Updating Node dependencies is a headache. Things often break, or dependencies conflict because they’ve been updated at different times. It’s frustrating when you run into issues after an update, especially when you don’t know which package caused the problem.
Managing dependencies manually is time-consuming, and figuring out the right order to update them in is tricky. One outdated dependency can throw off your entire project, and fixing it can feel like you’re playing whack-a-mole with bugs.
I came across a handy package called dependency-time-machine (thanks pilotpirxie). It streamlines the process by updating your dependencies one at a time in the order they were released, making sure everything remains compatible and works together seamlessly.
How dependency-time-machine works
- Reads your
package.json - Finds the release dates for each dependency.
- Updates them one by one, in the order they were released.
- Runs your tests after each update to check for compatibility issues.
Usage
Run dependency-time-machine with npx to find the next recommended dependency to update.
➜ npx dependency-time-machine --update --install
Need to install the following packages:Ok to proceed? (y) y
Fetching remote dependencies...[1/8] apollo-server-hapi[2/8] graphql[3/8] hapi[4/8] hapi-swagger[5/8] inert[6/8] mongoose[7/8] nodemon[8/8] visionUpdating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...Installing new version...npm warn deprecated [email protected]: This version contains severe security issues and defects and should not be used! Please upgrade to the latest version of @hapi/hapi or consider a commercial license (https://github.com/hapijs/hapi/issues/4114)Installeddependency-time-machine finds that hapi has a new version (17.5.0) released on May 21, 2018. It updates hapi in the package.json, installs the new version, and issues a warning that this version has known security defects and should be updated to a more secure version.
➜ graphql-nodejs-hapi-api git:(master) ✗ npx dependency-time-machine --update --install
Fetching remote dependencies...[1/8] apollo-server-hapi[2/8] graphql[3/8] hapi[4/8] hapi-swagger[5/8] inert[6/8] mongoose[7/8] nodemon[8/8] visionUpdating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...Installing new version...InstalledSkipping Major Versions
Use the --stop-if-higher-major-number flag to skip over major versions. This will prevent the tool from updating to the next major version and instead keep it within the current major version range, ensuring more stable updates. Here’s an example:
➜ graphql-nodejs-hapi-api git:(master) ✗ npx dependency-time-machine --update --install --stop-if-higher-major-number
Fetching remote dependencies...[1/7] apollo-server-hapi[2/7] graphql[3/7] hapi[4/7] hapi-swagger[5/7] inert[6/7] mongoose[7/7] visionUpdating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...Installing new version...npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.npm warn deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.InstalledIn this case, we updated to [email protected], staying within the same major version (5.x.x), skipping any updates that would have moved to a higher major version (like 6.x.x or higher). This helps keep updates stable and avoids breaking changes from major version bumps.
Excluding Dependencies
To skip certain dependencies from being updated, use the -e flag:
➜ graphql-nodejs-hapi-api git:(master) ✗ npx dependency-time-machine --update --install -e hapi
Fetching remote dependencies...[1/8] apollo-server-hapi[2/8] graphql[3/8] hapi (excluded)[4/8] hapi-swagger[5/8] inert[6/8] mongoose[7/8] nodemon[8/8] visionUpdating [email protected] in /Users/trevorindreklasn/Projects/labs/graphql-nodejs-hapi-api/package.json...Installing new version...npm warn deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).InstalledHapi was excluded from the update process:
[3/8] hapi (excluded)What about private registries? Not a problem.
Use the -r flag to specify your own private registry URL. Replace the example URL with your own.
➜ graphql-nodejs-hapi-api git:(master) ✗ npx dependency-time-machine --timeline -r https://npm.mycompany.com
Fetching remote dependencies...[1/8] apollo-server-hapiError fetching data https://npm.mycompany.com/apollo-server-hapiError: getaddrinfo ENOTFOUND npm.mycompany.com at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26) { errno: -3008, code: 'ENOTFOUND', syscall: 'getaddrinfo', hostname: 'npm.mycompany.com'}