npm-check-updates vs retire vs depcheck vs snyk
Dependency Health and Security Analysis in JavaScript Projects
Search packages..
npm-check-updatesretiredepchecksnykSimilar Packages:

Dependency Health and Security Analysis in JavaScript Projects

depcheck, npm-check-updates, retire, and snyk are CLI tools that help developers maintain healthy, secure, and up-to-date npm dependency trees. While they share the broad goal of improving project hygiene, each targets a distinct aspect: unused dependencies (depcheck), outdated packages (npm-check-updates), known vulnerable libraries in frontend assets (retire), and comprehensive vulnerability scanning with remediation guidance (snyk). Together, they form complementary layers of a modern JavaScript dependency management strategy.

Npm Package Weekly Downloads Trend

3 Years

Github Stars Ranking

Stat Detail

Package
Downloads
Stars
Size
Issues
Publish
License
npm-check-updates698,55810,21413.6 MB1004 hours agoApache-2.0
retire213,2914,110108 kB23 months agoApache-2.0
depcheck04,938231 kB1162 years agoMIT
snyk05,50050.1 MB1237 days agoApache-2.0

Dependency Hygiene Deep Dive: depcheck vs npm-check-updates vs retire vs snyk

Managing npm dependencies isn’t just about installing packages — it’s about keeping your project lean, current, and secure. The tools depcheck, npm-check-updates, retire, and snyk each tackle a different slice of this problem. Let’s compare them head-to-head through real engineering scenarios.

🧹 Finding Dead Weight: Unused Dependencies

depcheck analyzes your codebase to find packages listed in package.json that aren’t actually imported or required anywhere.

# Run depcheck to list unused dependencies
npx depcheck

It parses JavaScript, TypeScript, and common config files to trace static imports. However, it won’t detect:

  • Packages used via dynamic require() (e.g., require(someVar))
  • Dependencies referenced only in shell scripts, Dockerfiles, or CI configs
  • Binaries invoked via npx or scripts in package.json

Example output might show:

Unused dependencies
* lodash
* moment

In contrast, npm-check-updates, retire, and snyk do not check for unused code — they assume everything in package.json is needed.

🔄 Keeping Dependencies Fresh: Version Updates

npm-check-updates (often aliased as ncu) tells you which packages have newer versions available and can update package.json for you.

# Show outdated packages
npx npm-check-updates

# Update package.json to latest majors
npx npm-check-updates -u
npm install

It respects your package.json version ranges and can target specific update strategies (e.g., only minors, or latest tags). This is purely a versioning tool — it doesn’t assess security or usage.

The other tools handle updates differently:

  • depcheck: No version checking at all.
  • retire: Reports vulnerable versions but doesn’t suggest non-vulnerable alternatives or update package.json.
  • snyk: Recommends specific safe versions to upgrade to (or patches) based on vulnerability data.
# Snyk shows fixable issues with upgrade paths
npx snyk test
npx snyk fix  # applies safe upgrades automatically

🛡️ Detecting Known Vulnerabilities

This is where the tools diverge sharply in scope.

retire focuses only on client-side JavaScript libraries. It scans your project’s public assets (like dist/ or public/) and node_modules for known vulnerable versions of frontend frameworks.

# Scan for vulnerable JS libraries in ./public
npx retire --js --outputformat json

It uses a local database of CVE-like entries for libraries such as React, Vue, or Handlebars. But it won’t catch vulnerabilities in server-side packages like express or lodash when used in Node.js.

snyk, by comparison, scans your entire dependency tree — including deeply nested transitive dependencies — for vulnerabilities in both frontend and backend contexts. It pulls from a continuously updated vulnerability database and understands exploitability in your specific environment.

# Snyk scans node_modules and lockfile for all vulns
npx snyk test

Output includes CVSS scores, exploit maturity, and whether the vulnerable function is actually reachable in your code.

depcheck and npm-check-updates do not perform any vulnerability detection.

🛠️ Remediation: From Detection to Fix

Finding issues is only half the battle. How easy is it to act?

  • depcheck: You manually remove unused entries from package.json and run npm install.
  • npm-check-updates: Use -u flag to auto-update package.json, then run install.
  • retire: Only reports — you must manually choose a safe version and update yourself.
  • snyk: Offers snyk fix to automatically apply safe upgrades or patches without breaking changes.
# Snyk can patch without version bumps
npx snyk fix
# Applies a targeted patch to vulnerable code

This makes snyk uniquely valuable in regulated or high-compliance environments where audit trails and minimal-change fixes matter.

🔍 Scope of Analysis: What Each Tool Actually Checks

ToolScans package.jsonAnalyzes Source CodeChecks node_modulesScans Public AssetsUnderstands Transitive Deps
depcheck✅ (static imports)
npm-check-updates
retire✅ (frontend libs only)⚠️ (limited)
snyk⚠️ (via deps)

💡 Note: snyk uses your package-lock.json or yarn.lock to reconstruct the full dependency graph, including transitive dependencies that may not appear in package.json.

🧪 Real-World Workflow Integration

Scenario: Preparing for a Production Release

  1. Clean dead code: Run depcheck to remove unused deps → reduces bundle size and attack surface.
  2. Update safely: Run npm-check-updates -u to bump to latest non-breaking versions.
  3. Scan frontend: Run retire to catch vulnerable client-side libraries missed by other tools.
  4. Deep security audit: Run snyk test to find and snyk fix to patch remaining vulnerabilities.

This layered approach catches issues no single tool can address alone.

Scenario: Emergency Patch After Zero-Day Disclosure

  • Skip depcheck and npm-check-updates — they don’t understand exploit context.
  • Run snyk test immediately: it will tell you if you’re affected and how to fix it.
  • Use snyk monitor to get alerts on future vulnerabilities.

retire might help if the zero-day affects a frontend library, but it lacks remediation guidance.

⚠️ Limitations and Gotchas

  • depcheck may falsely flag packages used in non-standard ways (e.g., ESLint plugins, Webpack loaders). Use --ignores to suppress false positives.
  • npm-check-updates doesn’t guarantee compatibility — always test after major upgrades.
  • retire’s database is less comprehensive than Snyk’s and hasn’t seen frequent updates in recent years. Verify its findings against official advisories.
  • snyk requires authentication for full features (snyk auth), and the free tier has monthly scan limits. Offline mode is limited.

📊 When to Use Which Tool

GoalBest Tool(s)
Remove unused dependenciesdepcheck
Update to latest package versionsnpm-check-updates
Find vulnerable frontend JS librariesretire
Comprehensive security scanning & fixingsnyk
Routine dependency maintenancenpm-check-updates + snyk
Reducing bundle sizedepcheck

💡 Final Recommendation

Think of these tools as layers in a defense-in-depth strategy:

  • Start with depcheck to keep your dependency list honest.
  • Use npm-check-updates regularly to stay current.
  • Layer retire if you ship a lot of third-party frontend code.
  • Anchor everything with snyk for security-critical projects.

No single tool replaces the others — together, they give you visibility into usage, freshness, and risk across your entire JavaScript stack.

How to Choose: npm-check-updates vs retire vs depcheck vs snyk

  • npm-check-updates:

    Choose npm-check-updates when your primary goal is to update dependencies to their latest compatible or major versions. It excels at showing what’s outdated and can automatically update package.json, making it ideal for routine maintenance. Use it before security scans to ensure you’re not fixing vulnerabilities in versions that could simply be upgraded.

  • retire:

    Choose retire if you specifically need to scan frontend JavaScript files (including those in node_modules) for known vulnerabilities in client-side libraries like jQuery, Bootstrap, or Angular. It’s lightweight and focused on browser-facing code but does not analyze server-side Node.js dependencies or provide fix recommendations beyond version updates.

  • depcheck:

    Choose depcheck when you need to identify and remove unused or extraneous npm dependencies from your project. It’s especially useful during refactoring, tech debt cleanup, or before major version upgrades to slim down package.json. However, be aware it may miss dynamically required modules (e.g., via require(variable)) or dependencies used only in build scripts or non-JavaScript files like CSS imports.

  • snyk:

    Choose snyk when you require deep, actionable security intelligence across both frontend and backend JavaScript dependencies, including transitive ones. It identifies vulnerabilities with severity context, suggests precise upgrade paths or patches, and integrates into CI/CD pipelines. Note that full remediation features require authentication and may involve usage limits under the free tier.

Similar Npm Packages to npm-check-updates

npm-check-updates is a command-line tool that allows developers to easily check for updates to their npm dependencies. It scans the package.json file and identifies which packages have newer versions available, providing a convenient way to keep your project dependencies up to date. This tool is particularly useful for maintaining the health of a project, ensuring that you are using the latest features, bug fixes, and security patches from your dependencies.

While npm-check-updates is a powerful tool for managing package updates, there are alternative tools available that serve similar purposes. Here are a few noteworthy alternatives:

  • npm-check is a utility that not only checks for outdated dependencies but also provides an interactive interface to manage them. It allows developers to see which packages are unused, outdated, or have newer versions available. With npm-check, you can easily update your dependencies directly from the command line, making it a great choice for developers who prefer a more hands-on approach to managing their packages.

  • yarn-upgrade-all is a command-line tool specifically designed for users of Yarn, a popular alternative to npm. This tool allows developers to upgrade all dependencies in their project to the latest versions with a single command. If you are using Yarn as your package manager and want a straightforward way to keep your dependencies up to date, yarn-upgrade-all is an excellent choice.

To see how npm-check-updates compares with npm-check and yarn-upgrade-all, check out the comparison: Comparing npm-check vs npm-check-updates vs yarn-upgrade-all.

Similar Npm Packages to depcheck

depcheck is a popular npm package that helps developers identify unused dependencies in their projects. By analyzing the project's source code and package.json file, depcheck can pinpoint packages that are no longer needed, allowing developers to clean up their projects and reduce bloat. This can lead to improved performance and easier maintenance of the codebase. While depcheck is a powerful tool for managing dependencies, there are other alternatives available that offer similar functionality. Here are a few noteworthy options:

  • knip is a dependency management tool that focuses on identifying unused dependencies as well as unused files and folders in a project. It provides a comprehensive analysis of the codebase, helping developers maintain a clean and efficient project structure. Knip is particularly useful for larger projects where unused files and dependencies can accumulate over time, making it easier to keep the codebase tidy and manageable.
  • npm-check is another tool that helps developers manage their npm dependencies. It provides a user-friendly interface to check for outdated, incorrect, and unused dependencies in a project. npm-check allows developers to interactively update dependencies, making it a convenient choice for those who prefer a more hands-on approach to managing their packages. Its ability to provide a quick overview of the project's dependencies makes it a valuable tool for maintaining a healthy codebase.

To explore how depcheck compares with knip and npm-check, check out the comparison: Comparing depcheck vs knip vs npm-check.

Similar Npm Packages to snyk

snyk is a security scanning tool designed to help developers identify and fix vulnerabilities in their applications' dependencies. It provides a comprehensive solution for monitoring and managing security risks in open-source libraries and packages. Snyk integrates seamlessly into development workflows, offering features such as automated vulnerability scanning, patching, and reporting. By using Snyk, developers can ensure that their applications remain secure and compliant with best practices.

While Snyk is a powerful tool for managing security vulnerabilities, there are several alternatives available that also focus on dependency management and security. Here are a few notable options:

  • depcheck is a utility that helps developers identify unused dependencies in their projects. By analyzing the codebase, depcheck can determine which packages are no longer being used and can be safely removed. This helps to keep the project clean and reduces the risk of including outdated or vulnerable packages. While depcheck does not specifically focus on security vulnerabilities, it plays a crucial role in maintaining a healthy dependency tree.
  • npm-check-updates is a tool that allows developers to easily upgrade their package.json dependencies to the latest versions. It checks for outdated packages and provides a simple way to update them, ensuring that the application benefits from the latest features and security patches. While npm-check-updates focuses on updating dependencies rather than scanning for vulnerabilities, keeping dependencies up to date is an essential part of maintaining application security.
  • retire is a tool that scans your project for known vulnerabilities in JavaScript libraries and dependencies. It checks against a database of known vulnerabilities and can help developers identify and address security issues in their applications. Retire is particularly useful for projects that rely heavily on third-party libraries, as it provides insights into potential security risks.

To see how Snyk compares with depcheck, npm-check-updates, and retire, check out the comparison: Comparing depcheck vs npm-check-updates vs retire vs snyk.

README for npm-check-updates

npm-check-updates

npm version Build Status

npm-check-updates upgrades your package.json dependencies to the latest versions, ignoring specified versions.

  • maintains existing semantic versioning policies, i.e. "react": "^17.0.2" to "react": "^18.3.1".
  • only modifies package.json file. Run npm install to update your installed packages and package-lock.json.
  • sensible defaults, but highly customizable
  • compatible with npm, yarn, pnpm, deno, and bun
  • CLI and module usage
  • Pure ESM architecture with dual-build support (ESM/CJS)

⚠️ v21.0.0 Breaking Changes (ESM Migration)

npm-check-updates is now a dual ESM/CJS module. If you use a .ncurc.js config or programmatic imports, please see the ESM Migration Guide in the CHANGELOG for required updates.

example output

$${\color{red}Red}$$ major upgrade (and all major version zero)
$${\color{cyan}Cyan}$$ minor upgrade
$${\color{green}Green}$$ patch upgrade

Requirements

  • Node.js: ^20.19.0 || ^22.12.0 || >=24.0.0
  • npm: >=10.0.0

npm-check-updates v21+ requires modern Node.js and npm versions to support native ESM and Vite 8's Rolldown bundler.

Installation

Install globally to use npm-check-updates or the shorter ncu:

npm install -g npm-check-updates

Or run with npx (only the long form is supported):

npx npm-check-updates

Usage

Check the latest versions of all project dependencies:

$ ncu
Checking package.json
[====================] 5/5 100%

 eslint             7.32.0  →    8.0.0
 prettier           ^2.7.1  →   ^3.0.0
 svelte            ^3.48.0  →  ^3.51.0
 typescript         >3.0.0  →   >4.0.0
 untildify          <4.0.0  →   ^4.0.0
 webpack               4.x  →      5.x

Run ncu -u to upgrade package.json

Upgrade a project's package file:

Make sure your package file is in version control and all changes have been committed. This will overwrite your package file.

$ ncu -u
Upgrading package.json
[====================] 1/1 100%

 express           4.12.x  →   4.13.x

Run npm install to install new versions.

$ npm install      # update installed packages and package-lock.json

Check global packages:

ncu -g

Interactive Mode

Choose which packages to update in interactive mode:

ncu --interactive
ncu -i

ncu --interactive

Combine with --format group for a truly luxe experience:

ncu --interactive --format group

Keys

  • Select a package
  • Space Toggle selection
  • a Toggle all
  • Enter Upgrade

Filter packages

Filter packages using the --filter option or adding additional cli arguments:

# upgrade only mocha
ncu mocha
ncu -f mocha
ncu --filter mocha

# upgrade only chalk, mocha, and react
ncu chalk mocha react
ncu chalk, mocha, react
ncu -f "chalk mocha react"

Filter with wildcards or regex:

# upgrade packages that start with "react-"
ncu react-*
ncu "/^react-.*$/"

Exclude specific packages with the --reject option or prefixing a filter with !. Supports strings, wildcards, globs, comma-or-space-delimited lists, and regex:

# upgrade everything except nodemon
ncu \!nodemon
ncu -x nodemon
ncu --reject nodemon

# upgrade packages that do not start with "react-".
ncu \!react-*
ncu '/^(?!react-).*$/' # mac/linux
ncu "/^(?!react-).*$/" # windows

Advanced filters: filter, filterResults, filterVersion

How dependency updates are determined

  • Direct dependencies are updated to the latest stable version:
    • 2.0.12.2.0
    • 1.21.3
    • 0.1.01.0.1
  • Range operators are preserved and the version is updated:
    • ^1.2.0^2.0.0
    • 1.x2.x
    • >0.2.0>0.3.0
  • "Less than" is replaced with a wildcard:
    • <2.0.0^3.0.0
    • 1.0.0 < 2.0.0^3.0.0
  • "Any version" is preserved:
    • **
  • Prerelease versions are ignored by default.
    • Use --pre to include prerelease versions (e.g. alpha, beta, build1235)
  • Choose what level to upgrade to:
    • With --target semver, update according to your specified semver version ranges:
      • ^1.1.0^1.9.99
    • With --target minor, strictly update the patch and minor versions (including major version zero):
      • 0.1.00.2.1
    • With --target patch, strictly update the patch version (including major version zero):
      • 0.1.00.1.2
    • With --target @next, update to the version published on the next tag:
      • 0.1.0 -> 0.1.1-next.1

Options

Options are merged with the following precedence:

  1. Command line options
  2. Local Config File (current working directory)
  3. Project Config File (next to package.json)
  4. User Config File ($HOME)

Options that take no arguments can be negated by prefixing them with --no-, e.g. --no-peer.

--cacheCache versions to a local cache file. Default --cacheFile is ~/.ncu-cache.json and default --cacheExpiration is 10 minutes.
--cacheClearClear the default cache, or the cache file specified by --cacheFile.
--cacheExpiration <min>Cache expiration in minutes. Only works with --cache. (default: 10)
--cacheFile <path>Filepath for the cache file. Only works with --cache. (default: "~/.ncu-cache.json")
--colorForce color in terminal.
--concurrency <n>Max number of concurrent HTTP requests to registry. (default: 8)
--configFileName <s>Config file name. (default: .ncurc.{json,yml,js,cjs})
--configFilePath <path>Directory of .ncurc config file. (default: directory of packageFile)
-c, --cooldown <period>Sets a minimum age for package versions to be considered for upgrade. Accepts a number (days) or a string with a unit: "7d" (days), "12h" (hours), "30m" (minutes). Reduces the risk of installing newly published, potentially compromised packages.
--cwd <path>Working directory in which npm will be executed.
--deepRun recursively in current working directory. Alias of (--packageFile '**/package.json').
--dep <value>Check one or more sections of dependencies only: dev, optional, peer, prod, or packageManager (comma-delimited). (default: ["prod","dev","optional","packageManager"])
--deprecatedInclude deprecated packages. Use --no-deprecated to exclude deprecated packages (20–25% slower). (default: true)
-d, --doctorIteratively installs upgrades and runs tests to identify breaking upgrades. Requires -u to execute.
--doctorInstall <command>Specifies the install script to use in doctor mode. (default: npm install or the equivalent for your package manager)
--doctorTest <command>Specifies the test script to use in doctor mode. (default: npm test)
--enginesNodeInclude only packages that satisfy engines.node as specified in the package file.
-e, --errorLevel <n>Set the error level. 1: exits with error code 0 if no errors occur. 2: exits with error code 0 if no packages need updating (useful for continuous integration). (default: 1)
-f, --filter <p>Include only package names matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.
filterResults <fn>Filters results based on a user provided predicate function after fetching new versions.
--filterVersion <p>Filter on package version using comma-or-space-delimited list, /regex/, or predicate function.
--format <value>Modify the output formatting or show additional information. Specify one or more comma-delimited values: dep, group, ownerChanged, repo, time, lines, installedVersion. (default: [])
-g, --globalCheck global packages instead of in the current project.
groupFunction <fn>Customize how packages are divided into groups when using --format group.
--install <value>Control the auto-install behavior: always, never, prompt. (default: "prompt")
-i, --interactiveEnable interactive prompts for each dependency; implies -u unless one of the json options are set.
-j, --jsonAllOutput new package file instead of human-readable message.
--jsonDepsLike jsonAll but only lists dependencies, devDependencies, optionalDependencies, etc of the new package data.
--jsonUpgradedOutput upgraded dependencies in json.
-l, --loglevel <n>Amount to log: silent, error, minimal, warn, info, verbose, silly. (default: "warn")
--mergeConfigMerges nested configs with the root config file for --deep or --packageFile options. (default: false)
-m, --minimalDo not upgrade newer versions that are already satisfied by the version range according to semver.
--packageData <value>Package file data (you can also use stdin).
--packageFile <path|glob>Package file(s) location. (default: ./package.json)
-p, --packageManager <s>npm, yarn, pnpm, deno, bun, staticRegistry (default: npm).
--peerCheck peer dependencies of installed packages and filter updates to compatible versions.
--pre <n>Include prerelease versions, e.g. -alpha.0, -beta.5, -rc.2. Automatically set to 1 when --target is newest or greatest, or when the current version is a prerelease. (default: 0)
--prefix <path>Current working directory of npm.
-r, --registry <uri>Specify the registry to use when looking up package versions.
--registryType <type>Specify whether --registry refers to a full npm registry or a simple JSON file or url: npm, json. (default: npm)
-x, --reject <p>Exclude packages matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.
--rejectVersion <p>Exclude package.json versions using comma-or-space-delimited list, /regex/, or predicate function.
--removeRangeRemove version ranges from the final package version.
--retry <n>Number of times to retry failed requests for package info. (default: 3)
--rootRuns updates on the root project in addition to specified workspaces. Only allowed with --workspace or --workspaces. (default: true)
-s, --silentDon't output anything. Alias for --loglevel silent.
--stdinRead package.json from stdin.
-t, --target <value>Determines the version to upgrade to: latest, newest, greatest, minor, patch, semver, @[tag], or [function]. (default: latest)
--timeout <ms>Global timeout in milliseconds. (default: no global timeout and 30 seconds per npm-registry-fetch)
-u, --upgradeOverwrite package file with upgraded versions instead of just outputting to console.
--verboseLog additional information for debugging. Alias for --loglevel verbose.
--workspace <s>Run on one or more specified workspaces. Add --no-root to exclude the root project. (default: [])
-w, --workspacesRun on all workspaces. Add --no-root to exclude the root project.

Advanced Options

Some options have advanced usage, or allow per-package values by specifying a function in your .ncurc.js file.

Run ncu --help [OPTION] to view advanced help for a specific option, or see below:

cooldown

Usage:

ncu --cooldown [period]
ncu -c [period]

The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given amount of time before considering them for upgrade.

The value can be a plain number (days) or a string with a unit suffix:

--cooldown 7       7 days
--cooldown 7d      7 days (same as above)
--cooldown 12h     12 hours
--cooldown 30m     30 minutes

Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.

Example:

Let's examine how cooldown works with a package that has these versions available:

1.0.0          Released 7 days ago    (initial version)
1.1.0          Released 6 days ago    (minor update)
1.1.1          Released 5 days ago    (patch update)
1.2.0          Released 5 days ago    (minor update)
2.0.0-beta.1   Released 5 days ago    (beta release)
1.2.1          Released 4 days ago    (patch update)
1.3.0          Released 4 days ago    (minor update) [latest]
2.0.0-beta.2   Released 3 days ago    (beta release)
2.0.0-beta.3   Released 2 days ago    (beta release) [beta]

With default target (latest):

$ ncu --cooldown 5

No update will be suggested because:

  • Latest version (1.3.0) is only 4 days old.
  • Cooldown requires versions to be at least 5 days old
  • Use --cooldown 4 or lower to allow this update

With @beta/@tag target:

$ ncu --cooldown 3 --target @beta

No update will be suggested because:

  • Current beta (2.0.0-beta.3) is only 2 days old
  • Cooldown requires versions to be at least 3 days old
  • Use --cooldown 2 or lower to allow this update

With other targets:

$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver

Each target will select the best version that is at least 5 days old:

greatest → 1.2.0        (highest version number outside cooldown)
newest   → 2.0.0-beta.1 (most recently published version outside cooldown)
minor    → 1.2.0        (highest minor version outside cooldown)
patch    → 1.1.1        (highest patch version outside cooldown)

Note for latest/tag targets:

:warning: For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default --target latest or --target @tag may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.

You can also provide a custom function in your .ncurc.js file or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Set cooldown to 3 days but skip it for `@my-company` packages.
  @param packageName     The name of the dependency.
  @returns               Cooldown days restriction for given package.
*/
cooldown: packageName => (packageName.startsWith('@my-company') ? 0 : 3)

doctor

Usage:

ncu --doctor -u
ncu --no-doctor
ncu -du

Iteratively installs upgrades and runs your project's tests to identify breaking upgrades. Reverts broken upgrades and updates package.json with working upgrades.

Requires -u to execute (modifies your package file, lock file, and node_modules)

To be more precise:

  1. Runs npm install and npm test to ensure tests are currently passing.
  2. Runs ncu -u to optimistically upgrade all dependencies.
  3. If tests pass, hurray!
  4. If tests fail, restores package file and lock file.
  5. For each dependency, install upgrade and run tests.
  6. Prints broken upgrades with test error.
  7. Saves working upgrades to package.json.

Additional options:

--doctorInstallspecify a custom install script (default: `npm install` or `yarn`)
--doctorTestspecify a custom test script (default: `npm test`)

Example:

$ ncu --doctor -u
Running tests before upgrading
npm install
npm run test
Upgrading all dependencies and re-running tests
ncu -u
npm install
npm run test
Tests failed
Identifying broken dependencies
npm install
npm install --no-save react@16.0.0
npm run test
  ✓ react 15.0.0 → 16.0.0
npm install --no-save react-redux@7.0.0
npm run test
  ✗ react-redux 6.0.0 → 7.0.0

/projects/myproject/test.js:13
  throw new Error('Test failed!')
  ^

npm install --no-save react-dnd@11.1.3
npm run test
  ✓ react-dnd 10.0.0 → 11.1.3
Saving partially upgraded package.json

filter

Usage:

ncu --filter [p]
ncu -f [p]

Include only package names matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function. Only included packages will be checked with --peer.

--filter runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be included, false if it should be excluded.
*/
filter: (name, semver) => {
  if (name.startsWith('@myorg/')) {
    return false
  }
  return true
}

filterResults

Filters results based on a user provided predicate function after fetching new versions.

filterResults runs after new versions are fetched, in contrast to filter, reject, filterVersion, and rejectVersion, which run before. This allows you to exclude upgrades with filterResults based on how the version has changed (e.g. a major version change).

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Exclude major version updates. Note this could also be achieved with --target semver.
  @param {string} packageName               The name of the dependency.
  @param {string} current                   Current version declaration (may be a range).
  @param {SemVer[]} currentVersionSemver    Current version declaration in semantic versioning format (may be a range).
  @param {string} upgraded                  Upgraded version.
  @param {SemVer} upgradedVersionSemver     Upgraded version in semantic versioning format.
  @returns {boolean}                        Return true if the upgrade should be kept; otherwise, it will be ignored.
*/
filterResults: (packageName, { current, currentVersionSemver, upgraded, upgradedVersionSemver }) => {
  const currentMajor = parseInt(currentVersionSemver[0]?.major, 10)
  const upgradedMajor = parseInt(upgradedVersionSemver?.major, 10)
  if (currentMajor && upgradedMajor) {
    return currentMajor >= upgradedMajor
  }
  return true
}

For the SemVer type definition, see: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring

filterVersion

Usage:

ncu --filterVersion [p]

Include only versions matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.

--filterVersion runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions. This function is an alias for the filter option function.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be included, false if it should be excluded.
*/
filterVersion: (name, semver) => {
  if (name.startsWith('@myorg/') && parseInt(semver[0]?.major) > 5) {
    return false
  }
  return true
}

format

Usage:

ncu --format [value]

Modify the output formatting or show additional information. Specify one or more comma-delimited values.

depPrints the dependency type (dev, peer, optional) of each package.
groupGroups packages by major, minor, patch, and major version zero updates.
homepageDisplays links to the package's homepage if specified in its package.json.
installedVersionPrints the exact current version number instead of a range.
linesPrints name@version on separate lines. Useful for piping to npm install.
ownerChangedShows if the package owner has changed.
repoInfers and displays links to the package's source code repository. Requires packages to be installed.
diffDisplay link to compare the changes between package versions.
timeShows the publish time of each upgrade.

groupFunction

Customize how packages are divided into groups when using --format group.

Only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name             The name of the dependency.
  @param defaultGroup     The predefined group name which will be used by default.
  @param currentSpec      The current version range in your package.json.
  @param upgradedSpec     The upgraded version range that will be written to your package.json.
  @param upgradedVersion  The upgraded version number returned by the registry.
  @returns                A predefined group name ('major' | 'minor' | 'patch' | 'majorVersionZero' | 'none') or a custom string to create your own group.
*/
groupFunction: (name, defaultGroup, currentSpec, upgradedSpec, upgradedVersion) => {
  if (name === 'typescript' && defaultGroup === 'minor') {
    return 'major'
  }
  if (name.startsWith('@myorg/')) {
    return 'My Org'
  }
  return defaultGroup
}

install

Usage:

ncu --install [value]

Default: prompt

Control the auto-install behavior.

alwaysRuns your package manager's install command automatically after upgrading.
neverDoes not install and does not prompt.
promptShows a message after upgrading that recommends an install, but does not install. In interactive mode, prompts for install. (default)

packageManager

Usage:

ncu --packageManager [s]
ncu -p [s]

Specifies the package manager to use when looking up versions.

npmSystem-installed npm. Default.
yarnSystem-installed yarn. Automatically used if yarn.lock is present.
pnpmSystem-installed pnpm. Automatically used if pnpm-lock.yaml is present.
bunSystem-installed bun. Automatically used if bun.lock or bun.lockb is present.

peer

Usage:

ncu --peer
ncu --no-peer

Check peer dependencies of installed packages and filter updates to compatible versions.

Example:

The following example demonstrates how --peer works, and how it uses peer dependencies from upgraded modules.

The package ncu-test-peer-update has two versions published:

  • 1.0.0 has peer dependency "ncu-test-return-version": "1.0.x"
  • 1.1.0 has peer dependency "ncu-test-return-version": "1.1.x"

Our test app has the following dependencies:

"ncu-test-peer-update": "1.0.0",
"ncu-test-return-version": "1.0.0"

The latest versions of these packages are:

"ncu-test-peer-update": "1.1.0",
"ncu-test-return-version": "2.0.0"

With --peer:

ncu upgrades packages to the highest version that still adheres to the peer dependency constraints:

ncu-test-peer-update     1.0.0  →  1.1.0
ncu-test-return-version  1.0.0  →  1.1.0

Without --peer:

As a comparison: without using the --peer option, ncu will suggest the latest versions, ignoring peer dependencies:

ncu-test-peer-update     1.0.0  →  1.1.0
ncu-test-return-version  1.0.0  →  2.0.0

registryType

Usage:

ncu --registryType [type]

Specify whether --registry refers to a full npm registry or a simple JSON file.

npmDefault npm registry
jsonChecks versions from a file or url to a simple JSON registry. Must include the `--registry` option.

Example:

// local file
$ ncu --registryType json --registry ./registry.json

// url
$ ncu --registryType json --registry https://api.mydomain/registry.json

// you can omit --registryType when the registry ends in .json
$ ncu --registry ./registry.json
$ ncu --registry https://api.mydomain/registry.json

registry.json:

{
  "prettier": "2.7.1",
  "typescript": "4.7.4"
}

reject

Usage:

ncu --reject [p]
ncu -x [p]

The inverse of --filter. Exclude package names matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function. This will also exclude them from the --peer check.

--reject runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be excluded, false if it should be included.
*/
reject: (name, semver) => {
  if (name.startsWith('@myorg/')) {
    return true
  }
  return false
}

rejectVersion

Usage:

ncu --rejectVersion [p]

The inverse of --filterVersion. Exclude versions matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.

--rejectVersion runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions. This function is an alias for the reject option function.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be excluded, false if it should be included.
*/
rejectVersion: (name, semver) => {
  if (name.startsWith('@myorg/') && parseInt(semver[0]?.major) > 5) {
    return true
  }
  return false
}

target

Usage:

ncu --target [value]
ncu -t [value]

Determines the version to upgrade to. (default: "latest")

greatestUpgrade to the highest version number published, regardless of release date or tag. Includes prereleases.
latestUpgrade to whatever the package's "latest" git tag points to. Excludes prereleases unless --pre is specified.
minorUpgrade to the highest minor version without bumping the major version.
newestUpgrade to the version with the most recent publish date, even if there are other version numbers that are higher. Includes prereleases.
patchUpgrade to the highest patch version without bumping the minor or major versions.
semverUpgrade to the highest version within the semver range specified in your package.json.
@[tag]Upgrade to the version published to a specific tag, e.g. 'next' or 'beta'.

e.g.

ncu --target semver

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

:warning: The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Upgrade major version zero to the next minor version, and everything else to latest.
  @param name     The name of the dependency.
  @param semver   A parsed Semver object of the upgraded version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        One of the valid target values (specified in the table above).
*/
target: (name, semver) => {
  if (parseInt(semver[0]?.major) === '0') return 'minor'
  return 'latest'
}

Config File

Add a .ncurc.{json,yml,js,cjs} file to your project directory to specify configuration information.

For example, .ncurc.json:

{
  "upgrade": true,
  "filter": "svelte",
  "reject": ["@types/estree", "ts-node"]
}

Options are merged with the following precedence:

  1. Command line options
  2. Local Config File (current working directory)
  3. Project Config File (next to package.json)
  4. User Config File ($HOME)

You can also specify a custom config file name or path using the --configFileName or --configFilePath command line options.

Config Functions

Some options offer more advanced configuration using a function definition. These include filter, filterVersion, filterResults, reject, rejectVersion, and groupFunction. To define these, use a JavaScript-based configuration file.

ESM (Recommended)

Rename your config to .ncurc.js (if using "type": "module") or .ncurc.mjs.

import { defineConfig } from 'npm-check-updates'

export default defineConfig({
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
})

CommonJS

Use the .ncurc.cjs extension or a standard .ncurc.js file (if useing "type": "commonjs").

const { defineConfig } = require('npm-check-updates')

module.exports = defineConfig({
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
})

Alternatively, if you prefer not to use the helper, you can use JSDoc for IntelliSense:

ESM (JSDoc)

/** @type {import('npm-check-updates').RcOptions} */
export default {
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
}

CommonJS (JSDoc)

/** @type {import('npm-check-updates').RcOptions} */
module.exports = {
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
}

JSON Schema

If you write .ncurc config files using json or yaml, you can add the JSON Schema to your IDE settings for completions.

e.g. for VS Code:

  "json.schemas": [
    {
      "fileMatch": [
        ".ncurc",
        ".ncurc.json",
      ],
      "url": "https://raw.githubusercontent.com/raineorshine/npm-check-updates/main/src/types/RunOptions.json"
    }
  ],
  "yaml.schemas": {
    "https://raw.githubusercontent.com/raineorshine/npm-check-updates/main/src/types/RunOptions.json": [
        ".ncurc.yml",
    ]
  },

Module/Programmatic Usage

npm-check-updates can be imported as a module in both ESM and CommonJS environments.

ESM (Recommended)

Use this for modern projects using "type": "module" in package.json or .mjs files.

import * as ncu from 'npm-check-updates'

const upgraded = await ncu.run({
  // Pass any cli option
  packageFile: '../package.json',
  upgrade: true,
  // Defaults:
  // jsonUpgraded: true,
  // silent: true,
})

console.log(upgraded) // { "mypackage": "^2.0.0", ... }

CommonJS

Use this for legacy projects using "type": "commonjs" or scripts using the .cjs extension.

const ncu = require('npm-check-updates')

// Since ncu.run() is an async function
ncu
  .run({
    packageFile: './package.json',
    upgrade: true,
  })
  .then(upgraded => {
    console.log(upgraded)
  })

Contributing

Contributions are happily accepted. I respond to all PR's and can offer guidance on where to make changes. For contributing tips see CONTRIBUTING.md.

Problems?

File an issue. Please search existing issues first.

npm-compare.com is an independent website designed to help developers choose the most suitable npm packages. We are not affiliated with npm, Inc, the official website for the npm registry. Note that npm is a registered trademark of npm, Inc. Please share your feedback via our GitHub repository. For more details, please refer to our Terms & Privacy.