Skip upgrading a dependency if set to a specific version? #436

Closed
oleersoy opened this issue May 9, 2018 · 8 comments

@oleersoy

oleersoy commented May 9, 2018

Based on what I'm seeing, npm check updates everything it can find to update. I was hoping it would only update things with a ^ character in the version?

For example this updates:

multer            ^0.1.8  →   ^1.0.1

But this does not

multer            0.1.8  →   0.1.8 

Thoughts?

The reason I'm requesting this is I have dependencies that are updating, like postcss-custom-properties but the build they are updating to is broken so ...

@raineorshine
Owner

Hi, thanks for posting. I could definitely see this being useful. Currently ncu only filters against the package name. It would be a good addition to offer a command line option to filter against the specified version as well.

In the meantime, you will have to explicitly exclude packages, e.g.

ncu -x postcss-custom-properties

@yvbeek

yvbeek commented May 30, 2018

I would expect this to be default behavior.

When I pin a version with 0.1.8 instead of ^0.1.8 I'm choosing not to update that package to the latest version, I just want to keep it at 0.1.8.

Could this perhaps be changed?
Basically just ignore all packages that have fixed versions.

@prantlf

prantlf commented Jun 3, 2018

I upgrade all modules in package.json from time to time. I use pinned dependencies. Running ncu for modules with pinned versions is a convenient way of checking and upgrading npm modules only when wanted, being pinned or not.

If ncu should ignore npm modules with exact version, I'd prefer introducing a command line option for it, to be able to still use the original functionality. Running npm outdated checks npm modules with pinned version too.

@prantlf

prantlf commented Jun 4, 2018

.ncurc can be used to list packages, which should not be touched by ncu, having pinned version or not.

@yvbeek

yvbeek commented Jun 5, 2018

@prantlf I don't agree. When you specify an exact version number it is the developer's intent to stay at the specific version. There are many ways to specify a flexible version number:
https://docs.npmjs.com/misc/semver#ranges

NCU should honor these versioning rules. Upgrading pinned versions is risky, but you can always introduce something like --upgradePinned.

@raineorshine
Owner

To clarify, the main purpose of ncu is to break versioning rules. npm is good at performing non-breaking upgrades. It is not so good at performing controlled breaking version upgrades, hence ncu. (A feature I'd love to add is the ability to run unit tests for each upgrade to determine if it actually breaks anything.)

That said, people have a variety of needs around dependency management, and there should be a flag in ncu to optionally exclude fixed version numbers.

@raineorshine
Owner

Closed with the revive-me tag for interested contributors. See #484.

@raineorshine
Owner

--filterVersion and --rejectVersion added in v10.2.0, allowing filtering based on the version string.

e.g. You can exclude exact versions by filtering only ranges:

ncu --filterVersion "/^[~^<>]| - |\.x$/"
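
Added example, not part of the original thread and not ncu's own code: it runs the pattern from the command above over constructed dependency specs to show which entries it selects, and which npm range forms it leaves alongside the exact versions. Assumptions: the filter is a plain regex test on the version string as written in package.json; the package names and the `EXACT_VERSION` helper are hypothetical.

```javascript
// The pattern from the command above: matches specs that start with a range
// operator, contain a hyphen range (" - "), or end in ".x".
const RANGE_PATTERN = /^[~^<>]| - |\.x$/;

// Constructed sample dependencies (hypothetical package names).
const sampleDependencies = {
  "pkg-caret": "^0.1.8",
  "pkg-exact": "0.1.8",
  "pkg-tilde": "~1.2.3",
  "pkg-gte": ">=2.0.0",
  "pkg-hyphen": "1.0.0 - 1.5.0",
  "pkg-x": "1.2.x",
  "pkg-star": "*",              // any version
  "pkg-partial": "1.2",         // npm semver treats this like 1.2.x
  "pkg-or": "1.2.3 || 2.0.0",   // union of two versions
};

// Split dependencies into those the pattern selects (candidates for upgrade)
// and those it skips (left at their current spec).
function partitionByFilter(dependencies, pattern = RANGE_PATTERN) {
  const selected = [];
  const skipped = [];
  for (const [name, spec] of Object.entries(dependencies)) {
    (pattern.test(spec) ? selected : skipped).push(name);
  }
  return { selected, skipped };
}

// Helper (assumption of this example): a single exact x.y.z version,
// optionally with "=", "v", prerelease and build metadata.
const EXACT_VERSION =
  /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Skipped entries that are not actually pinned to one exact version.
function skippedButNotExact(dependencies, pattern = RANGE_PATTERN) {
  return partitionByFilter(dependencies, pattern).skipped.filter(
    (name) => !EXACT_VERSION.test(dependencies[name].trim())
  );
}

const result = partitionByFilter(sampleDependencies);
console.log("selected for upgrade:", result.selected);
console.log("skipped:", result.skipped);
console.log("skipped but not exact:", skippedButNotExact(sampleDependencies));
```

The last list is worth reviewing in a real package.json: those specs are skipped by the filter even though they still float at install time.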
