Prioritize npm package updates by importance and risk. See which outdated packages matter and which are safe to update.

```bash
npm install package-outdated-why
```

`npm outdated` shows 50 packages. Which ones MATTER?

The only tool that combines outdated packages + security vulnerabilities + breaking change context + dependency freshness into one prioritized view.


---
- Libyear Metrics - Track how "stale" your dependencies are (inspired by libyear.com)
- Unused Detection - Find dependencies you're not actually using
- Health Check - Identify deprecated and unmaintained packages
- Full Analysis - Run all checks at once with the `full` command
---
You run `npm outdated` and get this:
```
Package  Current  Wanted   Latest
lodash   4.17.20  4.17.21  4.17.21
react    17.0.2   17.0.2   18.2.0
axios    1.6.0    1.6.7    1.6.7
eslint   8.56.0   8.57.0   9.0.0
... 45 more packages 😱
```
Now what?
- Which ones have security issues?
- Which ones will break my code?
- Which ones are safe to update?
- How old are my dependencies?
- Am I using all of them?
---
```bash
npx package-outdated-why
```
```
╭───────────────────────────────────────────╮
│  📦 package-outdated-why                  │
│  Know which updates actually matter       │
│                                           │
│  Security Score: 65/100                   │
│  Freshness Score: 72/100                  │
╰───────────────────────────────────────────╯

Summary:
  Total outdated: 50
  🔴 Critical: 2  🟡 Important: 8  🟢 Safe: 35  ⏭️ Skip: 5

📅 Dependency Freshness:
  Total drift: 3.2 libyears
  Most outdated: lodash (1.5 years)

🔴 CRITICAL - Update immediately:
  • lodash: 4.17.20 → 4.17.21 [EASY]
    Security vulnerability (high): Prototype Pollution
    ⚠️ [HIGH] CVE-2021-23337

🟡 IMPORTANT - Review before updating:
  • react: 17.0.2 → 18.2.0 [MEDIUM]
    Major update: Concurrent rendering, automatic batching
    Migration guide: https://react.dev/blog/2022/03/29/react-v18
```
---
| Tool | Outdated | Security | Breaking Changes | Libyear | Unused | Health |
|------|----------|----------|------------------|---------|--------|--------|
| npm outdated | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| npm audit | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| npm-check-updates | ✅ | ❌ | Color only | ❌ | ❌ | ❌ |
| npm-check | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| libyear | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| depcheck | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
| package-outdated-why | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |

We're the only tool that combines everything into one command.
---
No installation needed! Use with npx:
```bash
npx package-outdated-why
```
Or install globally:
```bash
npm install -g package-outdated-why
```
---
Full analysis with prioritized updates:
```bash
# Run analysis
npx package-outdated-why
```
Measure dependency freshness:
```bash
npx package-outdated-why libyear
```
```
📅 Dependency Freshness (Libyear Metrics)

Total drift: 3.2 libyears
Average age: 0.15 years per dependency
Most outdated: lodash (1.5 years)

Version breakdown:
  Major: 5 behind
  Minor: 12 behind
  Patch: 8 behind

Freshness Score: 72/100
```
Find unused dependencies:
```bash
npx package-outdated-why unused
```
```
Dependency Analysis

⚠️ Potentially unused (3):
  • lodash
  • moment
  • underscore

📦 Dev packages in dependencies:
  • @types/node → move to devDependencies
```
Check package health:
```bash
npx package-outdated-why health
```
```
🏥 Package Health Check

❌ Deprecated packages (1):
  • request - find alternative!

🔴 Unmaintained (2+ years) (2):
  • moment
  • node-uuid

✅ 45 packages are healthy!
```
Run all checks at once:
```bash
npx package-outdated-why full

# Save comprehensive report
npx package-outdated-why full -o full-report.md
```
Just the numbers:
```bash
npx package-outdated-why quick
```
```
Quick Summary:

Security Score: 65/100

🔴 Critical: 2
🟡 Important: 8
🟢 Safe: 35
⏭️ Skip: 5
Total: 50

🚨 Fix 2 critical vulnerabilities immediately!
Effort: ~4 hours
```
Get commands in order of priority:
```bash
npx package-outdated-why fix
```
Deep dive into a specific package:
```bash
npx package-outdated-why why react
```
---
Programmatic Usage
```typescript
import {
  analyzePackages,
  calculateLibyearMetrics,
  detectUnused,
  getHealthSummary
} from 'package-outdated-why';

// Full analysis
const result = analyzePackages();
console.log(`Security Score: ${result.securityScore}/100`);
console.log(`Critical: ${result.critical.length}`);

// Libyear metrics
// `outdated` is the outdated-package data; this snippet does not show where it comes from.
const libyear = calculateLibyearMetrics(outdated);
console.log(`Total drift: ${libyear.totalLibyears} libyears`);
console.log(`Freshness: ${libyear.freshnessScore}/100`);

// Unused detection
const unused = detectUnused();
console.log(`Unused: ${unused.unused.join(', ')}`);

// Health check
// `packageNames` is the list of package names to check; it is not defined in this snippet.
const health = getHealthSummary(packageNames);
console.log(`Deprecated: ${health.deprecated.join(', ')}`);
```
---
CI/CD Integration
```yaml
- name: Check dependencies
  run: npx package-outdated-why --ci

- name: Generate full report
  run: npx package-outdated-why full -o deps-report.md

- name: Upload report
  # v3 of upload-artifact is deprecated and no longer runs on github.com; use v4
  uses: actions/upload-artifact@v4
  with:
    name: dependency-report
    path: deps-report.md
```
---
How It Works

Security vulnerabilities from npm audit

Breaking changes with migration guides for 40+ packages

Backward-compatible patch/minor updates

Dev dependencies with low risk

- Total drift: Sum of years each package is behind
- Freshness Score: 0-100 (100 = all current)
- Pulse: Days since latest update available

---
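How the priority buckets and the libyear total from "How It Works" fit together, as an added example (not the tool's own code). It assumes the four descriptions map, in order, to Critical, Important, Safe and Skip from the summary output; the rule precedence, the `type`, `currentReleased` and `latestReleased` fields and all release dates are constructed for illustration, and it goes slightly further than the page by treating a minor bump on a 0.x version as breaking.

```javascript
// Constructed sample input. Versions are the ones in the page's `npm outdated`
// listing; dependency types and release dates are invented for illustration.
const OUTDATED = {
  lodash: { current: '4.17.20', latest: '4.17.21', type: 'dependencies',
            currentReleased: '2020-08-01', latestReleased: '2021-02-01' },
  react: { current: '17.0.2', latest: '18.2.0', type: 'dependencies',
           currentReleased: '2021-03-01', latestReleased: '2022-06-01' },
  axios: { current: '1.6.0', latest: '1.6.7', type: 'dependencies',
           currentReleased: '2023-10-01', latestReleased: '2024-01-01' },
  eslint: { current: '8.56.0', latest: '9.0.0', type: 'devDependencies',
            currentReleased: '2023-12-01', latestReleased: '2024-04-01' },
};
// Names with an open advisory, standing in for `npm audit` results (constructed).
const ADVISORIES = new Set(['lodash']);

const MS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1000;

// Libyear drift of one package: years between the installed and latest release.
function drift(pkg) {
  const ms = Date.parse(pkg.latestReleased) - Date.parse(pkg.currentReleased);
  return Math.max(0, ms / MS_PER_YEAR);
}

// Semver: a major bump is breaking, and so is a minor bump while major is 0.
function isBreaking(current, latest) {
  const [cMaj, cMin] = current.split('.').map((n) => Number.parseInt(n, 10));
  const [lMaj, lMin] = latest.split('.').map((n) => Number.parseInt(n, 10));
  return lMaj > cMaj || (lMaj === 0 && cMaj === 0 && lMin > cMin);
}

// Assumed precedence: advisory, then dev dependency, then breaking change.
function classify(name, pkg, advisories) {
  if (advisories.has(name)) return 'critical';
  if (pkg.type === 'devDependencies') return 'skip';
  return isBreaking(pkg.current, pkg.latest) ? 'important' : 'safe';
}

function prioritize(outdated, advisories) {
  const report = { critical: [], important: [], safe: [], skip: [] };
  let total = 0;
  for (const [name, pkg] of Object.entries(outdated)) {
    report[classify(name, pkg, advisories)].push(name);
    total += drift(pkg);
  }
  return { ...report, totalLibyears: Number(total.toFixed(2)) };
}

console.log(prioritize(OUTDATED, ADVISORIES));
```

Checking the advisory first means a dev dependency with a known vulnerability is still reported as critical instead of being skipped.

---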
Changelog
- Added `libyear` command for dependency freshness metrics
- Added `unused` command to detect unused dependencies
- Added `health` command to check for deprecated/unmaintained packages
- Added `full` command to run all analyses

---
Migration guides and effort estimates for 40+ popular packages:
| Category | Packages |
|----------|----------|
| Frontend | React, Vue, Angular, Svelte, Next.js |
| Build | TypeScript, Webpack, Vite, esbuild |
| Testing | ESLint, Jest, Vitest, Playwright |
| Backend | Express, Fastify, Hono |
| Database | Mongoose, Prisma, Sequelize, TypeORM |
| UI | Tailwind CSS, MUI, Chakra UI |
---
100% free and open source.
If it saved you time, consider:
Buy Me a Coffee
---
MIT
---
Contributions welcome! GitHub
PRs especially welcome for:
- Adding migration guides for more packages
- Improving effort estimates
- Better security advisory detection
- Unused detection improvements
---
Stop guessing. Know which updates actually matter.