How to Update a Node Dependency with NPM

It’s important to keep the dependencies in your package.json file up to date. When relying on third-party code, you want to make sure you’re pulling in security fixes, performance improvements, and general bug fixes. However, since your project’s package-lock.json file pins a specific version of each package, you’ll occasionally need to update those records to pull in the latest compatible version, test it, and deploy it with your project.

In this tutorial we’ll:

  • Use npm outdated to get a list of a project’s dependencies that can be updated
  • Update an existing Node dependency to a new version
  • Update an existing Node dependency to a new major version

By the end of this tutorial, you’ll be able to update dependency versions in your package.json file with npm.

Goal

Update an existing dependency to a new version, and require a specific version of a package be installed.

Prerequisites

Update dependencies in a Node project

Check for outdated packages

To see if any packages in your project are outdated, run npm outdated. For each outdated package, this shows the currently installed version, the wanted version (what npm update would update to), and the latest available version.

In this example we install an outdated version of a package and then check for new versions:

$ npm i request@2.0.0
$ npm outdated
> Package  Current  Wanted  Latest  Location
> request  2.0.0    2.88.0  2.88.0  myprojectdir

Update packages

You can update all packages at once to their wanted versions by running npm update, or pass a package name to update only that package.

Example:

# Updates all dependencies in project.
$ npm update
# Update just the request package.
$ npm update request

The updated packages will be downloaded to the node_modules/ directory, and their versions will be updated in both package.json and package-lock.json.

Note: Make sure to commit the changes made to both package.json and package-lock.json files.

To update globally installed packages use the --global flag.

Example:

$ npm update --global nodemon

Update package to the latest major release

Running npm update will respect the version ranges you have pinned in package.json. Typically, this means that npm update won’t update to a new major release (e.g. v1.x.x to v2.x.x).

If you’d like to update to a major release, use npm install instead.

Use the @latest tag to install the latest version of a package, regardless of which version you already have installed. This will fetch the latest version from the npm registry, then overwrite the installed version in your package.json and node_modules/.

Example:

$ npm install request@latest

You should see npm download the package, and if you check your package.json, you will see that the package’s version now points to the latest major release.

Be careful though! This sidesteps the safeties put in place by Semantic Versioning. Major releases are likely to contain breaking changes, so only do this if you are aware of what might break. A good way to figure that out would be checking the changelog or release notes, if available, for the package.
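
As an added example (not part of the original tutorial), this Node script reads the JSON form of the report, npm outdated --json, and separates the step that npm update will take from the jump that needs npm install <package>@latest, labelling each as a patch, minor, or major bump. The sample report is constructed, and the example-a and example-b package names are hypothetical.

```javascript
// Added example: triage the output of `npm outdated --json`.
// SAMPLE is constructed data in the shape npm prints; example-a and
// example-b are hypothetical package names.
const SAMPLE = JSON.stringify({
  request:     { current: '2.0.0', wanted: '2.88.0', latest: '2.88.0' },
  'example-a': { current: '1.4.2', wanted: '1.4.9',  latest: '3.1.0' },
  'example-b': { current: '4.2.0', wanted: '4.2.0',  latest: '5.0.1' },
});

// Parse "MAJOR.MINOR.PATCH", ignoring any prerelease or build suffix.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1).map(Number);
}

// Which part of the version number changes between two releases?
function bump(from, to) {
  const [a, b] = [parse(from), parse(to)];
  const i = a.findIndex((n, idx) => n !== b[idx]);
  return ['major', 'minor', 'patch', 'none'][i === -1 ? 3 : i];
}

// Turn the report into a list of commands plus the size of each jump.
function plan(outdatedJson) {
  const steps = [];
  for (const [name, v] of Object.entries(JSON.parse(outdatedJson))) {
    if (v.wanted !== v.current) {
      // Inside the range in package.json: npm update will take it.
      steps.push({ name, command: `npm update ${name}`,
                   to: v.wanted, bump: bump(v.current, v.wanted) });
    }
    if (v.latest !== v.wanted) {
      // Outside the range: needs an explicit install and a changelog review.
      steps.push({ name, command: `npm install ${name}@latest`,
                   to: v.latest, bump: bump(v.wanted, v.latest) });
    }
  }
  return steps;
}

console.table(plan(SAMPLE));
```

Rows whose command is npm install <package>@latest are the ones that cross a version range and call for the changelog check described above.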

Test your updates

While the standard is that packages in the npm registry use Semantic Versioning, and that packages within the same major version shouldn’t break anything, there’s no guarantee that’s the case. The ecosystem has no way of enforcing this policy, so it’s up to the individual package maintainers to decide what is or is not a breaking change.

This means you shouldn’t just blindly update a package, even a minor version, without first testing it either automatically with continuous integration or manually in a development environment. Better safe than sorry.

Recap

In this tutorial you learned how to check whether packages in your project are out of date by running npm outdated. Once you have identified dependencies to update, you use npm update to update all the dependencies in your project, or just a single one. If you need to update to the next major version of a dependency, reinstall the package with the @latest tag to overwrite the existing dependency record in package.json.

Further your understanding

  • Run the command npm help update to learn more about additional flags for the update command.
  • Run the command npm help outdated to learn more about what the outdated command does.
  • How does Semantic Versioning affect how npm update works?

Additional resources