npm-update

Update project's dependencies in package.json

TLDR

Update all packages in the current project

$ npm update

Update a specific package in the current project
$ npm update [package]

Update a package globally
$ npm update --global [package]

Update multiple packages at once
$ npm update [package1 package2 ...]

SYNOPSIS

npm update [pkg...]
alias: npm up

PARAMETERS

--global, -g
    Updates global packages installed on your system.

[pkg...]
    Specifies one or more packages to update; if omitted, all dependencies are updated.

--save, -S
    (Deprecated) Historically used to save updated versions to dependencies in package.json.

--save-dev, -D
    (Deprecated) Historically used to save updated versions to devDependencies in package.json.

--save-exact, -E
    Saves the exact version of the updated package to package.json, without a version range (e.g., 1.2.3 instead of ^1.2.3).

--dry-run
    Simulates the update process without making any actual changes.

--json
    Outputs the update results in JSON format.

--audit
    Performs a security audit after the update completes (default behavior since npm 6).

--force
    Bypasses certain checks and forces fetching remote resources or installing, ignoring peer dependency conflicts.

--workspace
    Updates dependencies within a specific workspace in a monorepo.

--workspaces
    Updates dependencies within all configured workspaces in a monorepo.

--legacy-peer-deps
    Ignores peerDependencies conflicts, allowing installation to proceed.

--no-audit
    Prevents a security audit from being performed after the update.

DESCRIPTION

npm update updates all packages listed in the package.json file to their latest compatible versions, according to the semantic versioning ranges specified. It can also update specific packages if provided as arguments. When executed without arguments, it scans the node_modules directory and package.json for all dependencies (including dependencies, devDependencies, optionalDependencies, and peerDependencies). It then attempts to download and install newer versions of these packages that satisfy the declared version ranges. This command also updates the package-lock.json file to reflect the new resolved dependency tree, ensuring reproducible builds. For global packages, npm update -g updates packages installed in the global node_modules directory. It's crucial for keeping project dependencies secure and up-to-date while respecting declared version constraints.

CAVEATS

npm update only updates packages within the version ranges specified in package.json. If you want to update to a major new version (which often introduces breaking changes), you might need to manually edit package.json or run a command such as npm install <package-name>@latest. It is recommended to run npm outdated first to see which packages are out of date and by how much. Always test your application thoroughly after running npm update, especially for large dependency trees, as even minor version updates can sometimes introduce subtle regressions or unexpected behavior due to complex dependency interactions.

SEMANTIC VERSIONING (SEMVER) AND NPM UPDATE

npm update strictly adheres to semantic versioning rules defined in package.json (e.g., ^1.2.3, ~1.2.3). A ^ (caret) allows updates to non-breaking new versions (patches and minor releases, e.g., 1.x.x). A ~ (tilde) allows only patch releases (e.g., 1.2.x). This design choice aims to prevent accidental breaking changes to your project. To update to a new major version, you typically need to manually adjust the version in package.json or use npm install <package-name>@latest.

INTERACTION WITH PACKAGE-LOCK.JSON

When npm update runs, it not only modifies the node_modules directory but also updates the package-lock.json file. This lock file records the exact version of every package in the dependency tree, ensuring that subsequent installations (e.g., npm ci or npm install on another machine) will use the identical set of dependencies, guaranteeing reproducibility across different environments. It's crucial to commit package-lock.json to version control.

HISTORY

The npm update command has been a fundamental part of the npm CLI since its early days, evolving alongside npm itself. Its core functionality of updating dependencies within specified semantic versioning ranges has remained consistent. Significant changes primarily revolved around how npm handles package-lock.json (introduced in npm 5), peer dependencies (changes in npm 7), and the default behavior of running security audits (enabled by default in npm 6). Its continued development reflects npm's commitment to providing a robust and reliable package management experience for Node.js developers.

SEE ALSO

npm install(1), npm outdated(1), npm audit(1), npm prune(1), npm config(1)
