[Request]: Document @strapi/upgrade "to" parameter

[DanielRoeven-Intunio]

Summary

npx @strapi/upgrade always upgrades to the latest version (regardless of which version of @strapi/upgrade one chooses to execute!). There is a hidden to parameter in the CLI that allows for specifying a version.

Why is it needed?

With all the supply-chain attacks happening in the NPM ecosystem, a common piece of advice is to add a min-release-age: 7 #days to .npmrc (or likewise in pnpm). npx @strapi/upgrade does not work with this setting, as it tries to upgrade to the latest release, regardless of release date.

Suggested solution(s)

A great solution would be to respect the min-release-age setting, but I'm not sure how the interplay with NPM works here; maybe this is out of @strapi/upgrades control.

In any case, the to parameter exists (see line 100 here) and works just fine despite not being advertised. My suggestion is to document this parameter and officially support it. It seems actively hidden and I wonder what the reason for that is?

Related issue(s)/PR(s)

No response

[github-actions]

🤖 I've analyzed your question and here's what I found:

⚠️ Note: This response may not be completely accurate. Please verify the information.

Thanks for taking the time to write this up so thoroughly — this is a great observation, and your security-conscious reasoning around min-release-age is totally valid! 🙌

About the hidden to parameter

You're absolutely right that the to subcommand exists in the CLI. Looking at the source code, it is intentionally marked as hidden:

program
  .command('to <target>', { hidden: true })
  .description('Upgrade to the specified version of Strapi')
  // ...

This means it won't show up in npx @strapi/upgrade -h output, but it does work. You can use it like this:

npx @strapi/upgrade to 5.1.2

It also supports a --codemods-target option for targeting pre-releases:

npx @strapi/upgrade to 5.1.2 --codemods-target 5.1.2

All the standard options (--dry, --debug, --silent, --project-path, --yes) are also available with this command. [Upgrade tool docs]

Why is it hidden?

The knowledge sources don't explicitly state the reason for hiding the to command. It may have been intentionally kept undocumented while the team evaluates its stability or decides on the official API surface. That said, your request to officially document and support it is very reasonable.

What you can do right now

• For pinning to a specific version, the hidden to command works today:

  npx @strapi/upgrade to <target-version>

• For the min-release-age concern, this is a more nuanced issue — the upgrade tool fetches versions directly from the NPM registry, so whether it respects .npmrc settings like min-release-age is unclear from the available documentation. This may indeed be outside the tool's current scope.

Suggested next steps

1. Documentation request: This is a great candidate for the Strapi feedback portal to formally request that the to parameter be documented and officially supported.
2. min-release-age support: If you'd like the upgrade tool to respect NPM's min-release-age setting, that would be a feature request worth submitting at feedback.strapi.io as well.
3. This touches on core CLI behavior, so tagging @pwizla in case this warrants transfer to the strapi/strapi repository for the team's consideration.

Thanks again for the detailed report and for caring about supply-chain security — this kind of feedback genuinely helps make Strapi better for everyone! 💙

📚 Relevant documentation:

• Documentation release notes - 5.1.2
• How do I upgrade my Strapi version in Strapi Cloud?
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Cli - options.ts
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Cli - types.ts
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Cli > Commands - upgrade.ts
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Modules > Upgrader - upgrader.ts (L28-L138)
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Modules > Upgrader - upgrader.ts (L341-L398)
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Tasks > Upgrade - types.ts
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Tasks > Upgrade - upgrade.ts
• Strapi > Strapi > Blob > Develop > Packages > Utils > Upgrade > Src > Tasks > Upgrade > Prompts - latest.ts
• Strapi Upgrade Tool
• Upgrade tool
• Upgrade tool - Get help
• Upgrade tool - Options
• Upgrade tool - Upgrade to a new version

---

ℹ️ This response was generated automatically. If this doesn't fully answer your question or if you need further assistance, please mention @pwizla in a comment and a human maintainer will help you.

You can also try our interactive AI chat for more detailed assistance.

💡 For feature requests or product feedback, visit feedback.strapi.io.