How to update a Node dependency - NPM?

Keeping dependencies up-to-date is important, to get the latest security fixes, performance improvements, and general bug fixes for the packages installed. There is one thing to consider though. The package-lock.json is locking/pinning a specific version of a package. On a regular basis these records need to be updated to pull the latest compatible version.

How to update dependencies

To update a dependency in a Node.js project you have to follow these steps:

Check for outdated packages

Update packages to a specific version or update packages to the latest major release

Test your updates

Check for outdated packages

To check if any packages in your Node.js project are outdated, run npm outdated in the root folder (where the package.json file is). This command will output the current installed versions of all packages, the wanted version (npm update would want to update to this version), and the latest available version. For example, we have the following package.json (created with npm init -y and version 4.8.1 of lodash installed):

{
  "name": "node-test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "lodash": "^4.8.1"
  }
}

When we run npm outdated we get the following output:

Package Current Wanted Latest Location
lodash 4.8.1 4.17.21 4.17.21 node-test

Update packages

To update all packages at once to their wanted version run npm update. If you just want to update one package you have to specify the package npm update <package-name>.

# Updates all dependencies in project.
npm update

# Update just the lodash package.
npm update lodash

To update a globally installed package add the --global flag in the update command.

npm update --global <package-name>

Important: Both changes in the package.json and package-lock.json have to be committed to version control (GIT).

Update package to the latest major release

When you run npm update the version ranges in package.json will be respected. Typically, updates to a major version are not allowed. If you'd like to update to a major release, use npm install with the tag @latest. This will install the latest version regarding of which version you already have installed.

For example, if you want to install the latest version of lodash.

npm install lodash@latest

Important: Installing the latest version of a package puts the safeties provided by semantic versioning aside and can introduce major code changes into your project.

Test your updates

The general rule in software development is Better safe than sorry. Hence, don't just blindly update your packages without testing the application. The NPM registry uses semantic versioning, and packages within the same major version shouldn't break anything, but the ecosystem has no way of enforcing this policy.

TL;DR

Check outdated packages with npm outdated.

Update all packages with npm update.

Update individual packages with npm update <package-name>.

Install latest package version with the @latest flag - npm install <package-name>@latest.

Thanks for reading and if you have any questions , use the comment function or send me a message @mariokandut.

If you want to know more about Node, have a look at these Node Tutorials.

References (and Big thanks):