Automated Dependency Updates for Npm

Renovate supports updating Npm dependencies.

File Matching¶

By default, Renovate will check any files matching the following regular expression: (^|/)package\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources¶

This manager supports extracting the following datasources: github-tags, npm.

Default config¶

{
  "fileMatch": [
    "(^|/)package\\.json$"
  ],
  "rollbackPrs": true,
  "versioning": "npm",
  "digest": {
    "prBodyDefinitions": {
      "Change": "{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}"
    }
  },
  "prBodyDefinitions": {
    "Change": "[{{#if displayFrom}}`{{{displayFrom}}}` -> {{else}}{{#if currentValue}}`{{{currentValue}}}` -> {{/if}}{{/if}}{{#if displayTo}}`{{{displayTo}}}`{{else}}`{{{newValue}}}`{{/if}}]({{#if depName}}https://renovatebot.com/diffs/npm/{{replace '/' '%2f' depName}}/{{{currentVersion}}}/{{{newVersion}}}{{/if}})"
  }
}

Additional Information¶

The following depTypes are currently supported by the npm manager :

dependencies
devDependencies
optionalDependencies
peerDependencies
engines : Renovate will update any node, npm and yarn version specified under engines.
volta : Renovate will update any node, npm and yarn version specified under volta.
packageManager

Open feature requests¶

Special handling for npm @types #519
Suppress @types versions that are greater than companion package version #1372
Group remaining @types PR's #1799
bumping the version doesn't execute npm preversion hook #2463
Feature Request: Add tag after bumpVersion and automerge #2928
Update dependencies to resolve security vulnerabilities in sub-dependencies #3080
Vulnerability remediation using Yarn resolutions #3093
feat(pnpm): support package.yaml and package.json5 #3653
Feature request: Rushjs monorepo support #3681
latest is not supported as a valid version spec for dependencies in a package.json file #3945
npm: Add support for node compatibility checks #4826
Semver-compatible branch committish incorrectly getting rolled back to tagged versions #5170
Update github hashes in npm package.json files #5640
Improve story for creating PRs to update to nightly builds #5872
Add NPM Audit data to add more detail to Renovate PRs or limit to merge requests to only vulnerability fixes #6027
chore commit type when only the lockfile is updated #6791
Upgrade yarn when version policy is on #7429
Detect if npm package file is nodejs-only #9616
Support npm registries with a general hostRule authentication #9941
Support npmv7 (lock file v2) for transitiveRemediation #10371
Logging installed binary version and constraints mismatch #10382
Add source URL compare links for npm digest updates #12112
Handle more complex yarn resolutions #12605
Option to regenerate lock files during updates #13470
Support node_modules that live in source control #13926
Parse registryUrls from .yarnrc.yml #16353
Support for pnpm.overrides #17298
PNPM + package from GIT using YARN #18005
Support version pinning for pnpm #19038
Default npm to use default version from node #19044
Renovate Yarn's packageExtensions in .yarnrc.yml #19163

Open bug reports¶

yarn lockfile update fails with skipInstalls and high trust #6443
Private dependencies are not updated #7354
Renovate removed a or clause when updating node engines in package.json #7469
Invalid Yarn v1 lock file maintenance result #10331
Renovate cannot upgrade npm to an incompatible version when engine-strict=true is in .npmrc #12068
Renovate removing dependencies in "unaffected" package in monorepo #12891
Cannot handle yarn v3 and private registry #14756
Renovate PRs failing to update artifact with error about --ignore-platform #16535

The above list of features and bugs were current when this page was generated on December 08, 2022.