Automated Dependency Updates for Npm
Renovate supports updating Npm dependencies.
## File Matching

By default, Renovate will check any files matching the following regular expression: `(^|/)package\.json$`.

For details on how to extend a manager's `fileMatch` value, please follow this link.

## Supported datasources

This manager supports extracting the following datasources: `github-tags`, `npm`.
## References

## Default config
```json
{
  "fileMatch": [
    "(^|/)package\\.json$"
  ],
  "rollbackPrs": true,
  "versioning": "npm",
  "digest": {
    "prBodyDefinitions": {
      "Change": "{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}"
    }
  },
  "prBodyDefinitions": {
    "Change": "[{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}]({{#if depName}}https://renovatebot.com/diffs/npm/{{replace '/' '%2f' depName}}/{{{currentVersion}}}/{{{newVersion}}}{{/if}})"
  }
}
```
## Additional Information

The following `depTypes` are currently supported by the npm manager:

- `dependencies`
- `devDependencies`
- `optionalDependencies`
- `peerDependencies`
- `engines`: Renovate will update any `node`, `npm` and `yarn` version specified under `engines`.
- `volta`: Renovate will update any `node`, `npm` and `yarn` version specified under `volta`.
- `packageManager`
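
To see what the default `fileMatch` and the depTypes above put in scope for a repository, the following added example (not Renovate's own code) applies the page's regular expression to a constructed path list and flattens a constructed `package.json` into one record per entry. The function names and sample data are assumptions, and `packageManager` is read in Corepack's `name@version` form.

```javascript
// Added example, not Renovate's implementation. The regex and the depType
// names are copied from this page; everything else is hypothetical.
const FILE_MATCH = /(^|\/)package\.json$/;
const MAP_DEP_TYPES = ['dependencies', 'devDependencies', 'optionalDependencies',
  'peerDependencies', 'engines', 'volta'];
const TOOLS = new Set(['node', 'npm', 'yarn']); // names the page lists for engines/volta

// Paths from a repository listing that the default fileMatch selects.
function matchedFiles(paths) {
  return paths.filter((p) => FILE_MATCH.test(p));
}

// Flatten one package.json (as text) into { depType, name, value } records.
function inScopeEntries(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const out = [];
  for (const depType of MAP_DEP_TYPES) {
    const section = pkg[depType];
    // Skip missing or malformed sections instead of throwing.
    if (section === null || typeof section !== 'object' || Array.isArray(section)) continue;
    const toolSection = depType === 'engines' || depType === 'volta';
    for (const [name, value] of Object.entries(section)) {
      if (toolSection && !TOOLS.has(name)) continue;
      if (typeof value === 'string') out.push({ depType, name, value });
    }
  }
  // packageManager is a single "name@version" string rather than a map.
  if (typeof pkg.packageManager === 'string') {
    const at = pkg.packageManager.lastIndexOf('@');
    if (at > 0) {
      out.push({ depType: 'packageManager',
        name: pkg.packageManager.slice(0, at), value: pkg.packageManager.slice(at + 1) });
    }
  }
  return out;
}

// Constructed sample input.
const samplePaths = ['package.json', 'packages/api/package.json',
  'package.json.bak', 'tools/mypackage.json', 'package-lock.json'];
const samplePackageJson = JSON.stringify({
  dependencies: { express: '^4.18.2' },
  devDependencies: { jest: '29.5.0' },
  engines: { node: '>=18', vscode: '^1.70.0' },
  volta: { node: '18.15.0' },
  packageManager: 'yarn@3.5.0',
});

console.log(matchedFiles(samplePaths));
console.log(inScopeEntries(samplePackageJson));
```

Only the two real `package.json` paths match; backup copies, lock files and look-alike names fall outside the default pattern and are not checked.
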
## Open items

The features and bugs listed below were current when this page was generated on March 30, 2023.

### Feature requests

- Renovate Yarn's `packageExtensions` in .yarnrc.yml #19163
- Default npm to use default version from node #19044
- Support version pinning for pnpm #19038
- PNPM + package from GIT using YARN #18005
- Support for pnpm.overrides #17298
- Support `node_modules` that live in source control #13926
- Option to regenerate lock files during updates #13470
- Handle more complex yarn resolutions #12605
- Add source URL compare links for npm digest updates #12112
- Logging installed binary version and constraints mismatch #10382
- Support npmv7 (lock file v2) for transitiveRemediation #10371
- Support npm registries with a general hostRule authentication #9941
- Detect if npm package file is nodejs-only #9616
- Upgrade yarn when version policy is on #7429
- `chore` commit type when only the lockfile is updated #6791
- Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
- Improve story for creating PRs to update to nightly builds #5872
- Update github hashes in npm package.json files #5640
- Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
- npm: Add support for node compatibility checks #4826
- `latest` is not supported as a valid version spec for dependencies in a `package.json` file #3945
- Feature request: Rushjs monorepo support #3681
- feat(pnpm): support package.yaml and package.json5 #3653
- Vulnerability remediation using Yarn resolutions #3093
- Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
- Feature Request: Add tag after bumpVersion and automerge #2928
- bumping the version doesn't execute npm preversion hook #2463
- Group remaining @types PR's #1799
- Suppress @types versions that are greater than companion package version #1372
- Special handling for npm `@types` #519

### Bug reports
- Mismatch between PR title/body and bumped version when remediating yarn range #20929
- npm install should be scoped to workspaces #20469
- Cannot handle yarn v3 and private registry #14756
- Renovate cannot upgrade npm to an incompatible version when `engine-strict=true` is in `.npmrc` #12068
- Invalid Yarn v1 lock file maintenance result #10331
- Renovate removed a or clause when updating node engines in package.json #7469
- Private dependencies are not updated #7354