Automated Dependency Updates for Npm
Renovate supports updating Npm dependencies.
File Matching
By default, Renovate will check any files matching the following regular expression: (^|/)package\.json$.
For details on how to extend a manager's fileMatch value, please follow this link.
Supported datasources
This manager supports extracting the following datasources: github-tags, npm.
Additional Information
The following depTypes are currently supported by the npm manager:
- dependencies
- devDependencies
- optionalDependencies
- peerDependencies
- engines: Renovate will update any node, npm and yarn version specified under engines.
- volta: Renovate will update any node, npm and yarn version specified under volta.
- packageManager
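An added example (not Renovate's own code) that applies the default fileMatch regex quoted above to a constructed list of paths and lists the package.json entries that fall under the depTypes named above, which is a quick way to check what is in scope for updates. The function names, sample paths and sample package.json are assumptions, as is the name@version form of the packageManager field.

```javascript
// Default fileMatch regex as quoted on this page
const DEFAULT_FILE_MATCH = /(^|\/)package\.json$/;

// depTypes that are plain name -> version maps
const MAP_DEP_TYPES = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
// depTypes for which the page names only node, npm and yarn
const TOOL_DEP_TYPES = ['engines', 'volta'];
const TOOL_NAMES = ['node', 'npm', 'yarn'];

// Returns the paths the default fileMatch would select
function matchedFiles(paths) {
  return paths.filter((p) => DEFAULT_FILE_MATCH.test(p));
}

// Lists { depType, name, value } for every entry under a supported depType
function listTrackedEntries(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const out = [];
  for (const depType of [...MAP_DEP_TYPES, ...TOOL_DEP_TYPES]) {
    const toolsOnly = TOOL_DEP_TYPES.includes(depType);
    for (const [name, value] of Object.entries(pkg[depType] || {})) {
      // Keys other than node/npm/yarn are left out of this listing
      if (!toolsOnly || TOOL_NAMES.includes(name)) out.push({ depType, name, value });
    }
  }
  // Assumption: packageManager has the form "name@version"
  const pm = pkg.packageManager;
  const at = typeof pm === 'string' ? pm.lastIndexOf('@') : -1;
  if (at > 0) out.push({ depType: 'packageManager', name: pm.slice(0, at), value: pm.slice(at + 1) });
  return out;
}

// Constructed sample input
const samplePaths = ['package.json', 'packages/api/package.json', 'package-lock.json',
  'docs/mypackage.json', 'package.json.bak'];
const samplePackageJson = JSON.stringify({
  dependencies: { express: '^4.18.1' },
  devDependencies: { '@types/node': '16.11.7' },
  engines: { node: '>=16', 'example-tool': '1.0.0' },
  volta: { node: '16.16.0' },
  packageManager: 'yarn@3.2.1',
});

console.log(matchedFiles(samplePaths));
console.log(listTrackedEntries(samplePackageJson));
```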
Open feature requests
- Special handling for npm @types #519
- Suppress @types versions that are greater than companion package version #1372
- Group remaining @types PR's #1799
- bumping the version doesn't execute npm preversion hook #2463
- Feature Request: Add tag after bumpVersion and automerge #2928
- Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
- Vulnerability remediation using Yarn resolutions #3093
- feat(pnpm): support package.yaml and package.json5 #3653
- Feature request: Rushjs monorepo support #3681
- latest is not supported as a valid version spec for dependencies in a package.json file #3945
- npm: Add support for node compatibility checks #4826
- Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
- Update github hashes in npm package.json files #5640
- Improve story for creating PRs to update to nightly builds #5872
- Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
- chore commit type when only the lockfile is updated #6791
- Upgrade yarn when version policy is on #7429
- Detect if npm package file is nodejs-only #9616
- Support npmv7 (lock file v2) for transitiveRemediation #10371
- Handle more complex yarn resolutions #12605
- Support node_modules that live in source control #13926
- Parse registryUrls from .yarnrc.yml #16353
Open bug reports
- yarn lockfile update fails with skipInstalls and high trust #6443
- Private dependencies are not updated #7354
- Renovate removed a or clause when updating node engines in package.json #7469
- Invalid Yarn v1 lock file maintenance result #10331
- Renovate doesn't update yarn.lock anymore with --install.frozen-lockfile true in .yarnrc #11356
- Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068
- Renovate removing dependencies in "unaffected" package in monorepo #12891
- Cannot handle yarn v3 and private registry #14756
- Unrelated package-lock files get updated (lerna) #16850
The above lists of features and bugs were current when this page was generated on August 15, 2022.