[BUG] /plugin update never detects new versions for npm-sourced plugins — lockfile not refreshed

Resolved 💬 2 comments Opened Apr 28, 2026 by nicolas-vivot Closed Apr 30, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

/plugin update does not detect latest version (pinned or not) for npn sourced plugins.

Claude Code maintains its own npm workspace at ~/.claude/plugins/npm-cache/. When an npm-sourced plugin is installed, it writes a package.json with the installed version pinned (e.g. "@yourOrg/plugin-name": "^1.6.3") and a package-lock.json locking to that exact version.

When /plugin checks for updates, it reads the lockfile rather than querying the live registry. Since the lockfile is never refreshed unless npm install is explicitly run, it always reports the installed version as "latest."

npm install run only when there is no install folder for the version seen as the latest one - in this case the latest version installed, not the latest version published on the registry. (Google Artifact Registry in my case, but would be the same with any registry, public or private i believe)

What Should Happen?

/plugin update detects and installs the latest version.

When no specific version is mentioned in the marketplace for npm sourced plugin, it should default to the latest.
In such case, npm install should be run first to update the lock file, then the update to whatever latest version is found should be done without any issue.

Error Messages/Logs

No specific error message, just the feature not working properly due to code being bugged.

Steps to Reproduce

  1. Set up a private npm registry (e.g., Nexus, Verdaccio, Artifactory)
  2. Create a marketplace.json with an npm-sourced plugin (no need to specify version):
{
  "name": "test-marketplace",
  "plugins": [
    {
      "name": "test-plugin",
      "source": {
        "source": "npm",
        "package": "@org/test-plugin",
        "registry": "https://registry.example.com/"
      }
    }
  ]
}
  1. Add the marketplace and install the plugin:
/plugin marketplace add https://registry.example.com/marketplace.json
/plugin install test-plugin@test-marketplace
  1. Publish a new version (e.g., 1.1.0) of the plugin to your npm registry
  2. Try to update the plugin:

claude plugin update test-plugin@test-marketplace

  1. Do the same with updating your marketplace before (should not change anything)

Claude Model

Opus

Is this a regression?

No, this never worked. Has also been reported here and closed due to innactivity. But the bug is there and should be fixed, or remote entirely the support for npm sourced plugins as it just does not work.

Last Working Version

_No response_

Claude Code Version

2.1.121 (originally found on stable channel with 2.1.112)

Platform

Google Vertex AI

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

Found from a leaked version of claude code, somewhere in your code, you are running npm install only when there is no local folder matching the plugin version considered as the one to install or update.
This is a chicken-egg issue since the version check is done against the local lock file, not the remote registry, and the remote registry would be checked only when the npm install actually run..

Options to fix it (if the real code is still doing this)

  1. Either refactor the entire logic to properly handle version discovery (pinned or latest use cases) for npm sourced plugins
  2. Or introduce a force option in the /plugin skill to force the npm install to run to properly update the local npm cache and lock files.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗