fix(update): prevent package.json updates when updating indirect dependencies (#5118) (#10155)

TrevorBurnham · zkochan · commit 17344ca27fbe · 2025-11-06T15:14:36.000+01:00
close #5118
diff --git a/.changeset/every-trains-shake.md b/.changeset/every-trains-shake.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/plugin-commands-installation": patch
+"pnpm": patch
+---
+
+When a user runs `pnpm update` on a dependency that is not directly listed in `package.json`, none of the direct dependencies should be updated [#10155](https://github.com/pnpm/pnpm/pull/10155).
diff --git a/pkg-manager/plugin-commands-installation/src/installDeps.ts b/pkg-manager/plugin-commands-installation/src/installDeps.ts
@@ -272,6 +272,8 @@ when running add/update with the --workspace option')
   }
 
   let updateMatch: UpdateDepsMatcher | null
+  let updatePackageManifest = opts.updatePackageManifest
+  let updateMatching: ((pkgName: string) => boolean) | undefined
   if (opts.update) {
     if (params.length === 0) {
       const ignoreDeps = opts.updateConfig?.ignoreDependencies
@@ -291,6 +293,10 @@ when running add/update with the --workspace option')
         throw new PnpmError('NO_PACKAGE_IN_DEPENDENCIES',
           'None of the specified packages were found in the dependencies.')
       }
+      // No direct dependencies matched, so we're updating indirect dependencies only
+      // Don't update package.json in this case, and limit updates to only matching dependencies
+      updatePackageManifest = false
+      updateMatching = (pkgName: string) => updateMatch!(pkgName) != null
     }
   }
 
@@ -343,7 +349,11 @@ when running add/update with the --workspace option')
     return
   }
 
-  const { updatedCatalogs, updatedManifest, ignoredBuilds } = await install(manifest, installOpts)
+  const { updatedCatalogs, updatedManifest, ignoredBuilds } = await install(manifest, {
+    ...installOpts,
+    updatePackageManifest,
+    updateMatching,
+  })
   if (opts.update === true && opts.save !== false) {
     await Promise.all([
       writeProjectManifest(updatedManifest),
diff --git a/pnpm/test/update.ts b/pnpm/test/update.ts
@@ -684,6 +684,44 @@ test('update with tag @latest will downgrade prerelease', async function () {
   expect(lockfile2).toHaveProperty(['packages', '@pnpm.e2e/has-prerelease@2.0.0'])
 })
 
+test('update indirect dependency should not update package.json', async function () {
+  const project = prepare({
+    dependencies: {
+      '@pnpm.e2e/pkg-with-1-dep': '^100.0.0',
+    },
+  })
+
+  // Ensure the initial versions
+  await addDistTag('@pnpm.e2e/pkg-with-1-dep', '100.0.0', 'latest')
+  await addDistTag('@pnpm.e2e/dep-of-pkg-with-1-dep', '100.0.0', 'latest')
+
+  await execPnpm(['install'])
+
+  const pkg1 = await readPackageJsonFromDir(process.cwd())
+  expect(pkg1.dependencies?.['@pnpm.e2e/pkg-with-1-dep']).toBe('^100.0.0')
+
+  const lockfile1 = project.readLockfile()
+  expect(lockfile1.importers['.'].dependencies?.['@pnpm.e2e/pkg-with-1-dep'].version).toBe('100.0.0')
+
+  // Now publish a new version of the direct dependency and update the indirect dependency
+  await addDistTag('@pnpm.e2e/pkg-with-1-dep', '100.1.0', 'latest')
+  await addDistTag('@pnpm.e2e/dep-of-pkg-with-1-dep', '100.1.0', 'latest')
+
+  // Update the indirect dependency only
+  await execPnpm(['update', '@pnpm.e2e/dep-of-pkg-with-1-dep@latest'])
+
+  // The direct dependency in package.json should remain unchanged at ^100.0.0
+  const pkg2 = await readPackageJsonFromDir(process.cwd())
+  expect(pkg2.dependencies?.['@pnpm.e2e/pkg-with-1-dep']).toBe('^100.0.0')
+
+  // But the lockfile should have the updated indirect dependency
+  const lockfile2 = project.readLockfile()
+  expect(Object.keys(lockfile2.packages ?? {})).toContain('@pnpm.e2e/dep-of-pkg-with-1-dep@100.1.0')
+
+  // The direct dependency should remain at 100.0.0 in the lockfile (not upgraded to 100.1.0)
+  expect(lockfile2.importers['.'].dependencies?.['@pnpm.e2e/pkg-with-1-dep'].version).toBe('100.0.0')
+})
+
 test('update to latest recursive workspace (outdated, updated, prerelease, outdated)', async function () {
   await addDistTag('@pnpm.e2e/has-prerelease', '2.0.0', 'latest')
 

Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,8 @@ when running add/update with the --workspace option')`
`272`	`272`	`}`
`273`	`273`
`274`	`274`	`let updateMatch: UpdateDepsMatcher \| null`
	`275`	`+ let updatePackageManifest = opts.updatePackageManifest`
	`276`	`+ let updateMatching: ((pkgName: string) => boolean) \| undefined`
`275`	`277`	`if (opts.update) {`
`276`	`278`	`if (params.length === 0) {`
`277`	`279`	`const ignoreDeps = opts.updateConfig?.ignoreDependencies`
`@@ -291,6 +293,10 @@ when running add/update with the --workspace option')`
`291`	`293`	`throw new PnpmError('NO_PACKAGE_IN_DEPENDENCIES',`
`292`	`294`	`'None of the specified packages were found in the dependencies.')`
`293`	`295`	`}`
	`296`	`+ // No direct dependencies matched, so we're updating indirect dependencies only`
	`297`	`+ // Don't update package.json in this case, and limit updates to only matching dependencies`
	`298`	`+ updatePackageManifest = false`
	`299`	`+ updateMatching = (pkgName: string) => updateMatch!(pkgName) != null`
`294`	`300`	`}`
`295`	`301`	`}`
`296`	`302`
`@@ -343,7 +349,11 @@ when running add/update with the --workspace option')`
`343`	`349`	`return`
`344`	`350`	`}`
`345`	`351`
`346`		`- const { updatedCatalogs, updatedManifest, ignoredBuilds } = await install(manifest, installOpts)`
	`352`	`+ const { updatedCatalogs, updatedManifest, ignoredBuilds } = await install(manifest, {`
	`353`	`+ ...installOpts,`
	`354`	`+ updatePackageManifest,`
	`355`	`+ updateMatching,`
	`356`	`+ })`
`347`	`357`	`if (opts.update === true && opts.save !== false) {`
`348`	`358`	`await Promise.all([`
`349`	`359`	`writeProjectManifest(updatedManifest),`