On smaller projects, dependencies drift out of date faster than you can keep up, and npm itself doesn't ship a bulk-upgrade command — npm outdated shows what's stale, npm update only bumps within the existing semver range, and editing package.json by hand is a chore. npm-check-updates (ncu) closes that gap.
ncu in 30 seconds
Install it globally, or skip the install and run it via npx:
1npm install -g npm-check-updates
2# or
3npx -y npm-check-updates@latestIn your project directory, list what's outdated:
1ncuRewrite every entry in package.json past the existing semver range to its latest stable:
1ncu -uThen install:
1npm inpm i regenerates the lockfile around the new versions. After a big jump, deleting package-lock.json first gives you a cleaner regeneration.
The flags worth knowing
| Flag | What it does |
|---|---|
-u, --upgrade | Write the new versions back to package.json. Without it, ncu is read-only |
-t, --target <type> | Pick the target: latest (default, latest stable), greatest (includes prereleases), newest, minor, patch, @next, or a semver range |
-i, --interactive | Pick packages row-by-row instead of all-or-nothing |
-f, --filter <regex> | Only check matching packages, e.g. ncu -f /^@types/ |
--reject <regex> | The inverse — leave matching packages alone |
--workspaces, --deep | Walk a monorepo and upgrade nested package.json files |
--doctor | Run npm install and your test command per upgrade, reverting any that break the build |
--jsonUpgraded | Print only the packages that would be upgraded as JSON, for scripting |
In a 2026 stack
The other package managers ship their own version of this:
- pnpm:
pnpm up --latest - bun:
bun update --latest - yarn (berry):
yarn up '*'
ncu still wins for npm projects and for --doctor mode — upgrading packages one at a time, running tests, and auto-reverting anything that breaks isn't built into the others.
Pair it with npm audit for vulnerability-driven bumps; ncu is for the routine drift.