th0r / npm-upgrade Goto Github PK

View Code? Open in Web Editor NEW

339.0 7.0 29.0 749 KB

Interactive CLI utility to easily update outdated NPM dependencies

License: MIT License

JavaScript 100.00%

npm update upgrade outdated packages interactive cli changelog deps

npm-upgrade's People

Contributors

Stargazers

Watchers

npm-upgrade's Issues

Ignore list doesn't work with maping react to preact

I have a project with Next.js and Preact and I have to map react to preact in package.json like:
"react": "npm:@preact/[email protected]"

When I add it to .npm-upgrade.json to be ignored, even when I use "*" in "versions" npm-upgrade doesn't see it and proposes to install a newer version.

.npm-upgrade.json

{
  "ignore": {
    "react": {
      "versions": "*",
      "reason": "version 17.0.3 breaks Next.js"
    }
}

I tried multiple combinations with provided "versions" and none of them work.

Babel Changelog URL ist outdated

Babel Upgrades point to the old Changelog: https://github.com/babel/babel/blob/master/CHANGELOG.md
This is the new one: https://github.com/babel/babel/blob/main/CHANGELOG.md

The branch name changed from master to main.

Setting Repository

Would it be possible to enable setting a repository flag (like npm)?

I am currently using a private repo that does not support npm update (thx nexus).

And therefore usually switch to the official npm repo for that.

Could you put that functionality into npm-upgrade?

Cannot find changelog for `@nrwl/nx-cloud`

Just want to file the issue as the log asks for - but it was no problem 🙂
Great Tool 👍

? Update "@nrwl/nx-cloud" in package.json from 14.2.0 to 14.3.0? Show changelog
Trying to find changelog URL...                                                
Sorry, we haven't found any changelog URL for @nrwl/nx-cloud module.                                    
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!

peerDependency version messes up devDependency version update

In my package I specify a peer dependency to a React version:

{
    "peerDependencies": {
        "react": ">=16.3"
    }
}

For development I've also installed React as a dev dependency:

{
    "devDependencies": {
        "react": "16.11.0"
    }
}

Now, when I run npm-upgrade it suggest bumping the devDependencies React to >=16.12 instead of 16.12.0.

In my opinion, it should always respect the scheme of the version to be bumped, instead of in this case using the scheme from peerDependencies.

No arrow key moves

I tried npm-upgrade

the arrow it doesn't move but I can hit enter for Yes.

I tried on Win64bit using Cygwin

[Feature] To help prevent downloading hijacked or broken packages, warn if the package has been released less than 72 hours ago.

Recently the ecosystem is getting quite a lot of packages hijacked.
One way I try to prevent using those packages is not updating to any version released less than 72 hours ago, which is time enough for the maintainers of any big package to realize what's up and unpublish the contaminated version on npm.

This could be also very useful for people that like to download only versions that have already passed the "real world smoke test".

I propose that on the update prompt, you warn if the package was released less than 72 (blue), 48 (yellow) or 24 (red) hours ago.

Can't find changelog for fastly

Fastly npm
Fastly changelog

% npm-upgrade --version
3.1.0
% npm-upgrade fastly 
Checking for outdated production, optional, development, peer and bundled dependencies filtered with fastly for "xxxx/package.json"...
[====================] 85/85 100%

New versions of active modules available:

  fastly   ^3.3.1   →   ^4.2.2 

? Update "fastly" in package.json from ^3.3.1 to ^4.2.2? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for fastly module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!

Only one dependency block updated

Thanks for this great tool!

I'm using dependencies, peerDependencies and devDependencies in my project. Whenever I have one module in more than one of the dependency blocks, it is updated only in the first block. Could you please add an option, so I can update dependencies in all blocks simultaneously?

It does not actually update the package, just the package.json

When I run the latest version it finds the two that need updating and on each one I select yes. It says yes in the console output. Nothing happens and then the package json prompt comes up and a "Y" here does change the file. I am using node v4, npm 3, and npm-upgrade 0.6.1.

Also,

I find that npm upgrade fails often especially node-gyp stuff. So, can there be an option to uninstall and install instead of upgrade. Thanks

Repository assets

add support for time out option

Hello,

Could you please add support for a timeout option such as ncu --timeout 100000

Do not print package.json in the end

I’ve never used this feature but often I want to check versions of updated packages before and after. So a short summary would be more useful in my opinion.

I think something like this would be more useful:

These packages will be updated:

  jss                        ^9.3.3   →    ^9.4.0
  jss-default-unit           ^8.0.0   →    ^8.0.2
  q-i                        ^1.2.0   →    ^2.0.0
  babel-jest                ^21.2.0   →   ^22.0.3

? Update packages?
❯ Yes
  No
  Show package.json

What do you think?

Use same indentation as original package.json

The projects I'm working on use 4 space indentation for package.json, using npm-upgrade on these files will result in a package.json with 2 space indentation.

Would you be interested in a PR implementing detect-indent to fix this annoyance?

Blah!

Exception when using npm-upgrade : TypeError: Invalid Version: undefined

see:

PS D:\csharp\git\github\common\astexplorer\website> npm-upgrade
Checking for outdated production, optional, development, peer and bundled dependencies for "D:\csharp\git\github\common\astexplorer\website\package.json"...
[====================] 160/160 100%
TypeError: Invalid Version: undefined
    at new SemVer (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\classes\semver.js:38:13)
    at outside (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\ranges\outside.js:12:13)
    at Object.ltr (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\ranges\ltr.js:3:42)
    at isUpgradeable (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:120:17)
    at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:65:67
    at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:13658:16
    at basePickBy (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:3825:13)
    at Function.pickBy (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:13657:14)
    at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:4430:28
    at arrayReduce (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:697:21)
    at baseWrapperValue (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:4429:14)
    at LodashWrapper.wrapperValue (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:9114:14)
    at Object.upgradeDependencies (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:73:6)
    at Object.<anonymous> (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\lib\commands\check.js:154:51)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
PS D:\csharp\git\github\common\astexplorer\website>

Update lock file after update

After running

npx npm-upgrade

running

npm ci

fails as the lock file is out-of-date (storybook dependency example)

npm ERR! Invalid: lock file's @[email protected] does not satisfy @storybook@^5.0.5

To rectify this one must either install the modules with those versions, negating the reason to use this package, or use the default npm i which will update to the latest minor versions, but this not ideal as this will also update many other packages.

Please consider updating the lock file after a package has been upgraded?

Differences between npm-check-updates?

https://github.com/tjunnone/npm-check-updates

Cant find changelog URL for eslint-plugin-jsdoc

? Update "eslint-plugin-jsdoc" in package.json from ^22.0.1 to ^22.1.0? Show changelog Trying to find changelog URL... Sorry, we haven't found any changelog URL for eslint-plugin-jsdoc module. It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues Thanks a lot!

the github page is here: https://github.com/gajus/eslint-plugin-jsdoc

but it should point to here: https://github.com/gajus/eslint-plugin-jsdoc/releases

-y, --yes option

Would be nice to have an option that automatically accepts all available upgrades, e.g.;

$ npm-upgrade -y -p
$ npm-upgrade -y -do
$ npm-upgrade -y

Update npm-check-updates dependency to avoid ANSI-REGEX vulnerabilities

Update npm-check-updates dependency to avoid ANSI-REGEX vulnerabilities:

Filename: ansi-regex:3.0.0 | Reference: 1081982 | CVSS Score: 7.0 | Category: | ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service.
Filename: ansi-regex:4.1.0 | Reference: 1081983 | CVSS Score: 7.0 | Category: | ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service

Allow partial updates

The updates are all applied at once. It would be great if it applied them to the package.json file as you go.

-yes argv for auto yes

can we have "--yes" argv for auto choose yes
and a "--install" agrv for auto run npm install after

Unable to use npm-upgrade on private registry - error E401 authorization required

Hi, I have set in the .npmrc of my progect the authentication to my private registry //private_registry.example.com/:_authToken=${NPM_TOKEN} and in the .env file NPM_TOKEN="MY_SECRET_NPM_TOKEN" .

I have also the authentication setted in the global .npmrc in C:\Users\myusername with //private_registry.example.com/:_authToken="MY_SECRET_NPM_TOKEN"

Infact I can run npm install without problem, but when I run npm-upgrade I get this error:

HttpErrorAuthUnknown: Unable to authenticate, need: Basic, Bearer

at C:\Users\...\node_modules\npm-upgrade\node_modules\npm-registry-fetch\check-response.js:113:17
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async viewMany (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:136:18)
at async viewOne (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:119:18)
at async latest (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:272:20)
at async getPackageVersionProtected (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:403:22)
at async C:\Users\...\node_modules\npm-upgrade\node_modules\p-map\index.js:57:22

{
  headers: [Object: null prototype] {
    server: [ 'nginx/1.18.0' ],
    date: [ 'Fri, 01 Jul 2022 07:26:01 GMT' ],
    'content-type': [ 'application/json; charset=utf-8' ],
    'content-length': [ '82' ],
    connection: [ 'keep-alive' ],
    'x-powered-by': [ 'verdaccio/4.11.0' ],
    'access-control-allow-origin': [ '*' ],
    'www-authenticate': [ 'Basic, Bearer' ],
    etag: [ 'W/"52-tcacakHnqE02WGK7MdceFfe1RVE"' ],
    vary: [ 'Accept-Encoding' ],
    'x-fetch-attempts': [ '1' ]
  },
  statusCode: 401,
  code: 'E401',
  method: 'GET',
  uri: 'https:///private_registry.example.com/@somepackage',
  body: {
    error: 'authorization required to access package @somepackage'
  },
  pkgid: '@somepackage'
}

Test if newer version break the tests before update

Probably would be cool if it is an answer, so when you select it, it will run npm test (by default) and if it breaks it probably ask you if you are sure to upgrade or not.

I got that idea from next-update, but i want to use npm-upgrade.

Upgrade without ask at each packages

Hello thank for your great package

But it's possible to upgrade without ask if i want upgrade on each packages ?
like npm-upgrade -y for "yes for all"

Add feature to postprone module updates

It will help a lot when you want to postprone updating of some modules and not to answer N every time you run npm-upgrade.

Not enough information in error message for `invalid json`

This all that outputed when parsing of json fails. Full path to parsed file should be enough.

Checking for outdated dependencies filtered with @boxy/* for "C:\CSSSR\portal-web\package.json"...

[====================] 745/748 99%SyntaxError: Unexpected end of JSON input while parsing near '...eact-spring/sponsor/0'
    at JSON.parse (<anonymous>)
    at parseJson (C:\Users\Mikhail\AppData\Roaming\npm-cache\_npx\13788\node_modules\npm-upgrade\node_modules\json-parse-better-errors\index.js:7:17)
    at consumeBody.call.then.buffer (C:\Users\Mikhail\AppData\Roaming\npm-cache\_npx\13788\node_modules\npm-upgrade\node_modules\node-fetch-npm\src\body.js:96:50)
    at process._tickCallback (internal/process/next_tick.js:68:7)

Feature suggestion: Create separate commits per upgraded package

Hello, thanks for an amazing tool.

I want to update packages with separate commits (including lockfile) per package and I recently started working on a PoC for that feature in a fork.

However, I thought you might actually find this feature useful because it's such a tiny addition.

My PoC that works assuming yarn:
master...olpeh:5897e9f68c5d6d4d1d4f3afccdd0ba7579e82f95

What do you think about this?
If this is something that sounds useful, I can try to improve this PoC and create a PR about it.

Some things to be solved though:

How to know if the user wants to use yarn or npm?
How to check if a yarn.lock or package-lock.json exists?

Exits dialog too soon (after first interaction)

Hi! When I run npm-upgrade, after I choose what to do with the first dependency, the process shows me the dialog to choose what to do with the next one, but it also exits the program, giving me the command prompt again. Should I use another key instead of enter?

// npm-upgrade 1.3.0
// Windows 10 64
// Node 10.7.0
// npm 6.2.0

Bypass SSL security for internal use

Hi,

We have an issue :
npm-upgrade 2.0.3

npm-upgrade
Checking for outdated dependencies for "package.json"...
[--------------------] 0/64 0%(node:9572) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
FetchError: request to https://nexus/repository/npm-all/@date-io%2fdate-fns failed, reason: unable to verify the first certificate
    at ClientRequest.<anonymous> (\npm\node_modules\npm-upgrade\node_modules\minipass-fetch\lib\index.js:97:14)
    at ClientRequest.emit (events.js:315:20)
    at TLSSocket.socketErrorListener (_http_client.js:426:9)
    at TLSSocket.emit (events.js:327:22)
    at emitErrorNT (internal/streams/destroy.js:92:8)
    at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
    at processTicksAndRejections (internal/process/task_queues.js:84:21) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  type: 'system'
}

How can I disable https certification verification ?
Thanks,

'report' command

It would be useful to have a 'report' command that just outputs the 'tables with update info' but does not require user interaction. Same as 'check' command but with automatic finish and no update.
One can then use it in CI tools to remind us of packages that should be upgraded.

As a workaround for now one can pipe ctrl-C before invoking npm-upgrade
printf '^C' | npm-upgrade

Support NPM 7 Workspaces

It would be awesome if this library could support NPM 7 Workspaces, allowing its users to easily upgrade dependencies in a monorepo project.

Support NPM workspaces

Please consider supporting NPM workspaces.

https://docs.npmjs.com/cli/v7/using-npm/workspaces

Assuming most of the tool works off of package-lock.json, then this affects the question at the end to update package.json, which should also ask to update other package.json files in the workspace packages.

Should take deprecated notices into account

I was prompted to update supertest to v6.1.1 even though it was deprecated.

ladjs/supertest#700

Match indentation in .npm-upgrade.json to package.json

Related to #21, I was wondering if we could use the same technique to specify the indentation for the generated .npm-upgrade.json.

@th0r, would you be interested in a PR for this as well?

Using v3 of npm-check-updates is vulnerable to CVE-2020-8116.

dot-prop is pulled in to this module by the dependency chain [email protected] > [email protected] > [email protected] > [email protected] > dot-prop@^4.1.0.

dot-prop at 5.1.0 and earlier is subject to CVE-2020-8116:

Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

This is resolved in npm-check-updates in version 4. I've made PR #40 as a speculative fix.

It would be great if you could fill an issue about this here: [object Object]

? Update "clipboard" in package.json from ~1.5.3 to ~1.5.5? Show changelog
Trying to find changelog URL...
Sorry, we haven't found changelog URL for clipboard module.
It would be great if you could fill an issue about this here: [object Object]
Thanks a lot!

Clipboard.js doesn't have any URLs in the package.json.

ERROR: Error loading package.json: Unexpected token } in JSON at position 766

Looking into a fix

no changelog found for xo

? Update "xo" in package.json from ^0.29.0 to ^0.30.0? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for xo module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!

https://github.com/xojs/xo

No changelog found for html-validate

Sorry, we haven't found any changelog URL for html-validate module.

Repo: https://gitlab.com/html-validate/html-validate/
Package: https://gitlab.com/html-validate/html-validate/-/blob/master/package.json
Changelog: https://gitlab.com/html-validate/html-validate/-/blob/master/CHANGELOG.md

Support global packages

First of all thanks for this tool, its is a real time saver.

Have you considered upgrading packages installed globally with -g flag?

Wrong change log resolve for babel cli

The version update for babel cli seems to be correct but "show changelog" links to the wrong branch "master", but the new one is "main".

I'm not sure if this is a config issue in babel cli or an auto resolve issue in npm-upgrade. I would guess the later one, because I could not find any reference to the change log in the package file in babel.

Feature sugestion: Select version

Would be nice other option in the upgrade menu, to list and select different versions of package to update, between the current and latest ou even previous

changelog in a subfolder

Hi,

my changelog is https://github.com/fibo/algebra/blob/master/gh-pages/changelog.md

Can npm-upgrade support it?

A part that the filename is not in the list of known changelog filenames, it is in a subfolder.
In particular, I want the changelog to be available on GitHub Pages project website, hence it is in a subfolder.

Changelogs do not work anymore

Tried with different projects and packages.

❯ npm-upgrade
Checking for outdated dependencies for "/Users/sapegin/izumi/concord-app/package.json"...

New versions of modules available:

  babel-core          5.8.33   →         6.3.17
  babel-loader         5.3.2   →          6.2.0
  history             1.13.1   →         1.16.0
  immutable            3.7.5   →          3.7.6
  raven-js            ~1.2.0   →     ~2.0.0-rc1
  react-day-picker     1.1.5   →          1.2.0
  vis                  4.8.2   →         4.10.0
  babel               ^5.8.3   →        ^6.3.13
  babel-eslint        ~4.1.6   →   ~5.0.0-beta6
  postcss            ^5.0.12   →        ^5.0.13

? Update "babel-core" in package.json from 5.8.33 to 6.3.17? Show changelog
Trying to find changelog URL...
Error: Call npm.load(config, cb) before using this command.
See the README.md or cli.js for example usage.
    at Object.defineProperty.get [as view] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/npm/lib/npm.js:179:15)
    at /Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:86:50
    at new Promise (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/core-js/library/modules/es6.promise.js:197:7)
    at Object.callee$0$0$ (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:83:50)
    at tryCatch (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:72:40)
    at GeneratorFunctionPrototype.invoke [as _invoke] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:334:22)
    at GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:105:21)
    at tryCatch (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:72:40)
    at invoke (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:146:20)
    at /Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:191:11
    at new Promise (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/core-js/library/modules/es6.promise.js:197:7)
    at callInvokeWithMethodAndArg (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:190:16)
    at AsyncIterator.enqueue (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:211:37)
    at AsyncIterator.prototype.(anonymous function) [as next] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:105:21)
    at Object.runtime.async (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:228:12)
    at Object.callee$0$0 (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:79:32)

❯ node -v
v0.12.8
❯ npm -v
3.5.3

Semver issue..

Hi,

I'm working with this project mui-datatables npm versions
that change it's name convention not a long time ago using the right semver convention
https://semver.org/#spec-item-11

Problem is here :

And when I try using npm-upgrade, it propose me an older version (and didn't find newer starting with -beta-54

Can you help with that ?
Thanks,

Ask about @types after asking about the main package

It would be nice if the tool asked what to do for a package before asking what to do with the corresponding @types package.

For example, suppose that I am using yargs in a TypeScript project. If it needs to be updated, it is likely that both yargs and @types/yargs will need to be updated.

Since the tool walks through the dependencies alphabetically, it will ask about @types/yargs before yargs. The problem is that the @types packages does not have a changelog that can help me understand if the update is safe or needs attention. Ideally, I would like to first review the main package, possibly looking at the changelog, and only then decide on updating the @types.

`npm 3` progress bar appears during upgrade process

Setting progress = false config setting should fix it.

th0r / npm-upgrade Goto Github PK

npm-upgrade's People

Contributors

Stargazers

Watchers

Forkers

npm-upgrade's Issues

Recommend Projects

Recommend Topics

Recommend Org