vis update

Update packages to their latest versions with catalog support

Update packages to their latest versions. Automatically uses catalog mode for pnpm/bun workspaces with catalogs, or wraps the native package manager otherwise.

Alias: vis up

Usage

vis update [packages] [options]

Examples

vis update react                    # Update react within semver range
vis up react -L                     # Update react to latest
vis update -i                       # Interactive mode
vis update --filter app             # Update in specific workspace
vis update -r                       # Update in all workspaces
vis update --target minor           # Only apply minor/patch updates (catalog)
vis update --dry-run                # Preview changes without applying
vis update --exclude '@types/*'     # Exclude packages by pattern
vis update --changelog              # Show changelog links after updating
vis update --rollback               # Restore catalog from last backup

Options

| Option | Alias | Default | Description |
| --- | --- | --- | --- |
| --latest | -L | false | Update to latest version (ignore semver range) |
| --target | -t | latest | Update target: latest, minor, or patch (catalog) |
| --dry-run | -d | false | Preview changes without applying |
| --global | -g | false | Update global packages |
| --recursive | -r | false | Update recursively in all workspace packages |
| --filter | | | Filter packages in monorepo |
| --workspace-root | -w | false | Include workspace root |
| --dev | -D | false | Update only devDependencies |
| --prod | -P | false | Update only dependencies |
| --interactive | -i | false | Interactive mode |
| --no-optional | | false | Don't update optionalDependencies |
| --include-locked | -l | false | Include packages with pinned/exact versions (no ^ or ~ prefix) |
| --no-save | | false | Update lockfile only |
| --include | | | Glob pattern to include packages (repeatable, catalog) |
| --exclude | | | Glob pattern to exclude packages (repeatable, catalog) |
| --prerelease | | false | Include prerelease versions (catalog) |
| --security | | false | Check for known security vulnerabilities (OSV.dev) |
| --no-catalog | | false | Skip catalog mode, use package manager directly |
| --format | | table | Output format: table, json, or minimal |
| --changelog | | false | Show changelog URLs for updated packages |
| --install | | true | Run install after catalog update (--no-install to skip) |
| --rollback | | false | Restore catalog file from the last backup |
| --no-typosquat-check | | false | Skip typosquat name check for package arguments |

How It Works

flowchart TD
    A["vis update [packages]"] --> B{Explicit packages\nprovided?}
    B -- yes --> C{Typosquat check\nenabled?}
    B -- no --> F
    C -- no --> F
    C -- yes --> D["Check names against\nblocklist & heuristics"]
    D --> E{Typosquat\ndetected?}
    E -- no --> F{Rollback\nrequested?}
    E -- yes --> P["Show warning:\n'Did you mean X?'"]
    P --> Q{User choice}
    Q -- "S (suggested)" --> R["Replace with\ncorrect name"]
    R --> F
    Q -- "y (keep)" --> F
    Q -- "N (abort)" --> Z["Exit with code 1"]
    F -- yes --> G["Restore from backup"]
    F -- no --> H{Catalogs\ndetected?}
    H -- yes --> I["Catalog mode:\nread catalogs, check\nnpm registry"]
    H -- no --> J["PM wrapper mode:\ndelegate to native\nupdate command"]
    I --> K{Interactive\nTTY?}
    K -- yes --> L["Interactive TUI\nwith selection"]
    K -- no --> M["Static output\n(table/json/minimal)"]
    L --> N["Apply selected\nupdates + backup"]
    M --> N
    J --> O["Done"]
    N --> O

Catalog Mode vs Package Manager Mode

Catalog Mode (pnpm/bun)

When catalogs are detected in pnpm-workspace.yaml or package.json, vis directly updates the catalog entries. This mode:

  • Reads catalog definitions from the workspace config
  • Checks the npm registry for newer versions
  • Updates the catalog file in place
  • Creates a backup before modifying
  • Optionally runs pnpm install or bun install after updating

Package Manager Mode

When catalogs are not available (or --no-catalog is used), vis wraps the native package manager's update command. Supported package managers:

  • pnpm — Full feature support
  • npm — Basic support
  • yarn v1 — Limited support
  • yarn berry — Full support
  • bun — Partial support

Backup and Rollback

Every catalog update automatically creates a backup. To restore:

vis update --rollback

The backup is stored alongside the catalog file (e.g., pnpm-workspace.yaml.backup).

Configuration

These settings can be defined in vis.config.ts under the update key:

import { defineConfig } from "@visulima/vis/config";

export default defineConfig({
    update: {
        target: "minor",
        exclude: ["@types/*"],
        includeLocked: false,
        packageMode: {
            typescript: "minor",
            "/^@vue/": "patch",
        },
        depFields: [
            "dependencies",
            "devDependencies",
            "optionalDependencies",
            "peerDependencies",
            "overrides",
        ],
    },
});

includeLocked

By default, packages with pinned/exact versions (no ^ or ~ prefix, e.g., "react": "18.2.0") are skipped during update checks. Set includeLocked: true or pass --include-locked to opt them in.

packageMode

Per-package or per-pattern update target overrides. Keys can be:

  • Exact names: "typescript" — matches only that package
  • Glob patterns: "@types/*" — matches any @types/ package
  • Regex patterns: "/^@vue/" — wrapped in /, uses regex matching

Values are "latest", "minor", or "patch". Unmatched packages use the global target.
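
The key matching described above, as an added example (not vis source code): it resolves the target for a package from exact, glob and regex keys, then picks the highest version that stays inside that target. The function names, the precedence (exact name first, then patterns in declaration order), the restriction to plain x.y.z versions and the sample config are assumptions.

```javascript
// Added example, not vis source code. Function names, match precedence and data are assumptions.

// Constructed config fragment in the shape of the `update` key shown above.
const UPDATE_CONFIG = {
    target: "latest",
    packageMode: { typescript: "minor", "/^@vue/": "patch", "@types/*": "patch" },
};

// A key is a regex when wrapped in "/", a glob when it contains "*", else an exact name.
function keyMatches(key, name) {
    if (key.length > 2 && key.startsWith("/") && key.endsWith("/")) {
        return new RegExp(key.slice(1, -1)).test(name);
    }
    if (key.includes("*")) {
        const escaped = key.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
        return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$").test(name);
    }
    return key === name;
}

// Assumed precedence: exact name first, then patterns in declaration order.
function resolveTarget(name, config) {
    const modes = config.packageMode ?? {};
    // Own-property check: a package named "constructor" must not hit Object.prototype.
    if (Object.prototype.hasOwnProperty.call(modes, name)) return modes[name];
    for (const [key, target] of Object.entries(modes)) {
        if (keyMatches(key, name)) return target;
    }
    return config.target ?? "latest";
}

const parse = (v) => v.split(".").map(Number);
const compare = (a, b) => {
    const x = parse(a), y = parse(b);
    return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
};

// Highest candidate newer than `current` that stays inside the resolved target.
// Handles plain x.y.z versions only.
function planUpdate(name, current, candidates, config) {
    const target = resolveTarget(name, config);
    const [major, minor] = parse(current);
    const allowed = candidates.filter((v) => {
        const [maj, min] = parse(v);
        if (compare(v, current) <= 0) return false;
        if (target === "patch") return maj === major && min === minor;
        return target === "minor" ? maj === major : true;
    });
    return { target, version: allowed.sort(compare).pop() ?? null };
}
```
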

depFields

Controls which dependency fields are scanned for outdated packages. Beyond the standard fields (dependencies, devDependencies, optionalDependencies, peerDependencies), you can include:

  • "overrides" — npm overrides
  • "resolutions" — yarn resolutions
  • "pnpm.overrides" — pnpm overrides (nested field)

Values that reference other dependencies (e.g., "$react" in npm overrides) are automatically skipped.

Maturity Period

The update.minimumReleaseAge setting (in minutes) filters out versions published too recently, so you don't adopt packages that might be yanked or found malicious shortly after publishing.

This is separate from security.minimumReleaseAge (which applies at install time). The update setting is not enabled by default — all published versions are eligible for updates unless you opt in.

import { defineConfig } from "@visulima/vis/config";

export default defineConfig({
    update: {
        minimumReleaseAge: 1440, // 24 hours
        minimumReleaseAgeExclude: ["webpack", "@myorg/*"],
    },
});

If minimumReleaseAge is also configured in your package manager's native config (pnpm-workspace.yaml or package.json), vis will warn when the values are out of sync.
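
The age filter described in this section, as an added example (not vis source code): it reads the `time` map of an npm registry packument, holds back versions younger than `minimumReleaseAge` minutes, and exempts names matching `minimumReleaseAgeExclude`. The function names, the package name `example-lib`, the sample timestamps and the fail-closed handling of unparseable timestamps are assumptions.

```javascript
// Added example, not vis source code. Function names and sample data are hypothetical.

// Constructed sample, shaped like the "time" map of an npm registry packument.
const SAMPLE_TIME = {
    created: "2023-01-10T09:00:00.000Z",
    modified: "2024-06-02T11:30:00.000Z",
    "1.4.0": "2024-05-20T08:00:00.000Z",
    "1.4.1": "2024-06-01T22:15:00.000Z",
    "1.5.0": "2024-06-02T11:30:00.000Z",
};

// "*" is the only wildcard; the pattern must match the whole package name.
function globToRegExp(glob) {
    const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function compareVersions(a, b) {
    const x = a.split(".").map(Number);
    const y = b.split(".").map(Number);
    return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}

// Splits published versions into those old enough to adopt and those held back.
// `now` is a millisecond timestamp so the result is reproducible.
function filterByReleaseAge(name, time, options, now) {
    const { minimumReleaseAge = 0, minimumReleaseAgeExclude = [] } = options;
    const exempt = minimumReleaseAgeExclude.some((glob) => globToRegExp(glob).test(name));
    const eligible = [];
    const held = [];
    for (const [version, published] of Object.entries(time)) {
        // Skips the "created"/"modified" keys and prerelease versions.
        if (!/^\d+\.\d+\.\d+$/.test(version)) continue;
        const ageMinutes = (now - Date.parse(published)) / 60000;
        if (exempt || ageMinutes >= minimumReleaseAge) {
            eligible.push(version);
        } else {
            // Assumption: an unparseable timestamp (NaN age) fails closed and is held.
            held.push({ version, minutesLeft: Math.ceil(minimumReleaseAge - ageMinutes) });
        }
    }
    eligible.sort(compareVersions);
    return { eligible, held, latestEligible: eligible[eligible.length - 1] ?? null };
}

const NOW = Date.parse("2024-06-02T12:00:00.000Z"); // constructed "current time"
const guarded = filterByReleaseAge("example-lib", SAMPLE_TIME, { minimumReleaseAge: 1440 }, NOW);
console.log(guarded.latestEligible, guarded.held);
```
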
