courses.reviews - My new website for finding the best coding courses, with reviews & exclusive discounts. It's free!

Published
4 min read
Up to date

Trevor I. Lasn

Staff Engineer, EM & Entrepreneur

dependency-time-machine: An Easier Way to Update NPM packages

Automatically update your package.json dependencies one by one in chronological order, ensuring compatibility and reducing errors

Updating Node dependencies is a headache. Things often break, or dependencies conflict because they’ve been updated at different times. It’s frustrating when you run into issues after an update, especially when you don’t know which package caused the problem.

Managing dependencies manually is time-consuming, and figuring out the right order to update them in is tricky. One outdated dependency can throw off your entire project, and fixing it can feel like you’re playing whack-a-mole with bugs.

I came across a handy package called dependency-time-machine (thanks pilotpirxie). It streamlines the process by updating your dependencies one at a time in the order they were released, making sure everything remains compatible and works together seamlessly.

How dependency-time-machine works:

  • Reads your package.json
  • Finds the release dates for each dependency.
  • Updates them one by one, in the order they were released.
  • Runs your tests after each update to check for compatibility issues.

dependency-time-machine diagram

Usage

Run dependency-time-machine with npx to find the next recommended dependency to update.

Terminal window
 npx dependency-time-machine --update --install


Need to install the following packages:
[email protected]
Ok to proceed? (y) y


Fetching remote dependencies...
[1/8] apollo-server-hapi
[2/8] graphql
[3/8] hapi
[4/8] hapi-swagger
[5/8] inert
[6/8] mongoose
[7/8] nodemon
[8/8] vision
New version found: [email protected] (2018-05-21T17:59:05.432Z)
Updating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...
Installing new version...
npm warn deprecated [email protected]: This version contains severe security issues and defects and should not be used! Please upgrade to the latest version of @hapi/hapi or consider a commercial license (https://github.com/hapijs/hapi/issues/4114)
Installed

dependency-time-machine finds that hapi has a new version (17.5.0) released on May 21, 2018. It updates hapi in the package.json, installs the new version, and issues a warning that this version has known security defects and should be updated to a more secure version.

Terminal window
  graphql-nodejs-hapi-api git:(master)  npx dependency-time-machine --update --install


Fetching remote dependencies...
[1/8] apollo-server-hapi
[2/8] graphql
[3/8] hapi
[4/8] hapi-swagger
[5/8] inert
[6/8] mongoose
[7/8] nodemon
[8/8] vision
New version found: [email protected] (2018-05-21T20:19:18.763Z)
Updating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...
Installing new version...
Installed

Skipping Major Versions

Use the --stop-if-higher-major-number flag to skip over major versions. This will prevent the tool from updating to the next major version and instead keep it within the current major version range, ensuring more stable updates. Here’s an example:

Terminal window
  graphql-nodejs-hapi-api git:(master)  npx dependency-time-machine --update --install --stop-if-higher-major-number


Fetching remote dependencies...
[1/7] apollo-server-hapi
[2/7] graphql
[3/7] hapi
[4/7] hapi-swagger
[5/7] inert
[6/7] mongoose
[7/7] vision
New version found: [email protected] (2018-07-30T23:51:37.527Z)
Updating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...
Installing new version...
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
Installed

In this case, we updated to [email protected], staying within the same major version (5.x.x), skipping any updates that would have moved to a higher major version (like 6.x.x or higher). This helps keep updates stable and avoids breaking changes from major version bumps.

Excluding Dependencies

To skip certain dependencies from being updated, use the -e flag:

Terminal window
  graphql-nodejs-hapi-api git:(master)  npx dependency-time-machine --update --install -e hapi


Fetching remote dependencies...
[1/8] apollo-server-hapi
[2/8] graphql
[3/8] hapi (excluded)
[4/8] hapi-swagger
[5/8] inert
[6/8] mongoose
[7/8] nodemon
[8/8] vision
New version found: [email protected] (2018-06-08T13:26:01.447Z)
Updating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...
Installing new version...
npm warn deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
Installed

Hapi was excluded from the update process:

Terminal window
[3/8] hapi (excluded)

What about private registries? Not a problem.

Use the -r flag to specify your own private registry URL. Replace the example URL with your own.

Terminal window
  graphql-nodejs-hapi-api git:(master)  npx dependency-time-machine --timeline -r https://npm.mycompany.com


Fetching remote dependencies...
[1/8] apollo-server-hapi
Error fetching data https://npm.mycompany.com/apollo-server-hapi
Error: getaddrinfo ENOTFOUND npm.mycompany.com
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26) {
  errno: -3008,
  code: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: 'npm.mycompany.com'
}

Sources

If you found this article helpful, you might enjoy my free newsletter. I share developer tips and insights to help you grow your skills and career.

open source node.js

Related Articles

If you enjoyed this article, you might find these related pieces interesting as well.

Can OSSPledge Fix Open Source Sustainability?

The Open Source Pledge aims to address open source sustainability challenges by encouraging companies to pay $2,000 per developer per year

Nov 17, 2024 5 min read

Secure Your Repositories: Prevent Credential Leaks with Gitleaks

Automate security flows and ensure your team follows security best practices

Aug 6, 2024 9 min read

SecretLint — A Linter for Preventing Committing Credentials

A guide to catching and preventing credential leaks in your code using Secretlint

Oct 22, 2024 5 min read

Pkl: Apple's New Configuration Language That Could Replace JSON and YAML

A deep dive into Pkl, Apple's configuration language that aims to replace JSON and YAML

Nov 1, 2024 5 min read

Remove Unnecessary NPM Packages with eslint-plugin-depend

We don't need packages to handle basic JavaScript tasks

Aug 13, 2024 4 min read

Repopack: Pack Your Entire Repository Into A Single File

A tool that packages your code to easily share with LLM models.

Oct 21, 2024 5 min read
all articles

This article was originally published on https://www.trevorlasn.com/blog/dependency-time-machine. It was written by a human and polished using grammar tools for clarity.