Fast dependency updates for JavaScript projects, with safe writes, monorepo catalogs, and a reviewable plan/apply workflow when you need stronger guarantees.
Run depfresh from any project root. Recursive workspace discovery is on by default, so -r is not
needed.
# Bun
bunx depfresh@2.0.0
# pnpm
pnpm dlx depfresh@2.0.0
# npm
npm exec --yes --package=depfresh@2.0.0 -- depfresh
# Yarn
yarn dlx depfresh@2.0.0Node.js 24.15.0 or newer is required.
For a team or CI, pin depfresh in the project instead:
pnpm add -D --save-exact depfresh@2.0.0
pnpm exec depfreshdepfresh # show available updates
depfresh minor # allow minor and patch updates
depfresh major # include major updates
depfresh -w # write selected targets safely
depfresh -wI # choose updates interactively
depfresh --output json # structured compatibility output
depfresh --no-recursive # inspect only the root packagedepfresh -w updates package files while preserving their formatting. It does not run an install
or lifecycle scripts. Use the reviewed plan/apply workflow when lockfile, install, or verification
phases are required.
depfresh inspect --json > depfresh-inspect.json
depfresh plan --json > depfresh-plan.json
# Review depfresh-plan.json, then grant file-write authority for that exact plan.
depfresh apply --json --write --plan-file depfresh-plan.jsoninspectreads repository evidence without registry access, commands, config execution, or writes.planmay read the registry and declarative JSON config, but uses memory-only cache state and never writes.applyrejects stale, dirty, escaped, or changed targets. Configuration can select updates but can never grant write, install, process, network, or verification authority.- Unknown or incomplete evidence is kept as unknown; it is never converted into success.
Machine commands return 0 for a complete result without findings, 1 for a schema-valid result
with findings or a non-success apply state, and 2 for a fatal contract or runtime error. Their
JSON output is still valid on exit 1.
See automation and machine workflows for schemas, lockfile phases, artifact verification, and CI examples.
depfresh supports npm, pnpm, Yarn, and Bun workspaces. Pnpm, Yarn, and Bun catalogs include shared
and named catalogs. Add a declarative .depfreshrc.json when one part of a workspace needs a
different update policy:
{
"ignorePaths": ["**/.worktrees/**", "tmp/**"],
"policyRules": [
{
"id": "skip-native-catalog",
"selectors": { "catalogName": "^native$" },
"action": "exclude"
},
{
"id": "skip-native-direct",
"selectors": {
"workspacePath": "^apps/native$",
"catalogRole": "direct"
},
"action": "exclude"
}
]
}The first rule freezes the physical native catalog and all of its consumers. The second freezes
dependencies declared directly in apps/native. Dependencies in the default catalog stay
eligible, even when a native app consumes them. Put native-only packages in the named native
catalog or add an exact rule for their physical catalog owner.
Path ignores control repository discovery; they are not dependency policy. inspect deliberately
does not load project config, so pass repository-specific discovery additions explicitly when
needed:
depfresh inspect --json --ignore-paths '**/.worktrees/**,tmp/**'CLI ignore additions retain the built-in safety exclusions for node_modules, dist, coverage,
and .git.
- npm, pnpm, Yarn, and Bun workspaces; pnpm, Yarn, and Bun catalogs
- npm, JSR, GitHub, alias, workspace, override, and resolution declarations
- seven update modes:
default,major,minor,patch,latest,newest, andnext - private registries and scoped
.npmrcconfiguration for normal dependency resolution - formatting-preserving, stale-safe manifest and catalog writes
- deterministic inspect, plan, apply, and global-operation JSON contracts
- SQLite registry cache with an automatic in-memory fallback
- runtime, peer, cohort, release, deprecation, and evidence-completeness signals
- optional exact public-npm artifact verification with npm 11.12.x
Deliberate limits are documented rather than hidden: manager execution is supported on Linux and
macOS; Yarn manager execution, Windows manager execution, and legacy bun.lockb are unsupported.
File replacement is atomic per file, not across an entire repository. Exact artifact verification
is limited to the public npm registry and does not inherit project npm configuration.
- CLI reference
- Configuration and policy
- Workspace and catalog behavior
- Programmatic API
- Output contracts
- GitHub Action and integrations
- Troubleshooting
- 2.0.0 release notes
depfresh is a from-scratch successor inspired by taze and the work of its contributors. The migration guide explains the practical differences: coming from taze.
MIT - Vibe Code