ignores dependency range

[tcurdt]

• I have searched for similar issues
• I am using the latest version of npm-check-updates (16.3.7)
• I am using node >= 14.14

I don't quite understand why this gets reported as available update given the dep range defined.

This seems related to #1054

---

Steps to Reproduce

Dependencies:

"dependencies": {
    "bootstrap": "4.6.2 <5",
}

Steps:

Current Behavior

$ npx npm-check-updates          
Checking ..../package.json
[====================] 65/65 100%

 bootstrap                      4.6.2 <5  →              ^5

Expected Behavior

$ npx npm-check-updates          
Checking ..../package.json
[====================] 65/65 100%

[raineorshine]

The main purpose of npm-check-updates is to break existing version ranges.

npm-check-updates upgrades your package.json dependencies to the latest versions, ignoring specified versions.

Depending on your use case, you have a couple options:

• If you would like to upgrade packages while respecting version ranges, use npm update.
• If you would like to exclude specific packages, use ncu --reject X or add reject: 'X' to your .ncurc.

There have been requests to have npm-check-updates respect version ranges in order to allow more fine-grained control and and automation than npm update provides. While this goes beyond npm-check-updates' original purpose, I believe it is highly congruent and would be a worthy feature. This is being tracked in #1054 as you found out. It is not being worked on currently, but PR's are always welcome.

[tcurdt]

We use it a bit like a dependabot/renovate replacement.
So maybe that's a slightly different use case.

We worked around this for now.
But having proper support for ranges would be super cool.

But let's close this in favour for #1054

[raineorshine]

Initial support for --target semver added and published in v16.11.0. However, I think it will still clobber explicit version ranges.

@tcurdt What is the expected behavior, that explicit version ranges like 4.6.2 < 5 are ignored completely by ncu --target semver?

[tcurdt]

Well, the initial expectation I had was that for 4.6.2 < 5 it would not suggest updates >= 5.

But I guess a good solution could be to print some kind of indicator in the sense of "halted but new version 5.1 is available".
That could be the default behaviour which would be very close to the original behaviour.
If there is any update or warning I would expect an exit code of 1+.

And then have a cli option to turn off these kind of warnings.
If the warning gets disabled I would expect an exit code of 0 (unless there are other updates available).

That should make it pretty easy to use in CI environments.

Does that make sense?

[raineorshine]

Thanks, that's useful. It probably won't have warnings, as npm-check-updates aims for a less verbose output by default, but you will still able able to use some combination of --target semver and --errorLevel 2 to get the exit code behavior you want.

[tcurdt]

It probably won't have warnings, as npm-check-updates aims for a less verbose output by default

I meant just an short indicator of course (hence the "in the sense of") but with the other options in place that would just be the icing on the cake 🙂