npm-check-updates 18.1.1 → 18.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +70 -0
- package/build/index.d.ts +2 -0
- package/build/index.js +261 -208
- package/build/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -201,6 +201,10 @@ Options that take no arguments can be negated by prefixing them with `--no-`, e.
|
|
|
201
201
|
<td>--configFilePath <path></td>
|
|
202
202
|
<td>Directory of .ncurc config file. (default: directory of <code>packageFile</code>)</td>
|
|
203
203
|
</tr>
|
|
204
|
+
<tr>
|
|
205
|
+
<td><a href="#cooldown">-c, --cooldown <n></a></td>
|
|
206
|
+
<td>Sets a minimum age (in days) for package versions to be considered for upgrade, reducing the risk of installing newly published, potentially compromised packages.</td>
|
|
207
|
+
</tr>
|
|
204
208
|
<tr>
|
|
205
209
|
<td>--cwd <path></td>
|
|
206
210
|
<td>Working directory in which npm will be executed.</td>
|
|
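Review bot: the added row writes the option as `-c, --cooldown <n>`, a required argument, while the Usage text added further down in this README shows `ncu --cooldown [n]` and `ncu -c [n]`, an optional one. Pick one notation, and if `n` really is optional, say in this cell what happens when it is omitted. The cell also gives no default, unlike the `--configFilePath` row directly above it, so a reader cannot tell from the table whether any cooldown applies when the flag is not passed.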
@@ -390,6 +394,72 @@ Run `ncu --help [OPTION]` to view advanced help for a specific option, or see be
|
|
|
390
394
|
<!-- BEGIN Advanced Options -->
|
|
391
395
|
<!-- Do not edit this section by hand. It is auto-generated in build-options.ts. Run "npm run build" or "npm run build:options" to build. -->
|
|
392
396
|
|
|
397
|
+
## cooldown
|
|
398
|
+
|
|
399
|
+
Usage:
|
|
400
|
+
|
|
401
|
+
ncu --cooldown [n]
|
|
402
|
+
ncu -c [n]
|
|
403
|
+
|
|
404
|
+
The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.
|
|
405
|
+
|
|
406
|
+
Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.
|
|
407
|
+
|
|
408
|
+
Example:
|
|
409
|
+
|
|
410
|
+
Let's examine how cooldown works with a package that has these versions available:
|
|
411
|
+
|
|
412
|
+
1.0.0 Released 7 days ago (initial version)
|
|
413
|
+
1.1.0 Released 6 days ago (minor update)
|
|
414
|
+
1.1.1 Released 5 days ago (patch update)
|
|
415
|
+
1.2.0 Released 5 days ago (minor update)
|
|
416
|
+
2.0.0-beta.1 Released 5 days ago (beta release)
|
|
417
|
+
1.2.1 Released 4 days ago (patch update)
|
|
418
|
+
1.3.0 Released 4 days ago (minor update) [latest]
|
|
419
|
+
2.0.0-beta.2 Released 3 days ago (beta release)
|
|
420
|
+
2.0.0-beta.3 Released 2 days ago (beta release) [beta]
|
|
421
|
+
|
|
422
|
+
With default target (latest):
|
|
423
|
+
|
|
424
|
+
```js
|
|
425
|
+
$ ncu --cooldown 5
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
No update will be suggested because:
|
|
429
|
+
|
|
430
|
+
- Latest version (1.3.0) is only 4 days old.
|
|
431
|
+
- Cooldown requires versions to be at least 5 days old
|
|
432
|
+
- Use `--cooldown 4` or lower to allow this update
|
|
433
|
+
|
|
434
|
+
With `@beta`/`@tag` target:
|
|
435
|
+
|
|
436
|
+
```js
|
|
437
|
+
$ ncu --cooldown 3 --target @beta
|
|
438
|
+
```
|
|
439
|
+
|
|
440
|
+
No update will be suggested because:
|
|
441
|
+
|
|
442
|
+
- Current beta (2.0.0-beta.3) is only 2 days old
|
|
443
|
+
- Cooldown requires versions to be at least 3 days old
|
|
444
|
+
- Use `--cooldown 2` or lower to allow this update
|
|
445
|
+
|
|
446
|
+
With other targets:
|
|
447
|
+
|
|
448
|
+
```js
|
|
449
|
+
$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver
|
|
450
|
+
```
|
|
451
|
+
|
|
452
|
+
Each target will select the best version that is at least 5 days old:
|
|
453
|
+
|
|
454
|
+
greatest → 1.2.0 (highest version number outside cooldown)
|
|
455
|
+
newest → 2.0.0-beta.1 (most recently published version outside cooldown)
|
|
456
|
+
minor → 1.2.0 (highest minor version outside cooldown)
|
|
457
|
+
patch → 1.1.1 (highest patch version outside cooldown)
|
|
458
|
+
|
|
459
|
+
Note for latest/tag targets:
|
|
460
|
+
|
|
461
|
+
> :warning: For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default `--target latest` or `--target @tag` may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.
|
|
462
|
+
|
|
393
463
|
## doctor
|
|
394
464
|
|
|
395
465
|
Usage:
|
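Review bot: in the "With other targets" example the command lists `greatest|newest|minor|patch|semver`, but the result list covers only greatest, newest, minor and patch, and the installed version is never stated, so the reader cannot check `minor → 1.2.0` or `patch → 1.1.1`. Add the `semver` result (or drop it from the command) and state the installed version the example assumes. Three versions are listed as "Released 5 days ago", so `newest → 2.0.0-beta.1` also depends on an ordering the version list does not show; giving them distinct ages would remove the ambiguity. The three command blocks are fenced as `js` although they hold shell lines, and `--target greatest|newest|minor|patch|semver` pasted as written is parsed by a shell as a pipeline; an `sh` fence with one concrete target per line avoids both. The section is marked as auto-generated from build-options.ts, so the changes belong there rather than in the README.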
package/build/index.d.ts
CHANGED
|
@@ -86,6 +86,8 @@ export declare interface RunOptions {
|
|
|
86
86
|
configFileName?: string;
|
|
87
87
|
/** Directory of .ncurc config file. (default: directory of `packageFile`) */
|
|
88
88
|
configFilePath?: string;
|
|
89
|
+
/** Sets a minimum age (in days) for package versions to be considered for upgrade, reducing the risk of installing newly published, potentially compromised packages. Run "ncu --help --cooldown" for details. */
|
|
90
|
+
cooldown?: number;
|
|
89
91
|
/** Working directory in which npm will be executed. */
|
|
90
92
|
cwd?: string;
|
|
91
93
|
/** Run recursively in current working directory. Alias of (`--packageFile '**\/package.json'`). */
|
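Review bot: `cooldown?: number;` accepts any number, and the doc comment above it does not say whether zero, negative or fractional values are valid, or what leaving the property undefined means. State the accepted range and the meaning of an omitted value in the comment, and validate the value where the option is parsed, so that an out-of-range value on a control meant to reduce supply chain risk fails loudly instead of being accepted silently.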