
What is the difference between the command npm update and the package npm-check-updates? Is it fully safe to use the latter?

It seems that after executing npm update not all packages are updated, thus it seems it is incomplete. Many other popular SO answers suggest using first the prior command and then the latter, but I still do not understand what the latter does that the prior does not.

João Pimentel Ferreira
  • npm update will update the minor versions but not major. This is explained here: https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version – John Gilmer Oct 22 '20 at 14:30

3 Answers


A bit late to the party but I felt like the previously accepted answer is outdated and slightly lacking.

What npm Offers

npm update - updates the dependencies both in package.json and package-lock.json in accordance with the semantic version rules defined in package.json.

Key features of npm update:

  • It will never update to a breaking version.
  • (npm@7 and above) You can choose to update only the package.json file with npm update --package-lock false. However, this flag will completely ignore package-lock.json and hence automatic pruning of extraneous modules will also be disabled.
  • (npm@7 and above) You can see the changes npm update will perform with the flag --dry-run, without actually updating.

npm outdated - shows all the packages that have newer versions available; this includes breaking changes. It prints a table that includes the package, the current version, the wanted version (according to the semver rules in the package.json), the latest version and the location of the package.

npm outdated example

What npm-check-updates Offers

Running ncu without any flags will print a list of all the outdated packages and the version to which it would update, but will not apply any changes.

Example of ncu output

ncu --update - apply changes to the package.json file only. It will change the versions of all the dependencies in package.json to the latest (even if it's a breaking version!), but will not modify the package-lock.json file. For that, you will need to run npm install.

ncu --target [patch, minor, latest, newest, greatest] - choose which type of version to list/update.

npm vs. ncu

| Feature | npm | ncu |
|---|---|---|
| Show Outdated Packages | npm outdated - shows wanted & latest versions | ncu - shows latest by default, can be customised |
| Update Packages | npm update | ncu -u |
| Breaking Versions | Never updates to a breaking version, but shows them in npm outdated | Updates to and shows breaking version by default, can be customised |
| package.json SemVer Rules | npm outdated shows the "wanted" version according to SemVer rules, updates to "wanted" version | Disregards SemVer rules (unless explicitly specified), can be customised to update to different types of versions |
| Files Modified | Modifies package.json and package-lock.json and installs the updated modules | Modifies package.json, doesn't change package-lock.json and doesn't automatically install |
| Customisation | Can ignore package-lock.json (npm@7) and choose which packages to update | Can choose what kind of version to update to (minor, patch, latest, greatest, newest) and which packages to update |
Eldar B.
  • So is there a reason why npm-check-updates does not automatically run npm install after making changes to package.json? Why would you update to the latest packages but NOT install them? – Meliovation Jun 24 '22 at 15:04
  • I am not the developer of this package, but I assume it's to avoid unnecessary side effects. – Eldar B. Jun 26 '22 at 10:41
  • I think ncu filled a gap that npm didn't address, but npm > 7 addresses much of it today. NCU still does what I Want - an interactive upgrader. But currently it doesn't really support workspaces: https://github.com/raineorshine/npm-check-updates/issues/1099 and the npm outdated command does exactly that. – httpete Jul 09 '22 at 15:40
  • I believe they will add that feature if enough people request it – Eldar B. Jul 10 '22 at 07:38
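The "wanted" versus "latest" distinction discussed in this answer (and in the answers below), as an added example that is not code from npm, npm-check-updates or any of the posters: a small model of how a caret/tilde range resolves to the highest in-range version (what npm update installs) versus what ncu picks for each --target, flagging picks that cross a major version. The REGISTRY object and its version lists are constructed sample data; the real tools query the npm registry.

```javascript
// Added example, not code from npm, ncu or the answers above. Models how
// `npm update` picks the highest version inside a ^/~ range ("wanted") while
// `ncu` picks by --target (patch, minor, latest) regardless of the range.
// REGISTRY is constructed sample data; the real tools query the npm registry.
const REGISTRY = {
  grunt: ["1.0.3", "1.0.4", "1.1.0"],
  "grunt-contrib-clean": ["1.0.0", "1.1.0", "2.0.0"],
  "grunt-sass": ["2.0.0", "2.0.1", "2.1.0", "3.0.2"],
};
const parse = (v) => v.replace(/^[\^~]/, "").split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Does `version` satisfy `range`? Handles ^x.y.z, ~x.y.z and exact x.y.z only
// (^0.0.z, which pins the patch component, is not modelled).
function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parse(range), v = parse(version);
  if (cmp(version, range) < 0) return false;
  if (op === "^") return base[0] !== 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  return cmp(version, range) === 0;
}

// npm update / npm outdated "wanted": highest version inside the range.
function wanted(range, versions) {
  return versions.filter((v) => satisfies(range, v)).sort(cmp).pop() ?? null;
}

// ncu: highest version allowed by --target, ignoring the range operator.
function ncuPick(range, versions, target = "latest") {
  const base = parse(range);
  const ok = (v) => {
    const p = parse(v);
    if (target === "patch") return p[0] === base[0] && p[1] === base[1];
    if (target === "minor") return p[0] === base[0];
    return true; // "latest": anything, including a new major
  };
  return versions.filter(ok).sort(cmp).pop() ?? null;
}

// Review a dependency map: what each tool would pick, and whether the ncu
// pick crosses a major version boundary (a likely breaking change).
function plan(deps, registry = REGISTRY, target = "latest") {
  return Object.entries(deps).map(([name, range]) => {
    const w = wanted(range, registry[name]), n = ncuPick(range, registry[name], target);
    return { name, range, wanted: w, ncu: n, breaking: n !== null && parse(n)[0] !== parse(range)[0] };
  });
}
```

Running plan({ "grunt-sass": "~2.0.0" }) shows wanted 2.0.1 but an ncu pick of 3.0.2 with breaking set, which is exactly the kind of jump to review before running ncu -u followed by npm install.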

npm-check-updates will only modify your package.json file. Once you've run that command, you'll then need to run a separate npm install to grab those changes. On the other hand, npm update will do all of that, and not give you the chance to check what is being updated beforehand.

There used to be an annoyance that npm update did not update the package.json file but this is no longer the case from 5.0.0. And way back when, it also looked at package dependencies which caused no end of problems for a lot of people.

The key difference between the two is that you can run ncu (the alias for npm-check-updates) and, by default, it will not update your packages - merely tell you what packages need to be updated.

For example, below is the output from one of my legacy projects. Here, you can see that a few grunt packages are out of date, mainly because I no longer work on this project, prefer to write build scripts in npm, and haven't had the time to update older projects.

λ ncu
Checking D:\Github\XQSF_Master\web\package.json
[====================] 10/10 100%

 grunt                 ^1.0.3  →  ^1.0.4
 grunt-contrib-clean   ^1.0.0  →  ^2.0.0
 grunt-contrib-cssmin  ^2.2.1  →  ^3.0.0
 grunt-contrib-uglify  ^3.2.1  →  ^4.0.1
 grunt-sass            ~2.0.0  →  ~3.0.2

Run ncu -u to upgrade package.json

No changes to my project were made - it simply told me what needed to be updated. This is why I prefer npm-check-updates. By default it doesn't make any changes.

If you DO want changes to be made by ncu, simply run ncu -u. This will update your package.json, but you will still need to run npm install for the node_modules folder to be updated to your new packages.

Dan Atkinson
  • Are you thus saying that `ncu` is now merely informative? But I got the impression that `npm update` didn't update to the latest versions whereas `ncu` did. – João Pimentel Ferreira Jul 18 '19 at 11:29
  • @JoãoPimentelFerreira. No, I'm not. If you run it without any arguments, then it won't actually make changes to your `package.json` file or `node_modules` folder. This has always been the default behaviour, as far as I know. If you pass `ncu -u` it will modify your package.json file (although you'll still need to run `npm install` for your `node_modules` folder to get the new packages). **NB:** I've edited my answer to provide more information on this. – Dan Atkinson Jul 18 '19 at 12:13
  • In the 1st paragraph you say `npm update` will do "all of that". What do you mean? What is the difference between `npm update` and `ncu -u && npm update`? `npm update` does not change package.json? I still don't understand. – João Pimentel Ferreira Jul 18 '19 at 19:02
  • @JoãoPimentelFerreira `npm update` will change your `package.json` and update your `node_modules` folder. – Dan Atkinson Jul 19 '19 at 10:49
  • and `ncu -u` will also change your `package.json`. So what is the difference? – João Pimentel Ferreira Jul 19 '19 at 13:27
  • @JoãoPimentelFerreira There is no difference between `ncu -u` and `npm update`, but then, that wasn't your question. Your question was the difference between `ncu` (or its full name `npm-check-updates`) and `npm update`, and there are differences here which I laid out in my answer. – Dan Atkinson Jul 19 '19 at 13:37
  • thanks, I will put it as the solution, but I still get the impression that `ncu -u && npm update` does more than merely `npm update`. I think the latter keeps some inter-dependencies whilst the prior forces the update of all the packages to the latest version, but that's a "feeling". – João Pimentel Ferreira Jul 19 '19 at 13:42
  • @JoãoPimentelFerreira If you think there's more to it then you should definitely investigate. If it turns out that I'm wrong, come back, add your findings as a new answer and mark that as accepted. That way more people will understand the differences. Thanks. – Dan Atkinson Jul 19 '19 at 14:00

Well, after some investigation and after a lot of misinformation I think I finally got it.

npm-check-updates will modify your package.json file with the latest updates of each package, not respecting any npm semantic versioning, meaning that your project may break. Once you've run npm-check-updates, you'll then need to run a separate npm install to grab those changes to the latest versions.

On the other hand, npm update updates the packages to their latest versions according to the semantic versioning set in the file package.json.

For example, a major release in a dependency (an increase in the first digit of the 3-figure version) makes changes that may break backward compatibility. If you set that dependency in package.json with the caret symbol ^, the command npm install will not make an update of a major release whereas npm-check-updates will. Check this 5-minute video from npm because it is very clarifying.

João Pimentel Ferreira