So, for a long time now our projects' CI/CD pipelines have had an audit step that prevents merging if there are high-risk issues. Nothing complicated, just
npm audit
Then a developer would need to sit down and follow their own approach to updating NPM packages. Mine was to install all the patch versions and test, then the minor versions and test. Then I'd take a stab at any major versions after reading the release notes.
See: https://docs.npmjs.com/about-semantic-versioning
It works, but it is a pain.
Then I found NPM GUI
https://www.npmjs.com/package/npm-gui
After installing it globally, I run the following command
npm-gui
This opens a browser tab that first shows all the global packages and their versions. Navigate to the directory containing your package.json and a nice table of installed node packages is displayed with required, current, compatible and latest versions. Clicking a version installs it.
I still follow the same workflow of patches, minor and major versions, but it takes me far less time and cognitive load to update projects.
It might not be perfect, but the rest of my team have started using this and it's helped overcome the dread of package maintenance.
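The patch, then minor, then major tiering described above can also be scripted. The following is an added example, not code from the post or from npm-gui: it takes the output of `npm outdated --json` (a constructed sample is embedded in the shape npm prints, with `current`, `wanted` and `latest` fields), classifies each package's jump to `latest` by semver bump type, and emits one `npm install` command per tier so each tier can be installed and tested before the next.

```javascript
// Added example (not from the post or npm-gui): sort `npm outdated --json`
// output into patch -> minor -> major tiers so each tier can be installed
// and tested separately, as the post's workflow does by hand.

// Parse "1.2.3" or "1.2.3-beta.1" into numeric parts (prerelease tag dropped).
function parseVersion(v) {
  const [core] = v.split('-');
  const [major, minor, patch] = core.split('.').map(Number);
  return { major, minor, patch };
}

// Classify the jump from `current` to `target` as 'patch', 'minor' or
// 'major', or null when the two versions are the same.
function bumpType(current, target) {
  const a = parseVersion(current);
  const b = parseVersion(target);
  if (b.major !== a.major) return 'major';
  if (b.minor !== a.minor) return 'minor';
  if (b.patch !== a.patch) return 'patch';
  return null;
}

// Group `npm outdated --json` entries into tiers and build the install
// command for each tier, in the order the post applies them.
function planUpdates(outdated) {
  const tiers = { patch: [], minor: [], major: [] };
  for (const [name, info] of Object.entries(outdated)) {
    const kind = bumpType(info.current, info.latest);
    if (kind) tiers[kind].push(`${name}@${info.latest}`);
  }
  return ['patch', 'minor', 'major']
    .filter((tier) => tiers[tier].length > 0)
    .map((tier) => ({ tier, command: `npm install ${tiers[tier].join(' ')}` }));
}

// Constructed sample in the shape of `npm outdated --json`; not real data.
const SAMPLE_OUTDATED = {
  express: { current: '4.18.1', wanted: '4.18.2', latest: '4.18.2', location: 'node_modules/express' },
  lodash: { current: '4.17.15', wanted: '4.17.21', latest: '4.17.21', location: 'node_modules/lodash' },
  jest: { current: '28.1.0', wanted: '28.1.3', latest: '29.7.0', location: 'node_modules/jest' },
  axios: { current: '1.3.0', wanted: '1.6.0', latest: '1.6.0', location: 'node_modules/axios' },
};

for (const step of planUpdates(SAMPLE_OUTDATED)) {
  console.log(`[${step.tier}] ${step.command}`);
}
```

Packages whose `latest` is a major bump land in the major tier directly; stepping such a package through its intermediate patch and minor releases first would need the full version list from `npm view <pkg> versions`, which this example does not query.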