update:

"dependencies": {
  "bcrypt": "^3.0.0",
  "body-parser": "^1.18.2",
  "clipboard": "^2.0.1",
  "cors": "^2.8.4",
  "date-fns": "^1.29.0",
  "dompurify": "^1.0.8",
  "express": "^4.16.3",
  "file-saver": "^1.3.8",
  "helmet": "^3.13.0",
  "hotkeys-js": "^3.3.8",
  "jquery": "^3.3.1",
  "js-cookie": "^2.2.0",
  "jsonwebtoken": "^8.2.1",
  "markdown-it": "^8.4.2",
  "markdown-it-attrs": "^2.3.2",
  "mongodb": "^3.1.6",
  "nodemailer": "^4.6.8",
  "rename-keys": "^2.0.1",
  "socket.io": "^2.1.1",
  "validator": "^10.8.0"
},
"devDependencies": {
  "babel-cli": "^6.26.0",
  "babel-core": "^6.26.3",
  "babel-loader": "^7.1.4",
  "babel-preset-env": "^1.7.0",
  "babel-preset-stage-0": "^6.24.1",
  "css-loader": "^0.28.11",
  "expose-loader": "^0.7.5",
  "file-loader": "^1.1.11",
  "less": "^3.0.4",
  "less-loader": "^4.1.0",
  "style-loader": "^0.21.0",
  "uglifyjs-webpack-plugin": "^1.2.5",
  "uikit": "^3.0.0-rc.24",
  "url-loader": "^1.0.1",
  "webpack": "^4.19.1",
  "webpack-cli": "^2.1.5"
}

After running npm update:

$ npm outdated
Package                  Current   Wanted  Latest  Location
babel-loader               7.1.5    7.1.5   8.0.5  my_folder
css-loader               0.28.11  0.28.11   2.1.0  my_folder
file-loader               1.1.11   1.1.11   3.0.1  my_folder
file-saver                 1.3.8    1.3.8   2.0.1  my_folder
nodemailer                 4.7.0    4.7.0   5.1.1  my_folder
style-loader              0.21.0   0.21.0  0.23.1  my_folder
uglifyjs-webpack-plugin    1.3.0    1.3.0   2.1.2  my_folder
webpack-cli                2.1.5    2.1.5   3.2.3  my_folder

Why aren't these packages being updated to the latest version when running npm update?

How do I update them to the latest version?

Context

I've been away from a development project for around 3 months and, when attempting to run npm start on my local machine, got the error:

Error: EPERM: operation not permitted, open 'C:\Users\Me\AppData\Roaming\npm\node_modules\nodemon\node_modules\flatmap-stream\index.min.js'

It seems the event-stream node package was 'hijacked' (see related GitHub issue here).

My antivirus program Bitdefender had indeed deleted the offending file:

Item was deleted.  
Threat name:  
Trojan.Agent.DQGP.
C:\Users\Me\AppData\Roaming\npm\node_modules\nodemon\node_modules\flatmap-stream\index.min.js

So I decided to update all node packages in the hope that the offending package would be removed and updated to the latest 'clean' version.


Solution

  • It behaves the way it is expected to.

    If you look at the packages which you've mentioned as "not getting updated", and refer to their respective entry in your package.json, you can see they are prefixed with a ^ (caret operator) which will only update them to the most recent major version (of the first number).

    For example, if you take the package babel-loader, your package.json has the version "^7.1.4" tagged against it. And the most recent major version of babel-loader's ^7.X.X is => 7.1.5

    You can check the version history (of babel-loader) here => https://www.npmjs.com/package/babel-loader/v/8.0.0-beta.1

    The above also applies to the other packages that start with ^ in your package.json, such as:

    css-loader
    file-loader
    file-saver
    nodemailer
    style-loader
    uglifyjs-webpack-plugin
    webpack-cli
    

    Hope this helps!
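
The caret rule described in the answer above, worked through on the question's own numbers. This is an added example, not code from the original answer or from npm; the function names are hypothetical and the candidate versions are only those visible in the question's first `npm outdated` table. It also covers two cases the answer does not spell out: for 0.x versions the caret pins the minor number, and components are compared numerically (1.0.10 is newer than 1.0.8).

```javascript
// Added example: caret ranges resolved by hand, without the semver package.
// Simplification (assumption): prerelease versions are never candidates, and
// a prerelease base such as 3.0.0-rc.24 is compared by its x.y.z tuple only.
function parse(version) {
  const [core, pre] = version.split('-', 2);
  return { tuple: core.split('.').map(Number), pre: pre || null };
}
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Exclusive upper bound of ^base: bump the leftmost non-zero component.
function caretCeiling([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(version, range) {
  const v = parse(version);
  if (v.pre) return false;
  const base = parse(range.slice(1)).tuple;
  return compare(v.tuple, base) >= 0 && compare(v.tuple, caretCeiling(base)) < 0;
}

// Highest candidate inside the range: the "Wanted" column of `npm outdated`.
function wanted(range, candidates) {
  const ok = candidates.filter((c) => satisfiesCaret(c, range));
  ok.sort((a, b) => compare(parse(a).tuple, parse(b).tuple));
  return ok.length ? ok[ok.length - 1] : null;
}

// Ranges from the question's package.json; candidates are only the
// Current/Wanted/Latest values of its first `npm outdated` table.
const rows = [
  ['babel-loader', '^7.1.4', ['7.1.4', '7.1.5', '8.0.5']],
  ['style-loader', '^0.21.0', ['0.21.0', '0.23.1']],
  ['dompurify', '^1.0.8', ['1.0.8', '1.0.10']],
  ['uikit', '^3.0.0-rc.24', ['3.0.0-rc.24', '3.0.3']],
  ['nodemailer', '^4.6.8', ['4.6.8', '4.7.0', '5.1.1']],
];

function report() {
  return rows.map(([name, range, versions]) => ({
    name, range, wanted: wanted(range, versions),
    latestInRange: satisfiesCaret(versions[versions.length - 1], range),
  }));
}

console.table(report());
```

Rows where `latestInRange` is false are the ones still listed by `npm outdated` after `npm update` in the question; moving them requires an explicit `npm install <name>@latest`, which also rewrites the range in package.json.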