Npm how to update package


Get the latest bug fixes and performance improvements.

By Mario Kandut

Posted March 17, 2021

Updated June 19, 2022


This article is based on Node v16.14.0.

Keeping dependencies up to date is important for getting the latest security fixes, performance improvements, and general bug fixes for the installed packages. There is one thing to consider, though: package-lock.json pins a specific version of each package, so these records need to be updated on a regular basis to pull in the latest compatible version.

How to update dependencies


To update a dependency in a Node.js project you have to follow these steps:

Check for outdated packages

When we run npm outdated we get the following output:

Important: The changes in both package.json and package-lock.json have to be committed to version control (Git).

Update package to the latest major release

Important: Installing the latest version of a package puts the safeties provided by semantic versioning aside and can introduce major code changes into your project.

Test your updates

The general rule in software development is Better safe than sorry. Hence, don’t just blindly update your packages without testing the application. The NPM registry uses semantic versioning, and packages within the same major version shouldn’t break anything, but the ecosystem has no way of enforcing this policy.

Thanks for reading and if you have any questions, use the comment function or send me a message @mariokandut.

If you want to know more about Node, have a look at these Node Tutorials.

NPM — Update All Node.js Dependencies to Their Latest Version


The development lifecycle of NPM packages is fast. You’ll regularly notice releases that contain new features or bug fixes. Over time, your project’s dependencies go out of date and you need to invest time into updating the third-party packages.

Show Outdated NPM Packages

The NPM CLI shows outdated packages in your project. Run npm outdated in a project directory to show a list of outdated packages.

Review the installed version of a module, the wanted version satisfying the package’s version range and the latest version.


The downside: there’s no command in NPM’s CLI to update all packages to their latest version. You need to manually go through your package.json file and bump all versions. But wait, there’s help!

NPM-Check-Updates

The npm-check-updates package is a convenient helper providing useful features for dependency upgrades. Install the command line tool globally on your machine with this command:

As soon as the package installation has finished, you’ll have the ncu command available on your computer. Run it in your project’s folder to check the project’s dependencies for updates:

Notice that the list of outdated packages is different from NPM’s overview. The first list includes all packages that can’t be installed due to the defined version range in your package.json file.

You can see the leading tilde symbol (~) for each version, which means only patch updates satisfy the range. Each item in the list is either a minor or major update.
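The difference between the two lists comes down to which published versions a range admits, and that also decides which releases reach a project without anyone reviewing them. The following is an added example, not code from the tutorial or from npm: a minimal range check for plain x.y.z versions that goes beyond the tilde case to cover caret and exact ranges. The function names and the version list are assumptions made for illustration.

```javascript
// Added example: minimal semver range check (plain x.y.z only, no prerelease tags).
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Does `version` satisfy `range`? Supports "~x.y.z", "^x.y.z" and exact "x.y.z".
function satisfies(version, range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const base = range.slice(op.length);
  if (cmp(version, base) < 0) return false; // never below the stated version
  const [vMaj, vMin] = parse(version);
  const [bMaj, bMin] = parse(base);
  if (op === '~') return vMaj === bMaj && vMin === bMin; // patch updates only
  if (op === '^') {
    if (bMaj > 0) return vMaj === bMaj; // minor and patch updates
    if (bMin > 0) return vMaj === 0 && vMin === bMin; // ^0.y.z: a minor bump may break
    return cmp(version, base) === 0; // ^0.0.z admits only that exact patch
  }
  return cmp(version, base) === 0; // exact pin
}

// Compute the "wanted" and "latest" columns and the size of the jump to latest.
// Assumption: "latest" is the highest published version; npm itself reads the
// registry's `latest` dist-tag, which is usually but not always the same thing.
function report(installed, range, published) {
  const sorted = [...published].sort(cmp);
  const latest = sorted[sorted.length - 1];
  const wanted = sorted.filter((v) => satisfies(v, range)).pop() || installed;
  const [a, b] = [parse(installed), parse(latest)];
  const jump = a[0] !== b[0] ? 'major'
    : a[1] !== b[1] ? 'minor'
    : a[2] !== b[2] ? 'patch' : 'none';
  return { wanted, latest, jump };
}

// Constructed sample data, not taken from any real package.
const published = ['8.1.0', '8.1.4', '8.2.0', '8.3.1', '9.0.0'];
console.log(report('8.1.0', '~8.1.0', published));
console.log(report('8.1.0', '^8.1.0', published));
```

A `jump` of `major` marks the updates that fall outside every range above and therefore need a deliberate install and a test run.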


Update All Dependencies

npm-check-updates comes with handy flags to conveniently update your packages. The following command will update all your dependencies to their latest version:

That’s it! All your dependencies are up to date and require the latest version.


Update package to a major release with NPM

Inside a Node.js project, it’s not clear to me what is the correct workflow to upgrade a package to a major release.

If I check with npm outdated and it comes out that I could update to 9.0.0, npm update wouldn’t work because of the restriction depicted above.

So, if I want to upgrade, what am I supposed to do?

Or maybe I have just to remove the ^ character to let npm update do its job?

What is the common/best practice to adopt?


4 Answers


So, if I want to upgrade, what am I supposed to do?


Say you have "the-package" installed at version 3.x and want to upgrade to 5.x

You would do this:

it will update package.json and package-lock.json as well.


Or maybe I have just to remove the ^ character to let npm update do its job?

What is the common/best practice to adopt?

The most common/best practice is to never allow automatic updates to versions that have potentially breaking changes. Workflows are all over the map, from manual test and then update packages.json, to fully automated detect, test, update and submission of packages.json.

Many Java/JavaScript environments are particularly sensitive to transitive dependency changes due to the lack of side by side versioning support. If your package brings in a breaking change of one of its own dependencies, then your package has introduced a breaking change to the system. If your 1.y.z causes an update of one of its dependencies from X.Y.Z to X+1.Y.Z it introduces a breaking change and is therefore not a stable version 1.y.z. Other packages that depend on the same package name as yours could potentially be broken whenever the developers of that package released a breaking change. Never let the world get into that state!

I recommend you study the Diamond Dependency Problem and take it to heart. You should always carefully test breaking changes and never try to force them on your customers.

As pointed out by @ShaharShokrani, this answer gives a good workflow for manually updating your package. And to remain in compliance with SemVer 2.0.0 #8, don’t forget to bump your own major version number.

Command "npm update" vs package "npm-check-updates"

What is the difference between the command npm update and the package npm-check-updates? Is it fully safe to use the latter?

It seems after executing npm update not all packages are updated, thus it seems it is incomplete. Many other popular SO answers refer to use first the prior command and then the latter, but I still do not understand what the latter does that the prior does not.

3 Answers


A bit late to the party but I felt like the previously accepted answer is outdated and slightly lacking.

What npm Offers

Key features of npm update:


What npm-check-updates Offers

Running ncu without any flags will print a list of all the outdated packages and the version to which it would update, but will not apply any changes.


npm vs. ncu

npm-check-updates will only modify your package.json file. Once you’ve run that command, you’ll then need to run a separate npm install to grab those changes. On the other hand, npm update will do all of that, and not give you the chance to check what is being updated beforehand.

There used to be an annoyance that npm update did not update the package.json file but this is no longer the case from 5.0.0. And way back when, it also looked at package dependencies which caused no end of problems for a lot of people.

For example, below is the output from one of my legacy projects. Here, you can see that a few grunt packages are out of date, mainly because I no longer work on this project, prefer to write build scripts in npm, and haven’t had the time to update older projects.

How do I update an NPM module that I published?

I created a NPM module and I published it at version 0.0.1

I made some changes and pushed those to github, and I would like it so that when one uses npm install myModule the new version is used.

How do I tell NPM that there is a version 0.0.2?


5 Answers


npm install will install the latest version in the NPM repository.

npm install yourModule will then install the latest version from the NPM registry.

I found the last answer a little misleading, sorry.


For me, updating the version in the package.json still resulted in the «You cannot publish over. » error.

The steps to resolve were (based on OP's version number):

npm version 0.0.2


If it is a patch release (small changes) use following:

It will increment the last part of version number.

If it is a minor release (new features) use following:

It will increment the middle part of version number.

If it is a major release (major features or major issue fixes) use following:

It will increment the first part of version number.
