RFC: group outdated packages by dependency type #392

Open
wants to merge 2 commits into
base: main

@thiagodp thiagodp commented Jun 5, 2021

This RFC proposes to group outdated packages by their corresponding dependency type in package.json (e.g. dependencies, devDependencies, etc) to facilitate package management for projects with a large number of dependencies.

Summary

Group outdated packages by their corresponding dependency type in package.json (e.g. dependencies, devDependencies, etc).

Motivation

It helps developers to visualize and manage outdated packages according to their dependency type. This is especially useful for projects with a large number of dependencies.

Detailed Explanation

Currently, by running npm outdated --long, the output includes two additional columns: Package Type and Homepage. The former indicates the dependency type as defined in package.json. However, there is no CLI option to group the packages by Package Type and, thus, the packages are sorted by Package name only.

Example

Current behavior, rows are sorted by Package.

$ npm outdated --long
Package          Current   Wanted   Latest  Location  Package Type          Homepage
@types/jest       25.2.3   25.2.3  26.0.23  example   devDependencies       ...
@types/node      8.10.66  8.10.66  15.12.1  example   devDependencies       ...
chalk              3.0.0    3.0.0    4.1.1  example   dependencies          ...
cosmiconfig        6.0.0    6.0.0    7.0.0  example   dependencies          ...
glob               7.1.6    7.1.7    7.1.7  example   bundledDependencies   ...
memfs             2.17.1   2.17.1    3.2.2  example   peerDependencies      ...
rimraf             2.7.1    2.7.1    3.0.2  example   bundledDependencies   ...
typescript         3.9.9    3.9.9    4.3.2  example   devDependencies       ...
update-notifier    4.1.3    4.1.3    5.1.0  example   dependencies          ...
xregexp            3.2.0    3.2.0    5.0.2  example   optionalDependencies  ...

Proposal

Using the new flag --by-type, rows are sorted by Package Type (alphabetically) and then by Package name.

$ npm outdated --long --by-type
Package          Current   Wanted   Latest  Location  Package Type          Homepage
glob               7.1.6    7.1.7    7.1.7  example   bundledDependencies   ...
rimraf             2.7.1    2.7.1    3.0.2  example   bundledDependencies   ...
chalk              3.0.0    3.0.0    4.1.1  example   dependencies          ...
cosmiconfig        6.0.0    6.0.0    7.0.0  example   dependencies          ...
update-notifier    4.1.3    4.1.3    5.1.0  example   dependencies          ...
@types/jest       25.2.3   25.2.3  26.0.23  example   devDependencies       ...
@types/node      8.10.66  8.10.66  15.12.1  example   devDependencies       ...
typescript         3.9.9    3.9.9    4.3.2  example   devDependencies       ...
xregexp            3.2.0    3.2.0    5.0.2  example   optionalDependencies  ...
memfs             2.17.1   2.17.1    3.2.2  example   peerDependencies      ...

Rationale and Alternatives

An alternative solution is to filter the current list of outdated packages by type, using CLI options like --prod for production, --dev for development, --optional, --peer, and --bundled. Example:

$ npm outdated --prod
Package          Current   Wanted   Latest  Location
chalk              3.0.0    3.0.0    4.1.1  example
cosmiconfig        6.0.0    6.0.0    7.0.0  example
update-notifier    4.1.3    4.1.3    5.1.0  example

However, this alternative requires giving multiple commands to get all the outdated packages.

Implementation

It would affect the npm/cli repository, particularly the command outdated, implemented by outdated.js.

References

Original proposal, before figuring out the flag --long (which is not available in the CLI help).

@thiagodp
Author

thiagodp commented Jun 5, 2021

Hello,

Right after publishing the RFC, I read outdated.js's source code and figured out the flag --long that is not shown in the CLI by using --help. The flag --long shows two additional columns, Package Type and Homepage. However, since there is no flag to group by Package Type, I'm thinking of changing the proposal to include a new flag for this purpose (i.e., --by-type).

--

ORIGINAL PROPOSAL

Show outdated packages with dependency types

This RFC proposes to show outdated packages with their corresponding dependency type in package.json (e.g. dependencies, devDependencies, etc) aiming at helping developers to know how their project is affected.

Summary

Display outdated packages with their corresponding dependency type in package.json (e.g. dependencies, devDependencies, etc).

Motivation

  1. It helps developers to know how outdated packages affect their project.
  2. It avoids having to manually check package.json for discovering the dependency type (which is especially useful for large projects).

Detailed Explanation

By running npm outdated, the output could include a column called Type that indicates the dependency type. Suggested values:

Property in package.json  Suggested value for Type
dependencies              production
devDependencies           development
optionalDependencies      optional
peerDependencies          peer
bundledDependencies       bundled

Example 1

Default behavior, rows are sorted by Package.

$ npm outdated
Package          Type          Current   Wanted   Latest  Location
@types/jest      development    25.2.3   25.2.3  26.0.23  example
@types/node      development   8.10.66  8.10.66  15.12.1  example
chalk            production      3.0.0    3.0.0    4.1.1  example
cosmiconfig      production      6.0.0    6.0.0    7.0.0  example
glob             bundled         7.1.6    7.1.7    7.1.7  example
memfs            peer           2.17.1   2.17.1    3.2.2  example
rimraf           bundled         2.7.1    2.7.1    3.0.2  example
typescript       development     3.9.9    3.9.9    4.3.2  example
update-notifier  production      4.1.3    4.1.3    5.1.0  example
xregexp          optional        3.2.0    3.2.0    5.0.2  example

Example 2

Using the new flag --by-type, rows are sorted by Type and then by Package name.

$ npm outdated --by-type
Package          Type          Current   Wanted   Latest  Location
glob             bundled         7.1.6    7.1.7    7.1.7  example
rimraf           bundled         2.7.1    2.7.1    3.0.2  example
@types/jest      development    25.2.3   25.2.3  26.0.23  example
@types/node      development   8.10.66  8.10.66  15.12.1  example
typescript       development     3.9.9    3.9.9    4.3.2  example
xregexp          optional        3.2.0    3.2.0    5.0.2  example
memfs            peer           2.17.1   2.17.1    3.2.2  example
chalk            production      3.0.0    3.0.0    4.1.1  example
cosmiconfig      production      6.0.0    6.0.0    7.0.0  example
update-notifier  production      4.1.3    4.1.3    5.1.0  example

Rationale and Alternatives

An alternative solution is to filter the current list of outdated packages by type, using CLI options like --prod for production, --dev for development, --optional, --peer, and --bundled. Example:

$ npm outdated --prod
Package          Current   Wanted   Latest  Location
chalk              3.0.0    3.0.0    4.1.1  example
cosmiconfig        6.0.0    6.0.0    7.0.0  example
update-notifier    4.1.3    4.1.3    5.1.0  example

However, this alternative requires giving multiple commands to get all the outdated packages.

Implementation

It would affect the npm/cli repository, particularly the command outdated, implemented by outdated.js.

@thiagodp thiagodp changed the title RFC: show outdated packages by dependency type RFC: group outdated packages by dependency type Jun 5, 2021
@darcyclarke darcyclarke added the Agenda will be discussed at the Open RFC call label Jun 9, 2021
@wraithgar wraithgar removed the Agenda will be discussed at the Open RFC call label Jun 30, 2021
@wraithgar
Member

After discussion at the last two RFC meetings this will be able to move forward after some small additions:

  • Output should be sorted by type, with a distinct order of priority (i.e. dependencies first, then devDependencies, etc).
  • Packages that are represented multiple times but deduped should group with the highest priority type present, and not appear a second time under their different type.

If this PR could be updated to reflect that, it can move forward.

@ljharb
Contributor

ljharb commented Jun 30, 2021

Additional caveat on that second bullet point: a package should indicate all of the groups it belongs to, despite being grouped with the highest priority one.

@thiagodp
Author

@wraithgar @ljharb Great, the PR can be updated as you see fit.
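
The grouping rules requested in the comments above (a fixed type priority, each deduped package shown once under its highest-priority type, all of its types still listed), written out as an added example. This is not code from npm/cli or from the RFC: the row shape and the function names are hypothetical, the priority order after devDependencies is an assumption, and the second chalk row is constructed.

```javascript
// Only "dependencies first, then devDependencies" comes from the thread;
// the order of the remaining types is an assumption of this example.
const TYPE_PRIORITY = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
  'bundledDependencies',
];

function rank(type) {
  const i = TYPE_PRIORITY.indexOf(type);
  return i === -1 ? TYPE_PRIORITY.length : i; // unknown types sort last
}

// rows: [{ name, current, wanted, latest, type }], one row per (package, type).
// Returns one row per package, grouped under its highest-priority type and
// still carrying every type it was declared under.
function groupOutdatedByType(rows) {
  const byName = new Map();
  for (const row of rows) {
    const entry = byName.get(row.name) || { ...row, types: [] };
    if (!entry.types.includes(row.type)) entry.types.push(row.type);
    byName.set(row.name, entry);
  }
  const merged = [...byName.values()].map(({ type, ...rest }) => {
    const types = [...rest.types].sort((a, b) => rank(a) - rank(b));
    return { ...rest, group: types[0], types };
  });
  const byText = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  return merged.sort(
    (a, b) => rank(a.group) - rank(b.group) || byText(a.name, b.name)
  );
}

// Constructed sample: versions are taken from the RFC's table; the chalk
// row under devDependencies is invented to exercise the dedupe rule.
const sample = [
  { name: 'typescript', current: '3.9.9', wanted: '3.9.9', latest: '4.3.2', type: 'devDependencies' },
  { name: 'chalk', current: '3.0.0', wanted: '3.0.0', latest: '4.1.1', type: 'devDependencies' },
  { name: 'glob', current: '7.1.6', wanted: '7.1.7', latest: '7.1.7', type: 'bundledDependencies' },
  { name: 'chalk', current: '3.0.0', wanted: '3.0.0', latest: '4.1.1', type: 'dependencies' },
  { name: 'memfs', current: '2.17.1', wanted: '2.17.1', latest: '3.2.2', type: 'peerDependencies' },
];

for (const r of groupOutdatedByType(sample)) {
  console.log(r.group.padEnd(22), r.name.padEnd(12), r.latest.padEnd(8), r.types.join(', '));
}
```
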
