One challenge we are facing when working on React/NodeJS application is how to keep dependencies of our application up to date.
One thing I like after Github bought NPM is that Github will send the pull request to you when it detects that your hosted NodeJS repository has a potential security vulnerability. For example, recently I received one for nextfeathers - [deniapps/nextfeathers] Bump lodash from 4.17.15 to 4.17.19 in /next (#2)
In this case, we could just approve the pull-request and get the dependencies bumped to the new version. But most of the time, we have to take care of this by ourselves.
If we use a third-party framework, like NextJS and Feathers, then it may save us a lot of time to upgrade all the dependencies because we could rely on them, and just make sure to keep eyes on them, and bump the versions when needed. Of course, we should make sure their upgrade guide for the breaking change, and then update our application accordingly.
I should mention that some third-party frameworks also provide the auto-upgrade, for example, feathersjs. But again, we should check their Migrating note for any breaking changes.
Unfortunately, these do not cover all cases, as we build up the application, less or more, we would install other NPM packages, no one but use should upgrade them.
Then, I would suggest doing this often. npm-check-updates (ncu) is a very handy NPM, which I recommend you to install.
npm i npm-check-updates -g
Then in your project folder, where package.json locates, run the commands:
It will show any new dependencies. Then if you feel comfortable, you can run this:
The above command only upgrades your package.json, then you need to run
to install new versions of npm packages.
NOTE: Remember check the release pages of those packages which will be upgraded, to make sure there are not any breaking changes. You may end up manually upgrading some of them.
Finally, make sure you test your application before committing your code.
To check global package versions and available versions.
To upgrade global package, using the command:
ncu -g -u
To check the package version of the particular packages installed in your node modules, for example: check the version of semantic-ui-react:
npm list semantic-ui-react
To check the version of all global packages installed:
npm list -g --depth 0