th0r / npm-upgrade
Interactive CLI utility to easily update outdated NPM dependencies
License: MIT License
I have a project with Next.js and Preact and I have to map react to preact in package.json like:
"react": "npm:@preact/[email protected]"
When I add it to .npm-upgrade.json to be ignored, even when I use "*" in "versions", npm-upgrade doesn't see it and proposes to install a newer version.
.npm-upgrade.json
{
  "ignore": {
    "react": {
      "versions": "*",
      "reason": "version 17.0.3 breaks Next.js"
    }
  }
}
I tried multiple combinations with provided "versions" and none of them work.
Babel Upgrades point to the old Changelog: https://github.com/babel/babel/blob/master/CHANGELOG.md
This is the new one: https://github.com/babel/babel/blob/main/CHANGELOG.md
The branch name changed from master to main.
Would it be possible to enable setting a repository flag (like npm)?
I am currently using a private repo that does not support npm update (thx nexus).
And therefore usually switch to the official npm repo for that.
Could you put that functionality into npm-upgrade?
Just want to file the issue as the log asks for - but it was no problem
Great Tool
? Update "@nrwl/nx-cloud" in package.json from 14.2.0 to 14.3.0? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for @nrwl/nx-cloud module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!
In my package I specify a peer dependency to a React version:
{
"peerDependencies": {
"react": ">=16.3"
}
}
For development I've also installed React as a dev dependency:
{
"devDependencies": {
"react": "16.11.0"
}
}
Now, when I run npm-upgrade it suggests bumping the devDependencies React to >=16.12 instead of 16.12.0.
In my opinion, it should always respect the scheme of the version to be bumped, instead of in this case using the scheme from peerDependencies.
I am pointing npm to another registry (verdaccio) by running
npm set cafile <local/path>/ca-certificates.crt
$ npm set registry https://npm-registry.foo.bar.com:1337/
$ npm login
Using the private registry works like a charm.
If I run npm-upgrade, it throws
FetchError: request to https://npm-registry.foo.bar.com:1337//some-package failed, reason: self signed certificate in certificate chain
at ClientRequest.<anonymous> (C:\tools\node\node_modules\npm-upgrade\node_modules\minipass-fetch\lib\index.js:97:14)
Any idea how to fix this?
I tried npm-upgrade; the arrow doesn't move, but I can hit Enter for Yes.
I tried on Win64bit using Cygwin.
Recently the ecosystem is getting quite a lot of packages hijacked.
One way I try to prevent using those packages is not updating to any version released less than 72 hours ago, which is time enough for the maintainers of any big package to realize what's up and unpublish the contaminated version on npm.
This could be also very useful for people that like to download only versions that have already passed the "real world smoke test".
I propose that on the update prompt, you warn if the package was released less than 72 (blue), 48 (yellow) or 24 (red) hours ago.
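The release-age check proposed above can be computed from the "time" map in a package's registry metadata (version to ISO publish timestamp, as printed by npm view <pkg> time --json). This is an added example, not code from npm-upgrade or from the issue author; the function names, the constructed sample data and the choice to skip prerelease versions are assumptions for illustration.

```javascript
// Added example: release-age "cooldown" check for npm package versions.
// Thresholds follow the proposal above: <24h red, <48h yellow, <72h blue.
const HOUR_MS = 60 * 60 * 1000;
const LEVELS = [
  { maxHours: 24, level: 'red' },
  { maxHours: 48, level: 'yellow' },
  { maxHours: 72, level: 'blue' },
];

// Returns 'red' | 'yellow' | 'blue' | null (old enough) | 'unknown'.
// A missing or unparsable timestamp is reported as 'unknown' so callers fail closed.
function releaseAgeWarning(publishedIso, now) {
  const published = Date.parse(publishedIso);
  if (Number.isNaN(published)) return 'unknown';
  const ageHours = (now.getTime() - published) / HOUR_MS;
  if (ageHours < 0) return 'unknown'; // timestamp in the future: clock skew or bad data
  const hit = LEVELS.find((l) => ageHours < l.maxHours);
  return hit ? hit.level : null;
}

// Parse plain x.y.z versions; prereleases/build metadata return null and are skipped.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Highest stable version published at least minAgeHours ago, or null.
function newestAgedVersion(timeMap, now, minAgeHours = 72) {
  let best = null;
  for (const [version, publishedIso] of Object.entries(timeMap)) {
    const parsed = parseStable(version); // also skips 'created' / 'modified' keys
    if (!parsed) continue;
    const published = Date.parse(publishedIso);
    if (Number.isNaN(published)) continue;
    const ageHours = (now.getTime() - published) / HOUR_MS;
    if (ageHours < minAgeHours) continue;
    if (!best || compareVersions(parsed, best.parsed) > 0) best = { version, parsed };
  }
  return best ? best.version : null;
}

// Constructed sample of a registry "time" map (not real package data).
const SAMPLE_TIME = {
  created: '2023-01-10T09:00:00.000Z',
  modified: '2024-03-10T06:00:00.000Z',
  '4.1.0': '2024-02-01T12:00:00.000Z',
  '4.2.0': '2024-03-07T08:00:00.000Z', // 76h before SAMPLE_NOW
  '4.2.1': '2024-03-08T20:00:00.000Z', // 40h before SAMPLE_NOW
  '4.2.2': '2024-03-10T06:00:00.000Z', // 6h before SAMPLE_NOW
  '5.0.0-beta.1': '2024-02-20T00:00:00.000Z',
};
const SAMPLE_NOW = new Date('2024-03-10T12:00:00.000Z');

function demo() {
  return Object.keys(SAMPLE_TIME)
    .filter((v) => parseStable(v))
    .map((v) => `${v}: ${releaseAgeWarning(SAMPLE_TIME[v], SAMPLE_NOW) ?? 'ok'}`);
}
console.log(demo().join('\n'));
console.log('suggest:', newestAgedVersion(SAMPLE_TIME, SAMPLE_NOW));
```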
% npm-upgrade --version
3.1.0
% npm-upgrade fastly
Checking for outdated production, optional, development, peer and bundled dependencies filtered with fastly for "xxxx/package.json"...
[====================] 85/85 100%
New versions of active modules available:
fastly ^3.3.1 → ^4.2.2
? Update "fastly" in package.json from ^3.3.1 to ^4.2.2? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for fastly module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!
Thanks for this great tool!
I'm using dependencies, peerDependencies and devDependencies in my project. Whenever I have one module in more than one of the dependency blocks, it is updated only in the first block. Could you please add an option, so I can update dependencies in all blocks simultaneously?
When I run the latest version it finds the two that need updating and on each one I select yes. It says yes in the console output. Nothing happens and then the package json prompt comes up and a "Y" here does change the file. I am using node v4, npm 3, and npm-upgrade 0.6.1.
Also,
I find that npm upgrade fails often especially node-gyp stuff. So, can there be an option to uninstall and install instead of upgrade. Thanks
Hello,
Could you please add support for a timeout option such as ncu --timeout 100000
I’ve never used this feature but often I want to check versions of updated packages before and after. So a short summary would be more useful in my opinion.
I think something like this would be more useful:
These packages will be updated:
jss ^9.3.3 → ^9.4.0
jss-default-unit ^8.0.0 → ^8.0.2
q-i ^1.2.0 → ^2.0.0
babel-jest ^21.2.0 → ^22.0.3
? Update packages?
❯ Yes
No
Show package.json
What do you think?
The projects I'm working on use 4 space indentation for package.json, using npm-upgrade on these files will result in a package.json with 2 space indentation.
Would you be interested in a PR implementing detect-indent to fix this annoyance?
see:
PS D:\csharp\git\github\common\astexplorer\website> npm-upgrade
Checking for outdated production, optional, development, peer and bundled dependencies for "D:\csharp\git\github\common\astexplorer\website\package.json"...
[====================] 160/160 100%
TypeError: Invalid Version: undefined
at new SemVer (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\classes\semver.js:38:13)
at outside (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\ranges\outside.js:12:13)
at Object.ltr (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\semver\ranges\ltr.js:3:42)
at isUpgradeable (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:120:17)
at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:65:67
at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:13658:16
at basePickBy (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:3825:13)
at Function.pickBy (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:13657:14)
at C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:4430:28
at arrayReduce (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:697:21)
at baseWrapperValue (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:4429:14)
at LodashWrapper.wrapperValue (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\lodash\lodash.js:9114:14)
at Object.upgradeDependencies (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:73:6)
at Object.<anonymous> (C:\Users\jkuehner\AppData\Roaming\npm\node_modules\npm-upgrade\lib\commands\check.js:154:51)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
PS D:\csharp\git\github\common\astexplorer\website>
After running npx npm-upgrade, running npm ci fails as the lock file is out-of-date (storybook dependency example)
npm ERR! Invalid: lock file's @[email protected] does not satisfy @storybook@^5.0.5
To rectify this one must either install the modules with those versions, negating the reason to use this package, or use the default npm i which will update to the latest minor versions, but this is not ideal as this will also update many other packages.
Please consider updating the lock file after a package has been upgraded?
? Update "eslint-plugin-jsdoc" in package.json from ^22.0.1 to ^22.1.0? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for eslint-plugin-jsdoc module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!
the github page is here: https://github.com/gajus/eslint-plugin-jsdoc
but it should point to here: https://github.com/gajus/eslint-plugin-jsdoc/releases
Would be nice to have an option that automatically accepts all available upgrades, e.g.;
$ npm-upgrade -y -p
$ npm-upgrade -y -do
$ npm-upgrade -y
Update npm-check-updates dependency to avoid ANSI-REGEX vulnerabilities:
The updates are all applied at once. It would be great if it applied them to the package.json file as you go.
Can we have a "--yes" argv to auto choose yes
and an "--install" argv to auto run npm install after?
Hi, I have set in the .npmrc of my project the authentication to my private registry //private_registry.example.com/:_authToken=${NPM_TOKEN} and in the .env file NPM_TOKEN="MY_SECRET_NPM_TOKEN".
I also have the authentication set in the global .npmrc in C:\Users\myusername with //private_registry.example.com/:_authToken="MY_SECRET_NPM_TOKEN"
In fact I can run npm install without problem, but when I run npm-upgrade I get this error:
HttpErrorAuthUnknown: Unable to authenticate, need: Basic, Bearer
at C:\Users\...\node_modules\npm-upgrade\node_modules\npm-registry-fetch\check-response.js:113:17
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async viewMany (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:136:18)
at async viewOne (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:119:18)
at async latest (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\package-managers\npm.js:272:20)
at async getPackageVersionProtected (C:\Users\...\node_modules\npm-upgrade\node_modules\npm-check-updates\lib\versionmanager.js:403:22)
at async C:\Users\...\node_modules\npm-upgrade\node_modules\p-map\index.js:57:22
{
headers: [Object: null prototype] {
server: [ 'nginx/1.18.0' ],
date: [ 'Fri, 01 Jul 2022 07:26:01 GMT' ],
'content-type': [ 'application/json; charset=utf-8' ],
'content-length': [ '82' ],
connection: [ 'keep-alive' ],
'x-powered-by': [ 'verdaccio/4.11.0' ],
'access-control-allow-origin': [ '*' ],
'www-authenticate': [ 'Basic, Bearer' ],
etag: [ 'W/"52-tcacakHnqE02WGK7MdceFfe1RVE"' ],
vary: [ 'Accept-Encoding' ],
'x-fetch-attempts': [ '1' ]
},
statusCode: 401,
code: 'E401',
method: 'GET',
uri: 'https:///private_registry.example.com/@somepackage',
body: {
error: 'authorization required to access package @somepackage'
},
pkgid: '@somepackage'
}
Probably would be cool if it is an answer, so when you select it, it will run npm test (by default) and if it breaks it will probably ask you if you are sure to upgrade or not.
I got that idea from next-update, but I want to use npm-upgrade.
Hello, thanks for your great package.
But is it possible to upgrade without being asked whether I want to upgrade each package?
Like npm-upgrade -y for "yes for all".
It will help a lot when you want to postpone updating of some modules and not to answer N every time you run npm-upgrade.
This is all that is output when parsing of JSON fails. Full path to parsed file should be enough.
Checking for outdated dependencies filtered with @boxy/* for "C:\CSSSR\portal-web\package.json"...
[====================] 745/748 99%SyntaxError: Unexpected end of JSON input while parsing near '...eact-spring/sponsor/0'
at JSON.parse (<anonymous>)
at parseJson (C:\Users\Mikhail\AppData\Roaming\npm-cache\_npx\13788\node_modules\npm-upgrade\node_modules\json-parse-better-errors\index.js:7:17)
at consumeBody.call.then.buffer (C:\Users\Mikhail\AppData\Roaming\npm-cache\_npx\13788\node_modules\npm-upgrade\node_modules\node-fetch-npm\src\body.js:96:50)
at process._tickCallback (internal/process/next_tick.js:68:7)
Hello, thanks for an amazing tool.
I want to update packages with separate commits (including lockfile) per package and I recently started working on a PoC for that feature in a fork.
However, I thought you might actually find this feature useful because it's such a tiny addition.
My PoC that works assuming yarn:
master...olpeh:5897e9f68c5d6d4d1d4f3afccdd0ba7579e82f95
What do you think about this?
If this is something that sounds useful, I can try to improve this PoC and create a PR about it.
Some things to be solved though:
yarn.lock or package-lock.json exists?
Hi! When I run npm-upgrade, after I choose what to do with the first dependency, the process shows me the dialog to choose what to do with the next one, but it also exits the program, giving me the command prompt again. Should I use another key instead of enter?
// npm-upgrade 1.3.0
// Windows 10 64
// Node 10.7.0
// npm 6.2.0
Hi,
We have an issue :
npm-upgrade 2.0.3
npm-upgrade
Checking for outdated dependencies for "package.json"...
[--------------------] 0/64 0%(node:9572) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
FetchError: request to https://nexus/repository/npm-all/@date-io%2fdate-fns failed, reason: unable to verify the first certificate
at ClientRequest.<anonymous> (\npm\node_modules\npm-upgrade\node_modules\minipass-fetch\lib\index.js:97:14)
at ClientRequest.emit (events.js:315:20)
at TLSSocket.socketErrorListener (_http_client.js:426:9)
at TLSSocket.emit (events.js:327:22)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
errno: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
type: 'system'
}
How can I disable https certification verification?
Thanks,
It would be useful to have a 'report' command that just outputs the 'tables with update info' but does not require user interaction. Same as 'check' command but with automatic finish and no update.
One can then use it in CI tools to remind us of packages that should be upgraded.
As a workaround for now one can pipe ctrl-C before invoking npm-upgrade
printf '^C' | npm-upgrade
It would be awesome if this library could support NPM 7 Workspaces, allowing its users to easily upgrade dependencies in a monorepo project.
Please consider supporting NPM workspaces.
https://docs.npmjs.com/cli/v7/using-npm/workspaces
Assuming most of the tool works off of package-lock.json, then this affects the question at the end to update package.json, which should also ask to update other package.json files in the workspace packages.
I was prompted to update supertest to v6.1.1 even though it was deprecated.
dot-prop is pulled in to this module by the dependency chain [email protected] > [email protected] > [email protected] > [email protected] > dot-prop@^4.1.0.
dot-prop at 5.1.0 and earlier is subject to CVE-2020-8116:
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
This is resolved in npm-check-updates in version 4. I've made PR #40 as a speculative fix.
? Update "clipboard" in package.json from ~1.5.3 to ~1.5.5? Show changelog
Trying to find changelog URL...
Sorry, we haven't found changelog URL for clipboard module.
It would be great if you could fill an issue about this here: [object Object]
Thanks a lot!
Clipboard.js doesn't have any URLs in the package.json.
Looking into a fix
? Update "xo" in package.json from ^0.29.0 to ^0.30.0? Show changelog
Trying to find changelog URL...
Sorry, we haven't found any changelog URL for xo module.
It would be great if you could fill an issue about this here: https://github.com/th0r/npm-upgrade/issues
Thanks a lot!
Sorry, we haven't found any changelog URL for html-validate module.
Repo: https://gitlab.com/html-validate/html-validate/
Package: https://gitlab.com/html-validate/html-validate/-/blob/master/package.json
Changelog: https://gitlab.com/html-validate/html-validate/-/blob/master/CHANGELOG.md
First of all thanks for this tool, it is a real time saver.
Have you considered upgrading packages installed globally with -g flag?
The version update for babel cli seems to be correct but "show changelog" links to the wrong branch "master", but the new one is "main".
I'm not sure if this is a config issue in babel cli or an auto resolve issue in npm-upgrade. I would guess the latter one, because I could not find any reference to the change log in the package file in babel.
It would be nice to have another option in the upgrade menu, to list and select different versions of a package to update, between the current and latest or even previous.
Hi,
my changelog is https://github.com/fibo/algebra/blob/master/gh-pages/changelog.md
Can npm-upgrade support it?
Apart from the fact that the filename is not in the list of known changelog filenames, it is in a subfolder.
In particular, I want the changelog to be available on GitHub Pages project website, hence it is in a subfolder.
Tried with different projects and packages.
❯ npm-upgrade
Checking for outdated dependencies for "/Users/sapegin/izumi/concord-app/package.json"...
New versions of modules available:
babel-core 5.8.33 → 6.3.17
babel-loader 5.3.2 → 6.2.0
history 1.13.1 → 1.16.0
immutable 3.7.5 → 3.7.6
raven-js ~1.2.0 → ~2.0.0-rc1
react-day-picker 1.1.5 → 1.2.0
vis 4.8.2 → 4.10.0
babel ^5.8.3 → ^6.3.13
babel-eslint ~4.1.6 → ~5.0.0-beta6
postcss ^5.0.12 → ^5.0.13
? Update "babel-core" in package.json from 5.8.33 to 6.3.17? Show changelog
Trying to find changelog URL...
Error: Call npm.load(config, cb) before using this command.
See the README.md or cli.js for example usage.
at Object.defineProperty.get [as view] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/npm/lib/npm.js:179:15)
at /Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:86:50
at new Promise (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/core-js/library/modules/es6.promise.js:197:7)
at Object.callee$0$0$ (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:83:50)
at tryCatch (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:72:40)
at GeneratorFunctionPrototype.invoke [as _invoke] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:334:22)
at GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:105:21)
at tryCatch (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:72:40)
at invoke (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:146:20)
at /Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:191:11
at new Promise (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/core-js/library/modules/es6.promise.js:197:7)
at callInvokeWithMethodAndArg (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:190:16)
at AsyncIterator.enqueue (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:211:37)
at AsyncIterator.prototype.(anonymous function) [as next] (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:105:21)
at Object.runtime.async (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/node_modules/babel-runtime/regenerator/runtime.js:228:12)
at Object.callee$0$0 (/Users/sapegin/.nvm/versions/node/v0.12.8/lib/node_modules/npm-upgrade/lib/packageUtils.js:79:32)
❯ node -v
v0.12.8
❯ npm -v
3.5.3
Hi,
I'm working with this project mui-datatables npm versions that changed its name convention not a long time ago, using the right semver convention
https://semver.org/#spec-item-11
And when I try using npm-upgrade, it proposes an older version (and doesn't find newer ones starting with -beta-54).
Can you help with that?
Thanks,
It would be nice if the tool asked what to do for a package before asking what to do with the corresponding @types package.
For example, suppose that I am using yargs in a TypeScript project. If it needs to be updated, it is likely that both yargs and @types/yargs will need to be updated.
Since the tool walks through the dependencies alphabetically, it will ask about @types/yargs before yargs. The problem is that the @types packages do not have a changelog that can help me understand if the update is safe or needs attention. Ideally, I would like to first review the main package, possibly looking at the changelog, and only then decide on updating the @types.
Setting progress = false config setting should fix it.