inup 1.6.4 → 1.6.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +69 -15
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -6,10 +6,21 @@
|
|
|
6
6
|
[](https://github.com/donfear/inup/actions/workflows/ci.yml)
|
|
7
7
|
[](https://github.com/donfear/inup/blob/main/LICENSE)
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
**inup** is an interactive CLI for upgrading outdated npm dependencies — npm, yarn, pnpm, and bun all supported. It auto-detects your package manager, works in monorepos and workspaces, and requires zero configuration.
|
|
10
10
|
|
|
11
11
|

|
|
12
12
|
|
|
13
|
+
## Table of Contents
|
|
14
|
+
|
|
15
|
+
- [Quick Start](#quick-start)
|
|
16
|
+
- [Why inup?](#why-inup)
|
|
17
|
+
- [Options](#options)
|
|
18
|
+
- [CI & Scripting](#ci--scripting)
|
|
19
|
+
- [GitHub Action — one rolling upgrade PR](#github-action--one-rolling-upgrade-pr)
|
|
20
|
+
- [Keyboard Shortcuts](#keyboard-shortcuts)
|
|
21
|
+
- [Privacy](#privacy)
|
|
22
|
+
- [License](#license)
|
|
23
|
+
|
|
13
24
|
## Quick Start
|
|
14
25
|
|
|
15
26
|
```bash
|
|
@@ -25,19 +36,18 @@ yarn global add inup
|
|
|
25
36
|
bun add -g inup
|
|
26
37
|
```
|
|
27
38
|
|
|
28
|
-
Run `inup` in any project — it scans for outdated
|
|
39
|
+
Run `inup` in any project — it scans for outdated dependencies and lets you pick what to upgrade.
|
|
29
40
|
|
|
30
41
|
## Why inup?
|
|
31
42
|
|
|
32
|
-
- **All Dependencies at Once** —
|
|
33
|
-
- **Live Toggles** —
|
|
34
|
-
- **Zero Config** —
|
|
35
|
-
- **Monorepo Ready** —
|
|
36
|
-
- **Vulnerability Audit** —
|
|
37
|
-
- **Changelog Viewer** —
|
|
38
|
-
- **Built-in Search** —
|
|
39
|
-
- **Package Details** —
|
|
40
|
-
- **Themes** — Press `t` to switch between color themes.
|
|
43
|
+
- **All Dependencies at Once** — dev, peer, and optional dependencies load automatically. No more re-running with `--peer` or `--dev` flags.
|
|
44
|
+
- **Live Toggles** — filter dependency types (`d`, `p`, `o`) on the fly without restarting.
|
|
45
|
+
- **Zero Config** — auto-detects npm, yarn, pnpm, or bun from your lockfile.
|
|
46
|
+
- **Monorepo & Workspaces Ready** — discovers and upgrades dependencies across every workspace in one pass.
|
|
47
|
+
- **Vulnerability Audit** — flags known security vulnerabilities right in the package list, so you know what's risky before you upgrade.
|
|
48
|
+
- **Changelog Viewer** — read release notes and changelogs inline without leaving the terminal.
|
|
49
|
+
- **Built-in Search** — press `/` to filter packages instantly.
|
|
50
|
+
- **Package Details** — press `i` to view package info, download stats, and more.
|
|
41
51
|
|
|
42
52
|
## Options
|
|
43
53
|
|
|
@@ -58,6 +68,9 @@ inup [options]
|
|
|
58
68
|
|
|
59
69
|
## CI & Scripting
|
|
60
70
|
|
|
71
|
+
Run inup non-interactively to gate builds on outdated or vulnerable dependencies, generate a
|
|
72
|
+
machine-readable dependency report, or auto-apply safe upgrades in CI/CD.
|
|
73
|
+
|
|
61
74
|
`inup` runs headless automatically when stdout isn't a TTY or `$CI` is set, so it never hangs in a
|
|
62
75
|
pipeline waiting on the interactive UI. Both `--json` and `--check` are **read-only** — they report,
|
|
63
76
|
they never edit `package.json` or install.
|
|
@@ -70,6 +83,9 @@ inup --apply # write safe in-range bumps + install (non-interact
|
|
|
70
83
|
inup --apply --target latest # include major bumps; --json to also emit the report
|
|
71
84
|
```
|
|
72
85
|
|
|
86
|
+
<details>
|
|
87
|
+
<summary><strong>Details: <code>--apply</code>, JSON schema, and vulnerability cross-referencing</strong></summary>
|
|
88
|
+
|
|
73
89
|
Unlike `--json` and `--check`, **`--apply` writes**: it bumps `package.json` and runs your package
|
|
74
90
|
manager's install to update the lockfile. By default (`--target minor`) it only applies **in-range**
|
|
75
91
|
updates and leaves majors for you to review; `--target latest` includes majors. It honors `.inuprc`
|
|
@@ -91,10 +107,12 @@ agents can pin to a known shape.
|
|
|
91
107
|
Output hygiene: with `--json`, stdout carries **only** the JSON document; all progress and warnings go
|
|
92
108
|
to stderr. Exit codes: `0` up to date, `1` updates exist (`--check`), `2` error.
|
|
93
109
|
|
|
110
|
+
</details>
|
|
111
|
+
|
|
94
112
|
## GitHub Action — one rolling upgrade PR
|
|
95
113
|
|
|
96
|
-
|
|
97
|
-
the same PR instead of opening new ones.
|
|
114
|
+
Automate dependency upgrades for your GitHub repo: run inup on a schedule and get **one rolling pull
|
|
115
|
+
request** with safe upgrades applied. Re-runs update the same PR instead of opening new ones.
|
|
98
116
|
|
|
99
117
|
Add this workflow to **your** repo:
|
|
100
118
|
|
|
@@ -103,7 +121,7 @@ Add this workflow to **your** repo:
|
|
|
103
121
|
name: inup
|
|
104
122
|
on:
|
|
105
123
|
schedule:
|
|
106
|
-
- cron: '
|
|
124
|
+
- cron: '17 5 * * *' # daily around 05:17 UTC
|
|
107
125
|
workflow_dispatch: {}
|
|
108
126
|
|
|
109
127
|
permissions:
|
|
@@ -123,6 +141,40 @@ jobs:
|
|
|
123
141
|
That's it. Also enable Settings → Actions → General → **Workflow permissions** →
|
|
124
142
|
**"Allow GitHub Actions to create and approve pull requests"** so the action can open the PR.
|
|
125
143
|
|
|
144
|
+
Scheduled workflows are not real-time timers. [GitHub documents](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#schedule)
|
|
145
|
+
that `schedule` runs can be delayed during busy periods; the start of each hour is especially busy,
|
|
146
|
+
and very high load can even drop queued scheduled runs. If you want upgrades ready by a specific time,
|
|
147
|
+
schedule inup earlier than you need it and avoid `:00` cron minutes. Otherwise, let the scheduled run
|
|
148
|
+
arrive when GitHub starts it; the action will still update the same rolling PR when it runs.
|
|
149
|
+
|
|
150
|
+
### What the action creates
|
|
151
|
+
|
|
152
|
+
When inup finds applicable upgrades, the workflow commits the changed manifest/lockfile and opens or
|
|
153
|
+
updates one pull request. The PR body looks like this:
|
|
154
|
+
|
|
155
|
+
```md
|
|
156
|
+
## 📦 Dependency upgrades
|
|
157
|
+
|
|
158
|
+
Scanned **18** packages — **3** unique upgrade(s) (1 with a major available, 1 with known vulnerabilities).
|
|
159
|
+
|
|
160
|
+
### ✅ Applied in this PR
|
|
161
|
+
|
|
162
|
+
- `eslint` `^9.28.0` → `^9.30.1` (devDependencies)
|
|
163
|
+
- `undici` `^7.10.0` → `^7.11.0` (dependencies)
|
|
164
|
+
- `vite` `^6.3.0` → `^6.3.5` (devDependencies)
|
|
165
|
+
|
|
166
|
+
### Updates
|
|
167
|
+
|
|
168
|
+
| Package | Current | → In-range | Latest | Type | Applied | Major? | Security |
|
|
169
|
+
|---|---|---|---|---|---|---|---|
|
|
170
|
+
| `eslint` | ^9.28.0 | ^9.30.1 | 9.30.1 | devDependencies | ✅ | — | — |
|
|
171
|
+
| `undici` | ^7.10.0 | ^7.11.0 | 7.11.0 | dependencies | ✅ | — | 🟢 fixed by in-range bump |
|
|
172
|
+
| `vite` | ^6.3.0 | ^6.3.5 | 7.0.0 | devDependencies | ✅ | ⚠️ yes | — |
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
<details>
|
|
176
|
+
<summary><strong>Details: commit attribution, all inputs, and outputs</strong></summary>
|
|
177
|
+
|
|
126
178
|
### Commit as you, not the bot
|
|
127
179
|
|
|
128
180
|
By default the upgrade commit is authored by `github-actions[bot]`. To attribute it to **you**, store
|
|
@@ -158,6 +210,8 @@ Outputs: `outdated`, `vulnerable`, `pull-request-number`.
|
|
|
158
210
|
> `@v1` floats to the latest `1.x` release; pin to `@v1.6.2` or a SHA for reproducible runs. inup
|
|
159
211
|
> honors your `.inuprc` (`ignore`, `exclude`, `scanDirs`).
|
|
160
212
|
|
|
213
|
+
</details>
|
|
214
|
+
|
|
161
215
|
## Keyboard Shortcuts
|
|
162
216
|
|
|
163
217
|
<!-- KEYS:START -->
|
|
@@ -189,7 +243,7 @@ Outputs: `outdated`, `vulnerable`, `pull-request-number`.
|
|
|
189
243
|
|
|
190
244
|
## Privacy
|
|
191
245
|
|
|
192
|
-
No tracking, no telemetry, no data collection. Package metadata is fetched directly from the npm registry
|
|
246
|
+
No tracking, no telemetry, no data collection. Package metadata is fetched directly from the npm registry, download counts from the npm downloads API, and changelogs/release notes from GitHub.
|
|
193
247
|
|
|
194
248
|
## License
|
|
195
249
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "inup",
|
|
3
|
-
"version": "1.6.
|
|
3
|
+
"version": "1.6.6",
|
|
4
4
|
"description": "Interactive dependency upgrader for npm, yarn, pnpm & bun. Zero-config, monorepo-ready. Upgrade-interactive for every package manager.",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"bin": {
|
|
@@ -45,10 +45,10 @@
|
|
|
45
45
|
"devDependencies": {
|
|
46
46
|
"@types/node": "^25.9.4",
|
|
47
47
|
"@types/semver": "^7.7.1",
|
|
48
|
-
"@vitest/coverage-v8": "^4.1.
|
|
48
|
+
"@vitest/coverage-v8": "^4.1.9",
|
|
49
49
|
"prettier": "^3.9.4",
|
|
50
50
|
"typescript": "^6.0.3",
|
|
51
|
-
"vitest": "^4.1.
|
|
51
|
+
"vitest": "^4.1.9"
|
|
52
52
|
},
|
|
53
53
|
"dependencies": {
|
|
54
54
|
"chalk": "^5.6.2",
|