raineorshine / npm-check-updates

Find newer versions of package dependencies than what your package.json allows

Update only dependencies that satisfies declared version range #326

Closed ealves-pt closed 6 years ago

ealves-pt commented 7 years ago

This is more of a doubt than anything else. In my project I run ncu and I get the following output:

 vue-i18n                    ^4.9.0  →        ^5.0.1
 babel-plugin-istanbul       ^3.0.0  →        ^4.0.0
 cross-spawn                 ^4.0.2  →        ^5.0.1
 eslint-plugin-html          ^1.3.0  →        ^2.0.1
 file-loader                 ^0.9.0  →       ^0.10.0
 inject-loader               ^2.0.1  →  ^3.0.0-beta4
 karma-webpack               ^1.7.0  →        ^2.0.2
 ora                         ^0.3.0  →        ^1.1.0
 sass-loader                 ^4.0.2  →        ^6.0.1
 selenium-server             2.53.1  →         3.0.1
 stylelint-config-standard  ^15.0.1  →       ^16.0.0
 stylelint-webpack-plugin    ^0.5.1  →        ^0.6.0
 vue-loader                 ^10.0.0  →       ^11.0.0
 vue-style-loader            ^1.0.0  →        ^2.0.0
 webpack                    ^1.13.2  →        ^2.2.1
 webpack-merge              ^0.14.1  →        ^2.6.1

The following dependencies are satisfied by their declared version range, but the installed versions are behind. You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

 admin-lte                                ^2.3.8  →          ^2.3.11
 ajv                                     ^4.10.4  →          ^4.11.3
 feathers-authentication-client           ^0.1.6  →           ^0.1.8
 raven-js                                ^3.10.0  →          ^3.11.0
 socket.io-client                         ^1.7.2  →           ^1.7.3
 vue                                      ^2.1.4  →          ^2.1.10
 vue-router                               ^2.1.1  →           ^2.2.1
 vuex                                     ^2.0.0  →           ^2.1.2
 vuex-router-sync                         ^4.1.1  →           ^4.1.2
 autoprefixer                             ^6.4.0  →           ^6.7.3
 babel-core                               ^6.0.0  →          ^6.23.1
 babel-loader                             ^6.0.0  →           ^6.3.2
 babel-plugin-transform-runtime           ^6.0.0  →          ^6.23.0
 babel-preset-es2015                      ^6.0.0  →          ^6.22.0
 babel-preset-stage-2                     ^6.0.0  →          ^6.22.0
 babel-register                           ^6.0.0  →          ^6.23.0
 chromedriver                            ^2.21.2  →          ^2.27.3
 connect-history-api-fallback             ^1.2.0  →           ^1.3.0
 cross-env                                ^3.1.3  →           ^3.1.4
 eslint                                   ^3.7.1  →          ^3.15.0
 eslint-config-standard                   ^6.1.0  →           ^6.2.1
 eslint-friendly-formatter                ^2.0.5  →           ^2.0.7
 eslint-loader                            ^1.5.0  →           ^1.6.1
 eslint-plugin-promise                    ^3.4.0  →           ^3.4.2
 express                                 ^4.13.3  →          ^4.14.1
 friendly-errors-webpack-plugin           ^1.1.2  →           ^1.3.1
 function-bind                            ^1.0.2  →           ^1.1.0
 html-webpack-plugin                      ^2.8.1  →          ^2.28.0
 http-proxy-middleware                   ^0.17.2  →          ^0.17.3
 karma                                    ^1.3.0  →           ^1.4.1
 karma-mocha                              ^1.2.0  →           ^1.3.0
 karma-phantomjs-launcher                 ^1.0.0  →           ^1.0.2
 karma-sinon-chai                         ^1.2.0  →           ^1.2.4
 lolex                                    ^1.4.0  →           ^1.5.2
 mocha                                    ^3.1.0  →           ^3.2.0
 nightwatch                               ^0.9.8  →          ^0.9.12
 node-sass                                ^4.3.0  →           ^4.5.0
 phantomjs-prebuilt                       ^2.1.3  →          ^2.1.14
 shelljs                                  ^0.7.4  →           ^0.7.6
 sinon                                   ^1.17.3  →          ^1.17.7
 stylelint                                ^7.7.1  →           ^7.8.0
 vue-template-compiler                    ^2.1.0  →          ^2.1.10
 webpack-dev-middleware                   ^1.8.3  →          ^1.10.0
 webpack-hot-middleware                  ^2.12.2  →          ^2.17.0

Run ncu with -u to upgrade package.json

How can I just update the versions that satisfy the declared semver? These ones:

 admin-lte                                ^2.3.8  →          ^2.3.11
 ajv                                     ^4.10.4  →          ^4.11.3
 feathers-authentication-client           ^0.1.6  →           ^0.1.8
 raven-js                                ^3.10.0  →          ^3.11.0
 socket.io-client                         ^1.7.2  →           ^1.7.3
 vue                                      ^2.1.4  →          ^2.1.10
 vue-router                               ^2.1.1  →           ^2.2.1
 vuex                                     ^2.0.0  →           ^2.1.2
 vuex-router-sync                         ^4.1.1  →           ^4.1.2
 autoprefixer                             ^6.4.0  →           ^6.7.3
 babel-core                               ^6.0.0  →          ^6.23.1
 babel-loader                             ^6.0.0  →           ^6.3.2
 babel-plugin-transform-runtime           ^6.0.0  →          ^6.23.0
 babel-preset-es2015                      ^6.0.0  →          ^6.22.0
 babel-preset-stage-2                     ^6.0.0  →          ^6.22.0
 babel-register                           ^6.0.0  →          ^6.23.0
 chromedriver                            ^2.21.2  →          ^2.27.3
 connect-history-api-fallback             ^1.2.0  →           ^1.3.0
 cross-env                                ^3.1.3  →           ^3.1.4
 eslint                                   ^3.7.1  →          ^3.15.0
 eslint-config-standard                   ^6.1.0  →           ^6.2.1
 eslint-friendly-formatter                ^2.0.5  →           ^2.0.7
 eslint-loader                            ^1.5.0  →           ^1.6.1
 eslint-plugin-promise                    ^3.4.0  →           ^3.4.2
 express                                 ^4.13.3  →          ^4.14.1
 friendly-errors-webpack-plugin           ^1.1.2  →           ^1.3.1
 function-bind                            ^1.0.2  →           ^1.1.0
 html-webpack-plugin                      ^2.8.1  →          ^2.28.0
 http-proxy-middleware                   ^0.17.2  →          ^0.17.3
 karma                                    ^1.3.0  →           ^1.4.1
 karma-mocha                              ^1.2.0  →           ^1.3.0
 karma-phantomjs-launcher                 ^1.0.0  →           ^1.0.2
 karma-sinon-chai                         ^1.2.0  →           ^1.2.4
 lolex                                    ^1.4.0  →           ^1.5.2
 mocha                                    ^3.1.0  →           ^3.2.0
 nightwatch                               ^0.9.8  →          ^0.9.12
 node-sass                                ^4.3.0  →           ^4.5.0
 phantomjs-prebuilt                       ^2.1.3  →          ^2.1.14
 shelljs                                  ^0.7.4  →           ^0.7.6
 sinon                                   ^1.17.3  →          ^1.17.7
 stylelint                                ^7.7.1  →           ^7.8.0
 vue-template-compiler                    ^2.1.0  →          ^2.1.10
 webpack-dev-middleware                   ^1.8.3  →          ^1.10.0
 webpack-hot-middleware                  ^2.12.2  →          ^2.17.0

Thanks in advance.

raineorshine commented 7 years ago

You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

What were the results from running ncu -a?

ealves-pt commented 7 years ago

Sorry for taking so long to get back to you.

Running that command will update all the dependencies (including the ones that don't respect the semver), for example running ncu:

 vue-i18n                      ^4.9.0  →  ^6.0.0-alpha.2
 babel-plugin-istanbul         ^3.0.0  →          ^4.0.0
 cross-spawn                   ^4.0.2  →          ^5.1.0
 eslint-plugin-html            ^1.3.0  →          ^2.0.1
 extract-text-webpack-plugin   ^1.0.1  →          ^2.0.0
 inject-loader                 ^2.0.1  →    ^3.0.0-beta4
 karma-spec-reporter           0.0.26  →          0.0.30
 karma-webpack                 ^1.7.0  →          ^2.0.2
 ora                           ^0.3.0  →          ^1.1.0
 selenium-server              ^2.53.1  →          ^3.1.0
 stylelint-webpack-plugin      ^0.6.0  →          ^0.7.0
 webpack                      ^1.14.0  →          ^2.2.1
 webpack-merge                ^0.14.1  →          ^3.0.0

The following dependencies are satisfied by their declared version range, but the installed versions are behind. You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

 feathers-socketio                ^1.4.2  →   ^1.4.3
 vue                             ^2.1.10  →   ^2.2.1
 vue-router                       ^2.2.1  →   ^2.3.0
 vuex                             ^2.1.2  →   ^2.2.1
 autoprefixer                     ^6.7.3  →   ^6.7.5
 css-loader                      ^0.26.1  →  ^0.26.2
 eslint                          ^3.15.0  →  ^3.16.1
 eslint-loader                    ^1.6.1  →   ^1.6.3
 file-loader                     ^0.10.0  →  ^0.10.1
 friendly-errors-webpack-plugin   ^1.3.1  →   ^1.4.0
 karma                            ^1.4.1  →   ^1.5.0
 lolex                            ^1.5.2  →   ^1.6.0
 sass-loader                      ^6.0.1  →   ^6.0.2
 stylelint                        ^7.8.0  →   ^7.9.0
 stylelint-scss                   ^1.4.1  →   ^1.4.3
 url-loader                       ^0.5.7  →   ^0.5.8
 vue-loader                      ^11.0.0  →  ^11.1.3
 vue-style-loader                 ^2.0.0  →   ^2.0.3
 vue-template-compiler           ^2.1.10  →   ^2.2.1
 webpack-dev-middleware          ^1.10.0  →  ^1.10.1
 webpack-hot-middleware          ^2.17.0  →  ^2.17.1

Run ncu with -u to upgrade package.json

Running ncu -a updates my package.json and sets all the above versions (which is the expected result). But in my case I was wondering if it is possible to just update the versions that respect the semver. So, cases like webpack ^1.14.0 → ^2.2.1 are not updated.

karanjthakkar commented 7 years ago

@ealves-pt AFAIK, ncu by default always looks for the latest stable versions for each of the packages in your package.json. If you want to target specific semver ranges, then you can use either:

  1. ncu --semverLevel major: If your declaration is ^2.1.2, then this will search for all upgrades that match ^2.x.x.

  2. ncu --semverLevel minor: If your declaration is ^2.1.2, then this will search for all upgrades that match ^2.1.x.

There isn't any option right now that would do what you expect it to do. Maybe @raineorshine has a better answer for why that is the case?

raineorshine commented 7 years ago

If you would like to update the installed packages while respecting the semver range, run npm update. This is the default behavior of npm. npm-check-updates was designed solely to update your packages beyond the specified version ranges.

There is no need to update ^1.0.0 to ^1.1.0, for example, in your package.json, since the upper bounds of both version ranges are identical.

> npm update: This command will update all the packages listed to the latest version (specified by the tag config), respecting semver.

https://docs.npmjs.com/cli/update

ealves-pt commented 7 years ago

Cheers, this definitely answers my question.

In my specific case, the sole behaviour of npm update is not enough because I need to make sure that the package.json is also updated. My CI depends on this to decide whether it should install the vendors or use the latest cached version.

I already have a workaround but I was just looking for a more "clean" way to do it.

Thank you very much for your help.

raineorshine commented 7 years ago

> My CI depends on this to decide whether it should install the vendors or use the latest cached version.

Aha! The missing piece of information. I'm sorry I didn't get the picture sooner. There are many questions from people who do not understand npm or the behavior of npm-check-updates so I don't always know what level to speak towards.

I'm glad you found a workaround. If this is a need shared by other users I would consider an addition. It may be a relatively isolated use case though.

billyjanitsch commented 7 years ago

I'd also appreciate the addition of this feature, for the following use case. When I make code changes involving lib dependencies, I'm usually consulting the documentation for their latest version (e.g. I may depend on ^1.0.0 but consult the docs for v1.4.1), so it's possible that I start to rely on features that were only introduced in an intervening version (e.g. v1.2.0). Without updating the dependency, my package.json could now be incorrect, falsely claiming that my library supports older versions without such features (e.g. v1.0.0).

This can be a problem in at least a couple of cases: (1) an older version is depended on exactly by a sibling and npm's deduping causes my package to use it as well, (2) the consumer already has an older version installed which my package claims to support, so npm install doesn't bother to upgrade it.

Bumping dependencies to their latest semver-supported range ensures that you have the expected feature coverage and npm install always brings your consumers to a valid state (though not necessarily the latest valid state).

raineorshine commented 7 years ago

@billyjanitsch Thanks for the use case explanation. That does make sense. I will mark this as an enhancement and remain open to pull requests. Until known bugs/issues are solved, realistically I won't be able to tackle this myself, but I hope it can be incorporated in the future.

billyjanitsch commented 7 years ago

Thanks @raineorshine! I appreciate all the work you do maintaining this package.

I don't expect to have time to tackle this any time soon either, but maybe someday. :)

pongells commented 7 years ago

I am looking for a solution that does exactly what is asked here: update the package.json to whatever latest versions which respect the semver.

I need this because then I can tell my CI to rebuild only if there are new valid dependencies to update.

williamukoh commented 5 years ago

@ealves-pt Do you mind sharing your workaround?
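
The behaviour requested in this thread (raise each ^ range to the newest published stable version it already allows, leaving out-of-range upgrades such as webpack ^1.14.0 → ^2.2.1 alone), sketched as an added example. It is not ealves-pt's workaround and not code from npm-check-updates; the function names and the published input are assumptions, and the version lists are constructed from versions quoted above.

```javascript
// Parse "1.2.3" into [1, 2, 3]; pre-releases and partial versions give null.
function parseStable(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret semantics: the left-most non-zero component must not change,
// so ^1.2.3 allows 1.x.x, ^0.10.0 allows only 0.10.x, ^0.0.3 only 0.0.3.
function satisfiesCaret(base, v) {
  if (compare(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// deps: { name: range }; published: { name: [versions] }. Hypothetical input
// shape: in practice the version lists would come from the registry.
function bumpWithinRange(deps, published) {
  const out = {};
  for (const [name, range] of Object.entries(deps)) {
    out[name] = range;
    const base = range.startsWith('^') ? parseStable(range.slice(1)) : null;
    if (!base) continue; // exact pins, tags, URLs, other operators: untouched
    const best = (published[name] || [])
      .map(parseStable)
      .filter((v) => v && satisfiesCaret(base, v))
      .sort(compare)
      .pop();
    if (best) out[name] = '^' + best.join('.');
  }
  return out;
}

// Constructed sample; 0.11.0 for file-loader is made up to show the 0.x rule.
const deps = { webpack: '^1.14.0', vue: '^2.1.10', 'file-loader': '^0.10.0',
  'inject-loader': '^2.0.1', 'karma-spec-reporter': '0.0.26' };
const published = { webpack: ['1.14.0', '2.2.1'], vue: ['2.1.10', '2.2.1'],
  'file-loader': ['0.10.0', '0.10.1', '0.11.0'],
  'inject-loader': ['2.0.1', '3.0.0-beta4'],
  'karma-spec-reporter': ['0.0.26', '0.0.30'] };
console.log(bumpWithinRange(deps, published));
```

Because the rewritten package.json changes only when an in-range release exists, a CI cache keyed on that file is invalidated by compatible updates and not by new majors or pre-releases.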