
Automated Dependency Updates for npm

Renovate supports updating npm dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)package\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: github-tags, npm.

Additional Information

The following depTypes are currently supported by the npm manager:

  • dependencies
  • devDependencies
  • optionalDependencies
  • peerDependencies
  • engines: Renovate will update any node, npm and yarn version specified under engines.
  • volta: Renovate will update any node, npm and yarn version specified under volta.
  • packageManager
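
The default file pattern and the depTypes list above, applied to a constructed repository layout and manifest. This is an added example, not Renovate's own code: it shows which paths the default pattern selects and which package.json entries fall under a listed depType. The function names and sample data are assumptions made for illustration.

```javascript
// Added example, not Renovate's code. The pattern is the default quoted above;
// function names and sample data are constructed for illustration.
const DEFAULT_FILE_MATCH = /(^|\/)package\.json$/;
const MAP_DEP_TYPES = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const TOOL_DEP_TYPES = ['engines', 'volta']; // the page lists node, npm and yarn under these
const TOOLS = ['node', 'npm', 'yarn'];

// Paths the default pattern selects: package.json at the root or in any directory.
function matchedFiles(paths) {
  return paths.filter((p) => DEFAULT_FILE_MATCH.test(p));
}

// Entries of a parsed package.json that fall under one of the listed depTypes.
function coveredEntries(manifest) {
  const out = [];
  for (const depType of MAP_DEP_TYPES) {
    for (const [name, value] of Object.entries(manifest[depType] ?? {})) {
      out.push({ depType, name, value });
    }
  }
  for (const depType of TOOL_DEP_TYPES) {
    for (const name of TOOLS) {
      const value = manifest[depType]?.[name];
      if (typeof value === 'string') out.push({ depType, name, value });
    }
  }
  if (typeof manifest.packageManager === 'string') {
    // packageManager holds a single "name@version" string, e.g. "yarn@3.2.2"
    const [name, value] = manifest.packageManager.split('@');
    out.push({ depType: 'packageManager', name, value });
  }
  return out;
}

// Constructed sample input: a repository file listing and one parsed manifest.
const samplePaths = ['package.json', 'packages/api/package.json', 'tools/package.json5',
  'apps/web/package.yaml', 'fixtures/my-package.json', 'package.json.bak', 'package-lock.json'];
const sampleManifest = {
  dependencies: { express: '^4.18.1' },
  devDependencies: { jest: '28.1.3' },
  engines: { node: '>=16', vscode: '^1.70.0' }, // vscode is not one of node/npm/yarn
  volta: { node: '16.16.0', yarn: '1.22.19' },
  packageManager: 'yarn@3.2.2',
};

console.log(matchedFiles(samplePaths));
console.table(coveredEntries(sampleManifest));
```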

Open feature requests

  • Special handling for npm @types #519
  • Suppress @types versions that are greater than companion package version #1372
  • Group remaining @types PR's #1799
  • bumping the version doesn't execute npm preversion hook #2463
  • Feature Request: Add tag after bumpVersion and automerge #2928
  • Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
  • Vulnerability remediation using Yarn resolutions #3093
  • feat(pnpm): support package.yaml and package.json5 #3653
  • Feature request: Rushjs monorepo support #3681
  • latest is not supported as a valid version spec for dependencies in a package.json file #3945
  • npm: Add support for node compatibility checks #4826
  • Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
  • Update github hashes in npm package.json files #5640
  • Improve story for creating PRs to update to nightly builds #5872
  • Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
  • chore commit type when only the lockfile is updated #6791
  • Upgrade yarn when version policy is on #7429
  • Detect if npm package file is nodejs-only #9616
  • Support npmv7 (lock file v2) for transitiveRemediation #10371
  • Handle more complex yarn resolutions #12605
  • Support node_modules that live in source control #13926
  • Parse registryUrls from .yarnrc.yml #16353

Open bug reports

  • yarn lockfile update fails with skipInstalls and high trust #6443
  • Private dependencies are not updated #7354
  • Renovate removed a or clause when updating node engines in package.json #7469
  • Invalid Yarn v1 lock file maintenance result #10331
  • Renovate doesn't update yarn.lock anymore with --install.frozen-lockfile true in .yarnrc #11356
  • Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068
  • Renovate removing dependencies in "unaffected" package in monorepo #12891
  • Cannot handle yarn v3 and private registry #14756
  • Unrelated package-lock files get updated (lerna) #16850

The above list of features and bugs was current when this page was generated on August 15, 2022.