upshift-cli
v0.5.1
AI-powered dependency upgrades with explanations and safe rollbacks.
Upshift
AI-powered dependency upgrades. Stop reading changelogs—let AI fix what breaks.
Version-bump PRs (from Dependabot, Renovate, or manual bumps) leave the hard work on you: breaking changes, failed tests, and risky rollbacks. Upshift is the after-the-bump layer: it explains what changed, suggests code fixes, runs your tests, and rolls back automatically when something fails. Radar is the fleet view—dependency health across repos (free: paste reports; Pro/Team: persisted dashboard, history, alerts).
They hand you a list of chores. We did your chores—here's the receipt.
Guardrails first (not another autonomous coding agent)
Upshift is built for review and safety: run your existing test command, restore package.json + lockfile on failure, use upshift fix --dry-run before applying AI edits, and configure human-in-the-loop (prompts, or webhook approval) via .upshiftrc.json. Optional confidence hints and opt-in local outcome logging help you learn what breaks over time. Details: When it breaks & guardrails.
Hero stack (where we go deepest)
- Best-in-class path: npm, yarn, pnpm on Node—especially React / Next.js upgrades, explain, fix, and migration templates.
- Scan breadth: Python (pip/poetry), Ruby (bundler), Go (modules) for upshift scan, reports, and Radar—treat AI fix / migrate as Node-first unless noted otherwise.
Dependabot / Renovate and Upshift
| They do | Upshift adds |
|--------|----------------|
| Open PRs with version bumps | Plain-English breaking-change analysis + optional AI deep dive |
| You read changelogs | explain + fix suggest concrete code changes |
| You handle test failures | upgrade runs your tests and auto-rollback |
Upshift complements bots you already use; it does not replace org-wide PR automation. See User guide: Renovate.
Status
Supports npm, yarn, and pnpm; scan coverage for Python, Ruby, and Go.
Vercel (marketing web/): If vercel deploy fails with a message about the Git author needing team access, your last commit may use a placeholder email ([email protected]). Use a real address on the Vercel team (git config user.email) or deploy with npm run vercel:marketing (prebuilt upload). Platform (upshiftai/platform): npm run vercel:platform from the repo root (or cd upshiftai/platform && vercel pull once, then deploy). What CI guarantees vs AI best-effort: docs/capabilities.md. What's next: ROADMAP.md · BACKLOG.md · docs/STRATEGY_AND_FEEDBACK.md.
When does it break? At upgrade time: when you or CI run upshift upgrade, we run your tests and roll back if they fail. CI/CD and your existing smoke/integration tests are the guardrail—we don't replace them. See When it breaks & guardrails.
Install
npm install -g upshift-cli
Then run:
upshift --help
From source (dev)
git clone https://github.com/repairman29/upshift.git
cd upshift
npm install
npm run build
node dist/cli.js --help
Usage
Scan & Explain
upshift scan # See all outdated packages
upshift scan --json # Machine-readable output
upshift scan --licenses # Include license per direct dep (npm)
upshift scan --report report.json # Write JSON for Radar (central dashboard)
upshift radar # Open Radar in browser
upshift explain react --ai # AI explains breaking changes
upshift explain react --from 18 --to 19
upshift explain react --risk # low/medium/high risk score
upshift explain react --changelog # Fetch changelog from GitHub
Upgrade & Fix
upshift upgrade react # Upgrade with tests + auto-rollback
upshift upgrade react --to 19.0.0
upshift upgrade react -y # Skip approval prompt (e.g. CI)
upshift upgrade --all # Batch upgrade all packages
upshift upgrade --all-minor # Only minor/patch updates
upshift fix react # AI generates code fixes
upshift fix react --dry-run # Preview changes without applying
upshift rollback # Restore previous state
upshift rollback --list # See available backups
Suggest & Plan
upshift suggest # Recommended upgrades (low risk, high value)
upshift suggest --limit 10 # Top 10 suggestions
upshift plan # Multi-step upgrade order (dependency + risk)
upshift plan --mode minor # Only minor/patch upgrades
upshift migrate react --list # List migration templates for react
upshift migrate react --dry-run # Preview template application
upshift migrate next # Apply Next.js 13→14 template
upshift migrate vue --list # List Vue templates
Interactive & Monorepo
upshift interactive # TUI for selecting packages
upshift workspaces # Scan monorepo workspaces
Notifications
upshift notify --slack https://... # Send report to Slack
upshift notify --discord https://... # Send report to Discord
Credits & Billing
upshift credits # Check credit balance
upshift buy-credits --pack small # Purchase credits
upshift subscribe --tier pro # Subscribe to Pro
upshift status # Check subscription status
Public pricing (tiers, credits, packs) is defined in pricing.json—keep docs, website, and Stripe in sync with that file.
Human-in-the-loop (oversight)
Self-healing via LLM-generated code fixes should be reviewed, not applied blindly. Use upshift fix --dry-run to preview changes, then review before applying. For automated pipelines, use approval gates (see below).
If you want to approve risky upgrades (and optionally code fixes) instead of running fully automatic:
- Single upgrade: By default, major version upgrades prompt Upgrade X from A to B (major)? [y/N] when run interactively. Use -y to skip (e.g. CI).
- Config: Create .upshiftrc.json with upshift init. Set approval.mode to "prompt" (default), "none", or "webhook" (POST proposed upgrade to approval.webhookUrl; 200 = approve). Set approval.requireFor to ["major"] (default) or ["all"]. Set upgradePolicy: { blockRisk: ["high"] } to block high-risk upgrades (use -y to override). Set autoConfirm: true to skip all prompts.
- Batch: upshift upgrade --all (or --all-minor) already asks for confirmation before applying; use -y to skip.
For full HITL (webhooks, event stream, approval server), see upshiftai and .upshiftai.json with approval.mode: "webhook" and docs/HITL.md. See also When it breaks & guardrails.
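A check that could run in CI before upshift upgrade, as an added example (not Upshift's own code): it audits a parsed .upshiftrc.json for the settings above that remove human review. Key names are from this README; the nested JSON layout, the function name, and the https check on the webhook URL are assumptions.

```javascript
// Added example: audit an .upshiftrc.json object for settings that weaken
// the human-in-the-loop guardrails. Key names come from the README; the
// nested layout is inferred from the dotted names (assumption).
const asList = (v) => (Array.isArray(v) ? v : []);

function auditUpshiftConfig(cfg) {
  const findings = [];
  const approval = cfg.approval || {};
  const mode = approval.mode ?? "prompt";                      // documented default
  const requireFor = asList(approval.requireFor ?? ["major"]); // documented default
  const blockRisk = asList((cfg.upgradePolicy || {}).blockRisk);

  if (cfg.autoConfirm === true) {
    findings.push("autoConfirm: true skips all prompts");
  }
  if (mode === "none") {
    findings.push('approval.mode "none" disables approval');
  } else if (mode === "webhook") {
    let url = null;
    try { url = new URL(approval.webhookUrl); } catch { /* missing or malformed */ }
    if (!url) findings.push("approval.webhookUrl is missing or invalid");
    // Assumption: the approve/deny answer should not travel over plain http.
    else if (url.protocol !== "https:") findings.push("approval.webhookUrl is not https");
  } else if (mode !== "prompt") {
    findings.push(`approval.mode "${mode}" is not a documented value`);
  }
  if (!requireFor.includes("major") && !requireFor.includes("all")) {
    findings.push("approval.requireFor covers neither major nor all");
  }
  if (!blockRisk.includes("high")) {
    findings.push('upgradePolicy.blockRisk does not include "high"');
  }
  return findings;
}

// Constructed sample configs (not taken from the project).
const permissive = { autoConfirm: true, approval: { mode: "none" } };
const gated = {
  approval: { mode: "webhook", webhookUrl: "https://approvals.example.internal/upshift", requireFor: ["all"] },
  upgradePolicy: { blockRisk: ["high"] },
};

console.log(auditUpshiftConfig(permissive)); // three findings
console.log(auditUpshiftConfig(gated));      // []
```

Note that -y on the command line is outside the config file, so a pipeline that passes -y needs its own review gate regardless of what this audit reports.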
What it does today
- Upgrade a dependency and run tests; roll back on failure (package.json + lockfile)
- Explain breaking changes (explain, optional --ai); risk scores and changelogs
- Fix with AI-suggested code changes (fix, --dry-run supported)
- Scan outdated / vulnerable packages (npm, yarn, pnpm; plus Python, Ruby, Go for scan)
- Suggest / plan ordered upgrades; migration templates (React, Next, Vue, …)
- Radar reports for a central dependency health view
Credits
upshift explain --ai and upshift fix use a credit bank (10 free credits by default). When credits run out, the CLI exits with code 2. Credits are stored in ~/.upshift/credits.json.
Credit packs and subscription tiers are listed in pricing.json. Pro/Team subscribers receive a 20% bonus on credit purchases. Unused credits roll over.
You can validate credits remotely by setting:
UPSHIFT_CREDITS_ENDPOINT=http://localhost:8787
UPSHIFT_API_TOKEN=dev-token-1
Local LLM: If OPENAI_BASE_URL does not point at api.openai.com, credits are still consumed by default (same as hosted AI). To skip credit checks for a local OpenAI-compatible server (LM Studio, Ollama, etc.), set UPSHIFT_SKIP_CREDITS_FOR_LOCAL_LLM=1.
GitHub Action
Add to your repo for automated scanning on PRs:
# .github/workflows/upshift.yml
name: UpShift Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # @main is a moving branch; pin to a release tag or commit SHA to fix the code that runs in CI
      - uses: repairman29/upshift@main
        with:
          comment-on-pr: "true"
          fail-on-vulnerabilities: "false"
See .github/workflows/example-scan.yml for a full example.
Install the GitHub App (team entry point)
Install once on your org or selected repos so every developer gets scan signal on pushes and PRs—without asking each person to install the CLI first.
- Install the App: Install Upshift (or your own GitHub App URL).
- Add the workflow to the repo: copy .github/workflows/upshift-app-scan.yml into .github/workflows/.
- Add repo secrets: APP_ID and APP_PRIVATE_KEY (.pem contents).
Full setup: GitHub App ship checklist · product overview: GitHub App.
What's available now
- Safety loop: test-gated upgrade, rollback, fix --dry-run, approval modes (prompt / webhook)
- Radar (free paste + Pro/Team persistence) and optional audit logging for Team (UPSHIFT_AUDIT_URL)
- AI-powered explanations (explain --ai) and code fixes (fix)
- VS Code extension (install)
- GitHub Action and GitHub App for CI / org-wide scan
- Interactive mode and monorepo workspaces
- Slack / Discord notifications (notify)
Coming next
See ROADMAP.md and Roadmap for Innovation.
Radar
Radar is the central view of dependency health across all your repos. Free: paste or upload scan reports at upshiftai.dev/radar. Pro/Team: persisted dashboard, history, alerts, PDF-style exports for leadership reporting. See docs/radar.md.
upshift scan --report report.json # in each repo
upshift radar # open Radar in browser
Website
The landing page lives in web/. Deploy at upshiftai.dev:
After importing, set Root Directory to web, then add domains upshiftai.dev and www.upshiftai.dev in Project → Settings → Domains. See web/README.md.
JARVIS in Cursor
Use JARVIS from Cursor when you need dependency analysis, blog media, or UpshiftAI skill work. One-time setup:
scripts/setup-jarvis-cursor.sh
cd upshiftai/platform && node ../../scripts/create-upshift-api-key.cjs
Then put JARVIS_EDGE_URL in vault/jarvis.json (or run the create script with --edge-url https://YOUR_REF.supabase.co/functions/v1/jarvis). Deploy Edge first: supabase functions deploy jarvis. See upshiftai/docs/JARVIS-EDGE-SUPABASE.md. Invoke JARVIS via node scripts/call-jarvis.js <task> '<json>'.
Documentation
Product / users: User guide · CLI reference · Configuration · Radar · When it breaks & guardrails · Opt-in insights
Developers: Development guide · GitHub App (ship checklist) · Contributing
Reference: API Endpoints · Roadmap · Release v0.4.0 · Docs index
