feat: subcommand to view and update outdated dependencies

[nathanwhit]

Closes #20487

Currently spelled

deno outdated

and

deno outdated --update

Works across package.json and deno.json, and in workspaces.

There's a bit of duplicated code, I'll refactor to reduce this in follow ups

Currently supported:

Printing outdated deps (current output below which basically mimics pnpm, but requesting feedback / suggestions)

deno outdated

Updating deps

semver compatible:

deno outdated --update

latest:

deno outdated --latest

current output is basic, again would love suggestions

Filters

deno outdated --update "@std/*"
deno outdated --update --latest "@std/* "!@std/fmt"

Update to specific versions

deno outdated --update @std/fmt@1.0.2 @std/cli@^1.0.3

Include all workspace members

deno outdated --recursive
deno outdated --update --recursive

Future work

• interactive update
• update deps in js/ts files
• better support for transitive deps

Known issues (to be fixed in follow ups):

• If no top level dependencies have changed, we won't update transitive deps (even if they could be updated)
• Can't filter transitive deps, or update them to specific versions

TODO (in this PR):

• spec tests for filters
• spec test for mixed workspace (have tested manually)
• tweak output
• suggestion when you try deno update

[bartlomieju]

Does this only show changes for packages that actually have newer versions?

I have a project like this:

// deno.json
{
    "imports": {
        "@std/http": "jsr:@std/http@^1.0.0"
    }
}

// package.json
{
  "dependencies": {
    "express": "^4.21.0",
    "react": "^17.0.2",
    "vite": "^4.5.5"
  }
}

Running ./target/debug/deno outdated shows:

┌───────────┬─────────┬────────┬────────┐
│ Package   │ Current │ Update │ Latest │
├───────────┼─────────┼────────┼────────┤
│ npm:react │ 17.0.2  │ 17.0.2 │ 18.3.1 │
├───────────┼─────────┼────────┼────────┤
│ npm:vite  │ 4.5.5   │ 4.5.5  │ 5.4.11 │
└───────────┴─────────┴────────┴────────┘

There's no information for express and @std/http.

[nathanwhit]

Does this only show changes for packages that actually have newer versions?

Yeah, only if the currently locked version is out of date. I went with that since that's what e.g. npm and pnpm do. It's easy if we want to change that though

[bartlomieju]

Obviously - I had a test repo for this feature and I removed my lockfile before running the command, so it first installed latest semver versions and there was nothing to upgrade 👍

[dsherret]

FWIW, there's not much point to pub(crate) in the CLI crate. I remove it whenever I see it.

[dsherret]

Nice. LGTM!

[dsherret]

Maybe DepUpdater? Generally Manager is a term that's avoided because it means the struct has more than one responsibility.

[dsherret]

In the future, it might be beneficial to separate the state out of this struct then have the "service struct" operate on the state. That way we could make everything be constructed in the factory.

[dsherret]

Yeah, generally passing dependencies around horizontally in the code is not great, but this is fine for now.