Updating your npm packages to their latest version

In any Node.js project, you will want to update your package dependencies often. The process is simple and takes minimal effort. It is important to verify any updates with some QA; automated tests (using a test framework and/or a CI tool) come in handy for live environments.

Let’s start with the simplest command, which updates all out-of-date packages according to package.json and is the default way to update packages.

npm update

Before updating the packages, you might want to know which packages are outdated. To get this information, use the command below:

npm outdated

My preferred way is to use the npm-check-updates (ncu) module. This package lets you easily upgrade package.json dependencies to the latest versions of the modules regardless of version constraints.

How does ncu update these packages?

ncu updates the version numbers in the package.json file based on the latest information sourced from npm. Running npm install or npm update then upgrades the installed packages.

To proceed with this method, below are a few commands to help in the upgrade process.

Let’s start by installing the package globally, after which it can be accessed as ncu:

npm install -g npm-check-updates

#if using ubuntu
sudo npm install -g npm-check-updates

Next, let us look at the options this command offers:

ncu --help

Usage: ncu [options] [filter]
[filter] is a list or regex of package names to check (all others will be ignored).
-h, --help                   output usage information
-V, --version                output the version number
-d, --dev                    check only devDependencies
-e, --error-level <n>        set the error-level.
                                1: exits with error code 0 if no errors occur.
                                2: exits with error code 0 if no packages need
                                updating (useful for continuous integration). Default is 1.
-g, --global                 check global packages instead of in the current project
-j, --jsonAll                output new package file instead of human-readable message
--jsonUpgraded               output upgraded dependencies in json
-l, --loglevel <n>           what level of logs to report: silent, error, warn,
                                info, verbose, silly (default: warn)
-m, --packageManager <name>  npm (default) or bower
-o, --optional               check only optionalDependencies
--packageData                include stringified package file (use stdin instead)
--packageFile <filename>     package file location (default: ./package.json)
-p, --prod                   check only dependencies (not devDependencies)
-r, --registry <url>         specify third-party npm registry
-s, --silent                 dont output anything (--loglevel silent)
-t, --greatest               find the highest versions available instead of the
                                latest stable versions
-u, --upgrade                overwrite package file
-a, --upgradeAll             include even those dependencies whose latest version
                                satisfies the declared semver dependency

Now let’s see how these commands compare

1. Checking for Possible Updates

To check for packages that have updates:

Detecting with npm

$ npm outdated

# Output of command
Package                Current   Wanted   Latest  Location
axios                   0.19.0   0.19.2   0.19.2  cra-test
react                  16.12.0  16.13.1  16.13.1  cra-test

Detecting with ncu

$ ncu

# Output of command
 axios                   ^0.19.0  →   ^0.19.2
 react-dom              ^16.12.0  →  ^16.13.1

2. Strict vs. Non-Strict versioned updates

Semantic Versioning, otherwise known as semver, has become a core part of Node.js software development. Thanks to npm, semver is embedded in the way we publish and link packages together to form simple libraries or complex applications.

We can either allow strict versioned updates (based on the npm semver constraints) or non-strict versioned updates (updating regardless of semver constraints).
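How a caret range in package.json produces the Wanted and Latest columns of npm outdated, as an added example (not code from npm or ncu). It handles plain x.y.z versions only and assumes the latest tag points at the highest published version; the function names are hypothetical and the version lists are constructed.

```javascript
// Added example: simplified semver handling (plain x.y.z, no pre-release tags).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, component by component (string sort would put 0.9.0 after 0.19.0).
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret rule: the left-most non-zero component must not change.
// ^16.12.0 -> <17.0.0, ^0.19.0 -> <0.20.0, ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const [major, minor, patch] = parse(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, '');
  return compare(version, base) >= 0 &&
         compare(version, caretUpperBound(base)) < 0;
}

// Wanted: highest published version inside the declared range (strict update).
// Latest: highest published version overall (what a non-strict update targets).
function outdatedRow(range, published) {
  const sorted = [...published].sort(compare);
  const inRange = sorted.filter((v) => satisfiesCaret(v, range));
  return {
    wanted: inRange.length ? inRange[inRange.length - 1] : null,
    latest: sorted[sorted.length - 1],
  };
}

// Constructed version lists for illustration.
const axiosVersions = ['0.18.1', '0.19.0', '0.19.1', '0.19.2', '0.20.0'];
const reactVersions = ['16.12.0', '16.13.0', '16.13.1', '17.0.0'];

console.log(outdatedRow('^0.19.0', axiosVersions));
console.log(outdatedRow('^16.12.0', reactVersions));
```

For a 0.x package the caret range stops at the next minor version, so a strict update never crosses from 0.19.x to 0.20.0 even though that looks like a minor bump.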

Strict versioned updates with npm

$ npm update

# Output of command
Package                Current   Wanted   Latest  Location
axios                   0.19.2   0.19.2   0.19.2  cra-test
react                  16.13.1  16.13.1  16.13.1  cra-test

Non-Strict versioned updates using ncu

$ ncu --upgrade axios

# Output of command
 axios                   ^0.19.0  →   ^0.19.2

Note: This command will update the package.json semver range for the axios package. It is also important to note that the ncu tool maintains your existing semantic versioning policies, e.g. “allow only minor upgrades”, when updating package.json. That is why you see the patch update above, and updates will extend up to 0.x.x.

Below is an example that shows the semantic versioning policy applied by the ncu tool.

$ npm outdated

# Output of command
Package                Current   Wanted   Latest  Location
react                  15.5.0  16.13.1  16.13.1  cra-test

Using the non-strict update with our versioning policy limits the update of react-dom to the minor version (as seen below) rather than the latest version (as seen above).

$ ncu --upgrade react-dom

# Output of command
 react-dom              ^15.5.0  →  ^15.6.2

Bonus – Additional helpful commands

ncu commands

1. To upgrade all packages within the app

$ ncu --upgradeAll
$ npm install

2. Filtering

$ ncu --upgrade /^react-/

3. To check only “dependencies” packages and not “devDependencies” packages

$ ncu -p

npm commands

1. To check for issues with package dependencies

$ npm audit

2. To fix package dependency issues if possible

$ npm audit fix
