How to keep your NPM dependencies up to date?

August 17, 2016

After we install NPM dependencies, we tend not to follow their new versions. After some months, we realize that the project is completely outdated and needs to be upgraded. The problem is that many dependencies contain breaking changes, so upgrading becomes a real pain.

To avoid this kind of problem, updating regularly is important. And rather than checking the version of each dependency yourself, you can use one of the many solutions described here:

npm-check-updates

Currently in version 2.8.0, this NPM package can be used directly from the command line if you install it globally. You just have to type the ncu command in the root of your project, and npm-check-updates will check for you whether more recent versions exist for the NPM dependencies defined in your package.json. It's probably the simplest solution of all. (The official NPM page: npm-check-updates)

Note: despite being a global command usable in any project, I don't advise installing it globally, nor any other NPM package for that matter. Installing globally forces you to use the same version of the NPM package in all your local projects, even though different projects may depend on different versions.
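To make the check concrete, here is an added example (not code from the original post, nor from npm-check-updates itself) of the comparison ncu performs: it reads the versions pinned in package.json, compares them numerically with the newest published version of each dependency, and flags which upgrades cross a major version, the ones most likely to carry breaking changes. The package.json and the registry snapshot are constructed for the demo; a real run would fetch the "latest" tag from the registry. Kept as a local script (for instance under `scripts` in package.json) it follows the note above: each project pins its own copy.

```javascript
// Added example, not code from the original post or from npm-check-updates:
// a minimal version of the check ncu performs. The package.json and the
// registry snapshot below are constructed for the demo.

const demoPackage = {
  dependencies: {
    express: '^4.13.0',
    lodash: '3.10.1',
    request: 'github:request/request', // git dependency: no version to compare
  },
  devDependencies: {
    mocha: '~2.5.0',
  },
};

// Constructed "latest" versions, standing in for a registry lookup.
const demoRegistry = {
  express: '4.14.0',
  lodash: '4.15.0',
  mocha: '3.0.2',
};

// Parse "1.2.3", "^1.2.3" or "~1.2.3" into numbers; anything else is not comparable.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison, major first (a string compare would say "10.0.0" < "9.0.0").
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Which part of the version changes between the pinned spec and the latest release.
function bumpType(current, latest) {
  if (current.major !== latest.major) return 'major';
  if (current.minor !== latest.minor) return 'minor';
  if (current.patch !== latest.patch) return 'patch';
  return 'none';
}

// Walk dependencies and devDependencies and report what is behind the registry.
function findOutdated(pkg, registryLatest) {
  const report = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const current = parseVersion(spec);
      const latestSpec = registryLatest[name];
      const latest = latestSpec ? parseVersion(latestSpec) : null;
      if (!current || !latest) {
        // Git URLs, tags and unknown packages cannot be compared: say so rather than stay silent.
        report.push({ name, section, spec, status: 'skipped' });
        continue;
      }
      if (compareVersions(current, latest) >= 0) continue; // already current
      report.push({ name, section, spec, latest: latestSpec, bump: bumpType(current, latest), status: 'outdated' });
    }
  }
  return report;
}

// Render the report the way a CLI would, majors first so breaking changes stand out.
function formatReport(report) {
  const order = { major: 0, minor: 1, patch: 2 };
  return report
    .filter((r) => r.status === 'outdated')
    .sort((a, b) => order[a.bump] - order[b.bump])
    .map((r) => `${r.name.padEnd(12)} ${r.spec.padEnd(10)} -> ${r.latest.padEnd(8)} (${r.bump}, ${r.section})`);
}

const demoReport = findOutdated(demoPackage, demoRegistry);
console.log(formatReport(demoReport).join('\n'));
const notCompared = demoReport.filter((r) => r.status === 'skipped').map((r) => r.name);
if (notCompared.length) console.log(`not compared: ${notCompared.join(', ')}`);
```

The major/minor/patch split is the useful part: a major bump (lodash 3 to 4 in the demo) is the one to read the changelog for before touching anything, while minor and patch bumps are usually safe to batch. Dependencies that are not plain versions (git URLs, tags) are listed as skipped instead of disappearing from the report.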

updtr

Updtr looks like ncu but runs the tests after each upgrade attempt. In fact, updtr will try to replace the current version of each dependency with the latest one and will execute the tests after each try. If the tests fail, it will roll back the upgrade and continue to the end. This is very useful, because when you use a tool like ncu you have no idea whether your project will keep working after upgrading. Here, updtr checks with your automated tests, so it is your job to ensure that « npm test » (the default command to run the tests) runs correctly and covers the whole test suite.
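The loop described above, as an added example that is not updtr's own code: upgrade one dependency, run the tests, keep the new version if they pass and roll back if they fail. The two npm adapters issue the real commands (`npm install <name>@<version> --save-exact` and `npm test`); the core loop takes them as parameters so the demo at the bottom can run against a constructed in-memory project without touching node_modules or the network. The fake project, its versions and the "breaks on" rule are assumptions made for the demo.

```javascript
// Added example, not updtr's own code: the upgrade / test / roll back loop.

// Install an exact version. Arguments are passed as an array (no shell), so a
// package name or version read from package.json is never parsed as shell syntax.
function npmInstallExact(name, version) {
  const { execFileSync } = require('child_process');
  execFileSync('npm', ['install', `${name}@${version}`, '--save-exact'], { stdio: 'inherit' });
}

// Run "npm test"; a non-zero exit code makes execFileSync throw, which maps to false.
function npmTest() {
  const { execFileSync } = require('child_process');
  try {
    execFileSync('npm', ['test'], { stdio: 'inherit' });
    return true;
  } catch (err) {
    return false;
  }
}

// candidates: [{ name, from, to }] as produced by a version check.
// install(name, version) and test() are injected; pass npmInstallExact and
// npmTest for a real run, or the fake project's functions for a dry run.
function upgradeWithTests(candidates, install, test) {
  const results = [];
  for (const c of candidates) {
    install(c.name, c.to);
    if (test()) {
      results.push({ name: c.name, version: c.to, kept: true });
    } else {
      install(c.name, c.from); // roll back to the last version known to pass
      results.push({ name: c.name, version: c.from, kept: false });
    }
  }
  return results;
}

// Constructed fake project: "installed" versions plus the versions that would
// make its test suite fail (e.g. code still calling a method removed in a new major).
function makeFakeProject(installed, breaksOn) {
  const state = Object.assign({}, installed);
  return {
    state,
    install: (name, version) => { state[name] = version; },
    test: () => !Object.keys(state).some((n) => breaksOn[n] === state[n]),
  };
}

// Demo on constructed data: the lodash major breaks the project, the others pass.
function runDemo() {
  const project = makeFakeProject(
    { lodash: '3.10.1', express: '4.13.0', mocha: '2.5.0' },
    { lodash: '4.15.0' }
  );
  const candidates = [
    { name: 'lodash', from: '3.10.1', to: '4.15.0' },
    { name: 'express', from: '4.13.0', to: '4.14.0' },
    { name: 'mocha', from: '2.5.0', to: '3.0.2' },
  ];
  const results = upgradeWithTests(candidates, project.install, project.test);
  return { results, state: project.state };
}

const demo = runDemo();
for (const r of demo.results) {
  console.log(`${r.name}: ${r.kept ? 'upgraded to' : 'rolled back to'} ${r.version}`);
}
```

Two caveats follow directly from the loop: it upgrades one dependency at a time, so a combination that only breaks when two packages move together is not detected, and a green run only means the tests that exist still pass, which is why the post insists that « npm test » must actually cover the project.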

next-update

next-update is the most complete tool suite. It does not only check whether it can install newer versions of NPM dependencies while the tests still pass. It can also watch many GitHub repositories (like Greenkeeper, which we will see in a moment) thanks to next-updater, check whether your code is going to break everyone who depends on it with dont-break, and retrieve the commit messages between two versions of an NPM package with changed-log.

Each tool is usable separately. This suite can be really useful for a company heavily using NodeJS and NPM, because you can check the interactions between all of your NPM packages and understand the impact of an upgrade.

Greenkeeper

Greenkeeper is different from the others because it is more a Software as a Service (aka SaaS) than a local tool. The first step to use Greenkeeper is to connect it to your GitHub account; then you have to choose one or more repositories (depending on the price plan you choose) that you want Greenkeeper to watch. And that's all. From this point, the Greenkeeper bot will watch the selected repositories and offer to upgrade the packages by sending you pull requests! These pull requests look like this:

[Screenshot: Greenkeeper bot's pull requests]

It is up to you to merge the pull request or not. As Greenkeeper recommends on its main page, it is better to have a Continuous Integration service to run the automated tests against the pull requests (like TravisCI or Codeship). Anyway, if you want to check by yourself, or make some modifications to the upgrade, feel free to check out the pull request's branch and update it before merging. This solution is greatly appreciated by many big open source projects like Lodash, Request, or Modernizr. One con: you need a GitHub repository, public or private, on github.com or on GitHub Enterprise.

Conclusion

I don't advise you to use npm-check-updates, because it doesn't take into account the automated tests present in your project. The simplest and most efficient solutions remain, for me, updtr or next-update, except that next-update will be more interesting in a real enterprise context where you have to deal with your own enterprise NPM dependencies. If you are looking for something which works with GitHub, and you already have a Continuous Integration service, Greenkeeper can be the best solution.

By Mathieu Breton, CTO Js-Republic


15 Comments

Florent Le Gall
17 August 2016, 22:43

Hi Mathieu!

Nice tools !
Do they work as well with dev dependencies and do they play nicely with npm shrinkwrap ?

We use npm shrinkwrap to lock the indirect dependencies (even the dev ones, as those have been very flaky in the past: « yes Babel 6, I'm looking at you! »)…

Regards,

Florent

Mathieu Breton
17 August 2016, 23:15

Hi Florent :),
I use Greenkeeper actually on the JS-Republic website and it works well with the dev dependencies. Updtr runs like a charm too on another project.
I don’t use the Shrinkwrap because I prefer to use exact versions in my package.json.

See you !
Mathieu

Florent Le Gall
18 August 2016, 11:31

Nice!

We do the same using the exact versions, but shrinkwrap also locks the indirect dependencies (ie: the dependencies of dependencies).

Florent


What about npm-check https://www.npmjs.com/package/npm-check ? It seems to be better than some of the others you mentioned, and has a better console UI. It has a -u option that displays all semantic differences and a selection method to select which packages to update, and more.

Mathieu Breton
18 August 2016, 18:04

Hi Scott,
I didn’t know npm-check but it seems very nice. I will try it and surely edit the article.
Thanks a lot for your feedback !


Hi, I’m the author of npm-check. Thanks for suggesting it!


Author of next-update here,
Thanks for including the tool and good comparison!

One more thing – next-update anonymously collects update stats for public packages and can show you the likelihood of successful upgrade from version X to Y.


Another solution is https://www.versioneye.com. It's also a SaaS tool like greenkeeper.io, but it isn't a full replacement for greenkeeper because it's not auto-updating your dependencies yet. VersionEye can monitor different Git providers and notifies you about outdated dependencies, security vulnerabilities and license violations. It's fully open source, you can run it on your own hardware if you like, and it works well together with 13 package managers.

I've been working on VersionEye for a couple of years.


NCU with ghook could be powerful. We should control our own tools as much as possible. There’s no telling how long these other services will be around. That said there’s little point in updating your dependencies for the sake of staying up-to-date. Update them when you need a feature they provide or if there’s a security vulnerability. Otherwise you’re just creating more work.

Also, I tried Greenkeeper for a year before learning about NCU and found it quite noisy.

Mathieu Breton
18 August 2016, 21:43

Hi Josh,
I get your point, but I don't agree with you about staying up to date. It isn't only a matter of security or features. I will take Ember.js as an example: during the transition from version 1.5 to version 2, each major version deprecated a small piece of their API, to finally remove all the deprecated methods in V2. In fact, we didn't get more functionalities by migrating from 1.5 to 1.X; nevertheless, making the updates each time was easier than making a big bang to go to version 2.

“Links is the ultimate pervert art. It doesn't give you what you desire - it tells you how to desire.” - Slavoj Žižek - Magnus Udbjørg
21 August 2016, 22:36

[…] How To Keep His Npm Dependencies Up-to-date ? – Js-republic’s Blog […]

Front-end Development Technology Weekly 20160822 - IT知识圈
22 August 2016, 05:52

[…] TO KEEP HIS NPM DEPENDENCIES UP-TO-DATE http://blog.js-republic.com/keep-npm-dependencies-up-to-date/ After we have installed NPM dependencies, we don’t take care of their new versions. After some […]

Weekly notes 11 – Rule of Tech
28 September 2016, 09:01

[…] How to keep your NPM dependencies up-to-date “Tools for helping you keep your npm dependencies up-to-date. See the comments for more tools.” Uptr worked nicely for my use case. (from @jpaakko) […]


Great tools! There is another solution with a different approach, https://uptodatenpm.com : it sends you a weekly newsletter with information on new versions of your project's dependencies so that you can decide which deps to update.
