dependency-check-updates 0.1.4

Fast multi-ecosystem dependency updater: package.json, Cargo.toml, pyproject.toml in a single CLI (like npm-check-updates for every language)

dependency-check-updates

Dependency Check & Update — a fast, multi-ecosystem dependency updater written in Rust.

Like npm-check-updates, but for every language.

$ dependency-check-updates
Checking Cargo.toml
 toml_edit  0.22  ->  0.25.4

Run dependency-check-updates -u to upgrade Cargo.toml

Quick Start (Zero Install)

No install needed — run straight from your package manager's ephemeral runner:

# Node.js ecosystem
bunx @dependency-check-updates/cli
npx  @dependency-check-updates/cli

# Python ecosystem
uvx dependency-check-updates
pipx run dependency-check-updates

All four accept the same flags described in Usage.

Features

• Multi-ecosystem — package.json, Cargo.toml, pyproject.toml handled by a single binary
• Format-preserving — surgical byte-range patching for JSON; toml_edit for TOML. Your indentation, comments, trailing newlines, and key ordering stay intact
• Fast — concurrent registry lookups across all manifests via futures::join_all
• Smart range checking — skips false positives where the resolved version already satisfies the current range (^3 already covers 3.5.1)
• Deep scan — -d recursively finds manifests in monorepos, respecting .gitignore
• ncu-compatible UX — the same flags you already know from npm-check-updates
• CI-friendly — -e 2 exits non-zero when updates exist; --format json emits machine-readable output

Supported Ecosystems

Ecosystem	Manifest	Registry	Package
Node.js	package.json	npm	@dependency-check-updates/cli
Rust	Cargo.toml	crates.io	dependency-check-updates
Python	pyproject.toml	PyPI	dependency-check-updates

Installation

Every distribution below ships the exact same binary. Pick whichever matches your toolchain.

Rust (Cargo)

cargo install dependency-check-updates

Installs command: dependency-check-updates

Node.js (npm / bun / pnpm / yarn)

Permanent global install:

npm  install   -g @dependency-check-updates/cli
bun  add       -g @dependency-check-updates/cli
pnpm add       -g @dependency-check-updates/cli
yarn global add   @dependency-check-updates/cli

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

bunx @dependency-check-updates/cli [flags]
npx  @dependency-check-updates/cli [flags]

Python (pip / uv / pipx)

Permanent isolated install:

pipx install dependency-check-updates
uv tool install dependency-check-updates

Install inside a virtualenv:

pip    install dependency-check-updates
uv pip install dependency-check-updates

Installs command: dependency-check-updates

One-off execution (no install):

uvx dependency-check-updates [flags]
pipx run dependency-check-updates [flags]

Usage

Run from a directory containing at least one of package.json, Cargo.toml, or pyproject.toml. Every supported manifest in the current directory is auto-detected.

Basic

# Check for outdated dependencies (read-only, nothing is written)
dependency-check-updates

# Apply updates in place (format-preserving)
dependency-check-updates -u

# Recursively scan subdirectories (monorepo-friendly, respects .gitignore)
dependency-check-updates -d
dependency-check-updates -d -u

On Node.js installations the short alias dcu works identically — e.g. dcu -d -u.

All Options

Usage: dependency-check-updates [OPTIONS] [FILTER]...

Flag	Description	Default
[FILTER]...	Positional package names to include (allowlist; repeatable)	(all)
-u, --upgrade	Write updated versions back to the manifest file	off
-d, --deep	Recursively scan subdirectories, respecting .gitignore	off
-t, --target <LEVEL>	Version target: patch · minor · latest · newest · greatest	latest
-x, --reject <PATTERN>	Exclude packages by name (repeatable)	—
--manifest <PATH>	Operate on a single specific manifest file	(auto)
--format <FORMAT>	Output format: table or json	table
-e, --error-level <N>	1 = always exit 0 · 2 = exit 1 when updates exist (CI gate)	1
-v, --verbose	Increase verbosity: -v info · -vv debug · -vvv trace	off
-h, --help	Print help	—
-V, --version	Print version	—

-t, --target values

Value	Behavior
patch	Only patch bumps (e.g., 1.0.1 → 1.0.2)
minor	Patch + minor bumps (e.g., 1.0.0 → 1.1.0)
latest	Latest stable version; prereleases are skipped (default)
newest	Most recently published version by publish date
greatest	Highest version number, including prereleases

Examples

# Target specific update level
dependency-check-updates -t patch           # patch only
dependency-check-updates -t minor           # minor + patch
dependency-check-updates -t latest          # default: latest stable
dependency-check-updates -t greatest        # include prereleases

# Filter packages — positional args act as an include-list
dependency-check-updates react eslint       # only check react and eslint
dependency-check-updates -x typescript      # exclude typescript
dependency-check-updates -x typescript -x lodash

# Operate on a specific manifest
dependency-check-updates --manifest path/to/Cargo.toml
dependency-check-updates --manifest apps/web/package.json

# Machine-readable output for scripting/CI
dependency-check-updates --format json

# CI gate: exit 1 if any updates are available
dependency-check-updates -e 2

# Verbose logging (accumulating)
dependency-check-updates -v    # info
dependency-check-updates -vv   # debug
dependency-check-updates -vvv  # trace

# Combining flags — recursive, patch-only upgrade in a monorepo
dependency-check-updates -d -u -t patch

Zero-Install Examples

Every example above works identically via the ephemeral runners, too:

bunx @dependency-check-updates/cli                  # check
bunx @dependency-check-updates/cli -u               # apply updates
bunx @dependency-check-updates/cli -d -t minor      # deep scan, minor bumps
bunx @dependency-check-updates/cli react eslint     # filter
npx  @dependency-check-updates/cli --format json

uvx dependency-check-updates
uvx dependency-check-updates -d -u -t patch
pipx run dependency-check-updates --format json

Architecture

Follows the changepacks pattern — one crate per language ecosystem, with bridge crates for cross-language distribution:

.
├── crates/
│   ├── cli/           # Binary + async CLI orchestration
│   ├── core/          # Shared traits (ManifestHandler, RegistryClient, Scanner)
│   ├── node/          # Node.js: package.json parser + npm registry
│   ├── rust/          # Rust: Cargo.toml parser (toml_edit) + crates.io
│   ├── python/        # Python: pyproject.toml parser (toml_edit) + PyPI
│   └── testkit/       # Test fixtures and helpers
├── bridge/
│   ├── node/          # napi-rs N-API binding → npm: @dependency-check-updates/cli
│   └── python/        # maturin bin binding → PyPI: dependency-check-updates
├── Cargo.toml         # Workspace root
└── package.json       # Bun workspace (build/lint/test scripts)

Format Preservation

• JSON (package.json): Surgical byte-range replacement — finds exact byte offsets of version values and replaces only those bytes. Indent, line endings, trailing newline, and key ordering are preserved byte-for-byte.
• TOML (Cargo.toml, pyproject.toml): toml_edit document model preserves comments, table ordering, inline-table formatting, and whitespace.

Shared Traits

Each ecosystem crate implements two core traits from dependency-check-updates-core:

• ManifestHandler — parse manifests, collect dependencies, apply format-preserving updates
• RegistryClient — resolve versions from package registries with concurrency control

Range Satisfaction

Before reporting an update, the resolver checks whether the selected version already satisfies the current range (e.g., ^3 already covers 3.5.1). This eliminates the false positives that plague naive string comparison.

Development

Build prerequisites:

• Rust 1.85+ (stable toolchain)
• Bun 1.0+ (or Node.js 18+ with npm)
• Python 3.9+ with maturin (only for the Python wheel step)
• Windows: Visual Studio 2022 Build Tools (MSVC linker)

# First-time setup: install JS toolchain deps (@napi-rs/cli, etc.)
bun install

# Build everything (native CLI + napi .node + maturin wheel)
bun run build

# Dev build (faster, unoptimized)
bun run build:dev

# Lint (cargo clippy + rustfmt + bun workspace lints)
bun run lint
bun run lint:fix

# Test (cargo test --workspace + bun workspace tests)
bun run test

# Run CLI from source
bun run run -- --help
bun run run -- --manifest Cargo.toml -v
bun run run:release -- -d

Inspirations

• npm-check-updates — the original ncu that inspired this tool's UX and flag design
• changepacks — the workspace architecture pattern (crates/* + bridge/*), multi-language bridge distribution via napi-rs and maturin, and the overall project structure

License

MIT