
depfresh

v1.0.0


Keep your npm dependencies fresh. Fast, correct, zero-config.


Keep your dependencies fresh. Zero config, fast, monorepo-ready. Your AI agent already knows how to use this.

Install

# One-off run (no install)
npx depfresh
pnpm dlx depfresh
bunx depfresh

# Global install
npm install -g depfresh

# Local devDependency (recommended for team + CI)
pnpm add -D depfresh

| If you want... | Use | Example |
| --- | --- | --- |
| Run once in any repo | One-off | npx depfresh |
| Always available on your machine | Global | pnpm add -g depfresh |
| Pinned for team/CI consistency | Local devDep | npm install -D depfresh |

Quick Start

# What's outdated?
depfresh

# Update everything
depfresh --write

# Interactive -- pick what to update
depfresh -I

# JSON output for scripts and AI agents
depfresh --output json

# Only minor/patch (living cautiously)
depfresh minor -w

# CI: fail if anything is outdated
depfresh --fail-on-outdated

Features

  • Zero config -- run depfresh and it works. No YAML. No PhD.
  • Monorepo & workspace support -- pnpm, bun, yarn, npm. Auto-detected. Catalogs included.
  • 7 range modes -- default, major, minor, patch, latest, newest, next
  • Interactive cherry-picking -- grouped multiselect with colour-coded severity
  • Per-package modes -- packageMode with exact, glob, or regex patterns per dependency
  • Write safely -- --write updates files. --verify-command tests each dep and reverts failures.
  • Post-write hooks -- --execute, --install, --update. Chain commands after writing.
  • Global packages -- --global for one manager, --global-all scans npm + pnpm + bun (deduped)
  • Private registries -- full .npmrc support. Scoped registries, auth tokens, env vars.
  • GitHub dependencies -- github:owner/repo#tag with protocol-preserving writes
  • JSON output -- structured envelope for scripts and AI agents. No ANSI noise.
  • CI mode -- --fail-on-outdated exits with code 1. Plug it into your pipeline.
  • SQLite cache -- WAL mode, 30min TTL, auto-fallback to memory
  • Provenance tracking -- warnings for unsigned or downgraded attestations
  • Node engine compat -- flags updates that don't match your Node version
  • Cooldown filter -- skip versions published less than N days ago
  • Programmatic API -- lifecycle callbacks + addon system for custom workflows

Full CLI reference: docs/cli/
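
The cooldown filter from the feature list, as an added JavaScript sketch (not depfresh's own code): it picks the highest stable version that has been public for at least N days, so a release published moments ago is not adopted before anyone has had time to flag it. The function names are hypothetical and the sample data is constructed; the `time` map (version to ISO publish timestamp) is the shape the npm registry returns in a package document.

```javascript
// Added illustration; hypothetical names, not depfresh's implementation.
// Constructed sample of a registry "time" map: version -> publish timestamp.
const sampleTime = {
  created: '2023-01-10T09:00:00.000Z',
  modified: '2025-06-14T08:30:00.000Z',
  '1.4.0': '2025-03-01T12:00:00.000Z',
  '1.4.1': '2025-05-20T12:00:00.000Z',
  '1.5.0': '2025-06-12T12:00:00.000Z',
  '2.0.0-beta.1': '2025-04-02T12:00:00.000Z',
  '2.0.0': '2025-06-14T08:30:00.000Z',
};

const DAY_MS = 24 * 60 * 60 * 1000;
const STABLE = /^(\d+)\.(\d+)\.(\d+)$/; // prereleases are ignored in this sketch

function parse(version) {
  const m = STABLE.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns the highest stable version that is at least `cooldownDays` old
// relative to `now`, plus the newer versions that were held back.
function pickWithCooldown(time, cooldownDays, now) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const eligible = [];
  const heldBack = [];
  for (const [version, published] of Object.entries(time)) {
    const parsed = parse(version);
    if (!parsed) continue; // skips "created", "modified" and prereleases
    const ts = Date.parse(published);
    if (Number.isNaN(ts)) continue; // no usable publish date: never counts as old enough
    (ts <= cutoff ? eligible : heldBack).push({ version, parsed });
  }
  eligible.sort((x, y) => compare(y.parsed, x.parsed));
  const target = eligible.length ? eligible[0].version : null;
  const held = target
    ? heldBack.filter((h) => compare(h.parsed, parse(target)) > 0)
    : heldBack;
  return { target, heldBack: held.map((h) => h.version).sort() };
}
```

With the sample data and a 7-day cooldown evaluated on 2025-06-15, the pick is 1.4.1 and both 1.5.0 and 2.0.0 are held back.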

Configuration

Zero config works. But if you want it:

import { defineConfig } from 'depfresh'

export default defineConfig({
  mode: 'minor',
  exclude: ['typescript'],
  packageMode: {
    'eslint': 'latest',
    '/^@types/': 'patch',
  },
})

Supports depfresh.config.ts, .depfreshrc, or a depfresh key in package.json. Full reference: docs/configuration/

Monorepo Support

depfresh auto-detects pnpm, bun, yarn, and npm workspaces -- no config needed. Workspace catalogs (pnpm-workspace.yaml, bun catalogs, yarn .yarnrc.yml catalogs) are resolved and updated in-place alongside your package manifests.

Details: docs/configuration/workspaces.md

AI Agent Friendly

depfresh was built for humans and machines. --output json emits a structured envelope. --help-json returns the full CLI contract (flags, enums, exit codes, agent workflows). Exit codes are semantic: 0 = up to date, 1 = updates available, 2 = error. Non-TTY environments automatically suppress spinners and interactive prompts.

Details: docs/agents/README.md

Coming from taze?

depfresh is a spiritual successor to taze by Anthony Fu -- a tool that did the job well until maintenance slowed and issues piled up. depfresh rewrites everything from scratch, fixes long-standing bugs (private registries, bun catalogs, packageMode precedence), and adds structured JSON output, verify-and-rollback, SQLite caching, and proper AI agent support.

Migration guide: docs/compare/from-taze.md | Full comparison: docs/compare/

Standing on the Shoulders of People Who Actually Did the Work

depfresh wouldn't exist without taze. I rewrote everything from scratch, yes, but "from scratch" is easy when someone else already figured out what the thing should do. Every bug report, every feature PR, every typo fix in the taze repo was a free lesson in what users actually need. I just took notes and built a new house on someone else's blueprint.

So here's to every contributor who opened a PR on taze. Some of you added features I shamelessly reimplemented. Some of you fixed bugs that taught me where the landmines were. Some of you fixed typos, and honestly, that's braver than any architecture decision I've ever made.

Cheers to all of you. I owe you mass-produced coffee at minimum.

a1mer · Alex Liu · Arash Sheyda · await-ovo · Aymane Dara Hlamnach · azaleta · Benny Powers · Bruno Rocha · btea · Carter · Charles · Daniel Bayley · Daniel Schmitz · Dreamacro · Duncan Lock · Dunqing · Eneko Rodríguez · Enzo Innocenzi · Eugene · Geoffrey Parrier · Han · Harry Yep · Hassan Zahirnia · hyrious · iiio2 · Iridescent · Jakub Zomerfeld · Jaw · jinghaihan · Joaquín Sánchez · Johan Lindskogen · Julien Calixte · Kerman · Kevin Deng · Khalil Yao · Kirk Lin · Lo · Loann Neveu · Lochlan Bunn · mancuoj · Maxime Dubourg · Nam Nguyen · ntnyq · Patryk Tomczyk · pdx · Pier Dolique · RainbowBird · Renato Lacerda · rg · Riri · Runyasak Chaengnaimuang · sapphi-red · simexce · Simon He · sinoon · Stephen Zhou · Sukka · Takuya Fukuju · Tanimodori · Tomás Hernández · tyler · Vladislav Deryabkin · wChenonly · webdiscus · Wind · wuchao · younggglcy · Yu Le

License

MIT - Vibe Code