Update all NPM dependencies in NodeJS

Dependency management is the backbone of any NodeJS project. Your application's dependencies grow with your project. Periodic updates ensure that you remain compatible with new features, security patches, and performance improvements. In this blog post, we are discussing the good practices involved when updating your dependencies to their latest versions without killing stability in your NodeJS application.

Before jumping into the steps, let me briefly outline why updating your dependencies matters:

1. Security: Old dependencies may have weak spots that may make your application vulnerable.

2. New Features: Releases frequently accompany improved features and functionalities that can make your app more functional.

3. Bug fixes: Most updates do contain bug fixes that have at least some kind of impact on performance or are the cause for unexpected behavior.

Before diving into the steps, it's important to understand why updating your dependencies is essential

Updating dependencies is not a particularly complex operation, but you need to go through a structured process lest you introduce new bugs while updating the dependencies. Here's how to do this safely. 

Your package.json file is the heart of your NodeJS project’s dependency management. Dependencies are typically listed under two sections:

• Dependencies: Essential packages required for your application to run.

• DevDependencies: Packages needed only during development, such as testing frameworks or build tools.

Each dependency in package.json has a version specifier:

• Exact versions (e.g., "express": "4.17.1")

• Caret (^) or tilde (~) versions that allow automatic updates within specific ranges (e.g., "express": "^4.17.0").

Before doing that, let's first know which versions we're using. This can be obtained by running:

npm outdated

This command lists the dependencies, their current versions, and the latest available versions. Here’s an example of the output:

Package    Current  Wanted  Latest  Location

express    4.17.1   4.17.2  5.0.0   node_modules/express

mongoose   5.9.10   5.10.0  6.0.0   node_modules/mongoose

• Current: The version you are using.

• Wanted: The highest version that satisfies the version range specified in package.json.

• Latest: The latest version published to the npm registry.

To update dependencies, you can use one of the methods below:

3.1. Automated Update to the Latest Versions

You can update all your dependencies to their latest versions using:

This command will update packages to the latest version allowed by the version range defined in package.json.

3.2. Update Specific Dependencies

To update a specific package to its latest version, use:

For example, to update express to its latest version, you can run:

This will install the latest version and update your package.json accordingly.

3.3. Update to Exact Versions

This can be illustrated in an example below where one may want to update a dependency version as shown:

For example, to install version 4.17.2 of express, run:

Some upgrades may include breaking changes, especially when you move into a higher major version, like from 4.x.x to 5.x.x. The npm-check-updates utility updates dependencies beyond any range you've defined in your package.json.

Install it globally:

Then, check for all major version updates:

If you want to update all the dependencies to their latest versions (including major updates), run:

This command modifies the package.json file to point to the latest versions of all dependencies.

How SemVer applies to the reception of changes to your project. Very brief overview:

• Major Version (X.y.z): Introduces breaking changes.

• Minor Version (x.Y.z): Adds new features without breaking existing functionality.

• Patch Version (x.y.Z): Fixes bugs without introducing new features or breaking changes.

Using ^ or ~ before a version number in package.json lets you control which types of updates are applied automatically:

• Caret (^): Allows minor and patch updates (e.g., ^4.0.0 updates to 4.x.x, but not to 5.x.x).

• Tilde (~): Allows only patch updates (e.g., ~4.17.0 updates to 4.17.x, but not 4.18.x).

To make life easier, you can let dependency updates happen automatically with the following tools:

• Dependable: automatically opens pull requests for updates of dependencies in a GitHub project.

• Renovate: Another dependency automation tool that maintains your project in a stable state while updating dependencies.

These tools keep you updated without constantly keeping a look out for updates.

Updating dependencies is critical to keep a NodeJS project as secure, good and compatible with the newest features as possible. By performing these steps you will be able to systemically update your dependencies, minimize the inherent risk of doing so and ensure that your application remains stable during. Regular updates combined with proper testing will ensure you maintain a healthy project for the long term.

Remember to test your application after the dependencies update. That could be a broken in production after all. Have fun coding!

   Ready to transform your business with our technology solutions?   Contact Us today to Leverage Our NodeJS Expertise.