How to keep your NPM dependencies up-to-date?
Once NPM dependencies are installed, we tend to stop paying attention to their new versions. A few months later we realize that the project is completely outdated and has to be upgraded, and by then many dependencies carry breaking changes, so the upgrade becomes a real pain.
To avoid this kind of problem, updating regularly is important. Rather than checking each dependency's version by hand, you can use one of the solutions described here:
npm-check-updates
Currently at version 2.8.0, this NPM package can be used directly from the command line once it is installed. Run the ncu command at the root of your project and npm-check-updates checks whether more recent versions exist for the NPM dependencies declared in your package.json (ncu -u rewrites package.json with those versions). It is probably the simplest solution of all. (The official NPM page: npm-check-updates)
Note: although it is a global command usable in any project, I don't advise installing it globally, nor any other NPM package for that matter. A global install forces you to use the same version of the tool in all your local projects, whereas different projects may depend on different versions. Install it as a devDependency and run it from ./node_modules/.bin instead.
updtr
updtr looks like ncu but runs the tests after each upgrade attempt. For each dependency, updtr tries to replace the current version with the latest one and then executes the tests. If the tests fail, it rolls back that upgrade and continues with the next dependency. This is very useful, because with a tool like ncu you have no idea whether your project will still work after upgrading. Here updtr checks with your automated tests, so it is your job to ensure that « npm test » (the default command used to run them) works and actually exercises the project: a green run only proves what the suite covers.
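The loop updtr runs can be sketched in a few lines of POSIX shell. This is an added example written for this page, not updtr's own code: the function names, the backup-file names and the optional INSTALL_CMD/TEST_CMD parameters are assumptions made here so the loop can be exercised without touching a registry; the defaults are plain npm commands.

```sh
#!/bin/sh
# Test-gated upgrade loop (added example, not updtr's own code).
# For each package named on the command line: back up the manifest,
# install the latest version pinned exactly, run the test suite, and
# roll the manifest back if the tests fail.

# Copy package.json (and package-lock.json, if present) aside.
backup_manifests() {
  cp package.json package.json.bak
  if [ -f package-lock.json ]; then cp package-lock.json package-lock.json.bak; fi
}

# Put the saved copies back, discarding whatever the upgrade changed.
restore_manifests() {
  mv package.json.bak package.json
  if [ -f package-lock.json.bak ]; then mv package-lock.json.bak package-lock.json; fi
}

# Discard the backups once an upgrade has been accepted.
drop_backups() {
  rm -f package.json.bak package-lock.json.bak
}

# try_upgrade PKG [INSTALL_CMD] [TEST_CMD]
# INSTALL_CMD and TEST_CMD default to npm; they are parameters only so the
# loop can be exercised without a registry (hypothetical, not an updtr flag).
# Returns 0 if the upgrade was kept, 1 if it was rolled back.
try_upgrade() {
  pkg=$1
  install_cmd="${2:-npm install --save-exact $pkg@latest}"
  test_cmd="${3:-npm test}"

  backup_manifests
  if eval "$install_cmd" && eval "$test_cmd"; then
    drop_backups
    echo "kept:        $pkg"
    return 0
  fi
  restore_manifests
  echo "rolled back: $pkg"
  return 1
}

# Usage: sh upgrade-loop.sh lodash express
# Each package is tried independently; one failure does not stop the loop.
for pkg in "$@"; do
  try_upgrade "$pkg" || true
done
```

Two things the loop does not do for you: after a rollback, node_modules still holds whatever npm installed, so run npm install again against the restored manifest before the next attempt; and npm runs any install-time lifecycle scripts of whatever version "latest" resolves to, so pass --ignore-scripts in INSTALL_CMD for packages that do not need them.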
next-update
next-update is the most complete tool suite. It does not only check whether newer versions of NPM dependencies can be installed while the tests still pass. It can also watch many GitHub repositories (like Greenkeeper, which we will see in a moment) thanks to next-updater, check whether your code is going to break everyone who depends on it with dont-break, and retrieve the commit messages between two versions of an NPM package with changed-log.
Each tool is usable separately. This suite can be really useful for a company relying heavily on NodeJS and NPM, because you can check the interactions between all of your NPM packages and understand the impact of an upgrade.
Greenkeeper
Greenkeeper differs from the others because it is more Software as a Service (SaaS) than a local tool. The first step is to connect it to your GitHub account, then choose one or more repositories (depending on the price plan you pick) that you want Greenkeeper to watch. That's all. From this point, the Greenkeeper bot watches the selected repositories and offers upgrades by sending you pull requests.
It is up to you to merge the pull request or not. As Greenkeeper recommends on its main page, it is better to have a Continuous Integration service (like TravisCI or Codeship) run the automated tests against the pull requests. In any case, if you want to check for yourself or adjust the upgrade, feel free to check out the pull request's branch and update it before merging. This solution is widely used by big open-source projects like Lodash, Request, or Modernizr. One drawback: you need a GitHub repository, public or private, on github.com or GitHub Enterprise.
Conclusion
I don't advise using npm-check-updates on its own, because it does not take the automated tests present in your project into account. The simplest and most efficient solutions for me remain updtr or next-update; next-update is more interesting in a real enterprise context where you have to deal with your own enterprise NPM packages. If you are looking for something that works with GitHub and you already have a Continuous Integration service, Greenkeeper can be the best solution. Whichever tool you pick, a passing test suite only shows that the upgrade did not break what the tests cover; read the changelog of what you are about to merge before merging it.
By Mathieu Breton, CTO Js-Republic
15 Comments
Hi Mathieu!
Nice tools!
Do they work as well with dev dependencies, and do they play nicely with npm shrinkwrap?
We use npm shrinkwrap to lock the indirect dependencies (even the dev ones, as those have been very flaky in the past; "yes Babel 6, I'm looking at you!")...
Regards,
Florent
Hi Florent :),
I actually use Greenkeeper on the JS-Republic website and it works well with the dev dependencies. updtr runs like a charm too on another project.
I don't use shrinkwrap because I prefer to use exact versions in my package.json.
See you!
Mathieu
Nice!
We do the same using the exact versions, but shrinkwrap also locks the indirect dependencies (ie: the dependencies of dependencies).
Florent
What about npm-check https://www.npmjs.com/package/npm-check? It seems to be better than some of the others you mentioned, with a better console UI. It has a -u option that displays all semantic differences and a selection method to pick which packages to update, and more.
Hi Scott,
I didn’t know npm-check but it seems very nice. I will try it and surely edit the article.
Thanks a lot for your feedback!
Hi, I’m the author of npm-check. Thanks for suggesting it!
Author of next-update here,
Thanks for including the tool and good comparison!
One more thing – next-update anonymously collects update stats for public packages and can show you the likelihood of successful upgrade from version X to Y.
Another solution is https://www.versioneye.com. It's also a SaaS tool like greenkeeper.io, but it isn't a full replacement for Greenkeeper because it doesn't auto-update your dependencies yet. VersionEye can monitor different Git providers and notifies you about outdated dependencies, security vulnerabilities and license violations. It's fully open source, you can run it on your own hardware if you like, and it works with 13 package managers.
I've been working on VersionEye for a couple of years.
NCU with ghook could be powerful. We should control our own tools as much as possible. There’s no telling how long these other services will be around. That said there’s little point in updating your dependencies for the sake of staying up-to-date. Update them when you need a feature they provide or if there’s a security vulnerability. Otherwise you’re just creating more work.
Also, I tried Greenkeeper for a year before learning about NCU and found it quite noisy.
Hi Josh,
I get your point, but I don't agree with you about staying up-to-date. It isn't only a matter of security or features. Take Ember.js for example: during the transition from version 1.5 to version 2, each major version deprecated a small piece of the API, to finally remove all the deprecated methods in v2. In fact, we didn't gain any more functionality by migrating from 1.5 to 1.x; nevertheless, making the updates each time was easier than doing a big-bang migration to version 2.
A few other similar tools:
https://github.com/skratchdot/npm-dview
https://david-dm.org/
Great tools! There is another solution with a different approach, https://uptodatenpm.com: it sends you a weekly newsletter with information on new versions of your project's dependencies so that you can decide which deps to update.