npm-check-updates upgrades your package.json dependencies to the latest versions, ignoring specified versions.

• maintains existing semantic versioning policies, i.e. "react": "^17.0.2" to "react": "^18.3.1".
• only modifies package.json file. Run npm install to update your installed packages and package-lock.json.
• sensible defaults, but highly customizable
• compatible with npm, yarn, pnpm, deno, and bun
• CLI and module usage
• Pure ESM architecture with dual-build support (ESM/CJS)

⚠️ v21.0.0 Breaking Changes (ESM Migration)

npm-check-updates is now a dual ESM/CJS module. If you use a .ncurc.js config or programmatic imports, please see the ESM Migration Guide in the CHANGELOG for required updates.

$${\color{red}Red}$$ major upgrade (and all major version zero)
$${\color{cyan}Cyan}$$ minor upgrade
$${\color{green}Green}$$ patch upgrade

• Node.js: ^20.19.0 || ^22.12.0 || >=24.0.0
• npm: >=10.0.0

npm-check-updates v21+ requires modern Node.js and npm versions to support native ESM and Vite 8's Rolldown bundler.

Install globally to use npm-check-updates or the shorter ncu:

npm install -g npm-check-updates

Or run with npx (only the long form is supported):

npx npm-check-updates

Check the latest versions of all project dependencies:

$ ncu
Checking package.json
[====================] 5/5 100%

 eslint             7.32.0  →    8.0.0
 prettier           ^2.7.1  →   ^3.0.0
 svelte            ^3.48.0  →  ^3.51.0
 typescript         >3.0.0  →   >4.0.0
 untildify          <4.0.0  →   ^4.0.0
 webpack               4.x  →      5.x

Run ncu -u to upgrade package.json

Upgrade a project's package file:

Make sure your package file is in version control and all changes have been committed. This will overwrite your package file.

$ ncu -u
Upgrading package.json
[====================] 1/1 100%

 express           4.12.x  →   4.13.x

Run npm install to install new versions.

$ npm install      # update installed packages and package-lock.json

Check global packages:

ncu -g

Choose which packages to update in interactive mode:

ncu --interactive
ncu -i

Combine with --format group for a truly luxe experience:

• ↑↓ Select a package
• Space Toggle selection
• a Toggle all
• Enter Upgrade

Filter packages using the --filter option or adding additional cli arguments:

# upgrade only mocha
ncu mocha
ncu -f mocha
ncu --filter mocha

# upgrade only chalk, mocha, and react
ncu chalk mocha react
ncu chalk, mocha, react
ncu -f "chalk mocha react"

Filter with wildcards or regex:

# upgrade packages that start with "react-"
ncu react-*
ncu "/^react-.*$/"

Exclude specific packages with the --reject option or prefixing a filter with !. Supports strings, wildcards, globs, comma-or-space-delimited lists, and regex:

# upgrade everything except nodemon
ncu \!nodemon
ncu -x nodemon
ncu --reject nodemon

# upgrade packages that do not start with "react-".
ncu \!react-*
ncu '/^(?!react-).*$/' # mac/linux
ncu "/^(?!react-).*$/" # windows

Advanced filters: filter, filterResults, filterVersion

• Direct dependencies are updated to the latest stable version:
  • 2.0.1 → 2.2.0
  • 1.2 → 1.3
  • 0.1.0 → 1.0.1
• Range operators are preserved and the version is updated:
  • ^1.2.0 → ^2.0.0
  • 1.x → 2.x
  • >0.2.0 → >0.3.0
• "Less than" is replaced with a wildcard:
  • <2.0.0 → ^3.0.0
  • 1.0.0 < 2.0.0 → ^3.0.0
• "Any version" is preserved:
  • * → *
• Prerelease versions are ignored by default.
  • Use --pre to include prerelease versions (e.g. alpha, beta, build1235)
• Choose what level to upgrade to:
  • With --target semver, update according to your specified semver version ranges:
    • ^1.1.0 → ^1.9.99
  • With --target minor, strictly update the patch and minor versions (including major version zero):
    • 0.1.0 → 0.2.1
  • With --target patch, strictly update the patch version (including major version zero):
    • 0.1.0 → 0.1.2
  • With --target @next, update to the version published on the next tag:
    • 0.1.0 -> 0.1.1-next.1

Options are merged with the following precedence:

1. Command line options
2. Local Config File (current working directory)
3. Project Config File (next to package.json)
4. User Config File ($HOME)

Options that take no arguments can be negated by prefixing them with --no-, e.g. --no-peer.

Some options have advanced usage, or allow per-package values by specifying a function in your .ncurc.js file.

Run ncu --help [OPTION] to view advanced help for a specific option, or see below:

Usage:

ncu --cooldown [period]
ncu -c [period]

The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given amount of time before considering them for upgrade.

The value can be a plain number (days) or a string with a unit suffix:

--cooldown 7       7 days
--cooldown 7d      7 days (same as above)
--cooldown 12h     12 hours
--cooldown 30m     30 minutes

With the default --target latest, if the latest dist-tag version is within the cooldown window, ncu falls back to the greatest version that passes the cooldown threshold. To instead skip the package entirely (strict behaviour), use --target "@latest".

Example:

Let's examine how cooldown works with a package that has these versions available:

1.0.0          Released 7 days ago    (initial version)
1.1.0          Released 6 days ago    (minor update)
1.1.1          Released 5 days ago    (patch update)
1.2.0          Released 5 days ago    (minor update)
2.0.0-beta.1   Released 5 days ago    (beta release)
1.2.1          Released 4 days ago    (patch update)
1.3.0          Released 4 days ago    (minor update) [latest]
2.0.0-beta.2   Released 3 days ago    (beta release)
2.0.0-beta.3   Released 2 days ago    (beta release) [beta]

With default target (latest):

$ ncu --cooldown 5

Falls back to 1.2.0 because:

• Latest version (1.3.0) is only 4 days old (within 5-day cooldown)
• 1.2.0 is the greatest version that is at least 5 days old

With @latest strict target:

$ ncu --cooldown 5 --target @latest

No update will be suggested because:

• Latest version (1.3.0) is only 4 days old
• Cooldown requires versions to be at least 5 days old
• @latest is strict: no fallback to older versions

With @beta/@tag target:

$ ncu --cooldown 3 --target @beta

No update will be suggested because:

• Current beta (2.0.0-beta.3) is only 2 days old
• Cooldown requires versions to be at least 3 days old
• Use --cooldown 2 or lower to allow this update

With other targets:

$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver

Each target will select the best version that is at least 5 days old:

greatest → 1.2.0        (highest version number outside cooldown)
newest   → 2.0.0-beta.1 (most recently published version outside cooldown)
minor    → 1.2.0        (highest minor version outside cooldown)
patch    → 1.1.1        (highest patch version outside cooldown)

You can also provide a custom function in your .ncurc.js file or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Set cooldown to 3 days but skip it for `@my-company` packages.
  @param packageName     The name of the dependency.
  @returns               Cooldown days restriction for given package.
*/
cooldown: packageName => (packageName.startsWith('@my-company') ? 0 : 3)

If --cooldown is not set explicitly, ncu automatically reads the cooldown configuration from your package manager's config file:

When using --format cooldown alongside the --cooldown option, ncu will show a list of packages that were skipped due to the --cooldown threshold.

Example:

ncu --format cooldown --cooldown 7

Output:

Skipped due to 7-day cooldown
 @typescript-eslint/parser  ^8.50.0  →  ^8.59.1      5 days ago
 eslint                     ^10.0.1  →  ^10.3.0      1 day ago

Usage:

ncu --doctor -u
ncu --no-doctor
ncu -du

Iteratively installs upgrades and runs your project's tests to identify breaking upgrades. Reverts broken upgrades and updates package.json with working upgrades.

Requires -u to execute (modifies your package file, lock file, and node_modules)

To be more precise:

1. Runs npm install and npm test to ensure tests are currently passing.
2. Runs ncu -u to optimistically upgrade all dependencies.
3. If tests pass, hurray!
4. If tests fail, restores package file and lock file.
5. For each dependency, install upgrade and run tests.
6. Prints broken upgrades with test error.
7. Saves working upgrades to package.json.

Additional options:

Example:

$ ncu --doctor -u
Running tests before upgrading
npm install
npm run test
Upgrading all dependencies and re-running tests
ncu -u
npm install
npm run test
Tests failed
Identifying broken dependencies
npm install
npm install --no-save react@16.0.0
npm run test
  ✓ react 15.0.0 → 16.0.0
npm install --no-save react-redux@7.0.0
npm run test
  ✗ react-redux 6.0.0 → 7.0.0

/projects/myproject/test.js:13
  throw new Error('Test failed!')
  ^

npm install --no-save react-dnd@11.1.3
npm run test
  ✓ react-dnd 10.0.0 → 11.1.3
Saving partially upgraded package.json

Usage:

ncu --filter [p]
ncu -f [p]

Include only package names matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function. Only included packages will be checked with --peer.

--filter runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be included, false if it should be excluded.
*/
filter: (name, semver) => {
  if (name.startsWith('@myorg/')) {
    return false
  }
  return true
}

Filters results based on a user provided predicate function after fetching new versions.

filterResults runs after new versions are fetched, in contrast to filter, reject, filterVersion, and rejectVersion, which run before. This allows you to exclude upgrades with filterResults based on how the version has changed (e.g. a major version change).

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Exclude major version updates. Note this could also be achieved with --target semver.
  @param {string} packageName               The name of the dependency.
  @param {string} current                   Current version declaration (may be a range).
  @param {SemVer[]} currentVersionSemver    Current version declaration in semantic versioning format (may be a range).
  @param {string} upgraded                  Upgraded version.
  @param {SemVer} upgradedVersionSemver     Upgraded version in semantic versioning format.
  @returns {boolean}                        Return true if the upgrade should be kept; otherwise, it will be ignored.
*/
filterResults: (packageName, { current, currentVersionSemver, upgraded, upgradedVersionSemver }) => {
  const currentMajor = parseInt(currentVersionSemver[0]?.major, 10)
  const upgradedMajor = parseInt(upgradedVersionSemver?.major, 10)
  if (currentMajor && upgradedMajor) {
    return currentMajor >= upgradedMajor
  }
  return true
}

For the SemVer type definition, see: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring

Usage:

ncu --filterVersion [p]

Include only versions matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.

--filterVersion runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions. This function is an alias for the filter option function.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be included, false if it should be excluded.
*/
filterVersion: (name, semver) => {
  if (name.startsWith('@myorg/') && parseInt(semver[0]?.major) > 5) {
    return false
  }
  return true
}

Usage:

ncu --format [value]

Modify the output formatting or show additional information. Specify one or more comma-delimited values.

Customize how packages are divided into groups when using --format group.

Only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name             The name of the dependency.
  @param defaultGroup     The predefined group name which will be used by default.
  @param currentSpec      The current version range in your package.json.
  @param upgradedSpec     The upgraded version range that will be written to your package.json.
  @param upgradedVersion  The upgraded version number returned by the registry.
  @returns                A predefined group name ('major' | 'minor' | 'patch' | 'majorVersionZero' | 'none') or a custom string to create your own group.
*/
groupFunction: (name, defaultGroup, currentSpec, upgradedSpec, upgradedVersion) => {
  if (name === 'typescript' && defaultGroup === 'minor') {
    return 'major'
  }
  if (name.startsWith('@myorg/')) {
    return 'My Org'
  }
  return defaultGroup
}

Usage:

ncu --install [value]

Default: prompt

Control the auto-install behavior.

Usage:

ncu --packageManager [s]
ncu -p [s]

Specifies the package manager to use when looking up versions.

Usage:

ncu --peer
ncu --no-peer

Check peer dependencies of installed packages and filter updates to compatible versions.

Example:

The following example demonstrates how --peer works, and how it uses peer dependencies from upgraded modules.

The package ncu-test-peer-update has two versions published:

• 1.0.0 has peer dependency "ncu-test-return-version": "1.0.x"
• 1.1.0 has peer dependency "ncu-test-return-version": "1.1.x"

Our test app has the following dependencies:

"ncu-test-peer-update": "1.0.0",
"ncu-test-return-version": "1.0.0"

The latest versions of these packages are:

"ncu-test-peer-update": "1.1.0",
"ncu-test-return-version": "2.0.0"

With --peer:

ncu upgrades packages to the highest version that still adheres to the peer dependency constraints:

ncu-test-peer-update     1.0.0  →  1.1.0
ncu-test-return-version  1.0.0  →  1.1.0

Without --peer:

As a comparison: without using the --peer option, ncu will suggest the latest versions, ignoring peer dependencies:

ncu-test-peer-update     1.0.0  →  1.1.0
ncu-test-return-version  1.0.0  →  2.0.0

Usage:

ncu --registryType [type]

Specify whether --registry refers to a full npm registry or a simple JSON file.

// local file
$ ncu --registryType json --registry ./registry.json

// url
$ ncu --registryType json --registry https://api.mydomain/registry.json

// you can omit --registryType when the registry ends in .json
$ ncu --registry ./registry.json
$ ncu --registry https://api.mydomain/registry.json

{
  "prettier": "2.7.1",
  "typescript": "4.7.4"
}

Usage:

ncu --reject [p]
ncu -x [p]

The inverse of --filter. Exclude package names matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function. This will also exclude them from the --peer check.

--reject runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be excluded, false if it should be included.
*/
reject: (name, semver) => {
  if (name.startsWith('@myorg/')) {
    return true
  }
  return false
}

Usage:

ncu --rejectVersion [p]

The inverse of --filterVersion. Exclude versions matching the given string, wildcard, glob, comma-or-space-delimited list, /regex/, or predicate function.

--rejectVersion runs before new versions are fetched, in contrast to --filterResults which runs after.

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions. This function is an alias for the reject option function.

/**
  @param name     The name of the dependency.
  @param semver   A parsed Semver array of the current version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        True if the package should be excluded, false if it should be included.
*/
rejectVersion: (name, semver) => {
  if (name.startsWith('@myorg/') && parseInt(semver[0]?.major) > 5) {
    return true
  }
  return false
}

Usage:

ncu --target [value]
ncu -t [value]

Determines the version to upgrade to. (default: "latest")

e.g.

ncu --target semver

You can also specify a custom function in your .ncurc.js file, or when importing npm-check-updates as a module.

⚠️ The predicate function is only available in .ncurc.js or when importing npm-check-updates as a module, not on the command line. To convert a JSON config to a JS config, follow the instructions at https://github.com/raineorshine/npm-check-updates#config-functions.

/** Upgrade major version zero to the next minor version, and everything else to latest.
  @param name     The name of the dependency.
  @param semver   A parsed Semver object of the upgraded version.
    (See: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring)
  @returns        One of the valid target values (specified in the table above).
*/
target: (name, semver) => {
  if (parseInt(semver[0]?.major) === '0') return 'minor'
  return 'latest'
}

Add a .ncurc or .ncurc.{json,yaml,yml,js,mjs,cjs} file to your project directory to specify configuration information.

.ncurc without an extension can be in JSON or YAML format. For example:

.ncurc:

upgrade: true
filter: svelte
reject:
  - '@types/estree'
  - ts-node

.ncurc.json:

{
  "upgrade": true,
  "filter": "svelte",
  "reject": ["@types/estree", "ts-node"]
}

Options are merged with the following precedence:

1. Command line options
2. Local Config File (current working directory)
3. Project Config File (next to package.json)
4. User Config File ($HOME)

You can also specify a custom config file name or path using the --configFileName or --configFilePath command line options.

Some options offer more advanced configuration using a function definition. These include filter, filterVersion, filterResults, reject, rejectVersion, and groupFunction. To define these, use a JavaScript-based configuration file.

Rename your config to .ncurc.js (if using "type": "module") or .ncurc.mjs.

import { defineConfig } from 'npm-check-updates'

export default defineConfig({
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
})

Use the .ncurc.cjs extension or a standard .ncurc.js file (if useing "type": "commonjs").

const { defineConfig } = require('npm-check-updates')

module.exports = defineConfig({
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
})

Alternatively, if you prefer not to use the helper, you can use JSDoc for IntelliSense:

/** @type {import('npm-check-updates').RcOptions} */
export default {
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
}

/** @type {import('npm-check-updates').RcOptions} */
module.exports = {
  upgrade: true,
  filter: name => name.startsWith('@myorg/'),
}

If you write .ncurc config files using json or yaml, you can add the JSON Schema to your IDE settings for completions.

e.g. for VS Code:

  "json.schemas": [
    {
      "fileMatch": [
        ".ncurc",
        ".ncurc.json",
      ],
      "url": "https://raw.githubusercontent.com/raineorshine/npm-check-updates/main/src/types/RunOptions.json"
    }
  ],
  "yaml.schemas": {
    "https://raw.githubusercontent.com/raineorshine/npm-check-updates/main/src/types/RunOptions.json": [
        ".ncurc.yml",
    ]
  },

npm-check-updates can be imported as a module in both ESM and CommonJS environments.

Use this for modern projects using "type": "module" in package.json or .mjs files.

import * as ncu from 'npm-check-updates'

const upgraded = await ncu.run({
  // Pass any cli option
  packageFile: '../package.json',
  upgrade: true,
  // Defaults:
  // jsonUpgraded: true,
  // silent: true,
})

console.log(upgraded) // { "mypackage": "^2.0.0", ... }

Use this for legacy projects using "type": "commonjs" or scripts using the .cjs extension.

const ncu = require('npm-check-updates')

// Since ncu.run() is an async function
ncu
  .run({
    packageFile: './package.json',
    upgrade: true,
  })
  .then(upgraded => {
    console.log(upgraded)
  })

Contributions are happily accepted. I respond to all PR's and can offer guidance on where to make changes. For contributing tips see CONTRIBUTING.md.

File an issue. Please search existing issues first.