v1.6.8 · interactive dependency upgrader
The upgrade-interactive
npm never shipped.
One command for npm, yarn, pnpm & bun. Pick upgrades in an interactive terminal UI — see vulnerabilities and changelogs before you commit. Zero config, monorepo-ready.
or install: npm i -g inup · pnpm add -g inup · yarn global add inup · bun add -g inup
the picker
The picker knows more than outdated does
Every feature is a keystroke away — no flags to remember, no re-runs.
Audit before you upgrade
Known vulnerabilities appear next to each package, cross-referenced against the bump — so you know whether it actually clears the advisory.
Search the picker
Filter hundreds of workspace dependencies as you type. / to search, Esc clears.
- dpo
Live dependency-type toggles
Show or hide dev, peer and optional dependencies on the fly — instead of restarting with different flags.
Changelogs in the terminal
Read release notes inline before selecting a major. No browser tab, no guessing what changed.
Bulk select, precisely
Select every safe in-range update with one key, or everything including majors — then deselect the risky ones.
Range or latest, per package
Cycle each package between no upgrade, the in-range bump and the latest major. Mixed strategies in one pass.
monorepos
pnpm catalogs, without ceremony
inup discovers every workspace in one pass. Dependencies declared ascatalog: are resolved from pnpm-workspace.yamland upgraded right there — comments and formatting preserved, not rewritten.
Private registries work exactly like npm's own resolution: scoped registries and credentials from your project, user and global.npmrc, including ${ENV_VAR} expansion.
# comments survive the upgrade
catalog:
# pinned for the design system
react: "18.3.1" → "19.1.0"
vue: "^3.5.13"# gate the build on outdated deps
inup --check
✗ 3 packages behind · 1 advisory
# structured report for dashboards
inup --json | jq '.summary'
# apply safe in-range bumps + install
inup --apply --target minorautomation
Headless in CI, by default
When stdout isn't a TTY or $CI is set, inup never opens the UI — it reports. --check and --json are read-only, and JSON output carries a schemaVersion so agents can pin to a known shape.
The GitHub Action runs on a schedule and maintains one rolling PR with safe upgrades applied — re-runs update the same PR.
comparison
How inup compares
Honest marks — including the rows where the others win. Verified against each tool's docs on 2026-07-09.
"PM built-ins" = yarn upgrade-interactive,pnpm update -i, bun update -i,deno outdated -i — each works with its own package manager only. Detailed head-to-heads: inup vs npm-check-updates, taze, npm-check, npm-upgrade, updates, PM built-ins, Renovate and Dependabot.
no telemetry
Try it on your messiest repo
No tracking, no data collection. Metadata comes straight from the npm registry and changelogs from GitHub. MIT licensed — read the source.