Check and update dependencies across Cargo, npm, and pyproject projects

Project description

ruckup

One command to check and update dependencies across Cargo, Docker, GitHub Actions, npm, and Python — all at once.

ruckup auto-detects your project's manifest files and checks every dependency against its upstream registry. Run it in any repo — even polyglot monorepos — and get a unified view of what's outdated. Then apply updates interactively or all at once.

Installation

cargo

cargo install ruckup

npm / pnpm / yarn / bun

npm install -g ruckup
# or
pnpm add -g ruckup
# or
yarn global add ruckup
# or
bun add -g ruckup

pip / uv / pipx

pip install ruckup
# or
uv tool install ruckup
# or
pipx install ruckup

Pre-built binaries

Download the latest binary for your platform from the GitHub Releases page, extract it, and place it on your PATH.

Platform | Archive
Linux x86_64 (glibc) | ruckup-linux-x64.tar.gz
Linux x86_64 (musl) | ruckup-linux-x64-musl.tar.gz
Linux arm64 (glibc) | ruckup-linux-arm64.tar.gz
Linux arm64 (musl) | ruckup-linux-arm64-musl.tar.gz
macOS arm64 (Apple Silicon) | ruckup-darwin-arm64.tar.gz
macOS x86_64 | ruckup-darwin-x64.tar.gz
Windows x86_64 | ruckup-win32-x64.zip
Windows arm64 | ruckup-win32-arm64.zip

Build from source

git clone https://github.com/ruckc/ruckup.git
cd ruckup
cargo install --path .

Features

  • Auto-detection — scans the current directory for all supported manifest files
  • Multi-ecosystem — one tool for Cargo, Docker, GitHub Actions, npm, and Python
  • Interactive updates — multi-select prompt lets you pick exactly what to bump
  • Bulk updates: the --all flag skips prompts and applies everything
  • Flexible filtering — scope work to a specific ecosystem or package name
  • Upgrade intelligence reports — generate text/markdown/html/pdf reports with SCM diff links, changelog links, security resources, and supply-chain deltas where available
  • Lockfile-aware — respects npm peer dependency constraints
  • Configurable — per-project .ruckuprc plus global config and env var overrides

Supported Manifests

Ecosystem | Files
Cargo | Cargo.toml ([dependencies], [dev-dependencies], [build-dependencies])
Docker | Dockerfile, Dockerfile.*, docker-compose.yml, docker-compose.yaml, compose.yml, compose.yaml
GitHub Actions | .github/workflows/*.yml (uses: owner/repo@ref)
npm / pnpm / yarn | package.json (lockfile-aware)
Python | pyproject.toml (uv, Poetry, PEP 621), requirements.txt

Usage

Usage: ruckup [OPTIONS] [COMMAND]

Commands:
  check   Check for available dependency updates (default)
  update  Interactively select and apply dependency updates
  list    List detected dependency files and their dependencies
  report  Generate upgrade intelligence reports

Options:
  -o, --only <ONLY>      Comma-separated list of ecosystems to check
                         (cargo, docker, github-actions, npm, pyproject, requirements)
  -f, --filter <FILTER>  Filter to specific dependency names
  -h, --help             Print help
  -V, --version          Print version

check is the default command, so ruckup and ruckup check are equivalent.

Examples

# Check everything in the current directory
ruckup

# Check only Cargo dependencies
ruckup --only cargo

# Check only GitHub Actions workflow pins
ruckup check --only github-actions

# Check npm packages and filter to a specific name
ruckup check --only npm --filter react

# Check multiple ecosystems at once
ruckup check --only cargo,npm --filter serde,clap

# List all detected dependencies without hitting registries
ruckup list

# Interactively choose which updates to apply
ruckup update

# Apply all available updates without prompts
ruckup update --all

# Generate a markdown report for all upgrade candidates
ruckup report

# Generate HTML + PDF reports and open in your browser
ruckup report --format html,pdf --open

# Generate a scoped report for one ecosystem + dependency
ruckup report --only npm --filter react --format text,markdown

Upgrade Intelligence Report Coverage

Scope | Included in report | Notes
All upgradable dependencies | Current version, latest version, semver impact (breaking, feature, bugfix) | Generated by ruckup report
SCM diffs | Compare links when repository metadata can be resolved (best with GitHub-hosted projects) | Falls back to registry/package pages when SCM is unavailable
Changelog context | Release/changelog/homepage links where available from package metadata | Depends on upstream metadata quality
Security context | Links to ecosystem security resources (for example OSV, deps.dev, Snyk, RustSec, Docker/GitHub security pages) | Link set varies by plugin/ecosystem
Supply-chain delta | Added/removed/changed transitive dependencies when version metadata exposes dependency graphs | Strongest support today for npm, crates.io, and PyPI
Output formats | text, markdown, html, pdf | Use --format with one or more values
Scope controls | Everything, specific dependency, or specific plugin | Use --filter and --only

Update shortcut

During interactive ruckup update, press r before selecting packages to generate and open a consolidated HTML report across all detected plugins and their pending upgrades.

Configuration

Configuration is resolved in this order (later entries win):

  1. Built-in defaults
  2. ~/.ruckuprc (global)
  3. ./.ruckuprc (project)
  4. RUCKUP_* environment variables

Both TOML and JSON formats are supported for .ruckuprc.

Settings

Setting | Env var | Default | Description
preserve_range | RUCKUP_PRESERVE_RANGE | true | Keep existing version range prefixes when updating
cargo_concurrency | RUCKUP_CARGO_CONCURRENCY | 4 | Concurrent crates.io requests
npm_concurrency | RUCKUP_NPM_CONCURRENCY | 16 | Concurrent npm registry requests
pypi_concurrency | RUCKUP_PYPI_CONCURRENCY | 10 | Concurrent PyPI requests
github_actions_concurrency | RUCKUP_GITHUB_ACTIONS_CONCURRENCY | 8 | Concurrent GitHub API requests
docker_concurrency | RUCKUP_DOCKER_CONCURRENCY | 8 | Concurrent Docker Hub requests

Example .ruckuprc

preserve_range = true
cargo_concurrency = 5
npm_concurrency = 16
pypi_concurrency = 10
github_actions_concurrency = 8
docker_concurrency = 8

Environment variable examples

RUCKUP_PRESERVE_RANGE=false ruckup update --all
RUCKUP_NPM_CONCURRENCY=8 ruckup check --only npm
RUCKUP_DOCKER_CONCURRENCY=4 ruckup check --only docker

Notes

  • Docker support targets Docker Hub images with semver-like tags; unsupported registries and floating tags are listed but not upgraded.
  • npm output includes peer dependency conflict reporting so you can see what is blocking an upgrade.
  • GitHub Actions updates rewrite pinned uses: owner/repo@ref references; floating refs like stable are left alone.
  • Python detection only activates for pyproject.toml files that declare Python dependencies.
  • requirements.txt packaging directives (editable installs, direct URLs, pip flags) are intentionally ignored.
  • Supply-chain deltas are generated where upstream metadata is available (currently strongest for npm, crates.io, and PyPI packages).
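
The pinned-versus-floating distinction in the GitHub Actions note above can be checked directly against a workflow file. This is an added example, not ruckup's code: the classification rules (40-character hex SHA, semver-like tag, everything else floating) are assumptions, and the example-org actions in the sample are hypothetical.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally a list item, optionally quoted.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^\s"'#@]+)@([^\s"'#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")   # v4, v4.1, 4.1.2

def classify_ref(ref):
    """Assumed rules for this example, not ruckup's documented matching logic."""
    if SHA_RE.match(ref):
        return "commit-sha"    # immutable: always resolves to the same commit
    if VERSION_RE.match(ref):
        return "version-tag"   # pinned to a release, but a tag can be moved
    return "floating"          # branch or moving tag such as stable or main

def audit_workflow(text):
    """Return (line number, action, ref, kind) for each remote action reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local actions (./path) carry no @ref; docker:// images are not owner/repo refs.
        if not m or m.group(1).startswith(("docker://", ".")):
            continue
        action, ref = m.groups()
        findings.append((lineno, action, ref, classify_ref(ref)))
    return findings

def floating_refs(text):
    """References that float and therefore name no fixed version."""
    return [(n, a, r) for n, a, r, kind in audit_workflow(text) if kind == "floating"]

# Constructed sample workflow; the example-org actions are hypothetical.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: example-org/toolchain@stable
      - uses: ./.github/actions/local-lint
      - name: Deploy
        uses: example-org/deploy/subdir@main
"""

if __name__ == "__main__":
    for lineno, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {lineno}: {action}@{ref} -> {kind}")
```

Run over each file in .github/workflows/, the floating entries are the references that need manual review, since the note above says floating refs are left alone.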

License

MIT — see LICENSE.

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

ruckup-0.6.4-py3-none-manylinux_2_39_x86_64.whl (4.4 MB)

Uploaded Python 3 manylinux: glibc 2.39+ x86-64

File details

Details for the file ruckup-0.6.4-py3-none-manylinux_2_39_x86_64.whl.

File hashes

Hashes for ruckup-0.6.4-py3-none-manylinux_2_39_x86_64.whl
Algorithm Hash digest
SHA256 6630b1f543128e58411eee50bca483e4863abff75a1a2748b97df521f83a4555
MD5 963c1840ed9114a10326c86dc4a839ce
BLAKE2b-256 9ea557ca082442bc4f048f71b3cbfe8fe04fc69141fdf76de7ade2c3a4ee43b5

Provenance

The following attestation bundles were made for ruckup-0.6.4-py3-none-manylinux_2_39_x86_64.whl:

Publisher: release.yml on ruckc/ruckup

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
