Skip to main content

Fast multi-ecosystem dependency updater: package.json, Cargo.toml, pyproject.toml in a single CLI (like npm-check-updates for every language)

Project description

dependency-check-updates

CI Codecov deps.rs License: MIT

crates.io npm PyPI Rust 1.85+ Python 3.11+ Node

crates.io downloads npm downloads PyPI downloads

GitHub stars GitHub forks GitHub issues GitHub PRs Last commit Contributors

Dependency Check & Update — a fast, multi-ecosystem dependency updater written in Rust.

Like npm-check-updates, but for every language.

$ dcu
Checking Cargo.toml
 toml_edit  0.22  ->  0.25.4

Checking .github/workflows/CI.yml
 actions/checkout    v4  ->  v5
 actions/setup-node  v4  ->  v5

Run dcu -u to upgrade

dcu is a short alias installed alongside dependency-check-updates. Both commands are identical — use whichever you prefer.

Quick Start (Zero Install)

No install needed — run straight from your package manager's ephemeral runner:

# Node.js ecosystem
bunx @dependency-check-updates/cli
npx  @dependency-check-updates/cli

# Python ecosystem
uvx dependency-check-updates
pipx run dependency-check-updates

All four accept the same flags described in Usage.

Features

  • Multi-ecosystempackage.json, Cargo.toml, pyproject.toml, and .github/workflows/*.yml all handled by a single binary
  • Format-preserving — surgical byte-range patching for JSON / YAML; toml_edit for TOML. Your indentation, comments, trailing newlines, and key ordering stay intact
  • Fast — concurrent registry lookups across all manifests via futures::join_all
  • Smart range checking — skips false positives where the resolved version already satisfies the current range (^3 already covers 3.5.1)
  • Deep scan-d recursively finds manifests in monorepos, respecting .gitignore
  • ncu-compatible UX — the same flags you already know from npm-check-updates
  • Short alias — type dcu instead of dependency-check-updates; both are installed by every distribution
  • CI-friendly-e 2 exits non-zero when updates exist; --format json emits machine-readable output

Supported Ecosystems

Ecosystem Manifest Registry Package
Node.js package.json npm @dependency-check-updates/cli
Rust Cargo.toml crates.io dependency-check-updates
Python pyproject.toml PyPI dependency-check-updates
GitHub Actions .github/workflows/*.yml, action.yml GitHub Tags API (built-in)

GitHub Actions specifics

  • Discovers every *.yml / *.yaml under .github/workflows/ and any action.yml / action.yaml at the repo root automatically. Composite actions nested under .github/actions/**/ are picked up with -d.
  • Scans uses: owner/repo@ref directives. Refs without version digits — @main, @master, branch names, and full commit SHAs — are left untouched on purpose; they pin a moving target intentionally.
  • Tag prefix is preserved: @v5 updates to @v6 (major float), @v5.1.0 updates to @v6.0.0 (full precision). Bare semver without the v (@1.2.3, @5) is recognised and tracked the same way.
  • Duplicate rows are collapsed in the output — if actions/checkout@v5 appears in 12 jobs, you see one row, not twelve. The patch engine still updates every occurrence in the file.
  • Rate limit: unauthenticated runs use GitHub's 60 req/hr ceiling. Hitting it produces an explicit error pointing to the fix — set GITHUB_TOKEN (or GH_TOKEN) in your environment to raise the limit to 5 000 req/hr.
  • Tag fetch is bounded to the first 100 tags per action (newest-first). This comfortably covers every mainstream action; deliberately not paginating keeps API consumption predictable so deep scans don't spike into the rate-limit ceiling.

Installation

Every distribution below ships the exact same binary. Pick whichever matches your toolchain.

Rust (Cargo)

cargo install dependency-check-updates

Installs commands: dependency-check-updates and dcu (short alias).

Node.js (npm / bun / pnpm / yarn)

Permanent global install:

npm  install   -g @dependency-check-updates/cli
bun  add       -g @dependency-check-updates/cli
pnpm add       -g @dependency-check-updates/cli
yarn global add   @dependency-check-updates/cli

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

bunx @dependency-check-updates/cli [flags]
npx  @dependency-check-updates/cli [flags]

Python (pip / uv / pipx)

Permanent isolated install:

pipx install dependency-check-updates
uv tool install dependency-check-updates

Install inside a virtualenv:

pip    install dependency-check-updates
uv pip install dependency-check-updates

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

uvx dependency-check-updates [flags]
pipx run dependency-check-updates [flags]

Usage

Run from a directory containing at least one of package.json, Cargo.toml, pyproject.toml, or .github/workflows/*.yml. Every supported manifest in the current directory is auto-detected.

All examples below use the short dcu alias. The long form dependency-check-updates works identically.

Basic

# Check for outdated dependencies (read-only, nothing is written)
dcu

# Apply updates in place (format-preserving)
dcu -u

# Recursively scan subdirectories (monorepo-friendly, respects .gitignore)
dcu -d
dcu -d -u

All Options

Usage: dcu [OPTIONS] [FILTER]...
Flag Description Default
[FILTER]... Positional package names to include (allowlist; repeatable) (all)
-u, --upgrade Write updated versions back to the manifest file off
-d, --deep Recursively scan subdirectories, respecting .gitignore off
-t, --target <LEVEL> Version target: patch · minor · latest · newest · greatest latest
-x, --reject <PATTERN> Exclude packages by name (repeatable)
--manifest <PATH> Operate on a single specific manifest file (auto)
--format <FORMAT> Output format: table or json table
-e, --error-level <N> 1 = always exit 0 · 2 = exit 1 when updates exist (CI gate) 1
-v, --verbose Increase verbosity: -v info · -vv debug · -vvv trace off
-h, --help Print help
-V, --version Print version

-t, --target values

Value Behavior
patch Only patch bumps (e.g., 1.0.1 → 1.0.2)
minor Patch + minor bumps (e.g., 1.0.0 → 1.1.0)
latest Latest stable version; prereleases are skipped (default)
newest Most recently published version by publish date
greatest Highest version number, including prereleases

Examples

# Target specific update level
dcu -t patch           # patch only
dcu -t minor           # minor + patch
dcu -t latest          # default: latest stable
dcu -t greatest        # include prereleases

# Filter packages — positional args act as an include-list
dcu react eslint       # only check react and eslint
dcu -x typescript      # exclude typescript
dcu -x typescript -x lodash

# Filter GitHub Actions by owner — same filter syntax works across ecosystems
dcu actions            # only actions/checkout, actions/setup-node, …

# Operate on a specific manifest
dcu --manifest path/to/Cargo.toml
dcu --manifest apps/web/package.json
dcu --manifest .github/workflows/CI.yml

# Machine-readable output for scripting/CI
dcu --format json

# CI gate: exit 1 if any updates are available
dcu -e 2

# Verbose logging (accumulating)
dcu -v    # info
dcu -vv   # debug
dcu -vvv  # trace

# Combining flags — recursive, patch-only upgrade in a monorepo
dcu -d -u -t patch

# GitHub Actions: pin a higher rate limit by exporting a token
GITHUB_TOKEN=ghp_xxx dcu -d -u

Zero-Install Examples

Every example above works identically via the ephemeral runners, too:

bunx @dependency-check-updates/cli                  # check
bunx @dependency-check-updates/cli -u               # apply updates
bunx @dependency-check-updates/cli -d -t minor      # deep scan, minor bumps
bunx @dependency-check-updates/cli react eslint     # filter
npx  @dependency-check-updates/cli --format json

uvx dependency-check-updates
uvx dependency-check-updates -d -u -t patch
pipx run dependency-check-updates --format json

Architecture

Follows the changepacks pattern — one crate per language ecosystem, with bridge crates for cross-language distribution:

.
├── crates/
│   ├── cli/           # Binary + async CLI orchestration (installs `dcu` + `dependency-check-updates`)
│   ├── core/          # Shared traits (ManifestHandler, RegistryClient, Scanner)
│   ├── node/          # Node.js: package.json parser + npm registry
│   ├── rust/          # Rust: Cargo.toml parser (toml_edit) + crates.io
│   ├── python/        # Python: pyproject.toml parser (toml_edit) + PyPI
│   └── github/        # GitHub Actions: workflow YAML parser + GitHub Tags API
├── bridge/
│   ├── node/          # napi-rs N-API binding → npm: @dependency-check-updates/cli
│   └── python/        # maturin bin binding → PyPI: dependency-check-updates
├── Cargo.toml         # Workspace root
└── package.json       # Bun workspace (build/lint/test scripts)

Format Preservation

  • JSON (package.json): Surgical byte-range replacement — finds exact byte offsets of version values and replaces only those bytes. Indent, line endings, trailing newline, and key ordering are preserved byte-for-byte.
  • TOML (Cargo.toml, pyproject.toml): toml_edit document model preserves comments, table ordering, inline-table formatting, and whitespace.
  • YAML (.github/workflows/*.yml, action.yml): Line-based uses: scanning with byte-range replacement of only the @ref portion. Anchors, comments, blank lines, and unrelated @main / @<sha> pins are never touched.

Shared Traits

Each ecosystem crate implements two core traits from dependency-check-updates-core:

  • ManifestHandler — parse manifests, collect dependencies, apply format-preserving updates
  • RegistryClient — resolve versions from package registries with concurrency control

Range Satisfaction

Before reporting an update, the resolver checks whether the selected version already satisfies the current range (e.g., ^3 already covers 3.5.1). This eliminates the false positives that plague naive string comparison.

Development

Build prerequisites:

  • Rust 1.85+ (stable toolchain)
  • Bun 1.0+ (or Node.js 18+ with npm)
  • Python 3.11+ with maturin (only for the Python wheel step)
  • Windows: Visual Studio 2022 Build Tools (MSVC linker)
# First-time setup: install JS toolchain deps (@napi-rs/cli, etc.)
bun install

# Build everything (native CLI + napi .node + maturin wheel)
bun run build

# Dev build (faster, unoptimized)
bun run build:dev

# Lint (cargo clippy + rustfmt + bun workspace lints)
bun run lint
bun run lint:fix

# Test (cargo test --workspace + bun workspace tests)
bun run test

# Run CLI from source
bun run run -- --help
bun run run -- --manifest Cargo.toml -v
bun run run:release -- -d

Inspirations

  • npm-check-updates — the original ncu that inspired this tool's UX and flag design
  • changepacks — the workspace architecture pattern (crates/* + bridge/*), multi-language bridge distribution via napi-rs and maturin, and the overall project structure

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

dependency_check_updates-0.1.13-py3-none-win_amd64.whl (6.4 MB view details)

Uploaded Python 3Windows x86-64

dependency_check_updates-0.1.13-py3-none-win32.whl (5.4 MB view details)

Uploaded Python 3Windows x86

dependency_check_updates-0.1.13-py3-none-musllinux_1_2_x86_64.whl (6.9 MB view details)

Uploaded Python 3musllinux: musl 1.2+ x86-64

dependency_check_updates-0.1.13-py3-none-musllinux_1_2_i686.whl (6.6 MB view details)

Uploaded Python 3musllinux: musl 1.2+ i686

dependency_check_updates-0.1.13-py3-none-musllinux_1_2_armv7l.whl (5.8 MB view details)

Uploaded Python 3musllinux: musl 1.2+ ARMv7l

dependency_check_updates-0.1.13-py3-none-musllinux_1_2_aarch64.whl (6.4 MB view details)

Uploaded Python 3musllinux: musl 1.2+ ARM64

dependency_check_updates-0.1.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (6.8 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ x86-64

dependency_check_updates-0.1.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl (7.8 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ppc64le

dependency_check_updates-0.1.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl (6.9 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ i686

dependency_check_updates-0.1.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl (5.9 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARMv7l

dependency_check_updates-0.1.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (6.4 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARM64

dependency_check_updates-0.1.13-py3-none-macosx_11_0_arm64.whl (6.3 MB view details)

Uploaded Python 3macOS 11.0+ ARM64

dependency_check_updates-0.1.13-py3-none-macosx_10_12_x86_64.whl (6.5 MB view details)

Uploaded Python 3macOS 10.12+ x86-64

File details

Details for the file dependency_check_updates-0.1.13-py3-none-win_amd64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-win_amd64.whl
Algorithm Hash digest
SHA256 cbd06e59c2b2a6e3c68e25c67bcfaff2fa2bf7474e10e438041928e4afda279c
MD5 9294370c6496d6a2e0d66fb095dff58c
BLAKE2b-256 ed690d8d7109f0e01cb9fcf938f060c1e9f1b9aaee09e199bf1759050eb5b6df

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-win32.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-win32.whl
Algorithm Hash digest
SHA256 e329bf59daeb26202042ed81da455350ddfdcb47c3290e1b528d3498abdd663b
MD5 f06b8b10022e141871fd607c580dcbbe
BLAKE2b-256 23a3ed370640ddd12832ee65ac8134a38d4b3612cd0baecd52878173dc89dc2a

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-musllinux_1_2_x86_64.whl
Algorithm Hash digest
SHA256 467b2bb556dbb340467235434a0fd8e4c87fc39cd9fb956fc7cda96af81dd86e
MD5 27bc2a684e712088c09fe8712ac65a72
BLAKE2b-256 7ed5f8006899aa5563903664f3860965b463b419a69bed5bb8fa114eeafef360

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_i686.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-musllinux_1_2_i686.whl
Algorithm Hash digest
SHA256 bdfe48a35e760901d4b818913de9d26c524992a1ab0f05af6d7c4872b5e89826
MD5 97779fac0a9213b92bd323acb138d3ea
BLAKE2b-256 9926cf279e2764824bb187bedf4d1667b9d8563b48347d33d93811e5e1f01374

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_armv7l.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-musllinux_1_2_armv7l.whl
Algorithm Hash digest
SHA256 3f28d0a2455c216a256d5d0988dee2e0eabd9fe96b315289c019a282aa4fed14
MD5 0aabcd6af4692b95d5296808ccedd355
BLAKE2b-256 0d508a450e7d41a77ad585271e0e8a7a0e421d2aacd929e976f70ffd0284dc8d

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-musllinux_1_2_aarch64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-musllinux_1_2_aarch64.whl
Algorithm Hash digest
SHA256 f9c083ca573c8b61593f5bb8ead8120ccf12d076889af806d2c55b39113304ae
MD5 76e8cbb5ead004f1422b0a5e0698b914
BLAKE2b-256 96c7e65c7b2ddfdae1e141f9916b99c41d11c9e9ded9ebaa99b446d4e7f17b53

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 63600709b968b9bf0ee9aa309593fee28b00dbfb5cfccb54c7b33da9c8d7327c
MD5 0af7e960dfcd4c0379d4c65ec58a66e7
BLAKE2b-256 7a32e642da5f30558277beef3337aa971be95841915f478b6834b734d9fdbd51

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl
Algorithm Hash digest
SHA256 e0899d734ad35d9b9a77ecb0854e0d1bef494bad4a742a258e85ae264acf93ca
MD5 da0d3dbdb56aa1cb5eef2f6c7c5af4c2
BLAKE2b-256 616c6f4a4ae36d7938ba6b87fa8cc22e347bb67a1b0f19c2b42aee40d4d886cf

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl
Algorithm Hash digest
SHA256 6929e12dd016e93b6d028e7dee40589de690cbb918e682f17507419824a737c4
MD5 332ce8ae04c87278df5f88fe6fb7e739
BLAKE2b-256 7c80b255a75883e4b5a1fbfc8682c85b938efe9fd6d06602d4a73af53b40a01b

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl
Algorithm Hash digest
SHA256 1fde05cb09f73f53dff91495f92b17b4d5c23584ef3315fbcb3cce12f7e3e93a
MD5 15e2a6911e7edda8fd6cb5d145d4ab8c
BLAKE2b-256 7e180ed71543f38fc388d8fa3315c1e6cc8164c69e92ffae6c8f92a9faafbacd

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 7d2e7655512586d117c1acb1052b1a13b228a8ce1a6341397b69d9a5be3c2851
MD5 fcbb486b9f7146aa990d07e5849e7b2d
BLAKE2b-256 9e4cf9ef3758db532348ad6b85b885fee9badb6433fcd991a3add1496a14011f

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 9fdec3faffcc5d08d0f72549620fd3150ca0e8f2c134195f26d19056304eaa95
MD5 aada895fd070afcac64e61721d4760bf
BLAKE2b-256 d7a2c57ff7ad30adfe7451266e178871d9e453c620f54fbd9d2ce179afd9fe0c

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.13-py3-none-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.13-py3-none-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 9ba511a902b1262031d3aaa8d1674aae0210f57a8f59c0baff8ca072a0054135
MD5 08b34af169be667483b2ced235b53019
BLAKE2b-256 ad46a2dfaece98f58cd72d5b0fc7f27150034f47889e0ed4886b4fcf44e64d01

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page