[BUG] Installing from tar file does not update on change #1550

Closed
JacobLey opened this issue Jul 21, 2020 · 2 comments
Labels: Bug (thing that needs fixing), Release 6.x (work is associated with a specific npm 6 release)

Comments

@JacobLey

What / Why

Installing packages from a tar file loads the package just as if it were hosted on a registry.
If the tarball updates (gets a new integrity hash which does not match the current one in package-lock.json), it should install/replace the new version. Instead it keeps the old version, unless the package is named explicitly.

Running the update command is worse. It will never pull the correct version even when named explicitly.

When

When installing from a .tgz file, updating the .tgz file, and trying to re-install.

Where

Running npm locally.
I set up an example repo at https://github.com/JacobLey/cli/tree/installExample to show the issue.

How

Running install on a package should fetch that package. If a local version is not in sync (wrong integrity hash), it should pull the correct version.

Current Behavior

Once a .tgz file has been installed, it will not be replaced by running npm i. Instead, the package must be explicitly named via npm i <tar-based-package>.

Steps to Reproduce

# from working cli directory
git remote add jacob-install git@github.com:JacobLey/cli.git
git pull jacob-install installExample
git checkout installExample
cd ./tar-install-example
./install.sh

After the script has finished, inspect the logs to see that packages did not update as expected.
You can also compare the package-lock.json to the output pack integrity to ensure the files are out of sync.

Expected Behavior

Installing a package by tar file should make sure the local version is in sync. This behavior is mirrored by local file: installations, which are always up to date with the target.

It is worth noting that I included a file installation in the example repo, to show why pack->tar is preferable to local file dependencies.

It could be argued that the install command is just responsible for downloading the package, and checking/responding to updates falls in the domain of npm update. If that were the case, I would expect npm update to correctly fetch the latest tar file, but it is never capable of refreshing based on integrity hash.

References

https://docs.npmjs.com/cli/install
https://docs.npmjs.com/cli/update
https://docs.npmjs.com/cli/pack
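
The comparison the report describes (the integrity recorded in package-lock.json versus the re-packed tarball), as an added example that is not part of the issue or of npm's code: a Node.js check that lists stale `file:*.tgz` entries. It assumes the npm 6 lockfile layout (`lockfileVersion` 1, tarball dependencies recorded as `version: "file:<path>.tgz"` with an `integrity` string); `sri`, `findStaleTarballs`, `demo` and the sample package names are hypothetical.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

// SRI string ("<algo>-<base64 digest>") as stored in package-lock.json.
function sri(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Walk a lockfileVersion 1 (npm 6) tree, nested dependencies included, and
// return every "file:*.tgz" entry whose recorded integrity no longer matches
// the tarball bytes. `read` is injectable so the check can run without disk.
function findStaleTarballs(lock, rootDir, read = fs.readFileSync) {
  const stale = [];
  const walk = (deps = {}, trail = []) => {
    for (const [name, entry] of Object.entries(deps)) {
      const spec = String(entry.version || '');
      if (spec.startsWith('file:') && /\.(tgz|tar\.gz)$/.test(spec)) {
        const file = path.resolve(rootDir, spec.slice('file:'.length));
        const recorded = entry.integrity || '';
        // Re-hash with the algorithm the lockfile recorded (sha512 or sha1).
        const algo = recorded.split('-')[0] || 'sha512';
        let actual = null; // stays null if the tarball is missing or unreadable
        try { actual = sri(read(file), algo); } catch (err) { /* reported below */ }
        if (actual !== recorded) {
          stale.push({ name: [...trail, name].join(' > '), file, recorded, actual });
        }
      }
      walk(entry.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies);
  return stale;
}

// Constructed sample: pkg-b.tgz was re-packed after the lockfile was written.
function demo() {
  const packed = { 'pkg-a.tgz': Buffer.from('constructed pkg-a v1'),
                   'pkg-b.tgz': Buffer.from('constructed pkg-b v1') };
  const lock = { lockfileVersion: 1, dependencies: {
    'pkg-a': { version: 'file:pkg-a.tgz', integrity: sri(packed['pkg-a.tgz']) },
    'pkg-b': { version: 'file:pkg-b.tgz', integrity: sri(packed['pkg-b.tgz']) },
    'from-registry': { version: '1.0.0', integrity: 'sha512-constructed' } } };
  const onDisk = { ...packed, 'pkg-b.tgz': Buffer.from('constructed pkg-b v2') };
  return findStaleTarballs(lock, '/project', (f) => onDisk[path.basename(f)]);
}

console.log(demo().map((s) => `${s.name}: lock and tarball differ`));
```

Against a real project, call `findStaleTarballs(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), process.cwd())` and fail the build when the returned list is non-empty.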

@JacobLey
Author

Worth mentioning the explicit install step is the cause of another issue with npm dedupe #1548

darcyclarke added the Bug (thing that needs fixing) and Release 6.x (work is associated with a specific npm 6 release) labels on Oct 30, 2020
@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.
