Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.
raineorshine/npm-check-updates (npm-check-updates)
Compare Source
Compare Source
Compare Source
Thanks to community members for raising awareness and to @SebastianSedzik for the implementation.
See: #1547
Feature: --cooldown
Usage:
ncu --cooldown [n]
ncu -c [n]
The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.
Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.
Example:
Let's examine how cooldown works with a package that has these versions available:
1.0.0 Released 7 days ago (initial version)
1.1.0 Released 6 days ago (minor update)
1.1.1 Released 5 days ago (patch update)
1.2.0 Released 5 days ago (minor update)
2.0.0-beta.1 Released 5 days ago (beta release)
1.2.1 Released 4 days ago (patch update)
1.3.0 Released 4 days ago (minor update) [latest]
2.0.0-beta.2 Released 3 days ago (beta release)
2.0.0-beta.3 Released 2 days ago (beta release) [beta]
With default target (latest):
No update will be suggested because:
- Latest version (1.3.0) is only 4 days old.
- Cooldown requires versions to be at least 5 days old
- Use
--cooldown 4
or lower to allow this update
With @beta
/@tag
target:
$ ncu --cooldown 3 --target @​beta
No update will be suggested because:
- Current beta (2.0.0-beta.3) is only 2 days old
- Cooldown requires versions to be at least 3 days old
- Use
--cooldown 2
or lower to allow this update
With other targets:
$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver
Each target will select the best version that is at least 5 days old:
greatest → 1.2.0 (highest version number outside cooldown)
newest → 2.0.0-beta.1 (most recently published version outside cooldown)
minor → 1.2.0 (highest minor version outside cooldown)
patch → 1.1.1 (highest patch version outside cooldown)
Note for latest/tag targets:
⚠️ For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default --target latest
or --target @​tag
may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Breaking
The only breaking change in v18 is with the -g/--global
flag.
npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm
.
yarn dlx ncu -g --packageManager yarn
→ yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→ pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→ bunx ncu -g
If for some reason you were running ncu -g
with an alternative package manager and relying on it checking the global npm
packages, you will need to now explicitly specify npm:
ncu -g
→ ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
Compare Source
Breaking
The only breaking change in v18 is with the -g/--global
flag.
npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm
.
yarn dlx ncu -g --packageManager yarn
→ yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→ pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→ bunx ncu -g
If for some reason you were running ncu -g
with an alternative package manager and relying on it checking the global npm
packages, you will need to now explicitly specify npm:
ncu -g
→ ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Breaking
The only breaking change in v18 is with the -g/--global
flag.
npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm
.
yarn dlx ncu -g --packageManager yarn
→ yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→ pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→ bunx ncu -g
If for some reason you were running ncu -g
with an alternative package manager and relying on it checking the global npm
packages, you will need to now explicitly specify npm:
ncu -g
→ ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Breaking
- Require node >= 18.18.0
- Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with
--no-deprecated
in the CLI or deprecated: false
in your ncurc
config.
- In workspaces mode,
--root
is now set by default (#1353)
- To not check the root package.json, use
--no-root
.
- If you have a packageManager field in your package.json, it is now upgraded by default (#1390)
- Use
--dep prod,dev,optional
for the old behavior.
raineorshine/npm-check-updates@v16.14.20...v17.0.0
Compare Source
Breaking
- Require node >= 18.18.0
- Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with
--no-deprecated
in the CLI or deprecated: false
in your ncurc
config.
- In workspaces mode,
--root
is now set by default (#1353)
- To not check the root package.json, use
--no-root
.
- If you have a packageManager field in your package.json, it is now upgraded by default (#1390)
- Use
--dep prod,dev,optional
for the old behavior.
raineorshine/npm-check-updates@v16.14.20...v17.0.0
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Breaking
- Require node >= 18.18.0
- Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with
--no-deprecated
in the CLI or deprecated: false
in your ncurc
config.
- In workspaces mode,
--root
is now set by default (#1353)
- To not check the root package.json, use
--no-root
.
- If you have a packageManager field in your package.json, it is now upgraded by default (#1390)
- Use
--dep prod,dev,optional
for the old behavior.
raineorshine/npm-check-updates@v16.14.20...v17.0.0
Compare Source
Compare Source
bun
Feature
- Added experimental support for bun package manager.
- Automatically used if
bun.lockb
is detected.
- Assistance needed to test it out on different platforms.
$ ncu --packageManager bun
$ ncu -p bun
Thanks to @ImBIOS for the PR!
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Feature
- Added
--install
option to control auto-install behavior.
Usage:
Default: prompt
Control the auto-install behavior.
always Runs your package manager's install command automatically after upgrading.
never Does not install and does not prompt.
prompt Shows a message after upgrading that recommends an install, but does not install. In interactive mode, prompts for install. (default)
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Compare Source
Uh oh!
There was an error while loading. Please reload this page.
Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.
This PR contains the following updates:
^16.9.0
->^18.0.0
Release Notes
raineorshine/npm-check-updates (npm-check-updates)
v18.3.0
Compare Source
v18.2.1
Compare Source
v18.2.0
Compare Source
Thanks to community members for raising awareness and to @SebastianSedzik for the implementation.
See: #1547
Feature:
--cooldown
Usage:
The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.
Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.
Example:
Let's examine how cooldown works with a package that has these versions available:
With default target (latest):
No update will be suggested because:
--cooldown 4
or lower to allow this updateWith
@beta
/@tag
target:No update will be suggested because:
--cooldown 2
or lower to allow this updateWith other targets:
Each target will select the best version that is at least 5 days old:
Note for latest/tag targets:
v18.1.1
Compare Source
v18.1.0
Compare Source
v18.0.3
Compare Source
v18.0.2
Compare Source
v18.0.1
Compare Source
v18.0.0
Compare Source
Breaking
The only breaking change in v18 is with the
-g/--global
flag.npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm
.yarn dlx ncu -g --packageManager yarn
→yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→bunx ncu -g
If for some reason you were running
ncu -g
with an alternative package manager and relying on it checking the globalnpm
packages, you will need to now explicitly specify npm:ncu -g
→ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
v17.1.18
Compare Source
Breaking
The only breaking change in v18 is with the
-g/--global
flag.npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm
.yarn dlx ncu -g --packageManager yarn
→yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→bunx ncu -g
If for some reason you were running
ncu -g
with an alternative package manager and relying on it checking the globalnpm
packages, you will need to now explicitly specify npm:ncu -g
→ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
v17.1.17
Compare Source
v17.1.16
Compare Source
v17.1.15
Compare Source
v17.1.14
Compare Source
v17.1.13
Compare Source
v17.1.12
Compare Source
v17.1.11
Compare Source
v17.1.10
Compare Source
v17.1.9
Compare Source
v17.1.8
Compare Source
v17.1.7
Compare Source
v17.1.6
Compare Source
v17.1.5
Compare Source
v17.1.4
Compare Source
v17.1.3
Compare Source
v17.1.2
Compare Source
v17.1.1
Compare Source
Breaking
The only breaking change in v18 is with the
-g/--global
flag.npm-check-updates -g
will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm
.yarn dlx ncu -g --packageManager yarn
→yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm
→pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm
→bunx ncu -g
If for some reason you were running
ncu -g
with an alternative package manager and relying on it checking the globalnpm
packages, you will need to now explicitly specify npm:ncu -g
→ncu -g--packageManager npm
Thanks to @LuisFerLCC for the improvement (#1514).
raineorshine/npm-check-updates@v17.1.18...v18.0.0
v17.1.0
Compare Source
v17.0.6
Compare Source
v17.0.5
Compare Source
v17.0.4
Compare Source
v17.0.3
Compare Source
v17.0.2
Compare Source
v17.0.1
Compare Source
v17.0.0
Compare Source
Breaking
--no-deprecated
in the CLI ordeprecated: false
in yourncurc
config.--root
is now set by default (#1353)--no-root
.--dep prod,dev,optional
for the old behavior.raineorshine/npm-check-updates@v16.14.20...v17.0.0
v16.14.20
Compare Source
Breaking
--no-deprecated
in the CLI ordeprecated: false
in yourncurc
config.--root
is now set by default (#1353)--no-root
.--dep prod,dev,optional
for the old behavior.raineorshine/npm-check-updates@v16.14.20...v17.0.0
v16.14.19
Compare Source
v16.14.18
Compare Source
v16.14.17
Compare Source
v16.14.16
Compare Source
v16.14.15
Compare Source
v16.14.14
Compare Source
v16.14.13
Compare Source
v16.14.12
Compare Source
v16.14.11
Compare Source
v16.14.10
Compare Source
v16.14.9
Compare Source
v16.14.8
Compare Source
v16.14.7
Compare Source
v16.14.6
Compare Source
v16.14.5
Compare Source
v16.14.4
Compare Source
v16.14.3
Compare Source
v16.14.2
Compare Source
Breaking
--no-deprecated
in the CLI ordeprecated: false
in yourncurc
config.--root
is now set by default (#1353)--no-root
.--dep prod,dev,optional
for the old behavior.raineorshine/npm-check-updates@v16.14.20...v17.0.0
v16.14.1
Compare Source
v16.14.0
Compare Source
bun
Feature
bun.lockb
is detected.Thanks to @ImBIOS for the PR!
v16.13.4
Compare Source
v16.13.3
Compare Source
v16.13.2
Compare Source
v16.13.1
Compare Source
v16.13.0
Compare Source
Feature
--install
option to control auto-install behavior.Usage:
Default: prompt
Control the auto-install behavior.
v16.12.3
Compare Source
v16.12.2
Compare Source
v16.12.1
Compare Source
v16.12.0
Compare Source
v16.11.2
Compare Source
v16.11.1
Compare Source
v16.11.0
Compare Source
v16.10.19
Compare Source
v16.10.18
Compare Source
v16.10.17
Compare Source
v16.10.16
Compare Source
v16.10.15
Compare Source
v16.10.14
Compare Source
v16.10.13
Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.