
Automated Dependency Updates for npm

Renovate supports updating npm dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)package\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: github-tags, npm.

Default config

  {
    "fileMatch": ["(^|/)package\\.json$"],
    "rollbackPrs": true,
    "versioning": "npm",
    "digest": {
      "prBodyDefinitions": {
        "Change": "{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}"
      }
    },
    "prBodyDefinitions": {
      "Change": "[{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}]({{#if depName}}{{replace '/' '%2f' depName}}/{{{currentVersion}}}/{{{newVersion}}}{{/if}})"
    }
  }

Additional Information

The following depTypes are currently supported by the npm manager:

  • dependencies
  • devDependencies
  • optionalDependencies
  • peerDependencies
  • engines: Renovate will update any node, npm and yarn version specified under engines.
  • volta: Renovate will update any node, npm and yarn version specified under volta.
  • packageManager
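
To see what this manager's scope means for a given repository, the following added example (an illustration written for this page, not Renovate's own code) applies the default fileMatch expression to a list of paths and lists the entries of a package.json under the depTypes above. The function names, the sample paths and the sample package.json are constructed, and the "name@version" form of packageManager is an assumption.

```javascript
// Added illustration, not Renovate's own code.
const FILE_MATCH = /(^|\/)package\.json$/; // default fileMatch quoted on this page
const MAP_DEP_TYPES = ['dependencies', 'devDependencies',
  'optionalDependencies', 'peerDependencies'];
const TOOL_DEP_TYPES = ['engines', 'volta'];
const TOOL_NAMES = ['node', 'npm', 'yarn']; // only the names this page lists
const isMap = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Paths the default fileMatch selects from a repository file list.
function matchPackageFiles(paths) {
  return paths.filter((p) => FILE_MATCH.test(p));
}

// Every { depType, depName, currentValue } found in one package.json text.
function extractDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = [];
  for (const depType of MAP_DEP_TYPES) {
    if (!isMap(pkg[depType])) continue;
    for (const [depName, currentValue] of Object.entries(pkg[depType])) {
      deps.push({ depType, depName, currentValue });
    }
  }
  for (const depType of TOOL_DEP_TYPES) {
    if (!isMap(pkg[depType])) continue;
    for (const depName of TOOL_NAMES) {
      const currentValue = pkg[depType][depName];
      if (typeof currentValue === 'string') deps.push({ depType, depName, currentValue });
    }
  }
  // Assumption: packageManager holds the Corepack form "name@version".
  const pm = typeof pkg.packageManager === 'string' ? pkg.packageManager : '';
  const at = pm.lastIndexOf('@');
  if (at > 0) {
    deps.push({ depType: 'packageManager', depName: pm.slice(0, at), currentValue: pm.slice(at + 1) });
  }
  return deps;
}

// Constructed sample input.
const SAMPLE_PATHS = ['package.json', 'packages/api/package.json',
  'my-package.json', 'package.json.bak', 'docs/package.jsonc'];
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { express: '^4.18.2' },
  devDependencies: { '@types/node': '18.15.11' },
  engines: { node: '>=18' },
  volta: { node: '18.15.0' },
  packageManager: 'yarn@3.5.0',
});
console.log(matchPackageFiles(SAMPLE_PATHS), extractDeps(SAMPLE_PACKAGE_JSON));
```

Running it over a repository's file list shows which manifests fall inside the default pattern, including nested ones, and which fall outside it, such as my-package.json or package.json.bak.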

Open items

The features and bugs listed below were current when this page was generated on March 30, 2023.

Feature requests

  • Renovate Yarn's packageExtensions in .yarnrc.yml #19163
  • Default npm to use default version from node #19044
  • Support version pinning for pnpm #19038
  • PNPM + package from GIT using YARN #18005
  • Support for pnpm.overrides #17298
  • Support node_modules that live in source control #13926
  • Option to regenerate lock files during updates #13470
  • Handle more complex yarn resolutions #12605
  • Add source URL compare links for npm digest updates #12112
  • Logging installed binary version and constraints mismatch #10382
  • Support npmv7 (lock file v2) for transitiveRemediation #10371
  • Support npm registries with a general hostRule authentication #9941
  • Detect if npm package file is nodejs-only #9616
  • Upgrade yarn when version policy is on #7429
  • chore commit type when only the lockfile is updated #6791
  • Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
  • Improve story for creating PRs to update to nightly builds #5872
  • Update github hashes in npm package.json files #5640
  • Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
  • npm: Add support for node compatibility checks #4826
  • latest is not supported as a valid version spec for dependencies in a package.json file #3945
  • Feature request: Rushjs monorepo support #3681
  • feat(pnpm): support package.yaml and package.json5 #3653
  • Vulnerability remediation using Yarn resolutions #3093
  • Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
  • Feature Request: Add tag after bumpVersion and automerge #2928
  • bumping the version doesn't execute npm preversion hook #2463
  • Group remaining @types PR's #1799
  • Suppress @types versions that are greater than companion package version #1372
  • Special handling for npm @types #519

Bug reports

  • Mismatch between PR title/body and bumped version when remediating yarn range #20929
  • npm install should be scoped to workspaces #20469
  • Cannot handle yarn v3 and private registry #14756
  • Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068
  • Invalid Yarn v1 lock file maintenance result #10331
  • Renovate removed a or clause when updating node engines in package.json #7469
  • Private dependencies are not updated #7354