Pablo

How do you keep your NPM packages updated?

You have multiple projects going on, and if you always keep them updated to the latest version, you sometimes spend precious time trying to figure out what broke your build and why (after the update).

Normally when I update, I run npm-update, which is a package that searches for the latest versions of all your dependencies.

I don't know if this is a good practice, but I like to keep my dependencies always at the latest version.

So... how do you manage this?

Discussion (9)

Alex Janke

Short answer: dependabot.com/
(Has been acquired by GitHub itself)

Creates a pull request whenever a new version gets released and also gives you an estimated value of compatibility. If you've got CI workflows set up in your project, every new PR would trigger your CI pipeline, and if your update broke something, the PR would be marked as failed. I personally never run npm-update, as it updates all at once and is a pain to pinpoint specific errors.

Arghya Guha

I don't know of any way to handle this without putting your code on a hosting platform like GitHub/GitLab.

I use and have used renovate on both GitHub and GitLab.

Another option is dependabot that Alexander mentions, but I don't think they support anything other than GitHub yet.

Alex Janke

Good call, completely forgot about renovate! That's an option too.

Geoffroy Empain

We launched pmbot.io just for that purpose, but it's compatible with more than npm! It works with Go and Maven, and you can extend it to any language with a simple plugin. You can connect your private GitLab and GitHub. The bot can automatically merge updates that pass your CI, and you can configure it to execute any action plugin you'd like. You can self-host it (docs.pmbot.io/core/installation) or use the cloud version.

Andris Laduzans

I don't. If there is a safe update, I just rely on GitHub's dependabot. In cases where my app is based around a single library like 'gifted chat', I would subscribe to stable releases. Then just bump up the latest version in package.json, test it, and if all is good, push to production.

Andrew Baisden

I just let dependabot do its thing on GitHub since that is where the majority of my projects are anyway. I very rarely manually update all of the dependencies in a project to the latest version because you might accidentally break something; it is very easy for there to be incompatibility issues.

Gio

In general, I tend not to update packages unless there are vulnerabilities (security exploits, etc.) or new features that the project needs, from a business standpoint.

There are way too many updates that provide 0 business value and can cause compatibility issues. IMO it's always best to consider the rate of diminishing return in these situations.

Paweł Kowalski

ncu -u

Periodically. :)

It's a package: npmjs.com/package/npm-check-updates

Jan Dvorak

Yes! I do this as well. I like that, compared to npm outdated, it also updates your dependencies in package.json, and then you just install the packages.