[BUG] npx does not fetch latest possible semvar match

[jeff-an]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When using the syntax npx <package>@<semvar> <command>, npx is always using a local cached version instead of fetching the latest available version that falls within the semvar from the npm registry and prompting for an upgrade.

Running npm cache clean --force does not seem to help.

The issue only seems to be reproducible on some machines. One user even reported that with [email protected] installed locally, npx momentic^1 was still invoking 1.0.11 instead of the newer version.

Expected Behavior

I expect npx to issue a prompt like the one below:

Need to install the following packages:
[email protected]
Ok to proceed? (y)

rather than proceeding with the locally cached version of [email protected], for example.

Steps To Reproduce

1. Run npx [email protected] init and accept the install prompt. Ignore the output of the program (the program in this case doesn't matter and can be substituted with any other).
2. Run npx momentic@^1 init. This should be expected to prompt to install 1.0.13 or whatever the latest version is. However, it does not and instead prints the same output as step 1.

Screenshot of what I mean on the turbo repo (the latest turbo version is 2.1.3 at time of writing):

Environment

• npm: 10.9.0
• Node.js: v20.9.0
• OS Name: Mac OS Sonoma 14.4
• System Model Name: M3 Max MBP
• npm config:

; "project" config from /Users/jeffan/code/momentic/.npmrc

auto-install-peers = true
public-hoist-pattern = ["*eslint-plugin*","*prisma*","*bull*"]

I confirmed that my npx path is fixed and set to:

which npx
/Users/<REDACTED>/.nvm/versions/node/v20.9.0/bin/npx

[milaninfy]

I am getting expected behaviour

~/workarea/rep/test $ npx -ddd [email protected] init
Need to install the following packages:
[email protected]
Ok to proceed? (y) y

~/workarea/rep/test $ npx momentic@^1 init
Need to install the following packages:
[email protected]
Ok to proceed? (y) 

[jeff-an]

Thanks for the responses folks! --no-cache and prefer-online both do not seem to help this case:

We know that it works on some people's machines but not others. How can we debug why? At this point we are thinking of just hitting npm's registry programmatically at startup to figure out what the latest version is.

[ljharb]

you don't need to do that; do npx foo@latest and you'll get the latest no matter what's locally available.

[jeff-an]

We are aware of that, but we don't want to use @latest because it will automatically install versions that may be backwards incompatible with what the user is currently using.

Besides, it seems like a bug that this behavior is a) non-deterministic across machines and b) different from what is advertised in the official docs:

Package names with a specifier will only be considered a match if they have the exact same name and version as the local dependency.

[milaninfy]

@jeff-an what's the output of npm -v and npm config ls -a

[jeff-an]

I put it in the environment section:

version: 10.9.0

npm config:

auto-install-peers = true
public-hoist-pattern = ["*eslint-plugin*","*prisma*","*bull*"]