dependency-check-updates

Dependency Check & Update — a fast, multi-ecosystem dependency updater written in Rust.

Like npm-check-updates, but for every language.

$ dependency-check-updates
Checking Cargo.toml
 toml_edit  0.22  ->  0.25.4

Run dependency-check-updates -u to upgrade Cargo.toml

Quick Start (Zero Install)

No install needed — run straight from your package manager's ephemeral runner:

# Node.js ecosystem
bunx @dependency-check-updates/cli
npx  @dependency-check-updates/cli

# Python ecosystem
uvx dependency-check-updates
pipx run dependency-check-updates

All four accept the same flags described in Usage.

Features

Multi-ecosystem — package.json, Cargo.toml, pyproject.toml handled by a single binary
Format-preserving — surgical byte-range patching for JSON; toml_edit for TOML. Your indentation, comments, trailing newlines, and key ordering stay intact
Fast — concurrent registry lookups across all manifests via futures::join_all
Smart range checking — skips false positives where the resolved version already satisfies the current range (^3 already covers 3.5.1)
Deep scan — -d recursively finds manifests in monorepos, respecting .gitignore
ncu-compatible UX — the same flags you already know from npm-check-updates
CI-friendly — -e 2 exits non-zero when updates exist; --format json emits machine-readable output

Supported Ecosystems

Ecosystem	Manifest	Registry	Package
Node.js	`package.json`	npm	`@dependency-check-updates/cli`
Rust	`Cargo.toml`	crates.io	`dependency-check-updates`
Python	`pyproject.toml`	PyPI	`dependency-check-updates`

Installation

Every distribution below ships the exact same binary. Pick whichever matches your toolchain.

Rust (Cargo)

cargo install dependency-check-updates

Installs command: dependency-check-updates

Node.js (npm / bun / pnpm / yarn)

Permanent global install:

npm  install   -g @dependency-check-updates/cli
bun  add       -g @dependency-check-updates/cli
pnpm add       -g @dependency-check-updates/cli
yarn global add   @dependency-check-updates/cli

Installs commands: dependency-check-updates and dcu (short alias).

One-off execution (no install):

bunx @dependency-check-updates/cli [flags]
npx  @dependency-check-updates/cli [flags]

Python (pip / uv / pipx)

Permanent isolated install:

pipx install dependency-check-updates
uv tool install dependency-check-updates

Install inside a virtualenv:

pip    install dependency-check-updates
uv pip install dependency-check-updates

Installs command: dependency-check-updates

One-off execution (no install):

uvx dependency-check-updates [flags]
pipx run dependency-check-updates [flags]

Usage

Run from a directory containing at least one of package.json, Cargo.toml, or pyproject.toml. Every supported manifest in the current directory is auto-detected.

Basic

# Check for outdated dependencies (read-only, nothing is written)
dependency-check-updates

# Apply updates in place (format-preserving)
dependency-check-updates -u

# Recursively scan subdirectories (monorepo-friendly, respects .gitignore)
dependency-check-updates -d
dependency-check-updates -d -u

On Node.js installations the short alias dcu works identically — e.g. dcu -d -u.

All Options

Usage: dependency-check-updates [OPTIONS] [FILTER]...

Flag	Description	Default
`[FILTER]...`	Positional package names to include (allowlist; repeatable)	(all)
`-u, --upgrade`	Write updated versions back to the manifest file	off
`-d, --deep`	Recursively scan subdirectories, respecting `.gitignore`	off
`-t, --target <LEVEL>`	Version target: `patch` · `minor` · `latest` · `newest` · `greatest`	`latest`
`-x, --reject <PATTERN>`	Exclude packages by name (repeatable)	—
`--manifest <PATH>`	Operate on a single specific manifest file	(auto)
`--format <FORMAT>`	Output format: `table` or `json`	`table`
`-e, --error-level <N>`	`1` = always exit 0 · `2` = exit 1 when updates exist (CI gate)	`1`
`-v, --verbose`	Increase verbosity: `-v` info · `-vv` debug · `-vvv` trace	off
`-h, --help`	Print help	—
`-V, --version`	Print version	—

`-t, --target` values

Value	Behavior
`patch`	Only patch bumps (e.g., `1.0.1 → 1.0.2`)
`minor`	Patch + minor bumps (e.g., `1.0.0 → 1.1.0`)
`latest`	Latest stable version; prereleases are skipped (default)
`newest`	Most recently published version by publish date
`greatest`	Highest version number, including prereleases

Examples

# Target specific update level
dependency-check-updates -t patch           # patch only
dependency-check-updates -t minor           # minor + patch
dependency-check-updates -t latest          # default: latest stable
dependency-check-updates -t greatest        # include prereleases

# Filter packages — positional args act as an include-list
dependency-check-updates react eslint       # only check react and eslint
dependency-check-updates -x typescript      # exclude typescript
dependency-check-updates -x typescript -x lodash

# Operate on a specific manifest
dependency-check-updates --manifest path/to/Cargo.toml
dependency-check-updates --manifest apps/web/package.json

# Machine-readable output for scripting/CI
dependency-check-updates --format json

# CI gate: exit 1 if any updates are available
dependency-check-updates -e 2

# Verbose logging (accumulating)
dependency-check-updates -v    # info
dependency-check-updates -vv   # debug
dependency-check-updates -vvv  # trace

# Combining flags — recursive, patch-only upgrade in a monorepo
dependency-check-updates -d -u -t patch

Zero-Install Examples

Every example above works identically via the ephemeral runners, too:

bunx @dependency-check-updates/cli                  # check
bunx @dependency-check-updates/cli -u               # apply updates
bunx @dependency-check-updates/cli -d -t minor      # deep scan, minor bumps
bunx @dependency-check-updates/cli react eslint     # filter
npx  @dependency-check-updates/cli --format json

uvx dependency-check-updates
uvx dependency-check-updates -d -u -t patch
pipx run dependency-check-updates --format json

Architecture

Follows the changepacks pattern — one crate per language ecosystem, with bridge crates for cross-language distribution:

.
├── crates/
│   ├── cli/           # Binary + async CLI orchestration
│   ├── core/          # Shared traits (ManifestHandler, RegistryClient, Scanner)
│   ├── node/          # Node.js: package.json parser + npm registry
│   ├── rust/          # Rust: Cargo.toml parser (toml_edit) + crates.io
│   ├── python/        # Python: pyproject.toml parser (toml_edit) + PyPI
│   └── testkit/       # Test fixtures and helpers
├── bridge/
│   ├── node/          # napi-rs N-API binding → npm: @dependency-check-updates/cli
│   └── python/        # maturin bin binding → PyPI: dependency-check-updates
├── Cargo.toml         # Workspace root
└── package.json       # Bun workspace (build/lint/test scripts)

Format Preservation

JSON (package.json): Surgical byte-range replacement — finds exact byte offsets of version values and replaces only those bytes. Indent, line endings, trailing newline, and key ordering are preserved byte-for-byte.
TOML (Cargo.toml, pyproject.toml): toml_edit document model preserves comments, table ordering, inline-table formatting, and whitespace.

Shared Traits

Each ecosystem crate implements two core traits from dependency-check-updates-core:

ManifestHandler — parse manifests, collect dependencies, apply format-preserving updates
RegistryClient — resolve versions from package registries with concurrency control

Range Satisfaction

Before reporting an update, the resolver checks whether the selected version already satisfies the current range (e.g., ^3 already covers 3.5.1). This eliminates the false positives that plague naive string comparison.

Development

Build prerequisites:

Rust 1.85+ (stable toolchain)
Bun 1.0+ (or Node.js 18+ with npm)
Python 3.11+ with maturin (only for the Python wheel step)
Windows: Visual Studio 2022 Build Tools (MSVC linker)

# First-time setup: install JS toolchain deps (@napi-rs/cli, etc.)
bun install

# Build everything (native CLI + napi .node + maturin wheel)
bun run build

# Dev build (faster, unoptimized)
bun run build:dev

# Lint (cargo clippy + rustfmt + bun workspace lints)
bun run lint
bun run lint:fix

# Test (cargo test --workspace + bun workspace tests)
bun run test

# Run CLI from source
bun run run -- --help
bun run run -- --manifest Cargo.toml -v
bun run run:release -- -d

Inspirations

npm-check-updates — the original ncu that inspired this tool's UX and flag design
changepacks — the workspace architecture pattern (crates/* + bridge/*), multi-language bridge distribution via napi-rs and maturin, and the overall project structure

License

MIT

dependency-check-updates-core 0.1.9