This note requires knowledge of SemVer (Semantic Versioning Specification). The purpose of SemVer is to help communicate what changed when a new version of a package is released. It splits software version numbers into 3 integers (separated by points). A release is categorised as 1 of the following:
To list outdated packages within a project, in the terminal, enter:
> npm outdated
For each package, this will display:
- Current: the current version of a package within the project.
- Wanted: the maximum version of the package that satisfies the SemVer range specified in package.json. For example:
  - ~1.0.1 tells npm to install 1.0.1 or the latest PATCH version of a package.
  - ^1.0.1 tells npm to install 1.0.1 or the latest PATCH version or the latest MINOR version of a package.
- Latest: the version of the package tagged as latest in the npm registry (publishers running npm publish with no special configuration will publish the package with a dist-tag of latest).
To update all packages, in the terminal, enter:
> npm update --dd
This will update packages to the latest MINOR version.
If a publisher has done a MAJOR release since you installed it, npm update will still only update to the latest MINOR version.
This is to encourage doing major package upgrades 1 package at a time, manually.
There is a chance that a MAJOR upgrade will break your project.
Doing them 1 at a time makes it easier to identify & fix any resulting bugs.
The --dd flag will provide an error message if npm update doesn’t work.
When installing packages with npm install, you sometimes see this message:
This displays packages in your project that have released a new version that fixes vulnerabilities. This means your codebase will contain vulnerabilities until you upgrade certain packages. To fix this, in the terminal, run:
> npm audit fix
This will upgrade packages to a version that includes the vulnerability fixes.
Vulnerabilities can also be displayed in the terminal by entering the command: