| 1 | # Up'em
|
| 2 |
|
| 3 | _Ups your package.json dependencies to latest. Opinionated. Respectless._
|
| 4 |
|
| 5 | [](https://travis-ci.org/sverweij/upem)
|
| 6 | [](https://codeclimate.com/github/sverweij/upem/maintainability)
|
| 7 | [](https://codeclimate.com/github/sverweij/upem/test_coverage)
|
| 8 | [](https://npmjs.com/package/upem)
|
| 9 | [](LICENSE)
|
| 10 |
|
| 11 | ## What
|
| 12 |
|
| 13 | You brush your teeth every day. You keep your dependencies up to date.
|
| 14 | Brushing your teeth is hard to automate. Keeping dependencies up to date
|
| 15 | is not.
|
| 16 |
|
| 17 | _up'em_ updates your dependencies to latest, so you don't have to manually.
|
| 18 |
|
| 19 | ### Respectless
|
| 20 |
|
| 21 | _up'em_ does not respect your current version preferences. `^`, `~`, `*` =>
|
| 22 | they all get updated to the _latest_ version. It will leave the `^` and `~`
|
| 23 | in place as per your `npm config` settings, though.
|
| 24 |
|
| 25 | If `npm outdated` says:
|
| 26 |
|
| 27 | ```
|
| 28 | Package Current Wanted Latest Location
|
| 29 | midash 1.8.2 ^1.8.0 2.0.1 your-golden-package
|
| 30 | ```
|
| 31 |
|
| 32 | With the default `npm config`, running `npm outdated --json | upem` will
|
| 33 | set midash' version to ^2.0.1
|
| 34 |
|
| 35 | ```json
|
| 36 | "dependencies"{
|
| 37 | ...
|
| 38 | "midash": "^2.0.1"
|
| 39 | ...
|
| 40 | }
|
| 41 | ```
|
| 42 |
|
| 43 | There's no warning system for major version upgrades. I've found the most
|
| 44 | reliable way to find out if nothing breaks is to run your automated QA
|
| 45 | after updates.
|
| 46 |
|
| 47 | ### Heeding `save-exact` and `save-prefix`, though
|
| 48 |
|
| 49 | From version 2.0.0 _up'em_ heeds the `save-exact` and `save-prefix` npm config
|
| 50 | settings, just like `npm --save` and `npm --save-dev` would do:
|
| 51 |
|
| 52 | - if `save-exact = true` it will pin the version. In the above example it will
|
| 53 | pin `midash` to `2.0.1`
|
| 54 | - if `save-exact = false` it will look at `save-prefix` in your npm config:
|
| 55 | - if `save-prefix = '^'` or save-prefix isn't specified, it'll caret-prefix
|
| 56 | the version: `^2.0.1`
|
| 57 | - if `save-prefix = '~'` it'll tilde-prefix the version: `~2.0.1`
|
| 58 |
|
| 59 | ### Advice: commit an `.npmrc` to the root of your repo
|
| 60 |
|
| 61 | Commit the relevant parts of the npm config in an `.npmrc` in the root of your
|
| 62 | repo. That way both _up'em_ and the `npm` (or `yarn`) install/ add commands
|
| 63 | will always heed it - and other collaborators will automatically follow your
|
| 64 | standards. E.g. most of my repos have this:
|
| 65 |
|
| 66 | ```ini
|
| 67 | save-exact = true
|
| 68 | ```
|
| 69 |
|
| 70 | If you want to be sure of npm's 'default' behaviour over all machines
|
| 71 | and collaborators, use this one:
|
| 72 |
|
| 73 | ```ini
|
| 74 | save-exact = false
|
| 75 | save-prefix = '^'
|
| 76 | ```
|
| 77 |
|
| 78 | ## Typical use
|
| 79 |
|
| 80 | - Run the output from `npm outdated --json` through _up'em_.
|
| 81 | - When it's done `npm install` and re-run your automated quality
|
| 82 | - Check the changes in.
|
| 83 |
|
| 84 | I have some npm scripts set up so I can just `npm run upem`
|
| 85 | and watch cat videos in the mean time:
|
| 86 |
|
| 87 | ```json
|
| 88 | "scripts": {
|
| 89 | "check": "npm-run-all --parallel depcruise lint test",
|
| 90 | "depcruise": "depcruise --validate -- bin src test",
|
| 91 | "lint": "eslint bin src test",
|
| 92 | "lint:fix": "eslint --fix bin src test",
|
| 93 | "test": "jest --collectCoverage --config ./jest.config.js",
|
| 94 | "upem": "npm-run-all upem:update upem:install lint:fix check",
|
| 95 | "upem:update": "npm outdated --json | upem",
|
| 96 | "upem:install": "npm install"
|
| 97 | }
|
| 98 | ```
|
| 99 |
|
| 100 | ... but a similar approach in a `Makefile` would do the trick as well.
|
| 101 |
|
| 102 | ## Options
|
| 103 |
|
| 104 | If you want to keep versions untouched by _up'em_, put an `upem` section
|
| 105 | in your `package.json` with a `donotup` key listing the stuff you don't
|
| 106 | want to upgrade e.g.
|
| 107 |
|
| 108 | ```json
|
| 109 | ...
|
| 110 | "upem": {
|
| 111 | "donotup": ["glowdash"]
|
| 112 | }
|
| 113 | ...
|
| 114 | ```
|
| 115 |
|
| 116 | You might want to document why you don't up a package. You can do that like this:
|
| 117 |
|
| 118 | ```json
|
| 119 | ...
|
| 120 | "upem": {
|
| 121 | "donotup": [{
|
| 122 | "package": "glowdash",
|
| 123 | "because": "version >2 of glowdash doesn't support node 6 anymmore, but we still have to"
|
| 124 | }]
|
| 125 | }
|
| 126 | ...
|
| 127 | ```
|
| 128 |
|
| 129 | ## Why
|
| 130 |
|
| 131 | I've been a happy user of [npm-check-updates](https://github.com/tjunnone/npm-check-updates)
|
| 132 | for a long time. It's getting out of date, though. It's using npm 3 (which has not caused
|
| 133 | troubles yet, but it might) and its dependencies have serious security issues.
|
| 134 | I have been looking into jumping into fixing it, but I soon found out it would take
|
| 135 | a serious commitment to do so.
|
| 136 |
|
| 137 | I realized I used only a subset of npm-check-updates' capabilities, and rolling
|
| 138 | my own would only take a sunday afternoon...
|
| 139 |
|
| 140 | ## Alternatives
|
| 141 |
|
| 142 | - [npm-check-updates](https://github.com/tjunnone/npm-check-updates) - use that if you
|
| 143 | need something more feature rich and less opinionated and don't mind the outdated
|
| 144 | (/ insecure) dependencies.
|
| 145 | - [npm-check](https://github.com/dylang/npm-check) - never used but has a lot of stars
|
| 146 | & downloads, so probably legit. Feature rich.
|
| 147 | - Cloud services (like [greenkeeper](https://greenkeeper.io) and
|
| 148 | [renovate](https://renovatebot.com)) will be happy to do this
|
| 149 | trivial task for you as well.
|