npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@hiryus-org/gardener

v1.2.2

Published

Automatically update dependencies.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hiryushiryus

Keywords

dependencypackageupdate

Readme

Gardener

Gardener is a small utility with the aim to update ndoejs dependencies regularly and without human interraction. This allows a program to always be up to date with latest security patches and lower the upgrades cost.

How it works

Gardener is based on the following workflow:

  1. Update package.json dependencies version based on a set of rules.
  2. Install the new dependencies and update package-lock.json accordingly.
  3. Run tests to ensure the application behavior is not changed.
  4. Commit and push the changes (which may trigger a deployment).

If any of the step fails, subsequent ones are cancelled.

Gardener cannot test your application, but it can manage the other tasks for you.

Install

Simply:

npm install --save-dev @hiryus-org/gardener

NB: gardener requires node version 12 or greater.

Configuration

Usually, gardener is called from a regular CI / CD pipeline with the following sequential steps / jobs / stages:

  1. Update dependencies with npx @hiryus-org/gardener update.
  2. Run tests (we recommend to test different environments including LTS and latest nodejs versions).
  3. Commit changes npx @hiryus-org/gardener commit.

For each test, make sure to clone the repository on the branch you want to update (usually master).

If files are wiped between the different pipeline steps (if each step uses its own containers for example), it is your responsability to copy the package.json and package-lock.json files from one step to the others. Most piepline provide an "artifact" feature with this aim.

The "update" command

Gardener "update" command expects npm to be installed (and credentials configured if you are using private packages).

It supports the following arguments (they can be specified several times):

  • --ignore-version=<pattern> - regular expression describing versions to ignore (for any package).
  • --ignore-package=<pattern> - regular expression describing packages to ignore.

NB: all patterns are created with the "ignore case" switch.

The "commit" command

Gardener "commit" command expects git to be installed and allowed to push modification for the current branch.

It supports the following arguments:

  • --username=<string> (default: gardener-bot) - git comitter name to use for the commit.
  • --email=<string> (default: empty) - git comitter email to use for the commit.
  • --message=<string> (default: chore(deps): dependencies update [skip ci] ) - comit message to use.

NB: Gardener will always commit the package.json and package-lock.json files if one of them has changed. Make sure the tests (or other part of the pipeline) don't change them !

Schedule

We recommend to run the update pipeline every night so that:

  • Each run only pulls a few updates at a time (it makes it a lot easier to find which update introduced a breaking change),
  • The application stays relatively up to date with latest versions.
  • New commits don't disturb your day work.

Example with gitlab CI

image: node:latest

before_script:
- npm ci

stages:
- update
- test
- commit

update:
  stage: update
  script:
  - gardener update
  artifacts:
    expire_in: 1 day
    paths:
    - package.json
    - package-lock.json

lint:
  stage: test
  script:
  - npm run lint

test:
  stage: test
  script:
  - npm run test

commit:
  stage: commit
  script:
  - gardener commit

Limitations

  • Under the hood, gardener use the npm outdated command to find each package latest version. This command only returns the last version, and not the versions in-between. Thus, if the latest version is ignored, gardener cannot check if there is an intermediate version available (a version between the current and the latest ones). This is why we recommend to update regularly so that each versions is applied before the next one is published.

Trivia

To avoid using any dependency, gardener uses a very simple argument parser with doesn't knows about arguments order. This mean that gardener --include-release-candidate update is actually valid and the same as gardener update --include-release-candidate. We recommand to stick to the "standard" way of using the command first, and then extra arguments.