steadydeps

v0.1.0

Policy-driven manual dependency updates for workspaces and monorepos.

Korean README

steadydeps is a library-first wrapper around npm-check-updates for teams that want a local, reviewable dependency update workflow instead of a bot-driven one.

Quick Start

Install:

pnpm add -D steadydeps

Create steadydeps.config.mjs:

import {defineConfig} from 'steadydeps';

export default defineConfig({
  policy: {
    cooldownDays: 7,
    rules: [
      {
        name: 'storybook-freeze',
        match: ['storybook', {glob: '@storybook/*'}],
        strategy: 'exclude',
      },
      {
        name: 'core-tooling-minor',
        match: ['react', 'react-dom', 'typescript', 'vite'],
        strategy: 'minor',
      },
      {
        name: 'refresh-plugin-patch',
        match: ['eslint-plugin-react-refresh'],
        strategy: 'patch',
      },
    ],
  },
});

Run:

steadydeps policy
steadydeps check
steadydeps update --package apps/web
pnpm install

Recommended first run:

  1. steadydeps policy to verify rule coverage
  2. steadydeps check to inspect candidates
  3. steadydeps update to change package.json
  4. your package manager install command to refresh the lockfile
  5. your normal validation commands

When To Use It

Use steadydeps if you want:

  • local/manual dependency updates instead of bot PRs
  • workspace-aware package selection
  • policy rules such as exclude, minor-only, patch-only, cooldown, dependency section matching, and workspace path matching
  • a reusable TypeScript API in addition to a CLI

If you want automated update PRs, use Renovate. If you mainly need version consistency across a monorepo, syncpack is usually a better fit.

Features

  • workspace discovery for pnpm-workspace.yaml
  • fallback discovery for package.json#workspaces
  • package selection by root, package name, or relative path
  • string, glob, and regex package matchers
  • optional dependency section matching via dependencyTypes
  • optional workspace matching via workspacePaths
  • check, update, interactive, policy, and report commands
  • human-readable and JSON output
  • update only changes package.json
  • post-action reminders after updates

CLI

steadydeps policy
steadydeps check
steadydeps report
steadydeps update
steadydeps interactive

Common options:

steadydeps check --package root
steadydeps check --package packages/ui
steadydeps check --package @acme/ui
steadydeps update --config ./steadydeps.config.mjs
steadydeps report --json
steadydeps check --cwd ../another-repo

Command behavior:

  • policy
    • prints rule coverage and strategy counts without touching the registry
  • check
    • queries the npm registry and reports candidates without writing files
  • report
    • same execution model as check, but summary-focused output
  • update
    • updates package.json only
  • interactive
    • updates package.json through npm-check-updates interactive prompts

Config

steadydeps looks for these files by default:

  • steadydeps.config.ts
  • steadydeps.config.mts
  • steadydeps.config.cts
  • steadydeps.config.js
  • steadydeps.config.mjs
  • steadydeps.config.cjs
  • steadydeps.config.json

Rules are evaluated top-to-bottom. The first matching rule wins.
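
An added sketch of first-match-wins evaluation (not steadydeps' own code): it resolves a strategy per dependency and lists rules that never win, which is how a broad rule placed above a narrower one shows up. The `dep` object shape, the exact-match handling of `workspacePaths` and `dependencyTypes`, the glob semantics and the `shadowedRules` helper are assumptions made for the illustration.

```javascript
// Added illustration, not steadydeps source. Field names follow the README config;
// the AND semantics of workspacePaths/dependencyTypes and the glob handling are assumptions.

// Turn a matcher (string | {glob} | {regex}) into a predicate on package names.
function toPredicate(matcher) {
  if (typeof matcher === 'string') return (name) => name === matcher;
  if (matcher.regex) return (name) => new RegExp(matcher.regex).test(name);
  // Assumed glob semantics: '*' matches any run of characters except '/'.
  const body = matcher.glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '[^/]*');
  const re = new RegExp('^' + body + '$');
  return (name) => re.test(name);
}

function ruleMatches(rule, dep) {
  if (rule.workspacePaths && !rule.workspacePaths.includes(dep.workspacePath)) return false;
  if (rule.dependencyTypes && !rule.dependencyTypes.includes(dep.dependencyType)) return false;
  return rule.match.some((m) => toPredicate(m)(dep.name));
}

// Top-to-bottom evaluation: the first matching rule decides the strategy.
function resolveStrategy(policy, dep) {
  const rule = policy.rules.find((r) => ruleMatches(r, dep));
  return rule
    ? {rule: rule.name, strategy: rule.strategy}
    : {rule: null, strategy: policy.defaultStrategy};
}

// Rules that never win for any dependency in the tree: candidates for being shadowed.
function shadowedRules(policy, deps) {
  const winners = new Set(deps.map((d) => resolveStrategy(policy, d).rule));
  return policy.rules.map((r) => r.name).filter((name) => !winners.has(name));
}

// Constructed sample rules and dependencies.
const broad = {name: 'vite-minor', match: [{regex: '^vite'}], strategy: 'minor'};
const narrow = {name: 'docs-workspace-rule', match: [{regex: '^vite'}],
  workspacePaths: ['apps/docs'], dependencyTypes: ['dependencies'], strategy: 'patch'};
const freeze = {name: 'storybook-freeze', match: ['storybook', {glob: '@storybook/*'}], strategy: 'exclude'};
const deps = [
  {name: 'vite', workspacePath: 'apps/docs', dependencyType: 'dependencies'},
  {name: 'vitest', workspacePath: 'apps/web', dependencyType: 'devDependencies'},
  {name: '@storybook/react', workspacePath: 'apps/web', dependencyType: 'devDependencies'},
  {name: 'lodash', workspacePath: 'apps/web', dependencyType: 'dependencies'},
];
const misordered = {defaultStrategy: 'latest', rules: [broad, narrow, freeze]};
const ordered = {defaultStrategy: 'latest', rules: [freeze, narrow, broad]};

console.log(resolveStrategy(misordered, deps[0]), shadowedRules(misordered, deps));
console.log(resolveStrategy(ordered, deps[0]), shadowedRules(ordered, deps));
```

In the misordered policy the docs workspace silently gets the wider `minor` range instead of `patch`; running a check like this over the real dependency list before `steadydeps update` catches that.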

JavaScript config

import {defineConfig} from 'steadydeps';

export default defineConfig({
  cli: {
    postActions: ['pnpm install', 'pnpm test', 'pnpm build'],
  },
  policy: {
    cooldownDays: 7,
    defaultStrategy: 'latest',
    rules: [
      {
        name: 'storybook-freeze',
        match: ['storybook', {glob: '@storybook/*'}],
        strategy: 'exclude',
        reason: 'Review Storybook changes manually.',
      },
      {
        name: 'core-tooling-minor',
        match: ['react', 'react-dom', 'typescript', 'vite', {glob: '@typescript-eslint/*'}],
        strategy: 'minor',
      },
      {
        name: 'patch-refresh',
        match: ['eslint-plugin-react-refresh'],
        strategy: 'patch',
      },
      {
        name: 'docs-workspace-rule',
        match: [{regex: '^vite'}],
        workspacePaths: ['apps/docs'],
        dependencyTypes: ['dependencies'],
        strategy: 'patch',
      },
    ],
  },
});

JSON config

{
  "cli": {
    "postActions": ["pnpm install", "pnpm test", "pnpm build"]
  },
  "policy": {
    "cooldownDays": 7,
    "rules": [
      {
        "name": "storybook-freeze",
        "match": ["storybook", {"glob": "@storybook/*"}],
        "strategy": "exclude"
      }
    ]
  }
}

Presets

Nothing is hardcoded by default. If you want a starter preset, the package exports conservativeWebPreset.

import {conservativeWebPreset} from 'steadydeps/presets/conservative-web';

export default conservativeWebPreset;

Treat it as an example preset, not as the library default.

Library API

import {
  applyUpdates,
  checkUpdates,
  defineConfig,
  discoverWorkspaces,
  evaluatePolicy,
  generateReport,
  inspectPolicy,
  loadConfig,
  printPolicy,
  selectPackages,
} from 'steadydeps';

const config = await loadConfig({cwd: process.cwd()});
const workspaces = await discoverWorkspaces({config});
const selected = selectPackages(workspaces, ['root']);
const snapshot = evaluatePolicy({config, workspace: selected[0]});
const report = await checkUpdates({cwd: process.cwd()});

console.log(printPolicy(await inspectPolicy({cwd: process.cwd()})));
console.log(generateReport(report));

Notes

  • steadydeps intentionally ignores .ncurc.* so your policy stays inside the steadydeps config file.
  • update keeps lockfiles untouched. Run your package manager install command after updating.
  • cooldownDays relies on npm-check-updates cooldown behavior. With target: latest, very frequently published packages may yield no suggestion until the latest tag becomes old enough.
  • check, report, update, and interactive require npm registry access.
  • rules are first-match-wins, so put narrower rules before broader ones.
  • --package accepts root, workspace package names, and relative workspace paths.
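
The cooldown note above, modelled as an added example (not npm-check-updates or steadydeps code): daily checks are replayed against constructed publish timestamps to show a frequently published package never clearing a 7-day cooldown under target latest. The function names, the assumption that every publish moves the `latest` tag, and ignoring the installed version are simplifications.

```javascript
// Added illustration: a simplified model of the cooldown note, not
// npm-check-updates or steadydeps code. All publish data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Version the `latest` tag pointed to at time `now`: the most recently
// published version (assumes every publish moves the tag).
function latestAt(time, now) {
  const published = Object.entries(time)
    .filter(([, iso]) => Date.parse(iso) <= now)
    .sort((a, b) => Date.parse(b[1]) - Date.parse(a[1]));
  return published.length ? published[0][0] : null;
}

// With target `latest`, only the tagged version is considered; it is
// suggested once it has been public for at least cooldownDays.
function suggest(time, cooldownDays, now) {
  const version = latestAt(time, now);
  if (version === null) return null;
  const ageDays = (now - Date.parse(time[version])) / DAY_MS;
  return ageDays >= cooldownDays ? version : null;
}

// Replay one check per day over a window and count days that yield a suggestion.
function daysWithSuggestion(time, cooldownDays, startIso, days) {
  const start = Date.parse(startIso);
  let hits = 0;
  for (let d = 0; d < days; d++) {
    if (suggest(time, cooldownDays, start + d * DAY_MS) !== null) hits++;
  }
  return hits;
}

// Constructed version -> publish time maps, shaped like the registry `time` field.
const frequent = { // publishes every 3 days
  '1.0.0': '2025-01-01T00:00:00Z', '1.0.1': '2025-01-04T00:00:00Z',
  '1.0.2': '2025-01-07T00:00:00Z', '1.0.3': '2025-01-10T00:00:00Z',
  '1.0.4': '2025-01-13T00:00:00Z', '1.0.5': '2025-01-16T00:00:00Z',
};
const slow = {'2.0.0': '2025-01-01T00:00:00Z', '2.1.0': '2025-01-31T00:00:00Z'};

console.log('frequent, cooldown 7:', daysWithSuggestion(frequent, 7, '2025-01-01T00:00:00Z', 18));
console.log('frequent, cooldown 2:', daysWithSuggestion(frequent, 2, '2025-01-01T00:00:00Z', 18));
console.log('slow, cooldown 7:', daysWithSuggestion(slow, 7, '2025-01-01T00:00:00Z', 30));
```

A package whose release interval is shorter than `cooldownDays` stays permanently held back in this model, so it needs its own rule or a periodic manual review rather than being assumed current.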

Maintainers

Release and publish workflow notes live in docs/releasing.md.