Unintended package-lock.json updates when using npm workspaces

[ksugawara61]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I'm experiencing an issue with package-lock.json updates when using npm workspaces in my project. Specifically, the updates do not behave as expected with regards to dependency version management in the workspace subprojects.

Issue Details:

• My project is structured to use npm workspaces, specifying subproject paths in the workspaces field of the root package.json.
• In these subprojects, the package.json files contain version specifications for dependencies, such as "date-fns": "^3.2.0".
• When running Renovate, I expect it to update the package-lock.json files with new versions of dependencies, such as upgrading date-fns to version 3.6.0, without altering the original version range specified in the package.json files.

Unexpected Behavior:

• However, after Renovate runs, not only is the package-lock.json updated to reflect the new version of date-fns (as expected), but the package.json in the affected workspace also gets its version specifier updated from "date-fns": "^3.2.0" to "date-fns": "^3.6.0", which is unintended.
• This modification of the package.json version specifier goes beyond my expectations, as I wish to maintain the original version range in package.json and only have the exact dependency versions managed through package-lock.json.
• And, the PR created by renovate only commits changes to package-lock.json even though the subproject's package.json has been updated.

Is there a specific configuration or a known issue with Renovate's handling of npm workspaces that could lead to this behavior?

I have created a simple project below that reproduces the problem.
ksugawara61/renovate-npm-workspaces-sandbox#3

The expected and actual results are below.

expected results

$ git diff
diff --git a/package-lock.json b/package-lock.json
index 5ca9b4a..8d9eed5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -168,9 +168,9 @@
       "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
     },
     "node_modules/date-fns": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-3.2.0.tgz",
-      "integrity": "sha512-E4KWKavANzeuusPi0jUjpuI22SURAznGkx7eZV+4i6x2A+IZxAMcajgkvuDAU1bg40+xuhW1zRdVIIM/4khuIg==",
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-3.6.0.tgz",
+      "integrity": "sha512-fRHTG8g/Gif+kSh50gaGEdToemgfj74aRX3swtiouboip5JDLAyDE9F11nHMIcvOaXeOC6D7SpNhi7uFyB7Uww==",
       "funding": {
         "type": "github",
         "url": "https://github.com/sponsors/kossnocorp"

actual results

$ git diff
diff --git a/apps/test2/package.json b/apps/test2/package.json
index 8da16eb..c6d9b5b 100644
--- a/apps/test2/package.json
+++ b/apps/test2/package.json
@@ -9,6 +9,6 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "date-fns": "^3.2.0"
+    "date-fns": "^3.6.0"
   }
 }
diff --git a/package-lock.json b/package-lock.json
index 5ca9b4a..5300cec 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -22,7 +22,7 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
-        "date-fns": "^3.2.0"
+        "date-fns": "^3.6.0"
       }
     },
     "node_modules/@apollo/client": {
@@ -168,9 +168,9 @@
       "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
     },
     "node_modules/date-fns": {
-      "version": "3.2.0",
-      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-3.2.0.tgz",
-      "integrity": "sha512-E4KWKavANzeuusPi0jUjpuI22SURAznGkx7eZV+4i6x2A+IZxAMcajgkvuDAU1bg40+xuhW1zRdVIIM/4khuIg==",
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-3.6.0.tgz",
+      "integrity": "sha512-fRHTG8g/Gif+kSh50gaGEdToemgfj74aRX3swtiouboip5JDLAyDE9F11nHMIcvOaXeOC6D7SpNhi7uFyB7Uww==",
       "funding": {
         "type": "github",
         "url": "https://github.com/sponsors/kossnocorp"

Logs (if relevant)

No response

[rarkins]

The package.json is not updated in your reproduction PR, so it doesn't seem to match you description above

[ksugawara61]

Thank you for your quick reply.

I apologize for any confusion caused by my description and PR.

I understand renovate might use commands as follows for updating package-lock.json.
e.g.) npm install --package-lock-only --no-audit --ignore-scripts --workspace=apps/test2 date-fns@3.6.0
ref:

renovate/lib/modules/manager/npm/post-update/npm.ts

Lines 153 to 155 in a9779a7

	const updateCmd = `npm install ${cmdOptions} --workspace=${workspace} ${currentWorkspaceUpdates.join(
	' ',
	)}`;

I think updating package-lock.json using a command like the one above may also update package.json in subprojects.
However, PR created by renovate containes only package-lock.json in spite of diffrerence of subproject's package.json

The description is based on the output from trying a command in my local environment that I believe Renovate executes.
Therefore, My description contains the difference of package.json.

Is this selective update of only package-lock.json by Renovate the intended behavior for npm workspaces?

[rarkins]

"npm install" does not update package.json

--package-lock-only means "no need to add the node modules"