comparison · verified 2026-07-09
inup vs npm-check-updates
npm-check-updates (ncu) is the incumbent: over a decade old, millions of downloads a month, and a huge option surface. If you're happy with it, keep it. Here's where the two tools genuinely differ.
| Feature | inup | ncu |
|---|---|---|
| One tool for npm, yarn, pnpm & bun | ||
| Interactive upgrade UI | ||
| Monorepos & workspaces | ||
| Vulnerability audit in the picker | ||
| Changelogs in the terminal | ||
| Search & dep-type toggles in the UI | ||
| pnpm catalogs, comments preserved | ||
| CI gate + JSON report | ||
| GitHub Action included | ||
| Actively maintained (2026) | ||
| Doctor mode (test each upgrade) | ||
| Cooldown / publish-age delay | ||
| Per-package upgrade rules | ||
| Programmatic API | ||
| Deno support | ||
| Checks globally installed packages |
Where inup is stronger
- The interactive session is the product, not a flag. ncu's
--interactiveis a checkbox list bolted onto a batch tool. inup's picker has search (/), live dependency-type toggles (d/p/o), a vulnerability audit (s) and changelogs (i) without leaving the terminal. - Security context at decision time. inup cross-references every advisory against the upgrade target, so the list tells you whether the in-range bump actually escapes the vulnerable range. ncu doesn't do vulnerability checks at all.
- pnpm catalog fidelity. Both tools understand
catalog:, but ncu currently rewritespnpm-workspace.yamland drops comments and formatting (ncu#1540, open since September 2025). inup edits the value in place.
Where ncu is stronger — use it if you need these
- Doctor mode.
ncu --doctorapplies upgrades one by one, runs your tests, and identifies the exact upgrade that breaks them. inup has nothing comparable. - Cooldown.
ncu --cooldownskips versions published fewer than N days ago — a practical defence against supply-chain attacks that inup currently lacks. - Fine-grained policy. Per-package target functions and filters let you encode rules like “majors for typescript, patches for eslint”. inup's config only supports ignore and exclude.
- A programmatic API and Deno support.
Honest verdict: ncu is the safer default for batch upgrades, automation scripts and policy-heavy setups. inup is the better tool for the interactive session itself — reviewing, auditing and reading changelogs before you commit to upgrades.
Try it in any project: npx inup
Frequently asked questions
Is inup a drop-in replacement for npm-check-updates?
For interactive upgrades, yes: run npx inup where you would run ncu --interactive. For batch automation with per-package rules, doctor mode or the programmatic API, ncu remains the stronger tool.
Does npm-check-updates check for vulnerabilities?
No. ncu does not do vulnerability checks. inup runs an audit inside the picker and cross-references every advisory against the upgrade target, so you can see whether a bump actually fixes the advisory.
Which tool handles pnpm catalogs better?
Both understand catalog: entries, but ncu currently rewrites pnpm-workspace.yaml and drops comments and formatting. inup edits the version value in place and preserves the file.
Sources: ncu documentation and issue tracker, inup source. Verified 2026-07-09. Also see inup vs taze and inup vs npm-check.