Fast multi-ecosystem dependency updater: package.json, Cargo.toml, pyproject.toml in a single CLI (like npm-check-updates for every language)
Project description
dependency-check-updates
Dependency Check & Update — a fast, multi-ecosystem dependency updater written in Rust.
Like npm-check-updates, but for every language.
$ dcu
Checking Cargo.toml
toml_edit 0.22 -> 0.25.4
Checking .github/workflows/CI.yml
actions/checkout v4 -> v5
actions/setup-node v4 -> v5
Run dcu -u to upgrade
dcuis a short alias installed alongsidedependency-check-updates. Both commands are identical — use whichever you prefer.
Quick Start (Zero Install)
No install needed — run straight from your package manager's ephemeral runner:
# Node.js ecosystem
bunx @dependency-check-updates/cli
npx @dependency-check-updates/cli
# Python ecosystem
uvx dependency-check-updates
pipx run dependency-check-updates
All four accept the same flags described in Usage.
Features
- Multi-ecosystem —
package.json,Cargo.toml,pyproject.toml, and.github/workflows/*.ymlall handled by a single binary - Format-preserving — surgical byte-range patching for JSON / YAML;
toml_editfor TOML. Your indentation, comments, trailing newlines, and key ordering stay intact - Fast — concurrent registry lookups across all manifests via
futures::join_all - Smart range checking — skips false positives where the resolved version already satisfies the current range (
^3already covers3.5.1) - Deep scan —
-drecursively finds manifests in monorepos, respecting.gitignore - ncu-compatible UX — the same flags you already know from
npm-check-updates - Short alias — type
dcuinstead ofdependency-check-updates; both are installed by every distribution - CI-friendly —
-e 2exits non-zero when updates exist;--format jsonemits machine-readable output
Supported Ecosystems
| Ecosystem | Manifest | Registry | Package |
|---|---|---|---|
| Node.js | package.json |
npm | @dependency-check-updates/cli |
| Rust | Cargo.toml |
crates.io | dependency-check-updates |
| Python | pyproject.toml |
PyPI | dependency-check-updates |
| GitHub Actions | .github/workflows/*.yml, action.yml |
GitHub Tags API | (built-in) |
GitHub Actions specifics
- Discovers every
*.yml/*.yamlunder.github/workflows/and anyaction.yml/action.yamlat the repo root automatically. Composite actions nested under.github/actions/**/are picked up with-d. - Scans
uses: owner/repo@refdirectives. Refs without version digits —@main,@master, branch names, and full commit SHAs — are left untouched on purpose; they pin a moving target intentionally. - Tag prefix is preserved:
@v5updates to@v6(major float),@v5.1.0updates to@v6.0.0(full precision). Bare semver without thev(@1.2.3,@5) is recognised and tracked the same way. - Duplicate rows are collapsed in the output — if
actions/checkout@v5appears in 12 jobs, you see one row, not twelve. The patch engine still updates every occurrence in the file. - Rate limit: unauthenticated runs use GitHub's 60 req/hr ceiling. Hitting it produces an explicit error pointing to the fix — set
GITHUB_TOKEN(orGH_TOKEN) in your environment to raise the limit to 5 000 req/hr. - Tag fetch is bounded to the first 100 tags per action (newest-first). This comfortably covers every mainstream action; deliberately not paginating keeps API consumption predictable so deep scans don't spike into the rate-limit ceiling.
Installation
Every distribution below ships the exact same binary. Pick whichever matches your toolchain.
Rust (Cargo)
cargo install dependency-check-updates
Installs commands: dependency-check-updates and dcu (short alias).
Node.js (npm / bun / pnpm / yarn)
Permanent global install:
npm install -g @dependency-check-updates/cli
bun add -g @dependency-check-updates/cli
pnpm add -g @dependency-check-updates/cli
yarn global add @dependency-check-updates/cli
Installs commands: dependency-check-updates and dcu (short alias).
One-off execution (no install):
bunx @dependency-check-updates/cli [flags]
npx @dependency-check-updates/cli [flags]
Python (pip / uv / pipx)
Permanent isolated install:
pipx install dependency-check-updates
uv tool install dependency-check-updates
Install inside a virtualenv:
pip install dependency-check-updates
uv pip install dependency-check-updates
Installs commands: dependency-check-updates and dcu (short alias).
One-off execution (no install):
uvx dependency-check-updates [flags]
pipx run dependency-check-updates [flags]
Usage
Run from a directory containing at least one of package.json, Cargo.toml, pyproject.toml, or .github/workflows/*.yml. Every supported manifest in the current directory is auto-detected.
All examples below use the short dcu alias. The long form dependency-check-updates works identically.
Basic
# Check for outdated dependencies (read-only, nothing is written)
dcu
# Apply updates in place (format-preserving)
dcu -u
# Recursively scan subdirectories (monorepo-friendly, respects .gitignore)
dcu -d
dcu -d -u
All Options
Usage: dcu [OPTIONS] [FILTER]...
| Flag | Description | Default |
|---|---|---|
[FILTER]... |
Positional package names to include (allowlist; repeatable) | (all) |
-u, --upgrade |
Write updated versions back to the manifest file | off |
-d, --deep |
Recursively scan subdirectories, respecting .gitignore |
off |
-t, --target <LEVEL> |
Version target: patch · minor · latest · newest · greatest |
latest |
-x, --reject <PATTERN> |
Exclude packages by name (repeatable) | — |
--manifest <PATH> |
Operate on a single specific manifest file | (auto) |
--format <FORMAT> |
Output format: table or json |
table |
-e, --error-level <N> |
1 = always exit 0 · 2 = exit 1 when updates exist (CI gate) |
1 |
-v, --verbose |
Increase verbosity: -v info · -vv debug · -vvv trace |
off |
-h, --help |
Print help | — |
-V, --version |
Print version | — |
-t, --target values
| Value | Behavior |
|---|---|
patch |
Only patch bumps (e.g., 1.0.1 → 1.0.2) |
minor |
Patch + minor bumps (e.g., 1.0.0 → 1.1.0) |
latest |
Latest stable version; prereleases are skipped (default) |
newest |
Most recently published version by publish date |
greatest |
Highest version number, including prereleases |
Examples
# Target specific update level
dcu -t patch # patch only
dcu -t minor # minor + patch
dcu -t latest # default: latest stable
dcu -t greatest # include prereleases
# Filter packages — positional args act as an include-list
dcu react eslint # only check react and eslint
dcu -x typescript # exclude typescript
dcu -x typescript -x lodash
# Filter GitHub Actions by owner — same filter syntax works across ecosystems
dcu actions # only actions/checkout, actions/setup-node, …
# Operate on a specific manifest
dcu --manifest path/to/Cargo.toml
dcu --manifest apps/web/package.json
dcu --manifest .github/workflows/CI.yml
# Machine-readable output for scripting/CI
dcu --format json
# CI gate: exit 1 if any updates are available
dcu -e 2
# Verbose logging (accumulating)
dcu -v # info
dcu -vv # debug
dcu -vvv # trace
# Combining flags — recursive, patch-only upgrade in a monorepo
dcu -d -u -t patch
# GitHub Actions: pin a higher rate limit by exporting a token
GITHUB_TOKEN=ghp_xxx dcu -d -u
Zero-Install Examples
Every example above works identically via the ephemeral runners, too:
bunx @dependency-check-updates/cli # check
bunx @dependency-check-updates/cli -u # apply updates
bunx @dependency-check-updates/cli -d -t minor # deep scan, minor bumps
bunx @dependency-check-updates/cli react eslint # filter
npx @dependency-check-updates/cli --format json
uvx dependency-check-updates
uvx dependency-check-updates -d -u -t patch
pipx run dependency-check-updates --format json
Architecture
Follows the changepacks pattern — one crate per language ecosystem, with bridge crates for cross-language distribution:
.
├── crates/
│ ├── cli/ # Binary + async CLI orchestration (installs `dcu` + `dependency-check-updates`)
│ ├── core/ # Shared traits (ManifestHandler, RegistryClient, Scanner)
│ ├── node/ # Node.js: package.json parser + npm registry
│ ├── rust/ # Rust: Cargo.toml parser (toml_edit) + crates.io
│ ├── python/ # Python: pyproject.toml parser (toml_edit) + PyPI
│ └── github/ # GitHub Actions: workflow YAML parser + GitHub Tags API
├── bridge/
│ ├── node/ # napi-rs N-API binding → npm: @dependency-check-updates/cli
│ └── python/ # maturin bin binding → PyPI: dependency-check-updates
├── Cargo.toml # Workspace root
└── package.json # Bun workspace (build/lint/test scripts)
Format Preservation
- JSON (
package.json): Surgical byte-range replacement — finds exact byte offsets of version values and replaces only those bytes. Indent, line endings, trailing newline, and key ordering are preserved byte-for-byte. - TOML (
Cargo.toml,pyproject.toml):toml_editdocument model preserves comments, table ordering, inline-table formatting, and whitespace. - YAML (
.github/workflows/*.yml,action.yml): Line-baseduses:scanning with byte-range replacement of only the@refportion. Anchors, comments, blank lines, and unrelated@main/@<sha>pins are never touched.
Shared Traits
Each ecosystem crate implements two core traits from dependency-check-updates-core:
ManifestHandler— parse manifests, collect dependencies, apply format-preserving updatesRegistryClient— resolve versions from package registries with concurrency control
Range Satisfaction
Before reporting an update, the resolver checks whether the selected version already satisfies the current range (e.g., ^3 already covers 3.5.1). This eliminates the false positives that plague naive string comparison.
Development
Build prerequisites:
- Rust 1.85+ (stable toolchain)
- Bun 1.0+ (or Node.js 18+ with npm)
- Python 3.11+ with
maturin(only for the Python wheel step) - Windows: Visual Studio 2022 Build Tools (MSVC linker)
# First-time setup: install JS toolchain deps (@napi-rs/cli, etc.)
bun install
# Build everything (native CLI + napi .node + maturin wheel)
bun run build
# Dev build (faster, unoptimized)
bun run build:dev
# Lint (cargo clippy + rustfmt + bun workspace lints)
bun run lint
bun run lint:fix
# Test (cargo test --workspace + bun workspace tests)
bun run test
# Run CLI from source
bun run run -- --help
bun run run -- --manifest Cargo.toml -v
bun run run:release -- -d
Inspirations
- npm-check-updates — the original
ncuthat inspired this tool's UX and flag design - changepacks — the workspace architecture pattern (
crates/*+bridge/*), multi-language bridge distribution via napi-rs and maturin, and the overall project structure
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distributions
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dependency_check_updates-0.1.13-py3-none-win_amd64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-win_amd64.whl
- Upload date:
- Size: 6.4 MB
- Tags: Python 3, Windows x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cbd06e59c2b2a6e3c68e25c67bcfaff2fa2bf7474e10e438041928e4afda279c
|
|
| MD5 |
9294370c6496d6a2e0d66fb095dff58c
|
|
| BLAKE2b-256 |
ed690d8d7109f0e01cb9fcf938f060c1e9f1b9aaee09e199bf1759050eb5b6df
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-win32.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-win32.whl
- Upload date:
- Size: 5.4 MB
- Tags: Python 3, Windows x86
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e329bf59daeb26202042ed81da455350ddfdcb47c3290e1b528d3498abdd663b
|
|
| MD5 |
f06b8b10022e141871fd607c580dcbbe
|
|
| BLAKE2b-256 |
23a3ed370640ddd12832ee65ac8134a38d4b3612cd0baecd52878173dc89dc2a
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_x86_64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-musllinux_1_2_x86_64.whl
- Upload date:
- Size: 6.9 MB
- Tags: Python 3, musllinux: musl 1.2+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
467b2bb556dbb340467235434a0fd8e4c87fc39cd9fb956fc7cda96af81dd86e
|
|
| MD5 |
27bc2a684e712088c09fe8712ac65a72
|
|
| BLAKE2b-256 |
7ed5f8006899aa5563903664f3860965b463b419a69bed5bb8fa114eeafef360
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_i686.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-musllinux_1_2_i686.whl
- Upload date:
- Size: 6.6 MB
- Tags: Python 3, musllinux: musl 1.2+ i686
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bdfe48a35e760901d4b818913de9d26c524992a1ab0f05af6d7c4872b5e89826
|
|
| MD5 |
97779fac0a9213b92bd323acb138d3ea
|
|
| BLAKE2b-256 |
9926cf279e2764824bb187bedf4d1667b9d8563b48347d33d93811e5e1f01374
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_armv7l.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-musllinux_1_2_armv7l.whl
- Upload date:
- Size: 5.8 MB
- Tags: Python 3, musllinux: musl 1.2+ ARMv7l
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3f28d0a2455c216a256d5d0988dee2e0eabd9fe96b315289c019a282aa4fed14
|
|
| MD5 |
0aabcd6af4692b95d5296808ccedd355
|
|
| BLAKE2b-256 |
0d508a450e7d41a77ad585271e0e8a7a0e421d2aacd929e976f70ffd0284dc8d
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_aarch64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-musllinux_1_2_aarch64.whl
- Upload date:
- Size: 6.4 MB
- Tags: Python 3, musllinux: musl 1.2+ ARM64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f9c083ca573c8b61593f5bb8ead8120ccf12d076889af806d2c55b39113304ae
|
|
| MD5 |
76e8cbb5ead004f1422b0a5e0698b914
|
|
| BLAKE2b-256 |
96c7e65c7b2ddfdae1e141f9916b99c41d11c9e9ded9ebaa99b446d4e7f17b53
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
- Upload date:
- Size: 6.8 MB
- Tags: Python 3, manylinux: glibc 2.17+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
63600709b968b9bf0ee9aa309593fee28b00dbfb5cfccb54c7b33da9c8d7327c
|
|
| MD5 |
0af7e960dfcd4c0379d4c65ec58a66e7
|
|
| BLAKE2b-256 |
7a32e642da5f30558277beef3337aa971be95841915f478b6834b734d9fdbd51
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl
- Upload date:
- Size: 7.8 MB
- Tags: Python 3, manylinux: glibc 2.17+ ppc64le
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e0899d734ad35d9b9a77ecb0854e0d1bef494bad4a742a258e85ae264acf93ca
|
|
| MD5 |
da0d3dbdb56aa1cb5eef2f6c7c5af4c2
|
|
| BLAKE2b-256 |
616c6f4a4ae36d7938ba6b87fa8cc22e347bb67a1b0f19c2b42aee40d4d886cf
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl
- Upload date:
- Size: 6.9 MB
- Tags: Python 3, manylinux: glibc 2.17+ i686
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6929e12dd016e93b6d028e7dee40589de690cbb918e682f17507419824a737c4
|
|
| MD5 |
332ce8ae04c87278df5f88fe6fb7e739
|
|
| BLAKE2b-256 |
7c80b255a75883e4b5a1fbfc8682c85b938efe9fd6d06602d4a73af53b40a01b
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl
- Upload date:
- Size: 5.9 MB
- Tags: Python 3, manylinux: glibc 2.17+ ARMv7l
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1fde05cb09f73f53dff91495f92b17b4d5c23584ef3315fbcb3cce12f7e3e93a
|
|
| MD5 |
15e2a6911e7edda8fd6cb5d145d4ab8c
|
|
| BLAKE2b-256 |
7e180ed71543f38fc388d8fa3315c1e6cc8164c69e92ffae6c8f92a9faafbacd
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
- Upload date:
- Size: 6.4 MB
- Tags: Python 3, manylinux: glibc 2.17+ ARM64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7d2e7655512586d117c1acb1052b1a13b228a8ce1a6341397b69d9a5be3c2851
|
|
| MD5 |
fcbb486b9f7146aa990d07e5849e7b2d
|
|
| BLAKE2b-256 |
9e4cf9ef3758db532348ad6b85b885fee9badb6433fcd991a3add1496a14011f
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-macosx_11_0_arm64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-macosx_11_0_arm64.whl
- Upload date:
- Size: 6.3 MB
- Tags: Python 3, macOS 11.0+ ARM64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9fdec3faffcc5d08d0f72549620fd3150ca0e8f2c134195f26d19056304eaa95
|
|
| MD5 |
aada895fd070afcac64e61721d4760bf
|
|
| BLAKE2b-256 |
d7a2c57ff7ad30adfe7451266e178871d9e453c620f54fbd9d2ce179afd9fe0c
|
File details
Details for the file dependency_check_updates-0.1.13-py3-none-macosx_10_12_x86_64.whl.
File metadata
- Download URL: dependency_check_updates-0.1.13-py3-none-macosx_10_12_x86_64.whl
- Upload date:
- Size: 6.5 MB
- Tags: Python 3, macOS 10.12+ x86-64
- Uploaded using Trusted Publishing? No
- Uploaded via: maturin/1.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9ba511a902b1262031d3aaa8d1674aae0210f57a8f59c0baff8ca072a0054135
|
|
| MD5 |
08b34af169be667483b2ced235b53019
|
|
| BLAKE2b-256 |
ad46a2dfaece98f58cd72d5b0fc7f27150034f47889e0ed4886b4fcf44e64d01
|