inup 1.6.4 → 1.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +69 -15
  2. package/package.json +3 -3
package/README.md CHANGED
@@ -6,10 +6,21 @@
6
6
  [![CI](https://img.shields.io/github/actions/workflow/status/donfear/inup/ci.yml?branch=main&style=for-the-badge&label=CI)](https://github.com/donfear/inup/actions/workflows/ci.yml)
7
7
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](https://github.com/donfear/inup/blob/main/LICENSE)
8
8
 
9
- Interactively upgrade outdated dependencies across npm, yarn, pnpm, and bun. Auto-detects your package manager, works in monorepos and workspaces, and requires zero configuration.
9
+ **inup** is an interactive CLI for upgrading outdated npm dependencies npm, yarn, pnpm, and bun all supported. It auto-detects your package manager, works in monorepos and workspaces, and requires zero configuration.
10
10
 
11
11
  ![Interactive Upgrade Demo](docs/demo/interactive-upgrade.gif)
12
12
 
13
+ ## Table of Contents
14
+
15
+ - [Quick Start](#quick-start)
16
+ - [Why inup?](#why-inup)
17
+ - [Options](#options)
18
+ - [CI & Scripting](#ci--scripting)
19
+ - [GitHub Action — one rolling upgrade PR](#github-action--one-rolling-upgrade-pr)
20
+ - [Keyboard Shortcuts](#keyboard-shortcuts)
21
+ - [Privacy](#privacy)
22
+ - [License](#license)
23
+
13
24
  ## Quick Start
14
25
 
15
26
  ```bash
@@ -25,19 +36,18 @@ yarn global add inup
25
36
  bun add -g inup
26
37
  ```
27
38
 
28
- Run `inup` in any project — it scans for outdated packages and lets you pick what to upgrade.
39
+ Run `inup` in any project — it scans for outdated dependencies and lets you pick what to upgrade.
29
40
 
30
41
  ## Why inup?
31
42
 
32
- - **All Dependencies at Once** — Dev, peer, and optional dependencies load automatically. No more re-running with `--peer` or `--dev` flags.
33
- - **Live Toggles** — Filter dependency types (`d`, `p`, `o`) on the fly without restarting.
34
- - **Zero Config** — Auto-detects npm, yarn, pnpm, or bun from your lockfile.
35
- - **Monorepo Ready** — Discovers and upgrades across workspaces seamlessly.
36
- - **Vulnerability Audit** — Flags known security vulnerabilities right in the package list so you know what's risky before upgrading.
37
- - **Changelog Viewer** — Read release notes and changelogs inline without leaving the terminal.
38
- - **Built-in Search** — Press `/` to filter packages instantly.
39
- - **Package Details** — Press `i` to view package info, download stats, and more.
40
- - **Themes** — Press `t` to switch between color themes.
43
+ - **All Dependencies at Once** — dev, peer, and optional dependencies load automatically. No more re-running with `--peer` or `--dev` flags.
44
+ - **Live Toggles** — filter dependency types (`d`, `p`, `o`) on the fly without restarting.
45
+ - **Zero Config** — auto-detects npm, yarn, pnpm, or bun from your lockfile.
46
+ - **Monorepo & Workspaces Ready** — discovers and upgrades dependencies across every workspace in one pass.
47
+ - **Vulnerability Audit** — flags known security vulnerabilities right in the package list, so you know what's risky before you upgrade.
48
+ - **Changelog Viewer** — read release notes and changelogs inline without leaving the terminal.
49
+ - **Built-in Search** — press `/` to filter packages instantly.
50
+ - **Package Details** — press `i` to view package info, download stats, and more.
41
51
 
42
52
  ## Options
43
53
 
@@ -58,6 +68,9 @@ inup [options]
58
68
 
59
69
  ## CI & Scripting
60
70
 
71
+ Run inup non-interactively to gate builds on outdated or vulnerable dependencies, generate a
72
+ machine-readable dependency report, or auto-apply safe upgrades in CI/CD.
73
+
61
74
  `inup` runs headless automatically when stdout isn't a TTY or `$CI` is set, so it never hangs in a
62
75
  pipeline waiting on the interactive UI. Both `--json` and `--check` are **read-only** — they report,
63
76
  they never edit `package.json` or install.
@@ -70,6 +83,9 @@ inup --apply # write safe in-range bumps + install (non-interact
70
83
  inup --apply --target latest # include major bumps; --json to also emit the report
71
84
  ```
72
85
 
86
+ <details>
87
+ <summary><strong>Details: <code>--apply</code>, JSON schema, and vulnerability cross-referencing</strong></summary>
88
+
73
89
  Unlike `--json` and `--check`, **`--apply` writes**: it bumps `package.json` and runs your package
74
90
  manager's install to update the lockfile. By default (`--target minor`) it only applies **in-range**
75
91
  updates and leaves majors for you to review; `--target latest` includes majors. It honors `.inuprc`
@@ -91,10 +107,12 @@ agents can pin to a known shape.
91
107
  Output hygiene: with `--json`, stdout carries **only** the JSON document; all progress and warnings go
92
108
  to stderr. Exit codes: `0` up to date, `1` updates exist (`--check`), `2` error.
93
109
 
110
+ </details>
111
+
94
112
  ## GitHub Action — one rolling upgrade PR
95
113
 
96
- Run inup on a schedule and get **one rolling pull request** with safe upgrades applied. Re-runs update
97
- the same PR instead of opening new ones.
114
+ Automate dependency upgrades for your GitHub repo: run inup on a schedule and get **one rolling pull
115
+ request** with safe upgrades applied. Re-runs update the same PR instead of opening new ones.
98
116
 
99
117
  Add this workflow to **your** repo:
100
118
 
@@ -103,7 +121,7 @@ Add this workflow to **your** repo:
103
121
  name: inup
104
122
  on:
105
123
  schedule:
106
- - cron: '0 6 * * *' # daily at 06:00 UTC
124
+ - cron: '17 5 * * *' # daily around 05:17 UTC
107
125
  workflow_dispatch: {}
108
126
 
109
127
  permissions:
@@ -123,6 +141,40 @@ jobs:
123
141
  That's it. Also enable Settings → Actions → General → **Workflow permissions** →
124
142
  **"Allow GitHub Actions to create and approve pull requests"** so the action can open the PR.
125
143
 
144
+ Scheduled workflows are not real-time timers. [GitHub documents](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#schedule)
145
+ that `schedule` runs can be delayed during busy periods; the start of each hour is especially busy,
146
+ and very high load can even drop queued scheduled runs. If you want upgrades ready by a specific time,
147
+ schedule inup earlier than you need it and avoid `:00` cron minutes. Otherwise, let the scheduled run
148
+ arrive when GitHub starts it; the action will still update the same rolling PR when it runs.
149
+
150
+ ### What the action creates
151
+
152
+ When inup finds applicable upgrades, the workflow commits the changed manifest/lockfile and opens or
153
+ updates one pull request. The PR body looks like this:
154
+
155
+ ```md
156
+ ## 📦 Dependency upgrades
157
+
158
+ Scanned **18** packages — **3** unique upgrade(s) (1 with a major available, 1 with known vulnerabilities).
159
+
160
+ ### ✅ Applied in this PR
161
+
162
+ - `eslint` `^9.28.0` → `^9.30.1` (devDependencies)
163
+ - `undici` `^7.10.0` → `^7.11.0` (dependencies)
164
+ - `vite` `^6.3.0` → `^6.3.5` (devDependencies)
165
+
166
+ ### Updates
167
+
168
+ | Package | Current | → In-range | Latest | Type | Applied | Major? | Security |
169
+ |---|---|---|---|---|---|---|---|
170
+ | `eslint` | ^9.28.0 | ^9.30.1 | 9.30.1 | devDependencies | ✅ | — | — |
171
+ | `undici` | ^7.10.0 | ^7.11.0 | 7.11.0 | dependencies | ✅ | — | 🟢 fixed by in-range bump |
172
+ | `vite` | ^6.3.0 | ^6.3.5 | 7.0.0 | devDependencies | ✅ | ⚠️ yes | — |
173
+ ```
174
+
175
+ <details>
176
+ <summary><strong>Details: commit attribution, all inputs, and outputs</strong></summary>
177
+
126
178
  ### Commit as you, not the bot
127
179
 
128
180
  By default the upgrade commit is authored by `github-actions[bot]`. To attribute it to **you**, store
@@ -158,6 +210,8 @@ Outputs: `outdated`, `vulnerable`, `pull-request-number`.
158
210
  > `@v1` floats to the latest `1.x` release; pin to `@v1.6.2` or a SHA for reproducible runs. inup
159
211
  > honors your `.inuprc` (`ignore`, `exclude`, `scanDirs`).
160
212
 
213
+ </details>
214
+
161
215
  ## Keyboard Shortcuts
162
216
 
163
217
  <!-- KEYS:START -->
@@ -189,7 +243,7 @@ Outputs: `outdated`, `vulnerable`, `pull-request-number`.
189
243
 
190
244
  ## Privacy
191
245
 
192
- No tracking, no telemetry, no data collection. Package metadata is fetched directly from the npm registry. Download counts come from the npm downloads API. Changelog and release notes are fetched from GitHub.
246
+ No tracking, no telemetry, no data collection. Package metadata is fetched directly from the npm registry, download counts from the npm downloads API, and changelogs/release notes from GitHub.
193
247
 
194
248
  ## License
195
249
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "inup",
3
- "version": "1.6.4",
3
+ "version": "1.6.5",
4
4
  "description": "Interactive dependency upgrader for npm, yarn, pnpm & bun. Zero-config, monorepo-ready. Upgrade-interactive for every package manager.",
5
5
  "main": "dist/index.js",
6
6
  "bin": {
@@ -45,10 +45,10 @@
45
45
  "devDependencies": {
46
46
  "@types/node": "^25.9.4",
47
47
  "@types/semver": "^7.7.1",
48
- "@vitest/coverage-v8": "^4.1.7",
48
+ "@vitest/coverage-v8": "^4.1.9",
49
49
  "prettier": "^3.9.4",
50
50
  "typescript": "^6.0.3",
51
- "vitest": "^4.1.7"
51
+ "vitest": "^4.1.9"
52
52
  },
53
53
  "dependencies": {
54
54
  "chalk": "^5.6.2",