Why did npm update axios fail to update but npm uninstall then install can?

Question

I used "axios": "^0.19.2", running npm i gave the warning "npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1." so I run npm update -S axios to update it. But it failed to update axios. I run yarn upgrade axios but it failed too.

I had thought there maybe a module required 0.19.2 so I checked package-lock.json and I found the only module in my project that requires axios is pm2 but it requires "axios": "^0.21.0",

"@pm2/js-api": {
  "version": "0.6.7",
  "resolved": "https://registry.npmjs.org/@pm2/js-api/-/js-api-0.6.7.tgz",
  "integrity": "sha512-xxxxxxxx",
  "requires": {
    "async": "^2.6.3",
    "axios": "^0.21.0",
    "debug": "~4.3.1",
    "eventemitter2": "^6.3.1",
    "ws": "^7.0.0"
  },

I have no idea why npm update failed to update axios. I then run npm uninstall axios, npm install -S axios then "axios": "^0.27.2" is installed.

But why ?

--- update ---

To verify whether I can reproduce this issue or not I create a project at https://github.com/qiulang/npm-update-error-demo

It shows that even I only have one dependency axios, npm update axios still failed to update. BTW I use npm 8.x (try both 8.5 & latest 8.11)

Answer 1

When I run npm update -S axios --loglevel verbose with npm 6 I got the result

npm verb outdated not updating axios because it's currently at the maximum version that matches its specified semver range

If I run with npm 8 I even got 404 error

npm verb audit error HttpErrorGeneral: 404 Not Found - POST https://registry.npmmirror.com/-/npm/v1/security/audits/quick

So I had thought could this be npm bug ? Suddenly I realize this was caused by Caret Ranges ^ I used because normally ^ means patch and minor updates (most people are familiar with that) but it only means for the patch updates for versions 0.X >=0.1.0 as npm document says

Many authors treat a 0.x version as if the x were the major "breaking-change" indicator.

Caret ranges are ideal when an author may make breaking changes between 0.2.4 and 0.3.0 releases, which is a common practice.

...

^0.2.3 := >=0.2.3 <0.3.0

BTW because many answers were given to What's the difference between tilde(~) and caret(^) in package.json? so the answer about patch only for ^0.x was buried in them.