deno
73ba7ce8 - fix(update): refetch npm metadata so stale cache doesn't hide newer versions (#35380)

Commit
2 days ago
fix(update): refetch npm metadata so stale cache doesn't hide newer versions (#35380)

## What

Addresses #35348 ("deno update without it editing package.json").

`deno update --lockfile-only` updates dependencies and the lockfile to the latest semver-compatible versions **without** modifying the version requirements in `deno.json` / `package.json` (the `npm update` equivalent). But it could silently fail to bump a dependency when the npm registry metadata cache was stale.

## The bug

The version *display* path (`deno outdated`) fetches packuments fresh with `CacheSetting::RespectHeaders`, so it correctly **shows** the available update. But the re-resolution that actually rewrites the lockfile runs through the npm installer, which reads the **separate** npm registry cache with the default `CacheSetting::Use`. If the cached packument predates the newer version, the installer never sees it, re-resolves to the same old version, and `deno update` reports `Updated 0 dependencies` with the lockfile unchanged. Because `deno update` doesn't accept `--reload`, there was no workaround.

## The fix

`cli/tools/pm/outdated/mod.rs`: before the post-modification install re-resolves, add each npm package being updated to the install `cache_blocklist`, so `cache_setting()` returns `ReloadSome` and metadata is refetched for **only** those packages (not modules, tarballs, or unrelated packages).

## Tests

- `update_lockfile_only_stale_npm_cache/` — new regression test that simulates a stale cache (`setup.ts` truncates the cached `registry.json` to drop 0.1.1/0.2.0 and its etag, and pins the lock back at 0.1.0), then asserts `deno update --lockfile-only` still bumps the lock `0.1.0 -> 0.1.1` while leaving `package.json` byte-for-byte unchanged. **Verified it fails without the fix** (`Updated 0 dependencies`) and passes with it.
- `update_lockfile_only_bumps_within_range/` and `..._deno_json/` — happy-path coverage that the lock bumps within range and never jumps to the out-of-range `0.2.0`.
- Existing `outdated` spec `.out` expectations are updated to reflect that npm metadata is now refetched during update re-resolution.

## Docs

`cli/args/flags.rs`: added an example to both `deno update --help` and `deno outdated --help` presenting `--lockfile-only` as the way to update within existing ranges without editing the manifest (the `npm update` equivalent).

## Verification

- `cargo test -p specs_tests --test specs -- outdated::update_lockfile_only` — passes; the stale-cache test fails on the parent commit and passes with the fix.
- `tools/format.js` / `tools/lint.js` clean.

Closes #35348

---------

Co-authored-by: Nathan Whitaker <nathan@deno.com>
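
The failure mode and the targeted refetch described in the commit message, as an added example that is not Deno's code: a simplified model in which the `CacheSetting` enum only borrows the variant names `Use` and `ReloadSome` from the message. The package names `dep-a` and `dep-b`, the helpers `caret_ok` and `resolve`, the caret-style range and all version data are assumptions constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};

type V = (u32, u32, u32); // (major, minor, patch)
type Packuments = HashMap<String, Vec<V>>; // package -> published versions

// Simplified stand-in for the two cache settings named in the commit message.
enum CacheSetting {
    Use,                         // trust whatever metadata is cached
    ReloadSome(HashSet<String>), // refetch metadata for the listed packages only
}

// Caret-style compatibility with the locked version (assumed range form).
fn caret_ok(req: V, v: V) -> bool {
    v >= req && if req.0 > 0 { v.0 == req.0 }
        else if req.1 > 0 { v.0 == 0 && v.1 == req.1 }
        else { v == req }
}

// Re-resolve `pkg`, consulting the registry only when the setting demands it.
fn resolve(pkg: &str, locked: V, setting: &CacheSetting,
           cache: &mut Packuments, registry: &Packuments) -> V {
    let blocked = matches!(setting, CacheSetting::ReloadSome(b) if b.contains(pkg));
    if blocked || !cache.contains_key(pkg) {
        cache.insert(pkg.to_string(), registry[pkg].clone());
    }
    cache[pkg].iter().copied().filter(|v| caret_ok(locked, *v)).max().unwrap_or(locked)
}

// Constructed data: the registry has newer versions than the stale cache.
fn demo() -> (V, V, V) {
    let mk = |a: Vec<V>, b: Vec<V>| -> Packuments {
        HashMap::from([("dep-a".to_string(), a), ("dep-b".to_string(), b)])
    };
    let registry = mk(vec![(0, 1, 0), (0, 1, 1), (0, 2, 0)], vec![(1, 0, 0), (1, 1, 0)]);
    let stale = mk(vec![(0, 1, 0)], vec![(1, 0, 0)]);
    let (mut c1, mut c2) = (stale.clone(), stale.clone());
    let before = resolve("dep-a", (0, 1, 0), &CacheSetting::Use, &mut c1, &registry);
    let reload = CacheSetting::ReloadSome(HashSet::from(["dep-a".to_string()]));
    let after = resolve("dep-a", (0, 1, 0), &reload, &mut c2, &registry);
    let unrelated = resolve("dep-b", (1, 0, 0), &reload, &mut c2, &registry);
    (before, after, unrelated)
}

fn main() {
    println!("{:?}", demo());
}
```

With `Use`, the stale cache pins `dep-a` at its locked version even though a compatible release exists, which is how a patched release can go unnoticed; with `ReloadSome`, only the blocklisted package is refetched and `dep-b` is still served from cache.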