Keeping your app's NPM packages always up-to-date

One of the most important parts of maintaining an application is making sure that all of its third-party packages stay up-to-date. This work is easily overlooked, because the day-to-day focus is usually on shipping new features and fixing bugs.

Forgetting to update npm packages is very common in software development. There can be many reasons for it, but more often than not it comes down to too few resources being dedicated to maintaining the third-party packages and libraries in your software.

Why it is important to keep third-party packages up-to-date

Keeping third-party packages up-to-date is important for several reasons:

  1. Security: Third-party packages may contain vulnerabilities that attackers can exploit, and in a typical application most of the code that ships is third-party. When you keep packages up-to-date, the fixes that maintainers publish actually reach your application, and you shorten the window in which a publicly known vulnerability is exploitable in your product.

  2. Bug fixes: Third-party packages may contain bugs that can affect the functionality of your application. By keeping packages up-to-date, you ensure that any bugs are fixed, and your application runs smoothly.

  3. Compatibility: Third-party packages may change their APIs, or require different dependencies. Keeping packages up-to-date ensures that your application remains compatible with the latest version of the packages it depends on.

  4. Performance: Third-party packages may contain optimizations that improve performance or reduce memory usage. Keeping packages up-to-date ensures that your application benefits from these improvements.

  5. Features: Third-party packages may add new features that can be useful to your application. Keeping packages up-to-date ensures that you can take advantage of these features and provide a better user experience.

Keeping third-party packages up-to-date is important for security, bug fixes, compatibility, performance, and features. It helps to ensure that your application remains stable, secure, and up-to-date with the latest technologies.

How to keep your app’s third-party packages always up-to-date

Updating your app’s third-party packages is usually a manual task. For npm specifically, the npm CLI has built-in commands for checking and updating packages, and there are third-party tools that build on them.

Using NPM’s CLI

From your command line, you can use the following npm commands to help you keep your app’s packages up-to-date:

npm audit

The npm audit command checks a Node.js project for known security vulnerabilities in its dependencies. It takes the full dependency tree from package-lock.json (or from what is installed in node_modules), not just the direct dependencies listed in package.json, and checks it against the registry’s advisory database, so transitive dependencies are covered as well.

When you run npm audit, npm reports every vulnerable package it finds: the severity, the affected version range, the path through which the package is pulled in, and whether a fix is available. It ends with a summary of how many vulnerabilities were found at each severity level.

npm reports each vulnerability with one of five severity levels, from lowest to highest: info, low, moderate, high and critical. The --audit-level flag (for example npm audit --audit-level=high) sets the lowest level that makes the command exit with a non-zero status, which is what you want when the command runs in CI.

npm audit also tells you how to fix what it found. npm audit fix installs updates that stay within the version ranges declared in package.json. If the only fixed version is a new major version, npm says so, and npm audit fix --force will install it; that is a semver-major change, so test it before you merge. If no fixed version exists at all, you have to wait for the maintainer, patch the package locally, or replace it. Note that npm has no built-in way to suppress or ignore an individual advisory; --audit-level only controls which severities cause a non-zero exit status.

npm update

The npm update command updates the installed dependencies of a Node.js project to the newest versions allowed by the version ranges in package.json.

When you run npm update, npm checks the registry for newer versions of the installed packages. If a newer version satisfies the declared range, npm downloads it, installs it into the node_modules directory and records the new version in package-lock.json.

npm update only moves within the range you declared. With a caret (^1.2.3) it will install new minor and patch versions, up to but not including 2.0.0 (for 0.x versions the caret is stricter); with a tilde (~1.2.3) it installs new patch versions only; with an exact version (1.2.3) nothing changes. Since npm 7 it does not rewrite the ranges in package.json unless you pass --save.

So if you want to move to a new major version of a package, you have to change the range in package.json yourself, or run npm install <package>@latest, which installs the newest published version and updates package.json to match. Either way, expect breaking changes and test accordingly.

npm outdated

The npm outdated command lists the installed packages that have newer versions available. For each one it shows the installed version (Current), the newest version that satisfies the range in package.json (Wanted) and the newest version published to the registry (Latest).

When Wanted is ahead of Current, npm update will pick up the change. When Latest is ahead of Wanted, usually because a new major version was released, you need to change the range in package.json first. A package listed with Current as MISSING is declared in package.json but not installed.

The main difference between npm outdated and npm update is that npm outdated only reports and changes nothing, while npm update actually installs the newest versions that the declared ranges allow.

Using third-party CLI tools

While npm has built-in commands to help you keep packages up-to-date, there are also third-party tools that add features on top of them, such as upgrading past the declared version ranges or reviewing change logs before you upgrade.

Here are the most common third-party CLI tools to help you keep your npm packages up-to-date:

npm-check-updates

npm-check-updates (ncu) is a third-party CLI tool that upgrades the version ranges in your package.json to the latest published versions, including new major versions, while letting you exclude specific packages. Running ncu shows what would change; ncu -u writes the new ranges to package.json, after which you run npm install and test.

npm-upgrade

npm-upgrade is a third-party CLI tool that helps you update outdated npm dependencies interactively, with support for inspecting each package’s change log before you accept the upgrade.

npm-check

npm-check is a third-party CLI tool that provides an interactive interface in the terminal for reviewing outdated, unused and missing packages and choosing which ones to update (npm-check -u).

How often should you update your npm packages

The frequency of updating npm packages in a project can vary depending on several factors, such as the size and complexity of the project, the importance of security, and the stability of the packages.

Here are some general guidelines for updating npm packages:

  1. Stay up-to-date with security patches: Update packages that have known security vulnerabilities as soon as possible, regardless of your regular update schedule. Use npm audit to find them, npm audit fix to apply the compatible updates, and handle the rest (major version bumps, packages without a fix) by hand.

  2. Update frequently for small projects: For small projects, it’s a good practice to update packages frequently, at least once a week or every two weeks. This can help prevent package version conflicts and keep the project up-to-date with the latest features and improvements.

  3. Update less frequently for large projects: For large projects, updating packages can be more challenging due to the higher risk of breaking changes and version conflicts. In such cases, it’s recommended to update packages less frequently, but still regularly, such as once a month or every few months.

  4. Use version ranges together with a lockfile: When specifying dependencies in package.json, use version ranges (for example ^1.4.0) instead of fixed versions so that npm update can pull in compatible fixes without you editing the file. At the same time, commit package-lock.json and install with npm ci in CI, so that every build uses exactly the versions you tested. Ranges without a lockfile make builds non-reproducible: whatever was published most recently, including a bad release, is silently picked up by the next npm install.

In short, how often you update depends on the size and complexity of the project, the importance of security, and the stability of the packages. Apply security patches as soon as they are available, update frequently for small projects, update less frequently but still regularly for large projects, and combine version ranges with a committed lockfile so that updates are easy to pick up but builds stay reproducible.

Automating security vulnerability checks

If your project uses a CI/CD pipeline, integrate dependency auditing into it, so that a build fails, or at least warns, when a new vulnerability is published for something you depend on. This way you control how your project reacts to new package updates and security vulnerabilities instead of finding out by accident.

The simplest gate is npm audit itself with --audit-level set to the severity you are not willing to ship. OWASP Dependency-Check is a widely used alternative that covers more ecosystems than npm alone and has a Jenkins plugin if you use Jenkins for your CI/CD.
