Skip to content

Automated Dependency Updates for npm

Categories: js

Renovate supports updating npm dependencies.

File Matching

By default, Renovate will check any files matching any of the following regular expressions:

/(^|/)package\.json$/
/(^|/)pnpm-workspace\.yaml$/
/(^|/)\.yarnrc\.yml$/

For details on how to extend a manager's managerFilePatterns value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: github-tags, npm, node-version.

Default config

{
  "managerFilePatterns": [
    "/(^|/)package\\.json$/",
    "/(^|/)pnpm-workspace\\.yaml$/",
    "/(^|/)\\.yarnrc\\.yml$/"
  ],
  "digest": {
    "prBodyDefinitions": {
      "Change": "{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}"
    }
  },
  "prBodyDefinitions": {
    "Change": "[{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}]({{#if depName}}https://renovatebot.com/diffs/npm/{{replace '/' '%2f' depName}}/{{{currentVersion}}}/{{{newVersion}}}{{/if}})"
  }
}

Additional Information

The following depTypes are currently supported by the npm manager :

  • dependencies
  • devDependencies
  • optionalDependencies
  • peerDependencies
  • engines : Renovate will update any node, npm and yarn version specified under engines.
  • volta : Renovate will update any node, npm, pnpm and yarn version specified under volta.
  • packageManager
  • overrides
  • resolutions
  • pnpm.overrides
  • pnpm.catalog or pnpm.catalog.<name>. Matches any default and named pnpm catalogs.
  • yarn.catalog or yarn.catalogs.<name>. Matches any default and named yarn catalogs.

npm problems and workarounds

Invalid lock file (npm ci fails)

Unfortunately, npm itself sometimes generates invalid lock files which fail npm ci. Try adding "postUpdateOptions": ["npmInstallTwice"] to tell Renovate run any npm install command (which is used to update lock files) twice. This is less efficient than running npm once, but has been known to fix most problems of this type.

If this npm bug remains unfixed, and it becomes too frequent for Renovate users, then we may need to modify Renovate to do this by default. Please post feedback to the Renovate repository "Discussions" if you're needing to use this feature frequently or widely.

Yarn

Version Selection / Installation

If Renovate detects a packageManager setting for Yarn in package.json then it will use Corepack to install Yarn.

HTTP Proxy Support

Yarn itself does not natively recognize/support the HTTP_PROXY and HTTPS_PROXY environment variables.

You can configure RENOVATE_X_YARN_PROXY=true as an environment variable to enable configuring of Yarn proxy (e.g. if you cannot configure these proxy settings yourself in ~/.yarnrc.yml).

If set, and Renovate detects Yarn 2+, and one or both of those variables are present, then Renovate will run commands like yarn config set --home httpProxy http://proxy prior to executing yarn install. This will result in the ~/.yarnrc.yml file being created or modified with these settings, and the settings are not removed afterwards.

Configuration/conversion of NO_PROXY to Yarn config is not supported.

Open items

The below list of features and bugs were current when this page was generated on December 11, 2025.

Feature requests

  • Update the packageManager and runtime versions in devEngines #38067
  • Extract pnpm overrides from pnpm-workspace.yaml #36834
  • Support updating pnpm.executionEnv.nodeVersion #32632
  • Node.js | Follow dist tag automatically #29303
  • Support pnpm aliases #28541
  • Renovate Yarn's packageExtensions in .yarnrc.yml #19163
  • PNPM + package from GIT using YARN #18005
  • Support node_modules that live in source control #13926
  • Option to regenerate lock files during updates #13470
  • Add source URL compare links for npm digest updates #12112
  • Feature request: Rushjs monorepo support #3681

Bug reports

  • lockFileMaintenance modifies package-lock.json in an invalid way #37531
  • Catalog version not applying to all packages in pnpm workspace when shared-workspace-lockfile = false #37485
  • Avoid accidental commit of .yarnrc.yml modifications #29325
  • In workspaces, Renovate sources "major updates" from the package-lock.json rather than package.json #26312
  • Yarn: Error updating complex resolutions when yarn@4.0.1 is defined as packageManager #25853
  • Mismatch between PR title/body and bumped version when remediating yarn range #20929
  • Cannot handle yarn v3 and private registry #14756
  • Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068