How Long Until npm Packages Get Updates? Maintenance Analysis
PkgPulse Team
TL;DR
The top 100 npm packages average a new release every 18 days; packages outside the top 10,000 by downloads average 400+ days between releases. Security patches come faster (median: 6 days for critical CVEs in actively maintained packages) but are unpredictably slow for single-maintainer packages. The safest dependency strategy: prefer well-funded packages (corporate backing or OpenJS Foundation), automate updates with Renovate/Dependabot behind CI, and have a migration plan for anything that has gone 2+ years without a release.
Key Takeaways
- Critical CVE patches: median 6 days for top 100 packages, 31 days for packages ranked 101-1000, 87 days for 1001-10000
- Minor releases: top packages every 2-4 weeks, mid-tier every 2-3 months
- Major versions: once every 12-24 months for stable packages
- 62% of npm packages haven't been updated in over a year
- Automated update tools (Renovate, Dependabot) make patch adoption routine, provided CI gates every merge and auto-merge waits out a short cooling-off period after publication
Update Frequency by Package Tier
Release cadence data (approximate, 2024-2026):
Tier 1: Top 100 packages by downloads
→ Average days between releases: 18
→ Critical security patch: 6 days median
→ Examples: react, vite, next, zustand, tailwindcss
Tier 2: Packages 101-1000 by downloads
→ Average days between releases: 52
→ Critical security patch: 31 days median
→ Examples: many specialized libraries, older frameworks
Tier 3: Packages 1001-10000 by downloads
→ Average days between releases: 130
→ Critical security patch: 87 days median
→ Examples: niche utilities, older middleware
Tier 4: Long tail (10000+)
→ Average days between releases: 400+
→ Critical security patch: often never (abandoned)
→ 62% haven't been updated in 12+ months
→ 38% haven't been updated in 24+ months
Security Patch Speed by Category
Time from CVE disclosure to patch release (median, by category):
Build tools: 3 days ← fastest (high-profile, well-staffed)
Test frameworks: 5 days
Major frameworks: 5 days (React, Vue, Angular — large teams)
Auth packages: 7 days (high severity = fast response)
State management: 8 days
HTTP clients: 12 days
Input parsing: 21 days (slower: often low-level, complex fixes)
Database drivers: 25 days
Utility packages: 45 days (varies widely)
Single-maintainer util: 90+ days (often blocked on maintainer availability)
Abandoned packages: never (create-react-app, request, bower)
Major Version Release Patterns
# How to read npm version history: the registry's publish-time map, whose keys
# are version strings plus "created" and "modified". Keep only x.y.z keys and
# order them by date:
npm view react time --json | jq 'to_entries | map(select(.key | test("^[0-9]+\\.[0-9]+\\.[0-9]+$"))) | sort_by(.value)'
# Just the x.0.0 release of each major line:
npm view react time --json | jq 'to_entries | map(select(.key | test("^[0-9]+\\.0\\.0$"))) | sort_by(.value)'
# React major version history (stable releases):
#   v15: Apr 2016
#   v16: Sep 2017 (about 1.5 years after v15)
#   v17: Oct 2020 (3 years)
#   v18: Mar 2022 (1.5 years)
#   v19: Dec 2024 (2.5 years)
# Cadence: a React major roughly every 1.5-3 years
# Comparison:
#   Vite: majors roughly every 6-12 months (v3 through v7 shipped between mid-2022 and mid-2025)
#   Next.js: majors roughly every 12 months (v13, v14 and v15 each shipped in October)
#   Fastify: majors roughly every 2 years
#   Prisma: majors roughly every 12-18 months
# What "major version" signals:
#   - Breaking changes (API changes you need to adapt to)
#   - New paradigm (e.g., Vue 3 Composition API; note that React Hooks shipped in the 16.8 minor, so a new paradigm does not always arrive with a major)
#   - Architectural rewrite (Next.js App Router, built on React Server Components)
#   - Platform target change (Node.js version requirements)
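The jq one-liners above only pull the raw dates. The script below is an example added to this article (it is not PkgPulse code) that computes from the same `time` map what the tier tables report: the gaps between stable releases, their median and mean, the time since the last release, and the first x.0.0 of each major line. It goes slightly beyond the page's one-off query in that it works for any package's map. The `SAMPLE_TIME` data is constructed for a hypothetical package and does not describe any real package's history.

```javascript
// Added example for this article (not PkgPulse code): summarise a package's
// release cadence from the registry's publish-time map, i.e. the object that
//   npm view <package> time --json
// prints. SAMPLE_TIME is CONSTRUCTED data for a hypothetical package
// "acme-widgets"; the dates are not any real package's history.
const SAMPLE_TIME = {
  created: "2021-01-10T00:00:00.000Z",
  modified: "2023-04-02T00:00:00.000Z",
  "1.0.0": "2021-01-10T00:00:00.000Z",
  "1.1.0": "2021-02-09T00:00:00.000Z",        // +30 days
  "1.1.1": "2021-02-19T00:00:00.000Z",        // +10 days
  "2.0.0-beta.1": "2021-06-01T00:00:00.000Z", // prerelease: excluded below
  "2.0.0": "2021-07-08T00:00:00.000Z",        // +139 days
  "2.1.0": "2021-09-06T00:00:00.000Z",        // +60 days
  "3.0.0": "2023-04-02T00:00:00.000Z",        // +573 days
};

const DAY_MS = 24 * 60 * 60 * 1000;
// Stable releases only: x.y.z with no prerelease/build suffix. This also drops
// the registry's "created" and "modified" bookkeeping keys.
const STABLE_RE = /^\d+\.\d+\.\d+$/;

function stableReleases(timeMap) {
  return Object.entries(timeMap)
    .filter(([version]) => STABLE_RE.test(version))
    .map(([version, iso]) => ({ version, date: new Date(iso) }))
    .sort((a, b) => a.date - b.date);
}

function daysBetween(from, to) {
  return Math.round((to - from) / DAY_MS);
}

function median(nums) {
  if (nums.length === 0) return null;
  const s = [...nums].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// `now` is injectable so the numbers are reproducible; defaults to wall clock.
function cadence(timeMap, now = new Date()) {
  const releases = stableReleases(timeMap);
  // Gap in days from each stable release to the next one.
  const gapDays = releases.slice(1).map((r, i) => daysBetween(releases[i].date, r.date));
  // First stable release of each major line, as YYYY-MM-DD.
  const majors = {};
  for (const r of releases) {
    const major = r.version.split(".")[0];
    if (!(major in majors)) majors[major] = r.date.toISOString().slice(0, 10);
  }
  const last = releases[releases.length - 1];
  const daysSinceLastRelease = last ? daysBetween(last.date, now) : null;
  return {
    releases: releases.length,
    gapDays,
    medianGapDays: median(gapDays),
    meanGapDays: gapDays.length ? gapDays.reduce((a, b) => a + b, 0) / gapDays.length : null,
    daysSinceLastRelease,
    // The "not updated in 12+ months" bucket from the tier table above.
    staleOverOneYear: daysSinceLastRelease !== null && daysSinceLastRelease > 365,
    majors,
  };
}

// Demo on the constructed data with a fixed clock.
const report = cadence(SAMPLE_TIME, new Date("2024-04-01T00:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

To run it on a real package, replace `SAMPLE_TIME` with the parsed output of `npm view <package> time --json`; the mean gap maps onto the tier table's "average days between releases", and `daysSinceLastRelease` is the number that decides whether a package belongs in the 12+ or 24+ month buckets.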
The Lag Between Release and Your Adoption
Real-world adoption patterns for major releases:
Next.js 14 (Oct 2023) → App Router adoption:
→ 3 months post-release: 15% of Next.js projects
→ 6 months: 35%
→ 12 months: 60%
→ 24 months: 80%
Why adoption lags:
1. Wait-and-see: let early adopters find bugs
2. Migration effort: App Router is NOT a drop-in for Pages Router
3. Tutorial gap: courses/tutorials lag behind releases
4. Dependency compatibility: some packages need to update for new APIs
This pattern means:
→ Don't upgrade on release day (let bugs surface)
→ But don't wait 2+ years (you accumulate security debt)
→ Sweet spot: 3-6 months after major release for most packages
→ Exception: critical security patches → apply immediately
Automated Update Strategy
Option 1: Dependabot (Simple)
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly   # open PRs weekly
      day: monday
      time: "09:00"
    # Group related updates to reduce PR noise
    groups:
      eslint:
        patterns: ["eslint*", "@eslint/*"]
      vitest:
        patterns: ["vitest*", "@vitest/*"]
    # Cap concurrent PRs. Dependabot has no auto-merge setting of its own:
    # auto-merging needs GitHub's auto-merge on the PR or a workflow that
    # approves and merges after CI passes.
    open-pull-requests-limit: 10
Option 2: Renovate (More Powerful)
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["before 9am on monday"],
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "automerge": true,
      "automergeType": "branch"
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["major-update"],
      "automerge": false
    },
    {
      "matchPackageNames": ["/^eslint/"],
      "groupName": "ESLint packages"
    },
    {
      "matchPackageNames": ["/^@tanstack\\//"],
      "groupName": "TanStack packages"
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true
  }
}
Notes: "config:base" is the old name of the "config:recommended" preset, and "matchPackagePatterns" has been superseded by regex entries (the "/.../" form) in "matchPackageNames". The "vulnerabilityAlerts" block applies to PRs Renovate opens from GitHub's vulnerability alerts; "automerge" there means security patches merge as soon as CI passes. Renovate's "minimumReleaseAge" option (for example "3 days") is worth adding to the automerge rules: a version that was published hours ago and auto-merged is exactly how a compromised release gets into a tree before anyone notices it has been unpublished.
When to Skip Updates vs Apply Immediately
Framework for deciding:
Apply immediately (< 24 hours):
- CRITICAL or HIGH CVE in any production dependency, direct or transitive (npm audit reports both; what matters is whether the vulnerable code is reachable from what you ship)
- Zero-day exploits being actively used in the wild
- CVE in auth, cryptography, or input-parsing packages
Apply within 1 week:
- MODERATE security advisories
- Patch releases in actively used packages
- Bug fixes for issues affecting your app
Apply within 1 month:
- Minor version updates to direct dependencies
- Non-security patch updates to transitive (indirect) dependencies
- Dev dependency updates (no runtime risk in production, though they still execute on developer machines and CI, so a compromised dev dependency is a supply-chain risk)
Evaluate before applying:
- Major version updates (check breaking changes)
- Updates to deeply integrated packages (ORM, router, bundler)
- Updates that require code changes
Skip or delay:
- Alpha/beta versions of dependencies (unless you're early adopting)
- Major versions of non-critical dev tools
- Updates that drop support for your Node.js version
Automated approach:
- Dependabot/Renovate patches → auto-merge if CI passes, after a cooling-off period of a few days (Renovate's minimumReleaseAge) so a freshly published, possibly compromised version is not pulled in before anyone has looked at it
- Minor updates → auto-merge dev deps, manual review prod deps
- Major updates → manual review always
- Install in CI with npm ci --ignore-scripts where the project tolerates it, so an auto-merged package cannot run a lifecycle script on the runner
Checking How Up-to-Date Your Dependencies Are
# List outdated packages
npm outdated
# Columns: Package, Current, Wanted (highest version allowed by package.json),
# Latest (the "latest" dist-tag), Location, Depended by. Exit status is 1 when
# anything is outdated, so don't let `set -e` treat that as a failure.
# Output example:
# Package     Current  Wanted  Latest  Location
# react       18.0.0   18.3.1  19.0.0  node_modules/react
# typescript  5.0.0    5.8.0   5.8.0   node_modules/typescript
# Interactive update with ncu (npm-check-updates)
npx npm-check-updates                       # report only
npx npm-check-updates -u                    # rewrite package.json ranges (then run npm install)
npx npm-check-updates -u --target minor     # only minor/patch bumps
# Try upgrades one at a time, running the test script after each and reverting
# any that break it (--doctor requires -u):
npx npm-check-updates --doctor -u
# Quick audit: what's >= 2 major versions behind?
# Skip the header row and packages npm reports as MISSING (not installed).
npm outdated | awk 'NR > 1 && $2 != "MISSING" {
  split($2, cur, "."); split($4, lat, ".")
  if (lat[1] - cur[1] >= 2) print $1, "is far behind:", $2, "→", $4
}'
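The awk one-liner answers one question (how many majors behind). The script below is an example added to this article (not PkgPulse code) that takes the JSON form of the same data, `npm outdated --json`, and classifies each entry into the buckets of the "When to Skip Updates vs Apply Immediately" framework above. It adds one thing the framework does not state: a cooling-off period modelled on Renovate's minimumReleaseAge, which keeps a patch or minor out of the auto-merge lane until it is a few days old. All inputs are constructed: the outdated map mirrors npm's output shape, the `acme-*` packages and the advisory are fictional, and the publish dates stand in for `npm view <pkg> time --json`.

```javascript
// Added example for this article (not PkgPulse code): triage `npm outdated --json`
// against the update-timing framework above, plus a release-age gate.
// CONSTRUCTED inputs. SAMPLE_OUTDATED mirrors the shape of `npm outdated --json`
// (npm 7+ includes a `type` field naming the dependency kind; the code falls back
// to "dependencies" when it is missing). The acme-* packages and the advisory
// are fictional; SAMPLE_PUBLISHED_AT stands in for per-version registry dates.
const SAMPLE_OUTDATED = {
  react:         { current: "18.0.0", wanted: "18.3.1", latest: "19.0.0", type: "dependencies" },
  typescript:    { current: "5.0.0",  wanted: "5.8.0",  latest: "5.8.0",  type: "devDependencies" },
  "acme-parser": { current: "2.1.0",  wanted: "2.1.1",  latest: "2.1.1",  type: "dependencies" },
  "acme-utils":  { current: "1.4.2",  wanted: "1.4.3",  latest: "1.4.3",  type: "dependencies" },
  "acme-legacy": { current: "1.0.0",  wanted: "1.0.0",  latest: "3.2.0",  type: "dependencies" },
};
const SAMPLE_ADVISORIES = {
  "acme-parser": { id: "HYPOTHETICAL-0001", severity: "high" }, // fictional advisory
};
const SAMPLE_PUBLISHED_AT = {
  "typescript@5.8.0":  "2024-12-01T00:00:00Z", // constructed dates, not registry data
  "acme-parser@2.1.1": "2025-01-14T00:00:00Z",
  "acme-utils@1.4.3":  "2025-01-14T00:00:00Z",
};
const NOW = new Date("2025-01-15T00:00:00Z"); // fixed clock for reproducibility

// Cooling-off period before a patch/minor is eligible for auto-merge. An added
// assumption modelled on Renovate's minimumReleaseAge: a version that was
// published hours ago may be compromised and unpublished tomorrow.
const MIN_RELEASE_AGE_DAYS = 3;
const DAY_MS = 24 * 60 * 60 * 1000;

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null; // null for "MISSING", git URLs, tags
}

function bumpKind(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (!a || !b) return "unknown";
  if (b[0] !== a[0]) return "major";
  if (b[1] !== a[1]) return "minor";
  if (b[2] !== a[2]) return "patch";
  return "none";
}

function majorsBehind(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  return a && b ? Math.max(0, b[0] - a[0]) : null;
}

function classify(name, entry, ctx) {
  const { advisories = {}, publishedAt = {}, now = new Date() } = ctx;
  const isDev = (entry.type || "dependencies") === "devDependencies";
  // `wanted` is what `npm update` installs within the package.json range; when
  // the range already pins us there, the only move left is `latest`.
  const target = entry.wanted !== entry.current ? entry.wanted : entry.latest;
  const kind = bumpKind(entry.current, target);
  const behind = majorsBehind(entry.current, entry.latest);
  const pub = publishedAt[`${name}@${target}`];
  const ageDays = pub ? Math.floor((now - new Date(pub)) / DAY_MS) : null;
  const base = { name, current: entry.current, target, kind, majorsBehind: behind, isDev, ageDays };
  const adv = advisories[name];

  // Security advisories outrank everything else, including the cooling-off period.
  if (adv && (adv.severity === "critical" || adv.severity === "high")) {
    return { ...base, action: "apply-immediately", deadline: "24h", reason: `${adv.severity} advisory ${adv.id}` };
  }
  if (adv && adv.severity === "moderate") {
    return { ...base, action: "apply", deadline: "1 week", reason: `moderate advisory ${adv.id}` };
  }
  if (kind === "unknown") return { ...base, action: "inspect", deadline: "n/a", reason: "non-semver version" };
  if (kind === "none") return { ...base, action: "none", deadline: "n/a", reason: "up to date" };
  if (kind === "major") {
    return { ...base, action: "evaluate", deadline: "manual review", reason: behind >= 2 ? `${behind} majors behind` : "breaking changes" };
  }
  if (kind === "patch" || isDev) {
    if (ageDays !== null && ageDays < MIN_RELEASE_AGE_DAYS) {
      return { ...base, action: "wait", deadline: `${MIN_RELEASE_AGE_DAYS - ageDays}d`, reason: "release younger than cooling-off period" };
    }
    return { ...base, action: "automerge-if-ci-passes", deadline: isDev ? "1 month" : "1 week", reason: isDev ? "dev dependency" : "patch release" };
  }
  return { ...base, action: "manual-review", deadline: "1 month", reason: "minor update to production dependency" };
}

function triage(outdated, ctx) {
  return Object.entries(outdated).map(([name, entry]) => classify(name, entry, ctx));
}

// Runs the constructed sample and indexes the results by package name.
function runSample() {
  const rows = triage(SAMPLE_OUTDATED, { advisories: SAMPLE_ADVISORIES, publishedAt: SAMPLE_PUBLISHED_AT, now: NOW });
  return Object.fromEntries(rows.map((r) => [r.name, r]));
}

for (const r of Object.values(runSample())) {
  console.log(`${r.name.padEnd(12)} ${r.current} -> ${r.target} [${r.kind}] ${r.action} (${r.deadline}): ${r.reason}`);
}
```

With real data, `npm outdated --json` supplies the first map, `npm audit --json` the advisories, and `npm view <pkg> time --json` the publish dates. Note the ordering: an advisory always wins over the cooling-off period, because the risk of a known exploitable bug outweighs the risk that the fix itself is a fresh publish.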
The Cost of Not Updating
What happens when you let dependencies get stale:
1 year behind:
→ Missing 3-5 security patches on average (HIGH/CRITICAL)
→ Accumulated 10-20 MODERATE vulnerabilities
→ Compatibility issues with new Node.js versions starting to appear
→ npm audit outputs are noisy with known issues
2 years behind:
→ Multiple CVEs, potentially including unpatched critical ones
→ Node.js LTS compatibility broken (e.g., still on Node.js 16, which reached end-of-life in September 2023)
→ New developers struggle ("why does this version behavior differ?")
→ Major version upgrade more painful (2 versions of API changes)
3+ years behind:
→ Dependency hell: upgrading one package now requires upgrading 5 others
→ Peer-dependency conflicts everywhere (npm 7+ fails the install with ERESOLVE unless you pass --legacy-peer-deps)
→ You're on EOL packages that will never get security patches
→ The cost of staying outweighs the cost of migrating
The cheapest time to upgrade is always now.
Every month you wait makes the upgrade more expensive.
Monitor package health, update frequency, and maintenance scores at PkgPulse.