[BUG] npm -g update serverless@pre-3 wipes global node_modules

[mnapoli]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running npm -g update serverless@pre-3 wipes the content of the global node_modules directory (/usr/local/lib/node_modules).

Here is a log file of the command: https://gist.github.com/mnapoli/0170614e3f4ab1915a82783bf871d033

Here is what I tried to pinpoint the problem:

• no problem with a local install (npm update serverless@pre-3)
• npm -g i pure-prompt works
• npm -g update pure-prompt works
• npm -g i serverless works
• npm -g update serverless works
• npm -g i serverless@pre-3 works
• npm -g update serverless@pre-3 ❌ wipes everything
• yarn global add serverless works
• yarn global update serverless@pre-3 works

Expected Behavior

Nothing should be removed, the package should be installed.

Steps To Reproduce

Run:

npm -g update serverless@pre-3

Now all global dependencies are gone (e.g. serverless, npm, etc.). The global folder /usr/local/lib/node_modules still exists, but it's empty.

I have to reinstall NPM and reinstall all global NPM dependencies.

Environment

• npm: 8.3.0
• Node.js: v17.3.1
• OS Name: macOS
• System Model Name: Bug Sur 11.6.2
• npm config:

; "builtin" config from /usr/local/lib/node_modules/npm/npmrc

prefix = "/usr/local"

; "user" config from /Users/matthieu/.npmrc

//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)

; node bin location = /usr/local/Cellar/node/17.3.1/bin/node
; cwd = /Users/matthieu/dev/PHP/bref
; HOME = /Users/matthieu
; Run `npm config ls -l` to show all defaults.

[ljharb]

Use install, not update. npm update -g doesn’t make sense as a command because there’s no global package.json to update.

[mnapoli]

Thanks for the quick response. I would follow up with 2 separate questions:

1. Would npm -g install make sure to upgrade dependencies of the package too? The official npm documentation recommends using npm -g update anyway so it sounds like a valid use case.
2. Even if that works with install, the fact that update wipes all global dependencies is a problem, right?

[ljharb]

Yea, installing a package always must install its dependencies also, or it’d never work.

Yes, i agree that’s still a problem.

[mnapoli]

Yea, installing a package always must install its dependencies also, or it’d never work.

We are talking about update, not installation. This is when a package is already installed.

[ljharb]

The same remains true. Updating is never anything more than “installing the new version”, in any software I’m aware of, but especially in npm.

[mnapoli]

I reproduced it in a Docker container:

docker run --rm -it --entrypoint=bash ubuntu

In the container, I installed latest Node and NPM (https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-20-04), then ran:

npm -g i serverless@pre-3
npm -g update serverless@pre-3

Result: /usr/local/lib/node_modules is removed entirely.

[mnapoli]

This seems to actually be caused by the @ in the update command. It can be reproduced with other packages:

npm -g update typescript

☝️ no problem

npm -g update typescript@4

☝️ wipes everything

It seems to be a duplicate of #3175

[mryellow]

Same without the @

npm update -g gulp-cli

removed 636 packages, and audited 1 package in 2s

found 0 vulnerabilities

[ruyadorno]

@mryellow what version of npm are you using? This should have been fixed as of npm@8.4.0

[mryellow]

8.1.2 it would appear. That's what nvm installs with node 16.13.2.

[ljharb]

@mryellow try nvm install-latest-npm

[mryellow]

All good I can avoid running global updates.

Strangely it even removed npm itself, though I managed to recover with:

nvm use 8
nvm uninstall 16.13.2
nvm install 16