How to keep your NPM dependencies up to date?

August 17, 2016
Sébastien Berten

Once we have installed our NPM dependencies, we tend to stop paying attention to their new versions. After a few months, we realize that the project is completely outdated and needs to be upgraded. The problem is that many dependencies contain breaking changes by then, and upgrading becomes a real pain.

To avoid this kind of problem, updating regularly is important. And rather than checking the version of each dependency yourself, you can use one of the solutions described here:

npm-check-updates

Currently at version 2.8.0, this NPM package can be used directly from the command line if you install it globally. You just have to run the ncu command in the root of your project, and npm-check-updates will check for you whether more recent versions exist for the NPM dependencies defined in your package.json. It is probably the simplest solution of all. (The official NPM page: npm-check-updates)

Note: despite being a global command usable in any project, I don't advise installing it globally, nor any other NPM package for that matter. Installing globally forces you to use the same version of the package across all your local projects, whereas different projects may depend on different versions.

updtr

updtr looks like ncu but runs the tests after each upgrade attempt. In fact, updtr will try to replace the current version of each dependency with the latest one and will execute the tests after each try. If the tests fail, it rolls back that upgrade and continues with the remaining dependencies. This is very useful, because when you use a tool like ncu you have no idea whether your project will still work after upgrading. Here, updtr checks with your automated tests; it is then your responsibility to make sure that "npm test" (the default command used to run the tests) runs correctly and covers your code with a complete test suite.
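To make the difference between the two tools concrete, here is an added JavaScript example (not code from the original post, nor from npm-check-updates or updtr). It models both behaviours described above: an ncu-style report of which dependencies in package.json have a newer version and how big the bump is, and an updtr-style loop that applies one upgrade at a time, runs the tests, and rolls the upgrade back when they fail. The package.json contents, the registry's "latest" versions and the test runner are constructed stand-ins; a real tool queries the npm registry and runs `npm test`.

```javascript
'use strict';

// Constructed sample package.json, inlined so the example runs offline.
const packageJson = {
  name: 'demo-app',
  dependencies: {
    lodash: '^3.10.1',
    request: '^2.74.0',
    express: '^4.14.0',
  },
};

// Constructed stand-in for "latest version published in the npm registry".
const registryLatest = {
  lodash: '4.14.2',   // major bump: the kind that usually hides breaking changes
  request: '2.74.0',  // already current
  express: '4.14.1',  // patch bump
};

// Parse "^1.2.3", "~1.2.3" or "1.2.3" into its range prefix and numeric parts.
function parseSpec(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return { prefix: m[1], parts: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

// Numeric comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// 'major' | 'minor' | 'patch' when `latest` is newer than the version in `spec`,
// null when there is nothing to upgrade.
function bumpKind(spec, latest) {
  const cur = parseSpec(spec).parts;
  const next = parseSpec(latest).parts;
  if (compareVersions(next, cur) <= 0) return null;
  if (next[0] !== cur[0]) return 'major';
  if (next[1] !== cur[1]) return 'minor';
  return 'patch';
}

// ncu-style report: every dependency that has a newer version, with the bump kind.
function checkUpdates(pkg, registry) {
  const report = {};
  for (const [name, spec] of Object.entries(pkg.dependencies)) {
    const kind = bumpKind(spec, registry[name]);
    if (kind) report[name] = { from: spec, to: registry[name], kind };
  }
  return report;
}

// updtr-style loop: apply one upgrade, run the tests, keep the new version only
// if they pass, otherwise roll back before trying the next dependency.
// `runTests` stands in for `npm test`: it receives the candidate dependency map
// and returns true on success.
function upgradeWithTests(pkg, registry, runTests) {
  const deps = { ...pkg.dependencies };
  const result = { upgraded: [], rolledBack: [] };
  for (const [name, change] of Object.entries(checkUpdates(pkg, registry))) {
    const previous = deps[name];
    deps[name] = parseSpec(previous).prefix + change.to; // keep the ^/~ style
    if (runTests(deps)) {
      result.upgraded.push(name);
    } else {
      deps[name] = previous; // rollback, as updtr does when the suite fails
      result.rolledBack.push(name);
    }
  }
  return { dependencies: deps, ...result };
}

// Constructed test runner: pretend the project breaks on lodash 4.x
// (the major bump) and keeps working with every other upgrade.
function fakeTestSuite(deps) {
  return !deps.lodash.startsWith('^4.');
}

console.log('ncu-style report:', checkUpdates(packageJson, registryLatest));
console.log('updtr-style result:', upgradeWithTests(packageJson, registryLatest, fakeTestSuite));
```

Run it with `node` and compare the two outputs: the report lists lodash and express as upgradable, while the test-driven loop keeps only the express patch and rolls lodash back to ^3.10.1. That is exactly the information ncu alone cannot give you, and it is why the bump kind matters: a major bump is the one to review for breaking changes before merging.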

next-update

next-update is the most complete tool suite. It does not only check whether newer versions of NPM dependencies can be installed while the tests still pass. It can also watch many GitHub repositories (like Greenkeeper, which we will see in a moment) thanks to next-updater, check whether your code is going to break everyone who depends on it with dont-break, and retrieve the commit messages between two versions of an NPM package with changed-log.

Each tool can be used separately. This suite can be really useful for a company relying heavily on NodeJS and NPM, because you can check the interactions between all of your NPM packages and understand the impact of an upgrade.

Greenkeeper

Greenkeeper is different from the others because it is more a Software as a Service (SaaS) than a local tool. The first step to use Greenkeeper is to connect it to your GitHub account; then you choose one or more repositories (depending on the price plan you pick) that you want Greenkeeper to watch. And that's all. From this point, the Greenkeeper bot will watch the selected repositories and offer to upgrade the packages by sending you pull requests.

It is up to you to merge the pull request or not. As Greenkeeper recommends on its main page, it is better to have a Continuous Integration service (like TravisCI or Codeship) run the automated tests against the pull requests. Anyway, if you want to check by yourself, or make some modifications to the upgrade, feel free to check out the pull request's branch and update it before merging. This solution is greatly appreciated by many big open source projects like Lodash, Request, or Modernizr. One drawback: you need a GitHub repository, public or private, either on github.com or on GitHub Enterprise.

Conclusion

I don't advise using npm-check-updates, because it doesn't take into account the automated tests present in your project. The simplest and most efficient solutions remain, for me, updtr or next-update, except that next-update will be more interesting in a real enterprise context where you have to deal with your own enterprise NPM dependencies. If you are looking for something that works with GitHub, and you already have a Continuous Integration service, Greenkeeper can be the best solution.
By Mathieu Breton, CTO Js-Republic
