diff --git a/lib/manager/npm/update/locked-dependency/dep-constraints.spec.ts b/lib/manager/npm/update/locked-dependency/dep-constraints.spec.ts
index 7eda1ecb194dce044aedda09cc1f61e9e5d9ef6b..47e0122b741f8c176954c0e2810ee2e0de8a03cb 100644
--- a/lib/manager/npm/update/locked-dependency/dep-constraints.spec.ts
+++ b/lib/manager/npm/update/locked-dependency/dep-constraints.spec.ts
@@ -16,12 +16,24 @@ describe(getName(__filename), () => {
 describe('findDepConstraints()', () => {
 it('finds indirect dependency', () => {
 expect(
- findDepConstraints(packageJson, packageLockJson, 'send', '0.2.0')
+ findDepConstraints(
+ packageJson,
+ packageLockJson,
+ 'send',
+ '0.2.0',
+ '0.2.1'
+ )
 ).toMatchSnapshot();
 });
 it('finds direct dependency', () => {
 expect(
- findDepConstraints(packageJson, packageLockJson, 'express', '4.0.0')
+ findDepConstraints(
+ packageJson,
+ packageLockJson,
+ 'express',
+ '4.0.0',
+ '4.5.0'
+ )
 ).toMatchSnapshot();
 });
 it('finds direct devDependency', () => {
@@ -29,7 +41,13 @@ describe(getName(__filename), () => {
 packageJsonDev.devDependencies = packageJsonDev.dependencies;
 delete packageJsonDev.dependencies;
 expect(
- findDepConstraints(packageJsonDev, packageLockJson, 'express', '4.0.0')
+ findDepConstraints(
+ packageJsonDev,
+ packageLockJson,
+ 'express',
+ '4.0.0',
+ '4.5.0'
+ )
 ).toMatchSnapshot();
 });
 });
diff --git a/lib/manager/npm/update/locked-dependency/dep-constraints.ts b/lib/manager/npm/update/locked-dependency/dep-constraints.ts
index 11c5a6d867d86084e9d44b0277878ccb59d9fe8c..34c3a482e3136ccf2c12c2fd89cc4b18f37cdf38 100644
--- a/lib/manager/npm/update/locked-dependency/dep-constraints.ts
+++ b/lib/manager/npm/update/locked-dependency/dep-constraints.ts
@@ -8,6 +8,7 @@ export function findDepConstraints(
 lockEntry: PackageLockOrEntry,
 depName: string,
 currentVersion: string,
+ newVersion: string,
 parentDepName?: string
 ): ParentDependency[] {
 let parents: ParentDependency[] = [];
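Review bot: The three updated calls in dep-constraints.spec.ts still only snapshot the return value, so the in-place write to `requires[depName]` that this commit adds to findDepConstraints is never asserted. The same `packageLockJson` fixture is passed in all three cases, and because the function can now mutate it, a later case may run against entries already rewritten by an earlier one (how the fixture is loaded is outside these hunks). I would hand each case its own deep copy, e.g. `const lock = JSON.parse(JSON.stringify(packageLockJson));`, and add an explicit assertion on the rewritten `requires` entry after the call.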
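Review bot: `newVersion: string` is inserted ahead of the optional `parentDepName?: string` in the exported signature of findDepConstraints, and both are plain strings, so a caller that still passes a parent name in fifth position keeps compiling and silently supplies it as the new version. The recursive call and updateLockedDependency are updated in this commit; any other callers are not visible here and should be checked. The new parameter is also undocumented; I would add a TSDoc line such as `@param newVersion written into a parent's requires entry when that entry holds exactly currentVersion`. The function body continues outside this hunk.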
@@ -29,6 +30,10 @@ export function findDepConstraints(
 if (parentDepName && requires) {
 const constraint = requires[depName];
 if (constraint && semver.matches(currentVersion, constraint)) {
+ if (constraint === currentVersion) {
+ // Workaround for old versions of npm which wrote the exact version in requires instead of the constraint
+ requires[depName] = newVersion;
+ }
 parents.push({
 parentDepName,
 parentVersion: version,
@@ -44,6 +49,7 @@ export function findDepConstraints(
 dependency,
 depName,
 currentVersion,
+ newVersion,
 packageName
 )
 );
diff --git a/lib/manager/npm/update/locked-dependency/index.ts b/lib/manager/npm/update/locked-dependency/index.ts
index 1d3652a73d577bec9d1106ed009a7669d9bc837b..58076267fcaa3c750072cd86ce681d65d286ab5d 100644
--- a/lib/manager/npm/update/locked-dependency/index.ts
+++ b/lib/manager/npm/update/locked-dependency/index.ts
@@ -84,7 +84,8 @@ export async function updateLockedDependency(
 packageJson,
 packageLockJson,
 depName,
- currentVersion
+ currentVersion,
+ newVersion
 );
 logger.trace({ deps: lockedDeps, constraints }, 'Matching details');
 if (!constraints.length) {
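Review bot: The added `requires[depName] = newVersion;` makes a function named findDepConstraints mutate the lock-file object it is searching, and the `constraint === currentVersion` test cannot tell an old-npm artefact from a parent that genuinely pins that exact version. In the second case the resulting lock file would state that the parent accepts `newVersion` although its own manifest may not, which weakens the lock file as a record of what each package declared. The write also happens during the search, before the `if (!constraints.length)` check in the index.ts hunk, so the object can be changed even if the update is then abandoned; whether it is discarded in that case is not visible here. The local `constraint` keeps the old exact value after the rewrite, so if the `parents.push({ … })` entry (cut off by the hunk) records it, later checks will still see the old pin. At minimum I would extend the comment to `// NOTE: mutates lockEntry in place; a genuine exact pin is indistinguishable from the old-npm format and is rewritten too`.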