fix(deps): update dependency npm-check-updates to v19

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
npm-check-updates	^16.9.0 -> ^19.0.0

---

Release Notes

raineorshine/npm-check-updates (npm-check-updates)

v19.1.2

Compare Source

What's Changed

• fix: support singular 'catalog' field in pnpm-workspace.yaml by @​afonsojramos in #​1572

New Contributors

• @​afonsojramos made their first contribution in #​1572

Full Changelog: raineorshine/npm-check-updates@v19.1.1...v19.1.2

v19.1.1

Compare Source

What's Changed

• fix(cooldown): handle CooldownFunction in config file by @​SebastianSedzik in #​1565

Full Changelog: raineorshine/npm-check-updates@v19.1.0...v19.1.1

v19.1.0

Compare Source

What's Changed

• feat(cooldown): support for cooldown predicate function by @​SebastianSedzik in #​1563

Full Changelog: raineorshine/npm-check-updates@v19.0.0...v19.1.0

v19.0.0

Compare Source

Breaking

• node >= 20 required
• --workspaces (plural) short option -ws changed to -w
  • Better compatibility with commander v13
  • Short option should always be a single character for consistency
  • Replaces the short option for --workspace (singular)
  • --workspace (singular) no longer has a short option.

v18.3.1

Compare Source

v18.3.0

Compare Source

v18.2.1

Compare Source

v18.2.0

Compare Source

Thanks to community members for raising awareness and to @​SebastianSedzik for the implementation.

See: #​1547

Feature: --cooldown

Usage:

ncu --cooldown [n]
ncu -c [n]

The cooldown option helps protect against supply chain attacks by requiring package versions to be published at least the given number of days before considering them for upgrade.

Note that previous stable versions will not be suggested. The package will be completely ignored if its latest published version is within the cooldown period. This is due to a limitation of the npm registry, which does not provide a way to query previous stable versions.

Example:

Let's examine how cooldown works with a package that has these versions available:

1.0.0          Released 7 days ago    (initial version)
1.1.0          Released 6 days ago    (minor update)
1.1.1          Released 5 days ago    (patch update)
1.2.0          Released 5 days ago    (minor update)
2.0.0-beta.1   Released 5 days ago    (beta release)
1.2.1          Released 4 days ago    (patch update)
1.3.0          Released 4 days ago    (minor update) [latest]
2.0.0-beta.2   Released 3 days ago    (beta release)
2.0.0-beta.3   Released 2 days ago    (beta release) [beta]

With default target (latest):

$ ncu --cooldown 5

No update will be suggested because:

• Latest version (1.3.0) is only 4 days old.
• Cooldown requires versions to be at least 5 days old
• Use --cooldown 4 or lower to allow this update

With @beta/@tag target:

$ ncu --cooldown 3 --target @​beta

No update will be suggested because:

• Current beta (2.0.0-beta.3) is only 2 days old
• Cooldown requires versions to be at least 3 days old
• Use --cooldown 2 or lower to allow this update

With other targets:

$ ncu --cooldown 5 --target greatest|newest|minor|patch|semver

Each target will select the best version that is at least 5 days old:

greatest → 1.2.0        (highest version number outside cooldown)
newest   → 2.0.0-beta.1 (most recently published version outside cooldown)
minor    → 1.2.0        (highest minor version outside cooldown)
patch    → 1.1.1        (highest patch version outside cooldown)

Note for latest/tag targets:

⚠️ For packages that update frequently (e.g. daily releases), using a long cooldown period (7+ days) with the default --target latest or --target @​tag may prevent all updates since new versions will be published before older ones meet the cooldown requirement. Please consider this when setting your cooldown period.

v18.1.1

Compare Source

v18.1.0

Compare Source

v18.0.3

Compare Source

v18.0.2

Compare Source

v18.0.1

Compare Source

v18.0.0

Compare Source

Breaking

The only breaking change in v18 is with the -g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm.

• yarn dlx ncu -g --packageManager yarn → yarn dlx ncu -g
• pnpm dlx ncu --global --packageManager pnpm → pnpm dlx ncu -g
• bunx ncu -g--packageManager pnpm → bunx ncu -g

If for some reason you were running ncu -g with an alternative package manager and relying on it checking the global npm packages, you will need to now explicitly specify npm:

• ncu -g → ncu -g--packageManager npm

Thanks to @​LuisFerLCC for the improvement (#​1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

v17.1.18

Compare Source

Breaking

The only breaking change in v18 is with the -g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm.

• yarn dlx ncu -g --packageManager yarn → yarn dlx ncu -g
• pnpm dlx ncu --global --packageManager pnpm → pnpm dlx ncu -g
• bunx ncu -g--packageManager pnpm → bunx ncu -g

If for some reason you were running ncu -g with an alternative package manager and relying on it checking the global npm packages, you will need to now explicitly specify npm:

• ncu -g → ncu -g--packageManager npm

Thanks to @​LuisFerLCC for the improvement (#​1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

v17.1.17

Compare Source

v17.1.16

Compare Source

v17.1.15

Compare Source

v17.1.14

Compare Source

v17.1.13

Compare Source

v17.1.12

Compare Source

v17.1.11

Compare Source

v17.1.10

Compare Source

v17.1.9

Compare Source

v17.1.8

Compare Source

v17.1.7

Compare Source

v17.1.6

Compare Source

v17.1.5

Compare Source

v17.1.4

Compare Source

v17.1.3

Compare Source

v17.1.2

Compare Source

v17.1.1

Compare Source

Breaking

The only breaking change in v18 is with the -g/--global flag.

npm-check-updates -g will now auto-detect your package manager based on the execution path. Previously, it defaulted to npm.

• yarn dlx ncu -g --packageManager yarn → yarn dlx ncu -g
• pnpm dlx ncu --global --packageManager pnpm → pnpm dlx ncu -g
• bunx ncu -g--packageManager pnpm → bunx ncu -g

If for some reason you were running ncu -g with an alternative package manager and relying on it checking the global npm packages, you will need to now explicitly specify npm:

• ncu -g → ncu -g--packageManager npm

Thanks to @​LuisFerLCC for the improvement (#​1514).

raineorshine/npm-check-updates@v17.1.18...v18.0.0

v17.1.0

Compare Source

v17.0.6

Compare Source

v17.0.5

Compare Source

v17.0.4

Compare Source

v17.0.3

Compare Source

v17.0.2

Compare Source

v17.0.1

Compare Source

v17.0.0

Compare Source

Breaking

• Require node >= 18.18.0
• Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
  • You can opt in with --no-deprecated in the CLI or deprecated: false in your ncurc config.
• In workspaces mode, --root is now set by default (#​1353)
  • To not check the root package.json, use --no-root.
• If you have a packageManager field in your package.json, it is now upgraded by default (#​1390)
  • Use --dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

v16.14.20

Compare Source

Breaking

• Require node >= 18.18.0
• Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
  • You can opt in with --no-deprecated in the CLI or deprecated: false in your ncurc config.
• In workspaces mode, --root is now set by default (#​1353)
  • To not check the root package.json, use --no-root.
• If you have a packageManager field in your package.json, it is now upgraded by default (#​1390)
  • Use --dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

v16.14.19

Compare Source

v16.14.18

Compare Source

v16.14.17

Compare Source

v16.14.16

Compare Source

v16.14.15

Compare Source

v16.14.14

Compare Source

v16.14.13

Compare Source

v16.14.12

Compare Source

v16.14.11

Compare Source

v16.14.10

Compare Source

v16.14.9

Compare Source

v16.14.8

Compare Source

v16.14.7

Compare Source

v16.14.6

Compare Source

v16.14.5

Compare Source

v16.14.4

Compare Source

v16.14.3

Compare Source

v16.14.2

Compare Source

Breaking

• Require node >= 18.18.0
• Deprecated versions are no longer excluded by default, as it requires fetching package info for every published version, significantly slowing down upgrades.
  • You can opt in with --no-deprecated in the CLI or deprecated: false in your ncurc config.
• In workspaces mode, --root is now set by default (#​1353)
  • To not check the root package.json, use --no-root.
• If you have a packageManager field in your package.json, it is now upgraded by default (#​1390)
  • Use --dep prod,dev,optional for the old behavior.

raineorshine/npm-check-updates@v16.14.20...v17.0.0

v16.14.1

Compare Source

v16.14.0

Compare Source

Feature

• Added experimental support for bun package manager.
• Automatically used if bun.lockb is detected.
• Assistance needed to test it out on different platforms.

$ ncu --packageManager bun
$ ncu -p bun

Thanks to @​ImBIOS for the PR!

v16.13.4

Compare Source

v16.13.3

Compare Source

v16.13.2

Compare Source

v16.13.1

Compare Source

v16.13.0

Compare Source

Feature

• Added --install option to control auto-install behavior.

Usage:

ncu --install [value]

Default: prompt

Control the auto-install behavior.

always	Runs your package manager's install command automatically after upgrading.
never	Does not install and does not prompt.
prompt	Shows a message after upgrading that recommends an install, but does not install. In interactive mode, prompts for install. (default)

v16.12.3

Compare Source

v16.12.2

Compare Source

v16.12.1

Compare Source

v16.12.0

Compare Source

v16.11.2

Compare Source

v16.11.1

Compare Source

v16.11.0

Compare Source

v16.10.19

Compare Source

v16.10.18

Compare Source

v16.10.17

Compare Source

v16.10.16

Compare Source

v16.10.15

Compare Source

v16.10.14

Compare Source

v16.10.13

Compare Source

v16.10.12

Compare Source

v16.10.11

Compare Source

v16.10.10

Compare Source

v16.10.9

Compare Source

v16.10.8

Compare Source

v16.10.7

Compare Source

v16.10.6

Compare Source

v16.10.5

Compare Source

v16.10.4

Compare Source

v16.10.3

Compare Source

v16.10.2

Compare Source

v16.10.1

Compare Source

v16.10.0

Compare Source

Feature

• Added filterResults option to filter out upgrades based on a user provided function.

filterResults runs after new versions are fetched, in contrast to filter and filterVersion, which run before. This allows you to filter out upgrades with filterResults based on how the version has changed (e.g. a major version change).

Only available in .ncurc.js or when importing npm-check-updates as a module.

/** Filter out non-major version updates.
  @​param {string} packageName               The name of the dependency.
  @​param {string} currentVersion            Current version declaration (may be range).
  @​param {SemVer[]} currentVersionSemver    Current version declaration in semantic versioning format (may be range).
  @​param {string} upgradedVersion           Upgraded version.
  @​param {SemVer} upgradedVersionSemver     Upgraded version in semantic versioning format.
  @​returns {boolean}                        Return true if the upgrade should be kept, otherwise it will be ignored.
*/
filterResults: (packageName, {currentVersion, currentVersionSemver, upgradedVersion, upgradedVersionSemver}) => {
  const currentMajorVersion = currentVersionSemver?.[0]?.major
  const upgradedMajorVersion = upgradedVersionSemver?.major
  if (currentMajorVersion && upgradedMajorVersion) {
    return currentMajorVersion < upgradedMajorVersion
  }
  return true
}

For the SemVer type definition, see: https://git.coolaj86.com/coolaj86/semver-utils.js#semverutils-parse-semverstring

Thanks to mslowiak for this enhancement!

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm-check-updates@​16.9.0 ⏵ 19.1.2	+5			+6

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		ejs@2.7.4 has a Critical CVE. CVE: GHSA-phwq-j96m-2c2q ejs template injection vulnerability (CRITICAL) Affected versions: < 3.1.7 Patched version: 3.1.7 From: ? → npm/react-scripts@4.0.3 → npm/ejs@2.7.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@2.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		elliptic@6.5.4 has a Critical CVE. CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: ? → npm/react-scripts@4.0.3 → npm/elliptic@6.5.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report