Skip to content
inup

comparison · verified 2026-07-09

inup vs npm-check-updates

npm-check-updates (ncu) is the incumbent: over a decade old, millions of downloads a month, and a huge option surface. If you're happy with it, keep it. Here's where the two tools genuinely differ.

Featureinupncu
One tool for npm, yarn, pnpm & bun
Interactive upgrade UI
Monorepos & workspaces
Vulnerability audit in the picker
Changelogs in the terminal
Search & dep-type toggles in the UI
pnpm catalogs, comments preserved
CI gate + JSON report
GitHub Action included
Actively maintained (2026)
Doctor mode (test each upgrade)
Cooldown / publish-age delay
Per-package upgrade rules
Programmatic API
Deno support
Checks globally installed packages

Where inup is stronger

  • The interactive session is the product, not a flag. ncu's --interactive is a checkbox list bolted onto a batch tool. inup's picker has search (/), live dependency-type toggles (d/p/o), a vulnerability audit (s) and changelogs (i) without leaving the terminal.
  • Security context at decision time. inup cross-references every advisory against the upgrade target, so the list tells you whether the in-range bump actually escapes the vulnerable range. ncu doesn't do vulnerability checks at all.
  • pnpm catalog fidelity. Both tools understandcatalog:, but ncu currently rewritespnpm-workspace.yaml and drops comments and formatting (ncu#1540, open since September 2025). inup edits the value in place.

Where ncu is stronger — use it if you need these

  • Doctor mode. ncu --doctor applies upgrades one by one, runs your tests, and identifies the exact upgrade that breaks them. inup has nothing comparable.
  • Cooldown. ncu --cooldown skips versions published fewer than N days ago — a practical defence against supply-chain attacks that inup currently lacks.
  • Fine-grained policy. Per-package target functions and filters let you encode rules like “majors for typescript, patches for eslint”. inup's config only supports ignore and exclude.
  • A programmatic API and Deno support.

Honest verdict: ncu is the safer default for batch upgrades, automation scripts and policy-heavy setups. inup is the better tool for the interactive session itself — reviewing, auditing and reading changelogs before you commit to upgrades.

Try it in any project: npx inup

Frequently asked questions

Is inup a drop-in replacement for npm-check-updates?

For interactive upgrades, yes: run npx inup where you would run ncu --interactive. For batch automation with per-package rules, doctor mode or the programmatic API, ncu remains the stronger tool.

Does npm-check-updates check for vulnerabilities?

No. ncu does not do vulnerability checks. inup runs an audit inside the picker and cross-references every advisory against the upgrade target, so you can see whether a bump actually fixes the advisory.

Which tool handles pnpm catalogs better?

Both understand catalog: entries, but ncu currently rewrites pnpm-workspace.yaml and drops comments and formatting. inup edits the version value in place and preserves the file.

Sources: ncu documentation and issue tracker, inup source. Verified 2026-07-09. Also see inup vs taze and inup vs npm-check.