Keeping the Packages in a Angular Project Up-To-Date

Question

I have to maintain a medium sized Angular project and I just don't know how to keep the packages up-to-date in a correct way. I have of course the usual Angular packages in my package.json, but there are also additional packages, that were inserted manually. When I update, there is always some problem with the version requirements of different packages, which usually means, that npm or ng update will refuse to do work.

How I Try to Do It

To update I usually follow this algorithm:

1. ng update: this seems to update the Angular packages and migrate the source code to the new Angular version.

2. npm update: this will update all the packages according to the semver specification. This usually mean that everything is only updated a little bit. But usually I want the newest version of all the packages, as there will be extensive testing that nothing broke in the update.

3. npm outdated and npm install: now I can update packages that are not updated manually because of semver incompatibility, by using the most recent version of npm outdated and using it to install the package like this: npm install thepackage@3.4.5 --save.

The Issues

1. When I update all of the packages that show up in npm outdated I can get to a point where ng update is refusing to work, because I updated Angular packages (like zone.js) too far and it cannot satisfy all the requirements. At the moment I am at this point and I really do not know how to downgrade the Angular packages, so ng update will work again. I am thinking about using ng update --force (to get the automatic source code changes) and then create a completely new Angular project as a basis and just merging in the files and changes.

2. There is regularly something reported by npm audit, that requires a package to be updated to a new version. Fortunately this has been only dev dependencies in the past. If this issue is fixed npm audit proposes a command line that will update the package. Usually this will not work for me immediately. I'll have to wait a few weeks until it succeedes. This might be ok for a dev dependency, but I am worried, that I am using it just wrongly.

Am I correct in the assumption, that npm only installs one version of a package and it gets really complex to satisfy all the requirements if many other packages have a specific package as their dependency?