node>= 20 required
--workspaces (plural) short option-ws changed to-w
- Better compatibility with commanderv13
- Short option should always be a single character for consistency
- Replaces the short option for--workspace (singular)
- --workspace (singular) no longer has a short option.

`v18.2.0`

Compare Source

Thanks to community members for raising awareness and to@SebastianSedzik for the implementation.

See:#1547

Feature:`--cooldown`

Usage:

ncu --cooldown [n]ncu -c [n]

The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.

Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.

Example:

Let's examine how cooldown works with a package that has these versions available:

1.0.0          Released 7 days ago    (initial version)1.1.0          Released 6 days ago    (minor update)1.1.1          Released 5 days ago    (patch update)1.2.0          Released 5 days ago    (minor update)2.0.0-beta.1   Released 5 days ago    (beta release)1.2.1          Released 4 days ago    (patch update)1.3.0          Released 4 days ago    (minor update) [latest]2.0.0-beta.2   Released 3 days ago    (beta release)2.0.0-beta.3   Released 2 days ago    (beta release) [beta]

With default target (latest):

$ncu--cooldown5

No update will be suggested because:

Latest version (1.3.0) is only 4 days old.
Cooldown requires versions to be at least 5 days old
Use--cooldown 4 or lower to allow this update

With@beta/@tag target:

$ncu--cooldown3--target @&#8203;beta

No update will be suggested because:

Current beta (2.0.0-beta.3) is only 2 days old
Cooldown requires versions to be at least 3 days old
Use--cooldown 2 or lower to allow this update

With other targets:

$ncu--cooldown5--targetgreatest|newest|minor|patch|semver

Each target will select the best version that is at least 5 days old:

greatest → 1.2.0        (highest version number outside cooldown)newest   → 2.0.0-beta.1 (most recently published version outside cooldown)minor    → 1.2.0        (highest minor version outside cooldown)patch    → 1.1.1        (highest patch version outside cooldown)

Note for latest/tag targets:

⚠️ For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default--target latest or--target @tag may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.

Breaking

Theonly breaking change in v18 is with the-g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm.

yarn dlx ncu -g --packageManager yarn →yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm →pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm →bunx ncu -g

If for some reason you were runningncu -g with an alternative package manager and relying on it checking the globalnpm packages, you will need to now explicitly specify npm:

ncu -g →ncu -g--packageManager npm

Thanks to@LuisFerLCC for the improvement (#1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

`v17.1.18`

Compare Source

Breaking

Theonly breaking change in v18 is with the-g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm.

yarn dlx ncu -g --packageManager yarn →yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm →pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm →bunx ncu -g

If for some reason you were runningncu -g with an alternative package manager and relying on it checking the globalnpm packages, you will need to now explicitly specify npm:

ncu -g →ncu -g--packageManager npm

Thanks to@LuisFerLCC for the improvement (#1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

`v17.1.17`

Compare Source

`v17.1.16`

Compare Source

`v17.1.15`

Compare Source

`v17.1.14`

Compare Source

`v17.1.13`

Compare Source

`v17.1.12`

Compare Source

`v17.1.11`

Compare Source

`v17.1.10`

Compare Source

`v17.1.9`

Compare Source

`v17.1.8`

Compare Source

`v17.1.7`

Compare Source

`v17.1.6`

Compare Source

`v17.1.5`

Compare Source

`v17.1.4`

Compare Source

`v17.1.3`

Compare Source

`v17.1.2`

Compare Source

`v17.1.1`

Compare Source

Breaking

Theonly breaking change in v18 is with the-g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted tonpm.

yarn dlx ncu -g --packageManager yarn →yarn dlx ncu -g
pnpm dlx ncu --global --packageManager pnpm →pnpm dlx ncu -g
bunx ncu -g--packageManager pnpm →bunx ncu -g

If for some reason you were runningncu -g with an alternative package manager and relying on it checking the globalnpm packages, you will need to now explicitly specify npm:

ncu -g →ncu -g--packageManager npm

Thanks to@LuisFerLCC for the improvement (#1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

Breaking

Require node >= 18.18.0
Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with--no-deprecated in the CLI ordeprecated: false in yourncurc config.
In workspaces mode,--root is now set by default (#1353)
- Tonot check the root package.json, use--no-root.
If you have apackageManager field in your package.json, it is now upgraded by default (#1390)
- Use--dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

`v16.14.20`

Compare Source

Breaking

Require node >= 18.18.0
Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with--no-deprecated in the CLI ordeprecated: false in yourncurc config.
In workspaces mode,--root is now set by default (#1353)
- Tonot check the root package.json, use--no-root.
If you have apackageManager field in your package.json, it is now upgraded by default (#1390)
- Use--dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

Breaking

Require node >= 18.18.0
Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
- You can opt in with--no-deprecated in the CLI ordeprecated: false in yourncurc config.
In workspaces mode,--root is now set by default (#1353)
- Tonot check the root package.json, use--no-root.
If you have apackageManager field in your package.json, it is now upgraded by default (#1390)
- Use--dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

`v16.14.1`

Compare Source

`v16.14.0`

Compare Source

Feature

Addedexperimental support forbun package manager.
Automatically used ifbun.lockb is detected.
Assistance needed to test it out on different platforms.

$ ncu --packageManager bun$ ncu -p bun

Thanks to@ImBIOS for the PR!

Feature

Added--install option to control auto-install behavior.

Usage:

ncu --install [value]

Default: prompt

Control the auto-install behavior.

always	Runs your package manager's install command automatically after upgrading.
never	Does not install and does not prompt.
prompt	Shows a message after upgrading that recommends an install, but does not install. In interactive mode, prompts for install. (default)

Configuration

📅Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated byMend Renovate. View therepository job log.

renovatebotforce-pushed therenovate/npm-check-updates-19.x branch 2 times, most recently from97772bb to89da8cbCompare

October 15, 2025 17:36

Update dependency npm-check-updates to v19

260e277

renovatebotforce-pushed therenovate/npm-check-updates-19.x branch from89da8cb to260e277Compare

October 28, 2025 17:53

Labels

None yet

Movatterモバイル変換

Update dependency npm-check-updates to v19#46

Are you sure you want to change the base?

Update dependency npm-check-updates to v19#46

Uh oh!

Conversation

renovatebot commentedSep 29, 2025• editedLoading Uh oh!There was an error while loading.Please reload this page.

Uh oh!

Release Notes

What's Changed

New Contributors

What's Changed

What's Changed

Breaking

Feature:--cooldown

Breaking

Breaking

Breaking

Breaking

Breaking

Breaking

Feature

Feature

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovatebot commentedSep 29, 2025•
edited
Loading

Feature:`--cooldown`