Skip to content
This script will help you keep your Javascript repos up to date with the latest patches, and help resolve known vulnerabilities in your open source packages. It's intended to be run from a daily or weekly build, because it mucks around with the Git repo settings.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This script makes it easier to keep Javascript repositories up to date with the latest patches, and resolve known vulnerabilities in open source npm packages.

The recommended use is to run a daily build that includes this script, then review and merge the pull requests it creates. If you prefer, you can commit changes directly to master.

Running this script from a command line is generally NOT recommended, because it will change your Github repo settings.


  • Works with by default. Works with Github Enterprise servers by setting GITHUB_HOST="".
  • For repos in an org, also set GITHUB_ORG="xyz".
  • Requires a GITHUB_TOKEN. The Github access token must have repo permissions. If running this in a build, you may want to use a token for a functional ID.
  • Requires GITHUB_EMAIL and GITHUB_NAME for the Github and If running this in a build, you may want to use a functional ID email and name here.
  • Uses 'npx npm-check-updates -u' followed by 'npm install' and then 'npm audit fix'. If you need to customize the behavior of this command, use a '.ncurc.json' configuration file as described in the npm-check-updates documentation.
  • Alternatively, for Angular apps, you can use 'ng update --all --force' followed by 'npm install' and then 'npm audit fix'. Set UPGRADE_ANGULAR="true" for this behavior. This is unlikely to work automatically for major version upgrades.
  • If the script is bothering you with too many pull requests, you can set ONLY_FIX_VULNERABILITIES="true" to exit without changes when npm audit doesn't report any known vulnerabilities.
  • If one of these fails, the script will exit without updating the code: 'npm build','npm test','npm audit'.
  • Updates will result in new package.json and package-lock.json files. This uses the hub command line to create pull requests to update your packages. Or if you trust your 'npm test' and prefer to just commit the changes to your master branch if your tests pass, set UPDATE_MASTER="true".
You can’t perform that action at this time.