Skip to main content

Fast multi-ecosystem dependency updater: package.json, Cargo.toml, pyproject.toml in a single CLI (like npm-check-updates for every language)

Project description

dependency-check-updates

CI Codecov deps.rs License: MIT

crates.io npm PyPI Rust 1.85+ Python 3.11+ Node

crates.io downloads npm downloads PyPI downloads

GitHub stars GitHub forks GitHub issues GitHub PRs Last commit Contributors

Dependency Check & Update — a fast, multi-ecosystem dependency updater written in Rust.

Like npm-check-updates, but for every language.

$ dcu
Checking Cargo.toml
 toml_edit  0.22  ->  0.25.4

Checking .github/workflows/CI.yml
 actions/checkout    v4  ->  v5
 actions/setup-node  v4  ->  v5

Run dcu -u to upgrade

dcu is a short alias installed alongside dependency-check-updates. Both commands are identical — use whichever you prefer.

Quick Start (Zero Install)

No install needed — run straight from your package manager's ephemeral runner:

# Node.js ecosystem
bunx @dependency-check-updates/cli
npx  @dependency-check-updates/cli

# Python ecosystem
uvx dependency-check-updates
pipx run dependency-check-updates

All four accept the same flags described in Usage.

Features

  • Multi-ecosystempackage.json, Cargo.toml, pyproject.toml, and .github/workflows/*.yml all handled by a single binary
  • Format-preserving — surgical byte-range patching for JSON / YAML; toml_edit for TOML. Your indentation, comments, trailing newlines, and key ordering stay intact
  • Fast — concurrent registry lookups across all manifests via futures::join_all
  • Smart range checking — skips false positives where the resolved version already satisfies the current range (^3 already covers 3.5.1)
  • Deep scan-d recursively finds manifests in monorepos, respecting .gitignore
  • ncu-compatible UX — the same flags you already know from npm-check-updates
  • Short alias — type dcu instead of dependency-check-updates; both are installed by every distribution
  • CI-friendly-e 2 exits non-zero when updates exist; --format json emits machine-readable output

Supported Ecosystems

Ecosystem Manifest Registry Package
Node.js package.json npm @dependency-check-updates/cli
Rust Cargo.toml crates.io dependency-check-updates
Python pyproject.toml PyPI dependency-check-updates
GitHub Actions .github/workflows/*.yml, action.yml GitHub Tags API (built-in)

GitHub Actions specifics

  • Discovers every *.yml / *.yaml under .github/workflows/ and any action.yml / action.yaml at the repo root automatically. Composite actions nested under .github/actions/**/ are picked up with -d.
  • Scans uses: owner/repo@ref directives. Refs without version digits — @main, @master, branch names, and full commit SHAs — are left untouched on purpose; they pin a moving target intentionally.
  • Tag prefix is preserved: @v5 updates to @v6 (major float), @v5.1.0 updates to @v6.0.0 (full precision). Bare semver without the v (@1.2.3, @5) is recognised and tracked the same way.
  • Duplicate rows are collapsed in the output — if actions/checkout@v5 appears in 12 jobs, you see one row, not twelve. The patch engine still updates every occurrence in the file.
  • Rate limit: unauthenticated runs use GitHub's 60 req/hr ceiling. Hitting it produces an explicit error pointing to the fix — set GITHUB_TOKEN (or GH_TOKEN) in your environment to raise the limit to 5 000 req/hr.
  • Tag fetch is bounded to the first 100 tags per action (newest-first). This comfortably covers every mainstream action; deliberately not paginating keeps API consumption predictable so deep scans don't spike into the rate-limit ceiling.

Installation

Every distribution below ships the exact same binary. Pick whichever matches your toolchain.

Rust (Cargo)

cargo install dependency-check-updates

Installs commands: dependency-check-updates and dcu (short alias).

Node.js (npm / bun / pnpm / yarn)

Permanent global install:

npm  install   -g @dependency-check-updates/cli
bun  add       -g @dependency-check-updates/cli
pnpm add       -g @dependency-check-updates/cli
yarn global add   @dependency-check-updates/cli

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

bunx @dependency-check-updates/cli [flags]
npx  @dependency-check-updates/cli [flags]

Python (pip / uv / pipx)

Permanent isolated install:

pipx install dependency-check-updates
uv tool install dependency-check-updates

Install inside a virtualenv:

pip    install dependency-check-updates
uv pip install dependency-check-updates

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

uvx dependency-check-updates [flags]
pipx run dependency-check-updates [flags]

Usage

Run from a directory containing at least one of package.json, Cargo.toml, pyproject.toml, or .github/workflows/*.yml. Every supported manifest in the current directory is auto-detected.

All examples below use the short dcu alias. The long form dependency-check-updates works identically.

Basic

# Check for outdated dependencies (read-only, nothing is written)
dcu

# Apply updates in place (format-preserving)
dcu -u

# Recursively scan subdirectories (monorepo-friendly, respects .gitignore)
dcu -d
dcu -d -u

All Options

Usage: dcu [OPTIONS] [FILTER]...
Flag Description Default
[FILTER]... Positional package names to include (allowlist; repeatable) (all)
-u, --upgrade Write updated versions back to the manifest file off
-d, --deep Recursively scan subdirectories, respecting .gitignore off
-t, --target <LEVEL> Version target: patch · minor · latest · newest · greatest latest
-x, --reject <PATTERN> Exclude packages by name (repeatable)
--manifest <PATH> Operate on a single specific manifest file (auto)
--format <FORMAT> Output format: table or json table
--remove-lockfile Delete lockfiles next to each manifest so the package manager re-resolves transitive deps on the next install off
--remove-installed Delete installed-dependency directories next to each manifest for a clean install off
--rm Shortcut for --remove-lockfile --remove-installed — wipes both in one go off
-e, --error-level <N> 1 = always exit 0 · 2 = exit 1 when updates exist (CI gate) 1
-v, --verbose Increase verbosity: -v info · -vv debug · -vvv trace off
-h, --help Print help
-V, --version Print version

-t, --target values

Value Behavior
patch Only patch bumps (e.g., 1.0.1 → 1.0.2)
minor Patch + minor bumps (e.g., 1.0.0 → 1.1.0)
latest Latest stable version; prereleases are skipped (default)
newest Most recently published version by publish date (npm time, crates.io created_at, PyPI upload time). For GitHub Actions this falls back to greatest — the Tags API exposes no per-tag dates.
greatest Highest version number, including prereleases

All five targets apply to every ecosystem, including Python (pyproject.toml / PyPI), which resolves PEP 440 versions from the full release list.

Examples

# Target specific update level
dcu -t patch           # patch only
dcu -t minor           # minor + patch
dcu -t latest          # default: latest stable
dcu -t greatest        # include prereleases

# Filter packages — positional args act as an include-list
dcu react eslint       # only check react and eslint
dcu -x typescript      # exclude typescript
dcu -x typescript -x lodash

# Filter GitHub Actions by owner — same filter syntax works across ecosystems
dcu actions            # only actions/checkout, actions/setup-node, …

# Operate on a specific manifest
dcu --manifest path/to/Cargo.toml
dcu --manifest apps/web/package.json
dcu --manifest .github/workflows/CI.yml

# Machine-readable output for scripting/CI
dcu --format json

# CI gate: exit 1 if any updates are available
dcu -e 2

# Verbose logging (accumulating)
dcu -v    # info
dcu -vv   # debug
dcu -vvv  # trace

# Combining flags — recursive, patch-only upgrade in a monorepo
dcu -d -u -t patch

# Force a full transitive refresh: bump manifests, wipe lockfiles, wipe
# installed copies. The next `bun install` / `cargo build` / `uv sync`
# rebuilds the dep tree from scratch and picks up the latest dep-of-dep.
dcu -u --rm                                      # shortcut for both removals
dcu -d -u --rm                                   # same, monorepo-wide
dcu -u --remove-lockfile                         # lockfiles only, keep installed
dcu -u --remove-installed                        # installed only, keep lockfiles

# Files / directories removed (per manifest discovered):
#   package.json   → bun.lock, bun.lockb, package-lock.json, pnpm-lock.yaml,
#                    yarn.lock, node_modules/
#   Cargo.toml     → Cargo.lock, target/
#   pyproject.toml → uv.lock, poetry.lock, Pipfile.lock, .venv/, venv/

# GitHub Actions: pin a higher rate limit by exporting a token
GITHUB_TOKEN=ghp_xxx dcu -d -u

Zero-Install Examples

Every example above works identically via the ephemeral runners, too:

bunx @dependency-check-updates/cli                  # check
bunx @dependency-check-updates/cli -u               # apply updates
bunx @dependency-check-updates/cli -d -t minor      # deep scan, minor bumps
bunx @dependency-check-updates/cli react eslint     # filter
npx  @dependency-check-updates/cli --format json

uvx dependency-check-updates
uvx dependency-check-updates -d -u -t patch
pipx run dependency-check-updates --format json

Architecture

Follows the changepacks pattern — one crate per language ecosystem, with bridge crates for cross-language distribution:

.
├── crates/
│   ├── cli/           # Binary + async CLI orchestration (installs `dcu` + `dependency-check-updates`)
│   ├── core/          # Shared traits (ManifestHandler, RegistryClient, Scanner)
│   ├── node/          # Node.js: package.json parser + npm registry
│   ├── rust/          # Rust: Cargo.toml parser (toml_edit) + crates.io
│   ├── python/        # Python: pyproject.toml parser (toml_edit) + PyPI
│   └── github/        # GitHub Actions: workflow YAML parser + GitHub Tags API
├── bridge/
│   ├── node/          # napi-rs N-API binding → npm: @dependency-check-updates/cli
│   └── python/        # maturin bin binding → PyPI: dependency-check-updates
├── Cargo.toml         # Workspace root
└── package.json       # Bun workspace (build/lint/test scripts)

Format Preservation

  • JSON (package.json): Surgical byte-range replacement — finds exact byte offsets of version values and replaces only those bytes. Indent, line endings, trailing newline, and key ordering are preserved byte-for-byte.
  • TOML (Cargo.toml, pyproject.toml): toml_edit document model preserves comments, table ordering, inline-table formatting, and whitespace.
  • YAML (.github/workflows/*.yml, action.yml): Line-based uses: scanning with byte-range replacement of only the @ref portion. Anchors, comments, blank lines, and unrelated @main / @<sha> pins are never touched.

Shared Traits

Each ecosystem crate implements two core traits from dependency-check-updates-core:

  • ManifestHandler — parse manifests, collect dependencies, apply format-preserving updates
  • RegistryClient — resolve versions from package registries with concurrency control

Range Satisfaction

Before reporting an update, the resolver checks whether the selected version already satisfies the current range (e.g., ^3 already covers 3.5.1). This eliminates the false positives that plague naive string comparison.

Development

Build prerequisites:

  • Rust 1.85+ (stable toolchain)
  • Bun 1.0+ (or Node.js 18+ with npm)
  • Python 3.11+ with maturin (only for the Python wheel step)
  • Windows: Visual Studio 2022 Build Tools (MSVC linker)
# First-time setup: install JS toolchain deps (@napi-rs/cli, etc.)
bun install

# Build everything (native CLI + napi .node + maturin wheel)
bun run build

# Dev build (faster, unoptimized)
bun run build:dev

# Lint (cargo clippy + rustfmt + bun workspace lints)
bun run lint
bun run lint:fix

# Test (cargo test --workspace + bun workspace tests)
bun run test

# Run CLI from source
bun run run -- --help
bun run run -- --manifest Cargo.toml -v
bun run run:release -- -d

Inspirations

  • npm-check-updates — the original ncu that inspired this tool's UX and flag design
  • changepacks — the workspace architecture pattern (crates/* + bridge/*), multi-language bridge distribution via napi-rs and maturin, and the overall project structure

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

dependency_check_updates-0.1.15-py3-none-win_amd64.whl (6.4 MB view details)

Uploaded Python 3Windows x86-64

dependency_check_updates-0.1.15-py3-none-win32.whl (5.5 MB view details)

Uploaded Python 3Windows x86

dependency_check_updates-0.1.15-py3-none-musllinux_1_2_x86_64.whl (6.9 MB view details)

Uploaded Python 3musllinux: musl 1.2+ x86-64

dependency_check_updates-0.1.15-py3-none-musllinux_1_2_i686.whl (6.6 MB view details)

Uploaded Python 3musllinux: musl 1.2+ i686

dependency_check_updates-0.1.15-py3-none-musllinux_1_2_armv7l.whl (5.9 MB view details)

Uploaded Python 3musllinux: musl 1.2+ ARMv7l

dependency_check_updates-0.1.15-py3-none-musllinux_1_2_aarch64.whl (6.4 MB view details)

Uploaded Python 3musllinux: musl 1.2+ ARM64

dependency_check_updates-0.1.15-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (6.8 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ x86-64

dependency_check_updates-0.1.15-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl (7.9 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ppc64le

dependency_check_updates-0.1.15-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl (6.9 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ i686

dependency_check_updates-0.1.15-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl (5.9 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARMv7l

dependency_check_updates-0.1.15-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (6.4 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARM64

dependency_check_updates-0.1.15-py3-none-macosx_11_0_arm64.whl (6.3 MB view details)

Uploaded Python 3macOS 11.0+ ARM64

dependency_check_updates-0.1.15-py3-none-macosx_10_12_x86_64.whl (6.6 MB view details)

Uploaded Python 3macOS 10.12+ x86-64

File details

Details for the file dependency_check_updates-0.1.15-py3-none-win_amd64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-win_amd64.whl
Algorithm Hash digest
SHA256 7e998b0f55ddfd0251f1235267425b4af7cf7c764f4a75587e661b7585e2de47
MD5 2854b7a4643b46afe11a91d0a24ff99f
BLAKE2b-256 d236e2c40b4aea6089447d35d1469162df0a98d428cffa4704b13cfa85907ecf

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-win32.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-win32.whl
Algorithm Hash digest
SHA256 7a9c20fa2629d8a24d6c1c2f9df448c95be7295cd752e1d0d529f82a707102a5
MD5 9561d922fe962105cfac823820d60e7e
BLAKE2b-256 3addc7c5ea721b6911e4b5e3d408eee0a05a1cc14466b970e425261f55b1a161

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-musllinux_1_2_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-musllinux_1_2_x86_64.whl
Algorithm Hash digest
SHA256 92526e43124de3f85c226dd58215008358048a613141ff1ff4b75508a4f57614
MD5 18f0f5374e73643574f71c653f2cab6e
BLAKE2b-256 d8f93adcbbe4b5353d4f254873ca5a6523499c803ae48f771c02bd3a9aab3828

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-musllinux_1_2_i686.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-musllinux_1_2_i686.whl
Algorithm Hash digest
SHA256 ba15d7f347daa7b136c42957d95c795d9bff15606ae6debad8b699455652bc9b
MD5 63dd057bc6b71ada2d1f495da76da731
BLAKE2b-256 c34824badcd7cd3c9a5df0d21ad78fc17c61a02ecdb0bcefd3b8563c8eb355a0

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-musllinux_1_2_armv7l.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-musllinux_1_2_armv7l.whl
Algorithm Hash digest
SHA256 29f49911548877344517ce0b1bca6d5a6eddffabb6fea54146e3893d482cd518
MD5 a3a3eb94c197362b0212408f4497f819
BLAKE2b-256 99be7001a9ea848248b38d870084aff05a2ec642736642f1992bbd3eac25af6a

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-musllinux_1_2_aarch64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-musllinux_1_2_aarch64.whl
Algorithm Hash digest
SHA256 0220d7d2b184076d2b091b1c400f07e067f2e9b0c20f920b8c1ecf93eb9dbff3
MD5 32bff815a3e688ead6636da53d0fd97d
BLAKE2b-256 c123148dead6c52a459d8e91c3d48ab515fd782f37b26cc861543d5735f173dc

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 d9b07a6e2b5086652c5e010b4424ac0ee3f9b024d9bec24e38c0de92e4cfa1c5
MD5 5cfab7af03d2aacd41490fbc24797ebf
BLAKE2b-256 5586d92dbb4a9adcdba57da28035a587e1f7f24b4a3daeecb27dd8c65829ffeb

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl
Algorithm Hash digest
SHA256 f3a62ad278ba0065b7bc0587819931a66f28342ef2fbe89babc1db3704d2c9fd
MD5 6c50bffafb7f327b33acbc6f305c0c29
BLAKE2b-256 5b300b09f1edcc952927df6c23ac823004d2ab303956417d6ae4428585f555cb

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl
Algorithm Hash digest
SHA256 78efc45d38473b73bc57b7b6240bc50b37fe85ecb6893f787248ce4cbb7a802c
MD5 47f1817033ddd4132c2c3697cb4527a8
BLAKE2b-256 8a9e8c671eb6afaab6817eafdc58d61c0f351bc1e658f85c6879e1f678610423

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl
Algorithm Hash digest
SHA256 329d2a8ed356b86426b2c0d1405d6a835ae40926186e717f0e9346e39d028b3f
MD5 25b55c24c496c108ab524776c50a2a9f
BLAKE2b-256 a3c25cd8bba596bd59991688e89f56f76c6dca080932147b1dc4b49c0f031c98

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 89a083937d0c002f71a803d3869c32282ce4ca53f44b7d34693fa7ce8609f722
MD5 f528c38ce121a76860267fcb014ee9ba
BLAKE2b-256 fe8324565877845441de82271f42d991d263ca7e3d2bc065a93e94743179825f

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 d3cd0e7fc79b5161b4dbdad7d1e88f8c0716da47a2d45c8debfcf5b8312cca2f
MD5 22dd99854ea213971bff85dd17c3c4f3
BLAKE2b-256 f882b6db0d9ad9d073462a25ea0547de48bc27e06804ee2fec40fd63bd00fac5

See more details on using hashes here.

File details

Details for the file dependency_check_updates-0.1.15-py3-none-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for dependency_check_updates-0.1.15-py3-none-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 bb0133fa73832d17d5d0ce91e020967c236581878372a7c58bdceaea0aaab89e
MD5 fe4fdf229b7c806a1d2b084841724ba0
BLAKE2b-256 277aa85b880d04d390a1aa946df23cdc8aaf55c67db03c2aea793ef5eeadbab7

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page