Published on 24/09/2018
2 min read
You know that message which keeps telling you "found 14 vulnerabilities (9 low, 5 high) in 22292 scanned packages" every time you run npm install or npm update? Well, you really should update them. That of course is the easy part; the hard part is piecing together all the broken bits afterwards.
From the npm documentation for npm update: "This command will update all the packages listed to the latest version (specified by the tag config), respecting semver."
The first step is to run npm update on a regular basis. This should be safe, as it respects semantic versioning, which should not bring in breaking changes so long as your version tags are set up correctly. This will be the case if you've left them as the default.
Of course, these may not be the latest versions, in which case further steps are required.
From the npm documentation for npm outdated: "This command will check the registry to see if any (or, specific) installed packages are currently outdated."
The npm outdated command checks whether any packages have newer versions available, including versions outside the semantic versioning (semver) range that npm update will not touch.
I recommend running npm outdated after npm update: if it produces no output, no further steps are needed and it must be caffeine time.
If output is produced, there are a couple of options for upgrading the packages:
- Overwrite each package's version tag with
After this, run npm update, which will then download the latest version of each package and set the version tag back to the default. NOTE: I'm not sure exactly what controls the default version tag behaviour; any further explanation is welcome in the comments.
- Use the npm-check-updates (
This can be installed globally for easy use across multiple projects: npm install -g npm-check-updates.
Run it from the directory containing your package.json. This will output a list of packages which can be updated.
Once you've checked for available updates, you can apply them with ncu -u, which will update your package.json with the latest versions. Then run npm i, which will download the versions now listed in your package.json. This option is slightly more involved but can save time with a large number of packages.
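As an added example (not part of the original post), here is a small POSIX shell wrapper around the workflow above. The helper functions parse the column layout that npm outdated prints (Package, Current, Wanted, Latest, Location) and separate the packages that npm update already handles (Wanted equals Latest) from those that need a deliberate jump past their semver range (Wanted differs from Latest). The sample report is constructed for illustration; the --run mode assumes npm and npm-check-updates are installed.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the three-step flow:
#   1. npm update    -> safe, semver-respecting refresh
#   2. npm outdated  -> whatever is left crosses a semver range
#   3. ncu -u && npm i -> rewrite package.json and reinstall
# The parsing helpers below assume the standard `npm outdated` table layout.

# Count packages whose Latest column differs from Wanted, i.e. upgrades that
# `npm update` will not apply. Reads `npm outdated` text on stdin, prints count.
count_major_upgrades() {
  awk 'NR > 1 && NF >= 4 && $3 != $4 { n++ } END { print n + 0 }'
}

# Same input; prints the names of the packages that sit beyond their semver range.
list_major_upgrades() {
  awk 'NR > 1 && NF >= 4 && $3 != $4 { print $1 }'
}

# Constructed sample report in the format `npm outdated` prints (not real data).
SAMPLE_OUTDATED='Package   Current  Wanted   Latest   Location
express   4.16.3   4.16.4   4.16.4   node_modules/express
lodash    4.17.4   4.17.11  4.17.11  node_modules/lodash
webpack   3.12.0   3.12.0   4.19.1   node_modules/webpack
jest      22.4.4   22.4.4   23.6.0   node_modules/jest'

# The live workflow only runs when invoked with --run, so the helpers can be
# sourced or tested without touching a real project.
if [ "${1:-}" = "--run" ]; then
  npm update
  # npm outdated exits non-zero when anything is outdated; keep going regardless.
  report=$(npm outdated || true)
  if [ -z "$report" ]; then
    echo "Everything is up to date. Caffeine time."
    exit 0
  fi
  echo "$report"
  echo "Packages needing a bump past their semver range: $(echo "$report" | count_major_upgrades)"
  echo "$report" | list_major_upgrades
  echo "To apply them: ncu -u && npm i, then run your tests."
fi
```

Run it as ./update-check.sh --run from the directory containing package.json; without the flag it only defines the helpers, which is how the sample report can be piped through them (for example, printf '%s\n' "$SAMPLE_OUTDATED" | list_major_upgrades).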
You're now done. Kick off your tests and go have a coffee.