updates is a CLI tool which checks for dependency updates. It is typically able to complete in less than a second.
- `package.json` - npm dependencies
- `pyproject.toml` - uv dependencies
- `go.mod` - go dependencies
- `Cargo.toml` - Cargo dependencies
- `.{github,gitea,forgejo}/workflows` - Actions and Docker images
- `Dockerfile*`, `docker-*.{yml,yaml}` - Docker images
```bash
# check for updates
npx updates

# update package.json and install new dependencies
npx updates -u && npm i
```

| Option | Description |
|---|---|
| `-u, --update` | Update versions and write dependency file |
| `-f, --file <path,...>` | File or directory to use, defaults to current directory |
| `-M, --modes <mode,...>` | Which modes to enable. Either `npm`, `pypi`, `go`, `cargo`, `actions`, `docker`. Default: `npm,pypi,go,cargo,actions,docker` |
| `-i, --include <dep,...>` | Include only given dependencies |
| `-e, --exclude <dep,...>` | Exclude given dependencies |
| `-l, --pin <dep=range>` | Pin dependency to given semver range |
| `-C, --cooldown <duration>` | Minimum dependency age, e.g. `7`, `1w`, `2d`, `6h` |
| `-p, --prerelease [<dep,...>]` | Consider prerelease versions |
| `-R, --release [<dep,...>]` | Only use release versions, may downgrade |
| `-g, --greatest [<dep,...>]` | Prefer greatest over latest version |
| `-t, --types <type,...>` | Dependency types to update |
| `-P, --patch [<dep,...>]` | Consider only up to semver-patch |
| `-m, --minor [<dep,...>]` | Consider only up to semver-minor |
| `-d, --allow-downgrade [<dep,...>]` | Allow version downgrades when using latest version |
| `-S, --sockets <num>` | Maximum number of parallel HTTP sockets opened. Default: `96` |
| `-T, --timeout <ms>` | Network request timeout in ms (go probes use half). Default: `5000` |
| `-r, --registry <url>` | Override npm registry URL |
| `-I, --indirect` | Include indirect Go dependencies |
| `-E, --error-on-outdated` | Exit with code 2 when updates are available and 0 when not |
| `-U, --error-on-unchanged` | Exit with code 0 when updates are available and 2 when not |
| `-j, --json` | Output a JSON object |
| `-n, --no-color` | Disable color output |
| `-v, --version` | Print the version |
| `-V, --verbose` | Print verbose output to stderr |
| `-h, --help` | Print the help |
Options that take multiple arguments accept them either as a comma-separated value or by specifying the option multiple times. If an option has an optional `dep` argument but none is given, the option is applied to all dependencies instead. All `dep` options support glob matching via `*` or regex (on CLI, wrap the regex in slashes, e.g. `'/^foo/'`).
The module can be configured with updates.config.{ts,js,mjs,mts} in your repo root.
```ts
import type {Config} from "updates";

export default {
  exclude: [
    "semver",
    "@vitejs/*",
    /^react(-dom)?$/,
  ],
  pin: {
    "typescript": "^5.0.0",
  },
} satisfies Config;
```

- `include` `Array<string | RegExp>`: Array of dependencies to include
- `exclude` `Array<string | RegExp>`: Array of dependencies to exclude
- `types` `Array<string>`: Array of dependency types to use
- `registry` `string`: URL to npm registry
- `minAge` `number`: Minimum dependency age in hours
- `pin` `Record<string, string>`: Pin dependencies to semver ranges
CLI arguments have precedence over options in the config file. include, exclude, and pin options are merged.
| Variable | Description |
|---|---|
| `UPDATES_FORGE_TOKENS` | Comma-separated list of `host:token` pairs for authenticating against forge APIs (e.g. `github.com:ghp_xxx,gitea.example.com:tok_xxx`) |
| `UPDATES_GITHUB_API_TOKEN` | GitHub API token for authenticating forge API requests |
| `GITHUB_API_TOKEN` | Fallback GitHub API token |
| `GH_TOKEN` | Fallback GitHub API token |
| `GITHUB_TOKEN` | Fallback GitHub API token |
| `HOMEBREW_GITHUB_API_TOKEN` | Fallback GitHub API token |
| `GOPROXY` | Go module proxy URL. Default: `https://proxy.golang.org,direct` |
| `GONOPROXY` | Comma-separated list of Go module patterns to fetch directly, bypassing the proxy |
| `GOPRIVATE` | Fallback for `GONOPROXY` when not set |
Token resolution order for forge APIs: UPDATES_FORGE_TOKENS (matched by hostname) > UPDATES_GITHUB_API_TOKEN > GITHUB_API_TOKEN > GH_TOKEN > GITHUB_TOKEN > HOMEBREW_GITHUB_API_TOKEN.
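
To audit which credential a given forge host would pick up from an environment, the documented order can be modelled as below. This is an added example, not code from the `updates` project; the function names, the first-colon split of each `host:token` pair and the case-insensitive host match are assumptions.

```javascript
// Added illustration, not the project's own implementation.
const FALLBACK_VARS = [
  "UPDATES_GITHUB_API_TOKEN",
  "GITHUB_API_TOKEN",
  "GH_TOKEN",
  "GITHUB_TOKEN",
  "HOMEBREW_GITHUB_API_TOKEN",
];

// Parse "host:token,host:token" into a Map keyed by lowercase hostname.
// Assumption: a pair is split at its first colon; malformed pairs are skipped.
function parseForgeTokens(value) {
  const tokens = new Map();
  for (const pair of (value ?? "").split(",")) {
    const idx = pair.indexOf(":");
    const host = pair.slice(0, Math.max(idx, 0)).trim().toLowerCase();
    const token = idx < 0 ? "" : pair.slice(idx + 1).trim();
    if (!host || !token) continue; // missing colon, host or token
    tokens.set(host, token);
  }
  return tokens;
}

// Return {source, token} for a hostname, or null when no variable applies.
function resolveForgeToken(hostname, env = process.env) {
  const perHost = parseForgeTokens(env.UPDATES_FORGE_TOKENS);
  const host = hostname.toLowerCase();
  if (perHost.has(host)) {
    return {source: "UPDATES_FORGE_TOKENS", token: perHost.get(host)};
  }
  for (const name of FALLBACK_VARS) {
    if (env[name]) return {source: name, token: env[name]};
  }
  return null;
}

// Constructed sample environment; the token values are placeholders.
const sampleEnv = {
  UPDATES_FORGE_TOKENS: "github.com:ghp_xxx,gitea.example.com:tok_xxx",
  GH_TOKEN: "ghp_fallback",
  GITHUB_TOKEN: "ghp_ci",
};
for (const host of ["gitea.example.com", "codeberg.org"]) {
  // Print only the variable name, never the secret itself.
  console.log(host, "->", resolveForgeToken(host, sampleEnv)?.source ?? "none");
}
```

In this model a host without an entry in `UPDATES_FORGE_TOKENS` falls through to the GitHub fallback variables in the listed order; the documentation above does not say whether the tool restricts those fallbacks to `github.com`.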
© silverwind, distributed under BSD licence
