Skip to content

vcode-sh/depfresh

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

112 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

depfresh

npm version CI License: MIT Node.js

Fast dependency updates for JavaScript projects, with safe writes, monorepo catalogs, and a reviewable plan/apply workflow when you need stronger guarantees.

Try it

Run depfresh from any project root. Recursive workspace discovery is on by default, so -r is not needed.

# Bun
bunx depfresh@2.0.0

# pnpm
pnpm dlx depfresh@2.0.0

# npm
npm exec --yes --package=depfresh@2.0.0 -- depfresh

# Yarn
yarn dlx depfresh@2.0.0

Node.js 24.15.0 or newer is required.

For a team or CI, pin depfresh in the project instead:

pnpm add -D --save-exact depfresh@2.0.0
pnpm exec depfresh

Everyday commands

depfresh                 # show available updates
depfresh minor           # allow minor and patch updates
depfresh major           # include major updates
depfresh -w              # write selected targets safely
depfresh -wI             # choose updates interactively
depfresh --output json   # structured compatibility output
depfresh --no-recursive  # inspect only the root package

depfresh -w updates package files while preserving their formatting. It does not run an install or lifecycle scripts. Use the reviewed plan/apply workflow when lockfile, install, or verification phases are required.

Safe plan and apply

depfresh inspect --json > depfresh-inspect.json
depfresh plan --json > depfresh-plan.json

# Review depfresh-plan.json, then grant file-write authority for that exact plan.
depfresh apply --json --write --plan-file depfresh-plan.json
  • inspect reads repository evidence without registry access, commands, config execution, or writes.
  • plan may read the registry and declarative JSON config, but uses memory-only cache state and never writes.
  • apply rejects stale, dirty, escaped, or changed targets. Configuration can select updates but can never grant write, install, process, network, or verification authority.
  • Unknown or incomplete evidence is kept as unknown; it is never converted into success.

Machine commands return 0 for a complete result without findings, 1 for a schema-valid result with findings or a non-success apply state, and 2 for a fatal contract or runtime error. Their JSON output is still valid on exit 1.

See automation and machine workflows for schemas, lockfile phases, artifact verification, and CI examples.

Skip native or Expo updates in a monorepo

depfresh supports npm, pnpm, Yarn, and Bun workspaces. Pnpm, Yarn, and Bun catalogs include shared and named catalogs. Add a declarative .depfreshrc.json when one part of a workspace needs a different update policy:

{
  "ignorePaths": ["**/.worktrees/**", "tmp/**"],
  "policyRules": [
    {
      "id": "skip-native-catalog",
      "selectors": { "catalogName": "^native$" },
      "action": "exclude"
    },
    {
      "id": "skip-native-direct",
      "selectors": {
        "workspacePath": "^apps/native$",
        "catalogRole": "direct"
      },
      "action": "exclude"
    }
  ]
}

The first rule freezes the physical native catalog and all of its consumers. The second freezes dependencies declared directly in apps/native. Dependencies in the default catalog stay eligible, even when a native app consumes them. Put native-only packages in the named native catalog or add an exact rule for their physical catalog owner.

Path ignores control repository discovery; they are not dependency policy. inspect deliberately does not load project config, so pass repository-specific discovery additions explicitly when needed:

depfresh inspect --json --ignore-paths '**/.worktrees/**,tmp/**'

CLI ignore additions retain the built-in safety exclusions for node_modules, dist, coverage, and .git.

What depfresh handles

  • npm, pnpm, Yarn, and Bun workspaces; pnpm, Yarn, and Bun catalogs
  • npm, JSR, GitHub, alias, workspace, override, and resolution declarations
  • seven update modes: default, major, minor, patch, latest, newest, and next
  • private registries and scoped .npmrc configuration for normal dependency resolution
  • formatting-preserving, stale-safe manifest and catalog writes
  • deterministic inspect, plan, apply, and global-operation JSON contracts
  • SQLite registry cache with an automatic in-memory fallback
  • runtime, peer, cohort, release, deprecation, and evidence-completeness signals
  • optional exact public-npm artifact verification with npm 11.12.x

Deliberate limits are documented rather than hidden: manager execution is supported on Linux and macOS; Yarn manager execution, Windows manager execution, and legacy bun.lockb are unsupported. File replacement is atomic per file, not across an entire repository. Exact artifact verification is limited to the public npm registry and does not inherit project npm configuration.

Documentation

From taze

depfresh is a from-scratch successor inspired by taze and the work of its contributors. The migration guide explains the practical differences: coming from taze.

License

MIT - Vibe Code

About

depfresh. Spiritual successor to taze. Keep your npm dependencies fresh. Fast, correct, zero-config.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Sponsor this project

 

Packages

 
 
 

Contributors