Update NPM Packages

A few months ago, I began using Node.js to compile my WordPress themes. Today, GitHub began warning me about security vulnerabilities in one of my projects. Whenever I do something for the first time, I document it. Here’s how to update NPM Packages.

The Warnings

I’m pretty new to GitHub and even newer to Node.js. Today was the first time I’d seen a GitHub security warning in a repository. Clicking through to an individual alert makes it clear I need to update my Node.js packages.

Like all of my notes-to-self, I’m writing this in real-time … here I go 🙂

Before making any changes, always create a backup – I’ve pushed the project to its repository and am ready to try this locally in VS Code.

GitHub vulnerability warning
GitHub Security Alerts
GitHub security warning for lodash

npm audit & npm audit fix

When you’re really new to something, even figuring out what to Google can be a challenge. Before setting out, I consider what I do know …

  • I know I’ve got packages installed globally and locally.
  • I know I’ve got a package.json and a package-lock.json where package versions are managed.
  • I know I’ve been prompted to run npm audit fix after installing some packages and that this relates to security vulnerabilities – the problem I’m being warned about.
  • I’m willing to bet money there’s at least 3 ways to go about this 🙂

I decide to start with that 3rd point and run npm audit and npm audit fix.

npm audit
npm audit fix

npm outdated & npm update

At this point I’m not sure everything’s been updated – in fact, I’m pretty sure it hasn’t been. Google suggests npm outdated to check and npm update to update all or individual packages.

npm outdated
npm update

After running npm update, I look at package.json and package-lock.json and see the new version numbers in both.

But it’s clear that something still needs to happen with the del-cli package – it’s shown in a different color in npm outdated and it’s not listed at all in npm update.

A bit more Googling and I find the reason – npm update only handles minor versions and patches. Major versions are a separate process because these, by definition, may introduce breaking changes into a project.
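The distinction above (npm update stays inside the version range package.json allows, which with the default caret range means minor and patch bumps, while a major bump needs a separate step) can be made concrete with a small shell script. This is an added example, not part of the original notes: it parses a constructed table in the shape of the Package / Current / Wanted / Latest columns that npm outdated prints (the package names are the ones from this post, the version numbers are made up) and reports, for each package, what kind of bump is waiting and whether plain npm update will get there.

```shell
#!/bin/sh
# Added example, not code from the original post.

# bump_kind CURRENT LATEST: prints major, minor, patch or none, comparing the
# two version strings the way semver does. A "-beta.1" style suffix is
# dropped before comparing.
bump_kind() {
    cur=${1%%-*}; new=${2%%-*}
    cur_major=${cur%%.*}; cur_rest=${cur#*.}
    cur_minor=${cur_rest%%.*}; cur_patch=${cur_rest#*.}
    new_major=${new%%.*}; new_rest=${new#*.}
    new_minor=${new_rest%%.*}; new_patch=${new_rest#*.}
    if [ "$new_major" -gt "$cur_major" ]; then
        echo major
    elif [ "$new_major" -eq "$cur_major" ] && [ "$new_minor" -gt "$cur_minor" ]; then
        echo minor
    elif [ "$new_major" -eq "$cur_major" ] && [ "$new_minor" -eq "$cur_minor" ] \
         && [ "$new_patch" -gt "$cur_patch" ]; then
        echo patch
    else
        echo none
    fi
}

# Constructed sample in the shape of `npm outdated` output. The package names
# are the ones from the post; the version numbers are made up for the example.
OUTDATED_SAMPLE='Package  Current  Wanted   Latest
lodash   4.17.11  4.17.21  4.17.21
gulp     4.0.0    4.1.0    4.1.0
del-cli  1.1.0    1.1.0    3.0.1'

# classify_outdated: one tab-separated line per package: name, kind of bump,
# and whether plain `npm update` reaches Latest. npm update only moves
# Current -> Wanted (the highest version the package.json range allows), so
# when Wanted is behind Latest a manual step is needed: either
# `npm install <pkg>@latest` or `ncu -u` followed by `npm install`.
classify_outdated() {
    printf '%s\n' "$OUTDATED_SAMPLE" | tail -n +2 |
    while read -r pkg current wanted latest _; do
        kind=$(bump_kind "$current" "$latest")
        if [ "$wanted" = "$latest" ]; then
            how="npm update"
        else
            how="manual update needed"
        fi
        printf '%s\t%s\t%s\n' "$pkg" "$kind" "$how"
    done
}

# needs_manual: just the package names that npm update will not bring to Latest.
needs_manual() {
    classify_outdated | grep -v 'npm update$' | cut -f 1
}

classify_outdated
```

To run it against a real project, replace OUTDATED_SAMPLE with the text of npm outdated (or adapt the parsing to npm outdated --json). The useful output is the last column: anything marked "manual update needed" is exactly the set of packages that npm update will keep skipping, which is what happened with del-cli above.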

I deal with this further down – first I try npm update -g to see if any global packages need updating … turns out some do.

npm update -g

Major Version: Manual Update

At this point I’m pretty sure everything except the del-cli package has been updated. Looking in package.json and package-lock.json, I see this package listed in my devDependencies.

My first thought is to simply uninstall and reinstall the package. Since the package is in my devDependencies, the commands would be:

npm uninstall del-cli --save-dev
npm install del-cli --save-dev

The shorthand for these commands is:

npm install del-cli@latest --save-dev

While this is an easy way to update a package or two, what if I had several, or even dozens, of packages to update?

Major Versions: npm-check-updates

To update major versions for several packages, Google suggests either npm-check-updates or npm-check.

I decide to try npm-check-updates because it appears better maintained. The following screenshot shows running these commands:

npm install -g npm-check-updates to install the package.

ncu to check for updates.

ncu -u to update package.json.

npm install to update package-lock.json.

npm-check-updates package

Test

At this point I think everything’s been updated, but I’m not exactly sure how to test that.

So I start with npm audit and npm outdated – I see no vulnerabilities or updates.

Next I test my scripts – the project compiles without errors.

Last, I commit the changes, push the project to GitHub, and check for the security warnings that started this journey – they’ve been resolved.

I’m as assured as I can be that everything’s been updated, but a little more Googling and I’m finding some great stuff about automating updates and tests … Since this is a simple project, I’m gonna stop here 🙂

Wrap

I always include a ‘quick-grab’ in my notes. To update all NPM packages – local, global, major, minor, and patches, use these commands:

npm audit – Review security vulnerabilities.

npm outdated – See all packages with available updates.

npm update – Perform minor and patch updates on local packages.

npm update -g – Perform minor and patch updates on global packages.

npm install -g npm-check-updates – Install the ncu package.

ncu – In this example, check for major version updates.

ncu -u – Update package.json version numbers.

npm install – Install updates and update package-lock.json.

I document this kind of stuff for my own benefit – 3 months from now I won’t remember what I did 😛 If you’ve made it this far, thanks and I hope it’s helped you in some way!