How to update npm packages in Node.js
Łukasz Holeczek
Follow Łukasz Holeczek on GitHub
Connect with Łukasz Holeczek on LinkedIn
Follow Łukasz Holeczek on X (Twitter)
Updating npm packages in Node.js is crucial for maintaining security, getting bug fixes, accessing new features, and keeping your project dependencies current. As the creator of CoreUI, a widely used open-source UI library, I’ve managed npm package updates across hundreds of Node.js projects, ensuring security patches are applied, dependencies stay compatible, and development teams have access to the latest features. From my expertise, the most effective approach is to use npm update with careful version control and testing. This method provides controlled updates, maintains compatibility, and ensures security while preventing breaking changes from disrupting your application.
Use npm update command with version checking and testing to safely update packages while maintaining compatibility.
# 1. Check for outdated packages
npm outdated # Show outdated packages
npm outdated --depth=0 # Only top-level packages
npm outdated --json # JSON format output
# Sample output of npm outdated:
# Package Current Wanted Latest Location
# express 4.17.1 4.18.2 4.18.2 my-app
# lodash 4.17.15 4.17.21 4.17.21 my-app
# 2. Update all packages to wanted versions
npm update # Update all packages
npm update --save # Update and save to package.json
npm update --save-dev # Update dev dependencies
# 3. Update specific packages
npm update express # Update specific package
npm update express lodash # Update multiple packages
npm update @types/node # Update scoped packages
# 4. Update to latest versions (potentially breaking)
npm install express@latest # Update to latest version
npm install lodash@^4.17.21 # Update with version range
npm install react@beta # Update to beta version
# 5. Global package updates
npm update -g # Update all global packages
npm update -g npm # Update npm itself
npm update -g @angular/cli # Update specific global package
# 6. Check which packages need updates
npm list --outdated # Alternative to npm outdated
npm ls --depth=0 # Show installed versions
# 7. Interactive package updates (using npm-check-updates)
# Install npm-check-updates first
npm install -g npm-check-updates
# Check for updates
ncu # Show available updates
ncu -u # Update package.json to latest
ncu --target minor # Only minor updates
ncu --target patch # Only patch updates
# 8. Selective updates with version ranges
npm install express@">=4.17.0 <5.0.0" # Range update
npm install lodash@~4.17.21 # Patch updates only
npm install react@^18.0.0 # Minor updates allowed
# Example workflow for updating packages safely
echo "Starting package update process..."
# Step 1: Check current status
echo "Current package status:"
npm list --depth=0
# Step 2: Check for outdated packages
echo "Checking for outdated packages:"
npm outdated
# Step 3: Create backup of package.json
cp package.json package.json.backup
cp package-lock.json package-lock.json.backup
# Step 4: Update packages incrementally
echo "Updating patch versions first..."
npm update
# Step 5: Check for major version updates
echo "Checking for major updates with ncu:"
npx npm-check-updates
# Step 6: Update major versions selectively
echo "Updating major versions one by one..."
npx npm-check-updates -u --target minor
npm install
# Step 7: Test after updates
echo "Running tests after updates..."
npm test
# Step 8: Verify application still works
npm start &
sleep 5
curl -f http://localhost:3000 || echo "App might be broken"
kill %1
# Advanced update strategies
# 9. Update with audit fix
npm audit # Check for vulnerabilities
npm audit fix # Fix vulnerabilities automatically
npm audit fix --force # Force fixes (may cause breaking changes)
# 10. Update production vs development dependencies
npm update --production # Update only production deps
npm update --only=dev # Update only dev dependencies
# 11. Batch update with specific strategies
# Update all patch versions
npm update --save
# Update minor versions for specific packages
npm install express@^4.18.0
npm install lodash@^4.17.0
# Update major versions cautiously
npm install react@^18.0.0
npm test # Test after each major update
# 12. Using package-lock.json effectively
# Update package-lock.json without changing package.json
npm ci # Clean install from lockfile
npm install --package-lock-only # Update lockfile only
# 13. Automated update workflows
cat > update-packages.sh << 'EOF'
#!/bin/bash
echo "Automated package update script"
# Backup current state
git stash push -m "Pre-update backup"
# Update packages
npm outdated
npm update
# Run tests
if npm test; then
echo "Tests passed, committing updates"
git add package.json package-lock.json
git commit -m "Update npm packages"
else
echo "Tests failed, reverting updates"
git stash pop
exit 1
fi
# Check for major updates
npx npm-check-updates --target minor
EOF
chmod +x update-packages.sh
# 14. Dependency analysis and cleanup
# Find unused dependencies
npx depcheck
# Analyze bundle size impact
npx bundlephobia lodash # Check package size
# Find duplicate dependencies
npm ls --depth=0 | grep -E "├──|└──" | sort
# 15. Version pinning strategies
# Pin exact versions for critical dependencies
npm install --save-exact [email protected]
# Use caret for compatible updates
npm install --save express@^4.18.2
# Use tilde for patch updates only
npm install --save-exact express@~4.18.2
{
"scripts": {
"update-check": "npm outdated",
"update-packages": "npm update && npm audit fix",
"update-major": "npx npm-check-updates -u && npm install",
"test-after-update": "npm test && npm run lint",
"preinstall": "npm outdated || true"
},
"dependencies": {
"express": "^4.18.2",
"lodash": "^4.17.21",
"moment": "^2.29.4"
},
"devDependencies": {
"jest": "^29.5.0",
"eslint": "^8.39.0",
"nodemon": "^2.0.22"
}
}
# 16. Monitoring and maintenance
# Set up automatic security updates
npm audit --audit-level moderate
# Create update schedule
# Weekly patch updates
npm update
# Monthly minor updates
npx npm-check-updates --target minor -u
npm install
# Quarterly major updates (with thorough testing)
npx npm-check-updates -u
npm install
npm test
# 17. Troubleshooting update issues
# Clear npm cache if updates fail
npm cache clean --force
# Reinstall node_modules
rm -rf node_modules package-lock.json
npm install
# Fix peer dependency warnings
npm install --legacy-peer-deps
# Resolve version conflicts
npm ls # Show dependency tree
npm dedupe # Remove duplicate packages
# 18. Rollback strategies
# Revert to previous versions
npm install [email protected] # Downgrade specific package
# Use git for complete rollback
git checkout -- package.json package-lock.json
npm install
# 19. CI/CD integration
# Update check in CI pipeline
- name: Check for outdated packages
run: |
npm outdated || true
npm audit --audit-level moderate
# Automated security updates
- name: Security updates
run: |
npm audit fix
git add .
git commit -m "Security updates" || exit 0
Regular package updates are essential for security, performance, and feature access. Use npm outdated to identify packages needing updates, then use npm update for compatible updates or npm install package@version for specific versions. Always test thoroughly after updates, especially major version changes. Use tools like npm-check-updates for comprehensive update analysis. Implement a regular update schedule: weekly for patches, monthly for minor versions, and quarterly for major versions. Always backup package.json and test your application after updates to ensure compatibility.
Best Practice Note:
This is the same npm update strategy we use for CoreUI Node.js projects and enterprise dependency management. Check for updates regularly, test thoroughly after updates, use semantic versioning for safe updates, prioritize security patches, backup before major updates, and maintain a consistent update schedule across your development team.
