lpm outdated
List dependencies with newer versions available.
lpm outdatedCompares every entry in package.json > dependencies and package.json > devDependencies against the registry and prints the ones with newer versions available. Read-only — never modifies anything.
Example output
Section Package Current Wanted Latest
dependencies react 18.2.0 18.3.1 19.0.0
dependencies zod 4.3.5 4.3.6 4.4.0
devDependencies typescript 5.4.0 5.6.2 5.7.0A row appears when the installed version (from lpm.lock) differs from the registry's latest tag. wanted is the newest published version that still satisfies the declared range; latest is the newest published version overall.
Ecosystem scope
By default, lpm outdated checks both @lpm.dev/* packages and npm packages whose lockfile source can be checked without disclosing a private name to a new registry.
lpm outdated # both ecosystems (default)
lpm outdated --registry-only=lpm # @lpm.dev only — useful when npm is rate-limiting or offline--registry-only=all is the explicit form of the default.
Acting on the report
lpm upgrade applies the report for @lpm.dev/* packages and for npm packages whose existing lpm.lock entry records either public npm or the configured LPM registry as the source. That keeps the common flow as:
lpm outdated
lpm upgrade -yFor one-off manual bumps, use lpm install with the spec you want:
lpm install zod@latest
lpm install react@^19 # explicit rangePackages without a recorded public npm or LPM-registry source are still skipped instead of being queried against registry.npmjs.org. Run lpm install first so the source is captured in lpm.lock, then rerun lpm outdated or lpm upgrade.
JSON output
lpm outdated --jsonEmits a schema-versioned envelope with schema_version, success, count, outdated_count, and a packages[] array. Each row carries:
| Field | Meaning |
|---|---|
schema_version | JSON contract version for the envelope. Current value: 2 |
name | Package name |
current | Version resolved in lpm.lock, or "?" if the lockfile is missing |
wanted | The newest published version that satisfies the declared range, or null when nothing published satisfies it |
wanted_range | The raw declared spec from package.json (for example "^4.3.0") |
latest | The newest version on the registry, regardless of range |
section | Which dependency map produced the row: dependencies or devDependencies |
outdated | true when current differs from latest |
When lpm outdated skips non-@lpm.dev/* packages because they do not have recorded public npm or LPM-registry source attribution in lpm.lock, the envelope also includes skipped_private and skipped_private_reason.
Registry lookup failures are not silently skipped. In human mode, LPM lists the packages it could not check and exits non-zero. In --json mode, the envelope keeps any successfully checked rows, sets success: false, adds unresolved_count and unresolved[] (name, section, reason), then exits with code 1.
Flags
| Flag | Effect |
|---|---|
--registry-only <all|lpm> | Limit checks to a single ecosystem (default: all) |
Plus the global flags — --json is especially useful for scripting.
See also
lpm upgrade— apply the updates surfaced bylpm outdatedlpm audit— check for vulnerable versions you should bump