# update-packages

This project is in an early alpha stage. Please use with extreme caution, as it can alter your local and remote Git repositories, install npm packages, etc. It is recommended to test with a smaller folder or a single repository first.
The steps that are taken are as follows:

- Look through command line options and any config file
- Find and cycle through the (non-hidden and non-excluded) targeted Git repository(ies) with `package.json` files.
- Get the current branch name and save it for later restoration
- If upgrading:
  - Detect the original branch so as to be able to switch back to it afterward (including upon error)
  - Switch to the targeted `branchName` (defaulting to `master`)
  - Upon erring in any of the following non-recovering steps, switch back to the saved branch.
- Check for npm package updates, updating if so requested
- If not upgrading, stop these steps.
- Attempt to run a local npm install (for the updates)
- Attempt to run an npm security audit and fix any automatable vulnerabilities where possible
- Run an npm test against the repository package
- Add any unstaged files to Git staging
- Attempt a local commit (without global credentials)
  - Upon failing, retrieve global Git config info and use it for a global commit attempt
- Push to `origin`
  - Get remote names
  - Push to each relevant remote
- Save a report for potential future querying and resumption
- After all items complete, give a final report of tasks completed (at end), sorted by stage of final failure (if any)
## Installation

Globally:

```shell
npm install -g update-packages
```

Or locally (for development):

```shell
npm install -D update-packages
```

## Command line usage

To view as non-embedded HTML or SVG files (for copy-pasteable commands):
## To-dos

- Configuration
  - Allow optional `npm version`/semver (which can bump version as appropriate per versions updated, do tagging (including a commit template with `%s` as variable for version number)) and/or publishing via `npm publish`; don't publish if `private` in `package.json` is `true`; option to only version if last was another versioned commit; allow adding old and resulting version to commit message as well as devDep vs. dep.
- Document scripts for querying JSON out of report file (e.g., to find when last queried); currently using `jq` (though see https://github.com/s3u/JSONPath/issues/105 for desired `jsonpath-plus` support)? Reformat report JSON if not ideal for querying.
## Possible future to-dos

- Add tests
  - Test master config file (as well as CLI) for indication of:
    - Which repositories to include or exclude (in subdirectories)
    - Which remotes to push to if any (by default when available and as exceptions)
  - Test pushing to multiple and alternate remote names besides `origin`.
  - Test chunking/timing tasks to avoid heap error.
  - Ensure still getting `token`
  - Ensure `npm-check-updates` is taking into account `ncurc` files!
- Add a confirm updates option
- Configuration
  - Option to only perform operations if branch isn't switched
  - We could configure by repo the following: ncu, branch, commit message, audit fix, and npm script (by default when available and as exceptions), but this is less critical, especially for ncu as it accepts config file
  - Option to only apply if author is matched (e.g., to oneself)
  - Option to stop if can't fix all security issues
- Work with commit hooks
- Add optional automated license check, lint fixing, etc. (if `npm test` doesn't handle)?
- Allow npm script to run (in place of test)
- Collect and report back deprecated warnings for outdated/renamed packages (not performed currently by `npm-check-updates`); one can get info on a package with `npm view <package name> deprecated --json` (to get JSON string (e.g., `opn-cli`) or get nothing if not deprecated) but doesn't seem to show with `npm ls` or extended `npm la`.
- We might ideally allow subscribing to an RSS feed of security notices so as to regularly poll for security updates and upon encountering one which was in a cached map of dependencies, would attempt to commit an update to that repo.
- Could tap into https://github.com/npm/registry/blob/master/docs/follower.md (after caching info on all `package-lock.json` files) for auto-updating when changes to our repositories occur.