DEV Community

Ishfaq Maknoo

How to Update and Fix Vulnerabilities in Global Packages

If you're working on JavaScript-based projects, chances are you've installed some packages globally: tools like eslint, nodemon, typescript and others.

Over time it's easy to forget about these global packages. But here's the thing: they can become outdated and vulnerable to security issues. Just like local project dependencies, global packages need regular updates.

Below are a few simple steps to help you check and update globally installed packages using npm and pnpm.

Check globally installed packages

# For npm
npm list -g --depth=0

# For pnpm
pnpm list -g --depth=0

This lists all globally installed packages along with their versions.

Check outdated Global packages

# For npm
npm outdated -g --depth=0

# For pnpm
pnpm outdated -g

This shows which global packages have newer versions available.

Update a specific Global package

# For npm
npm i -g <package-name>

# For pnpm
pnpm update -g <package-name>

Replace <package-name> with the name of the package you want to update.

Update all Global packages at once

If you want to update everything in one go, try:
🐧 For Linux, macOS, and Git Bash (Unix Shells):

# For npm
# Field 4 of the --parseable output is <name>@<latest>. xargs -r skips the
# install step when nothing is outdated, so npm install -g never runs
# without a package argument (which would try to install the current directory).
npm outdated -g --parseable --depth=0 | cut -d: -f4 | xargs -r npm install -g

# For pnpm
# pnpm can update all of its own global packages directly; piping npm's
# outdated list into pnpm would act on the wrong set of packages.
pnpm update -g --latest

🪟 For Windows PowerShell:

# For npm
# Select-Object -Skip 1 drops the table header line ("Package  Current ..."),
# which would otherwise be handed to npm install as a package name.
npm outdated -g --depth=0 | Select-Object -Skip 1 | ForEach-Object {
  $name = ($_ -split '\s+')[0]
  if ($name) { npm install -g $name }
}

# For pnpm
# pnpm can update all of its own global packages directly; piping npm's
# outdated list into pnpm would act on the wrong set of packages.
pnpm update -g --latest

This command will find all outdated global packages and update them automatically.
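The Unix one-liner above works by cutting the fourth colon-separated field out of npm outdated --parseable, which breaks as soon as the install path itself contains a colon (a Windows drive letter such as C:\). The following Node.js script, added here as an example and not part of the original post, parses that format by splitting from the right so the path may contain colons, and turns the result into a plan you can read before anything is installed: the name@latest specs the one-liner would pass to npm install -g, plus the packages whose latest release is a new major version. The five-field order (path, name@wanted, name@current or MISSING, name@latest, depended-by) is assumed from npm 7+ output without --long; the sample lines are constructed.

```javascript
// Added example (not from the original post): parse `npm outdated -g --parseable`
// output into a reviewable upgrade plan. Splitting from the right keeps the
// parser correct when the install path itself contains a colon (Windows drives).
// Assumed field order (npm 7+, without --long):
//   <path>:<name@wanted>:<name@current|MISSING>:<name@latest>:<depended-by>

// Constructed sample output: a POSIX path, a Windows path, a scoped package,
// and a package whose current version could not be read.
const SAMPLE_OUTPUT = [
  '/usr/lib/node_modules/typescript:typescript@5.4.5:typescript@5.3.3:typescript@5.4.5:global',
  'C:\\Users\\dev\\AppData\\Roaming\\npm\\node_modules\\nodemon:nodemon@3.1.0:nodemon@2.0.22:nodemon@3.1.0:global',
  '/usr/lib/node_modules/@angular/cli:@angular/cli@17.3.0:@angular/cli@17.1.0:@angular/cli@17.3.0:global',
  '/usr/lib/node_modules/eslint:eslint@8.57.0:MISSING:eslint@9.0.0:global',
].join('\n');

// Split "name@version" at the LAST '@' so scoped names (@scope/pkg@1.2.3) keep theirs.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return null; // no version part (e.g. the literal MISSING)
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function parseOutdated(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const fields = line.split(':');
    if (fields.length < 5) continue; // not a parseable line; skip rather than guess
    const dependedBy = fields.pop();
    const latest = splitSpec(fields.pop());
    const current = splitSpec(fields.pop());
    const wanted = splitSpec(fields.pop());
    const path = fields.join(':'); // whatever is left is the path, colons restored
    if (!wanted || !latest) continue;
    entries.push({
      name: latest.name,
      path,
      current: current ? current.version : null,
      wanted: wanted.version,
      latest: latest.version,
      dependedBy,
    });
  }
  return entries;
}

// The argument list the one-liner would hand to `npm install -g`,
// one "name@latest" spec per package.
function installSpecs(entries) {
  return entries.map((e) => `${e.name}@${e.latest}`);
}

// Packages whose latest version is a new major are the ones most likely to
// need a changelog read before updating; list them separately.
function majorBumps(entries) {
  const major = (v) => Number(v.split('.')[0]);
  return entries
    .filter((e) => e.current !== null && major(e.latest) > major(e.current))
    .map((e) => e.name);
}

const sampleEntries = parseOutdated(SAMPLE_OUTPUT);
console.log('would run: npm install -g', installSpecs(sampleEntries).join(' '));
console.log('major version bumps to review first:', majorBumps(sampleEntries));
```

Run it with node; to use it on real output, replace SAMPLE_OUTPUT with the text of npm outdated -g --parseable --depth=0. Reading the plan before running the install is exactly the step the one-liner skips.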

Keeping global packages up to date helps you avoid bugs, take advantage of new features, and—most importantly—stay protected from known security vulnerabilities.

What About Yarn?

Yarn (especially v2 and above) doesn’t support global packages the same way as npm or pnpm. Instead, it encourages using tools per project to avoid conflicts.

If you want to run a CLI tool with Yarn, use:

yarn dlx <package-name>
yarn dlx create-vite

yarn dlx -p typescript -p ts-node ts-node --transpile-only -e "console.log('hello!')"

Details

This command installs a package in a temporary environment and runs its binary script if it has one. The binary runs in the current working directory.

By default Yarn downloads the package with the same name as the command, but this can be changed with the -p,--package flag, which instructs Yarn to run the same command from a different package.

Using yarn dlx as a replacement for yarn add isn't recommended, as it makes your project non-deterministic (Yarn doesn't keep track of the packages installed through dlx, neither their name nor their version).
