ScriptsJul 14, 2026·3 min read

npm-check-updates — Find Newer Versions of Your Dependencies

npm-check-updates (ncu) upgrades your package.json dependencies to the latest versions, ignoring specified version constraints, so you always know what can be updated.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
npm-check-updates
Direct install command
npx -y tokrepo@latest install 3ee4925d-7f3c-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

npm-check-updates (commonly called ncu) finds newer versions of dependencies than what your package.json currently allows. It respects semver ranges by default but can upgrade past them, giving you full control over when and how you update.

What npm-check-updates Does

  • Scans package.json and reports all dependencies with newer versions available
  • Upgrades version constraints in package.json to match the latest published versions
  • Supports filtering by package name, dependency type, or semver level (major, minor, patch)
  • Works with npm, yarn, pnpm, and bun lockfiles
  • Provides interactive mode for selectively choosing which packages to upgrade

Architecture Overview

ncu reads your package.json, queries the npm registry (or a configured private registry) for the latest versions of each dependency, compares them against current constraints, and optionally rewrites package.json. It uses the npm registry API directly and does not require a local node_modules directory.

Self-Hosting & Configuration

  • Install globally: npm install -g npm-check-updates, or run via npx
  • Configure with .ncurc.js or .ncurc.json in your project root
  • Set a default target version level: --target minor, --target patch, or --target latest
  • Filter packages with --filter or --reject glob patterns
  • Use --peer to include peerDependencies in the check

Key Features

  • Interactive mode (--interactive) lets you pick which updates to apply one by one
  • Doctor mode (--doctor) runs tests after each upgrade and reverts if they fail
  • Supports monorepos: scan workspaces with --workspaces flag
  • Group-by-major output shows which upgrades involve breaking changes
  • Deep mode checks installed packages in addition to package.json declarations

Comparison with Similar Tools

  • npm outdated — Built-in npm command showing outdated packages but cannot upgrade package.json automatically
  • npm-check — Similar tool with an interactive UI; ncu is more focused on version bumping with deeper filtering
  • Renovate — Automated bot that opens PRs; ncu is a local CLI for manual or CI-driven upgrades
  • Dependabot — GitHub-integrated update service; ncu runs anywhere without requiring GitHub

FAQ

Q: Does ncu modify node_modules or the lockfile? A: No. ncu only modifies package.json. You run npm install (or yarn/pnpm) yourself afterward to update the lockfile and node_modules.

Q: Can I use ncu in CI to fail if dependencies are outdated? A: Yes. Run ncu with --errorLevel 2 and it exits with a non-zero code when upgradeable packages are found.

Q: How do I exclude specific packages from upgrades? A: Use --reject or add a reject list to your .ncurc.js config file.

Q: Does it work with private registries? A: Yes. ncu respects your .npmrc registry configuration and supports custom registry URLs via the --registry flag.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets