Best practice for updates #47

Open
diberry opened this issue Nov 29, 2023 · 4 comments

Comments

@diberry
Contributor

diberry commented Nov 29, 2023

Is this correct?

The recommended workflow for updates is:

  1. Verify your existing tests pass before starting this update process.
  2. npm audit: to check for vulnerabilities in the current version you are using.
  3. npm outdated: to list all the outdated packages. This command provides information in the Wanted, Latest, and Location columns.
  4. The information from npm audit may recommend updating to a major version. You should carefully review the breaking changes if any are listed.
  5. Update the version:
    • npm update <optional package name>: to update the installed packages. If you run this command with a package name specified, the command tries to update only the specified package. If you don't specify a package, the command tries to update all the packages in the package.json file.
    • npm audit fix --force: this command updates the major version of the package. This command can introduce breaking changes. Use this command only if you're aware of the breaking changes and are ready to update your code to accommodate them.
  6. Verify your tests pass after the update.
@sinedied
Contributor

Small comments:

  • npm update <optional package name> only updates according to the semantic versioning used: ~ allows patch updates, ^ allows minor version updates. For major version updates, usually the way is npm install <name>@latest

  • npm audit fix --force does not necessarily update packages; as it tries to fix security issues, sometimes it reverts to an older package version outside of the allowed semantic versioning specified in package.json.

Otherwise, the rest looks fine to me :)

@diberry
Contributor Author

diberry commented Nov 29, 2023

Edited ...

The recommended workflow for updates is:

  1. npm run test: Verify your existing tests pass before starting this update process.
  2. npm audit: to check for vulnerabilities in the current version you are using. The information from npm audit may recommend updating to a major version. You should carefully review the breaking changes if any are listed.
  3. npm outdated: to list all the outdated packages. This command provides information in the Wanted, Latest, and Location columns.
  4. Update with npm update:
    • For smaller projects (a few dependencies in the package.json): you may try npm update to update all dependencies, then run your tests.
    • For larger projects (with many dependencies in the package.json): update a single package or package family (such as Next.js and React), then run the tests.
  5. npm audit: check there are no critical or high vulnerabilities. If vulnerabilities still exist, use npm update with the package name and the major version recommended in npm audit.
  6. npm run test again.
  7. Check in your package.json and package-lock.json.
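
An added example (not code from this thread) that works through steps 2 to 5 of the workflow above together with the semver caveat @sinedied raised: it reads the JSON that `npm outdated --json` and `npm audit --json` (npm 7+) print and sorts each package by what `npm update` can actually do for it versus what needs `npm install <name>@latest` or `npm audit fix --force`. The input objects, package names and version numbers are constructed for the example.

```javascript
// Added example, not code from the issue thread. Reads the JSON that
// `npm outdated --json` and `npm audit --json` (npm 7+) print and sorts
// each package by what `npm update` can actually do for it.
const major = (v) => Number(String(v).split('.')[0]);

// outdated: { name: { current, wanted, latest, location, ... }, ... }
// update       -> `npm update` will move it (wanted is newer than current)
// major        -> latest is a new major; needs `npm install name@latest`
// outsideRange -> newer but same major, still blocked by the range (e.g. ~)
function classifyOutdated(outdated) {
  const out = { update: [], major: [], outsideRange: [] };
  for (const [name, info] of Object.entries(outdated)) {
    const { current, wanted, latest } = info;
    if (wanted !== current) out.update.push(`${name}@${wanted}`);
    if (latest !== wanted) {
      const bucket = major(latest) > major(wanted) ? 'major' : 'outsideRange';
      out[bucket].push(`${name}@${latest}`);
    }
  }
  return out;
}

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// audit: { vulnerabilities: { name: { severity, fixAvailable, ... } } }
// fixAvailable is true, false or { name, version, isSemVerMajor }; when
// isSemVerMajor is true, only `npm audit fix --force` would apply it.
function auditFindings(audit, minSeverity = 'high') {
  const found = [];
  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    if (RANK[v.severity] < RANK[minSeverity]) continue;
    const fix = v.fixAvailable;
    const needsMajor = typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true;
    found.push({ name, severity: v.severity, fixable: fix !== false, needsMajor });
  }
  return found;
}

// Constructed sample input; package names, versions and findings are made up.
const sampleOutdated = {
  'lib-a': { current: '17.0.2', wanted: '17.0.2', latest: '18.2.0' },
  'lib-b': { current: '4.17.15', wanted: '4.17.21', latest: '4.17.21' },
  'lib-c': { current: '4.18.1', wanted: '4.18.2', latest: '4.19.0' },
};
const sampleAudit = { vulnerabilities: {
  'lib-a': { severity: 'critical', fixAvailable: { name: 'lib-a', version: '18.2.0', isSemVerMajor: true } },
  'lib-b': { severity: 'high', fixAvailable: true },
  'lib-c': { severity: 'low', fixAvailable: false },
} };
console.log(classifyOutdated(sampleOutdated), auditFindings(sampleAudit));
```

On a real project, pipe `npm outdated --json` and `npm audit --json` into these functions; anything in `major` or with `needsMajor: true` is where the breaking-change review in step 2 applies before you run the tests again.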

@khaosdoctor

I think the whole content is super good. Adding a possible option for people to make it easier to update versions manually: VSCode has an extension called Version Lens that allows you to see in real time the current version, the latest version, and the version your package.json will satisfy.

https://marketplace.visualstudio.com/items?itemName=pflannery.vscode-versionlens

If your objective is to go to the latest version in all the dependencies, then just:

  1. Open package.json
  2. Manually click the inlay hints to update the text to the major versions (like @sinedied commented, major versions are usually updated by installing only)
  3. Run npm update or npm install to update the versions to the latest ones

This works nicely when you have multiple packages and when you have big projects because you can actually see which are the most impactful dependencies in the system and manually check for major updates one by one.

@xirzec

xirzec commented Dec 22, 2023

As a minor note I recall this CLI tool used to be handy: https://www.npmjs.com/package/npm-check-updates

Perhaps it would also be useful to have instructions for other package managers like yarn and pnpm. Also, monorepo tools like rush could be good to mention as well.
