Automated Dependency Updates for Npm

Renovate supports updating Npm dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)package\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: github-tags, npm.

Default config

  {
    "fileMatch": ["(^|/)package\\.json$"],
    "rollbackPrs": true,
    "versioning": "npm",
    "digest": {
      "prBodyDefinitions": {
        "Change": "{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}"
      }
    },
    "prBodyDefinitions": {
      "Change": "[{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}]({{#if depName}}{{replace '/' '%2f' depName}}/{{{currentVersion}}}/{{{newVersion}}}{{/if}})"
    }
  }

Additional Information

The following depTypes are currently supported by the npm manager:

  • dependencies
  • devDependencies
  • optionalDependencies
  • peerDependencies
  • engines: Renovate will update any node, npm and yarn version specified under engines.
  • volta: Renovate will update any node, npm and yarn version specified under volta.
  • packageManager
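
The sketch below is an added illustration, not Renovate's code: it applies the default fileMatch expression from File Matching to a list of repository paths and enumerates the package.json entries that fall under the depTypes listed above. The function names, sample paths and sample manifest are constructed for the example, and Renovate settings other than fileMatch are not modelled.

```javascript
// Added illustration, not Renovate's implementation.
const FILE_MATCH = /(^|\/)package\.json$/; // default fileMatch quoted on this page
const MAP_DEP_TYPES = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const TOOLS = ['node', 'npm', 'yarn']; // names the page lists under engines and volta
const isMap = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Paths the default pattern selects, at any directory depth.
function matchedFiles(paths) {
  return paths.filter((p) => FILE_MATCH.test(p));
}

// List every entry in a package.json that falls under a supported depType.
function inventory(manifestText) {
  const manifest = JSON.parse(manifestText);
  const found = [];
  for (const depType of MAP_DEP_TYPES) {
    if (!isMap(manifest[depType])) continue; // absent or malformed section
    for (const [depName, currentValue] of Object.entries(manifest[depType])) {
      found.push({ depType, depName, currentValue: String(currentValue) });
    }
  }
  for (const depType of ['engines', 'volta']) {
    if (!isMap(manifest[depType])) continue;
    for (const depName of TOOLS) {
      const currentValue = manifest[depType][depName];
      if (typeof currentValue === 'string') found.push({ depType, depName, currentValue });
    }
  }
  // packageManager is one "name@version" string rather than a map.
  const pm = manifest.packageManager;
  if (typeof pm === 'string' && pm.lastIndexOf('@') > 0) {
    const at = pm.lastIndexOf('@');
    found.push({ depType: 'packageManager', depName: pm.slice(0, at), currentValue: pm.slice(at + 1) });
  }
  return found;
}

// Constructed sample input.
const SAMPLE_PATHS = ['package.json', 'packages/api/package.json', 'test/fixtures/package.json',
  'package.json.bak', 'docs/mypackage.json', 'package-lock.json'];
const SAMPLE_MANIFEST = JSON.stringify({
  dependencies: { express: '^4.18.2' },
  devDependencies: { jest: '29.3.1' },
  peerDependencies: 'invalid', // not a map, so it is skipped
  engines: { node: '>=16', vscode: '^1.70.0' },
  volta: { node: '18.12.1', yarn: '1.22.19' },
  packageManager: 'yarn@3.3.0',
});

console.log(matchedFiles(SAMPLE_PATHS));
console.table(inventory(SAMPLE_MANIFEST));
```

Running the same inventory over a real checkout shows which manifests, including nested fixture or vendored ones, the default pattern selects and therefore which entries a reviewer should expect update PRs to touch.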

Open feature requests

  • Special handling for npm @types #519
  • Suppress @types versions that are greater than companion package version #1372
  • Group remaining @types PR's #1799
  • bumping the version doesn't execute npm preversion hook #2463
  • Feature Request: Add tag after bumpVersion and automerge #2928
  • Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
  • Vulnerability remediation using Yarn resolutions #3093
  • feat(pnpm): support package.yaml and package.json5 #3653
  • Feature request: Rushjs monorepo support #3681
  • latest is not supported as a valid version spec for dependencies in a package.json file #3945
  • npm: Add support for node compatibility checks #4826
  • Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
  • Update github hashes in npm package.json files #5640
  • Improve story for creating PRs to update to nightly builds #5872
  • Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
  • chore commit type when only the lockfile is updated #6791
  • Upgrade yarn when version policy is on #7429
  • Detect if npm package file is nodejs-only #9616
  • Support npm registries with a general hostRule authentication #9941
  • Support npmv7 (lock file v2) for transitiveRemediation #10371
  • Logging installed binary version and constraints mismatch #10382
  • Add source URL compare links for npm digest updates #12112
  • Handle more complex yarn resolutions #12605
  • Option to regenerate lock files during updates #13470
  • Support node_modules that live in source control #13926
  • Parse registryUrls from .yarnrc.yml #16353
  • Support for pnpm.overrides #17298
  • PNPM + package from GIT using YARN #18005
  • Support version pinning for pnpm #19038
  • Default npm to use default version from node #19044
  • Renovate Yarn's packageExtensions in .yarnrc.yml #19163

Open bug reports

  • yarn lockfile update fails with skipInstalls and high trust #6443
  • Private dependencies are not updated #7354
  • Renovate removed a or clause when updating node engines in package.json #7469
  • Invalid Yarn v1 lock file maintenance result #10331
  • Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068
  • Renovate removing dependencies in "unaffected" package in monorepo #12891
  • Cannot handle yarn v3 and private registry #14756
  • Renovate PRs failing to update artifact with error about --ignore-platform #16535

The above lists of features and bugs were current when this page was generated on December 08, 2022.