Updating JS Dependencies the Right Way
Most people update dependencies wrong. They run pnpm update --latest on everything and hope nothing breaks. Here's how to actually do it.
Install pnpm via Corepack
Node.js has shipped with Corepack since v16.13. Update Corepack first; older releases have a known issue with outdated signatures.
npm install --global corepack@latest
corepack enable pnpm
Pin the version to your project so everyone runs the same thing.
corepack use pnpm@latest-10
This adds a packageManager field to your package.json. Corepack picks it up automatically.
If you installed Node.js via pnpm env, Corepack won't be on your system. Install it separately.
Audit First
pnpm outdated
pnpm audit
Know what you're working with before touching anything.
Understand Semver
Patch (~1.2.x) is safe. Minor (^1.x.x) is usually fine. Major (x.0.0) has breaking changes, so read the changelog before you take it.
Update with pnpm
pnpm update # updates within your semver ranges
pnpm update --latest # ignores ranges, pulls everything latest
If you want control over what gets bumped, do it per package.
pnpm update some-package --latest
Update in Batches
Update one thing at a time for anything critical. Don't blindly run --latest across the board.
Test Every Time
pnpm build
pnpm test
Make sure nothing is broken before moving on.
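One way to turn the audit, semver, batch and test steps above into a written-down plan (example code added here, not from the original post): it takes the JSON form of pnpm outdated, classifies each bump, and emits one --latest command per package with a build-and-test step after each. The field names current, wanted, latest and isDeprecated are assumed from pnpm outdated --json and should be checked against your pnpm version; the sample input is constructed. It goes one step beyond the post by treating a 0.x minor bump as breaking, since that is how caret ranges behave.

```javascript
// Added example, not from the original post: turn `pnpm outdated --json`
// into a batched update plan ordered by semver bump size.
// ASSUMED shape (check your pnpm): { "<name>": { current, latest, wanted, isDeprecated } }
// Constructed sample standing in for real `pnpm outdated --json` output.
const SAMPLE_OUTDATED = {
  "util-lib":         { current: "4.17.20", latest: "4.17.21", wanted: "4.17.21", isDeprecated: false },
  "web-framework":    { current: "4.18.2",  latest: "5.1.0",   wanted: "4.21.2",  isDeprecated: false },
  "schema-lib":       { current: "3.22.4",  latest: "3.24.1",  wanted: "3.22.4",  isDeprecated: false },
  "experimental-lib": { current: "0.4.1",   latest: "0.5.0",   wanted: "0.4.3",   isDeprecated: false },
  "legacy-client":    { current: "2.88.0",  latest: "2.88.2",  wanted: "2.88.2",  isDeprecated: true },
};

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; prerelease and build tags are dropped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[\w.-]+)?(?:\+[\w.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Size of the bump from `from` to `to`. A 0.x minor bump is breaking under a
// caret range (^0.4.1 stops at <0.5.0), so it is reported as "major".
function classifyBump(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (b.major !== a.major) return "major";
  if (b.minor !== a.minor) return a.major === 0 ? "major" : "minor";
  if (b.patch !== a.patch) return "patch";
  return "none";
}

// Split into in-range bumps (plain `pnpm update`), per-package --latest bumps
// by size, and deprecated packages that need a replacement rather than a bump.
function planUpdates(outdated) {
  const plan = { inRange: [], patch: [], minor: [], major: [], deprecated: [] };
  for (const [name, info] of Object.entries(outdated)) {
    if (info.isDeprecated) plan.deprecated.push(name);
    if (classifyBump(info.current, info.wanted) !== "none") plan.inRange.push(name);
    const bump = classifyBump(info.current, info.latest);
    if (bump !== "none" && classifyBump(info.wanted, info.latest) !== "none") plan[bump].push(name);
  }
  return plan;
}

// Emit batches in the post's order: in-range first, then one --latest per
// package from patch to major, with `pnpm build && pnpm test` after every step.
function renderCommands(plan) {
  const out = [];
  const step = (cmd) => out.push(cmd, "pnpm build && pnpm test");
  if (plan.inRange.length) step(`pnpm update  # in-range: ${plan.inRange.join(", ")}`);
  for (const level of ["patch", "minor"]) plan[level].forEach((n) => step(`pnpm update ${n} --latest  # ${level}`));
  plan.major.forEach((n) => step(`pnpm update ${n} --latest  # MAJOR: read the changelog first`));
  plan.deprecated.forEach((n) => out.push(`# ${n} is deprecated: find a maintained replacement`));
  return out;
}
```

Pipe the real output of pnpm outdated --json into planUpdates in place of the sample, and the printed lines are your batch list for the afternoon.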
Lock Your Lockfile
Commit pnpm-lock.yaml and use pnpm install --frozen-lockfile in CI. Never commit node_modules.
Automate It
Set up Renovate Bot. It opens PRs for updates automatically; you just review and merge. You shouldn't be tracking this manually.
Update small and often. Getting two major versions behind and fixing everything at once is how you lose a weekend.