npm update update packages to their latest stable versions.
npm update also installs missing packages.
npm update respects semvar. This means if the latest version of dep1 is 1.3.0 but your package.json specifies "dep1" : "~1.2.3" you wont get the latest version. Instead, npm will install the latest version of dep1 that also satisfies semvar (if there is one).
If no packages are specified, npm update will update every (non-dev) dependency listed in package.json...
Just like npm install, if the --save-dev flag is specified, npm update will update devDependencies as well...
npm update --save-dev
npm update --dev
Both --save-dev and --dev do the same thing.
If packages are specified then only those packages will be updated...
npm update express
If you want to update a package to specific version, use npm install with the specified @version tag instead...
npm install email@example.com --save
Using the --save flag is important for updating the package.json.
For more information on updating packages to a specific version, see npm install | how it works.
npm update will update packages globally if the global flag is specified...
npm update --global
npm update express --g
Both --global and -g do the same thing. Also notice how the --global flag works with both individual package arguments and no arguments. If no package arguments are specified, all global packages will be updated.
Any changes to the node_modules tree or package.json will automatically generate a package-lock.json file.
As of firstname.lastname@example.org, the package.json file is updated when running npm update. This means npm update will update the package-lock.json file automatically with any corresponding updates to package.json.
Remember that updates have to be available for a package that also respect your semvar definitions for npm update to do anything. A common mistake is to run npm update and think things are broken because nothing changes.
If you don't see npm update working, be sure to verify that an updated package exists that also satisfies your semvar specification for that package.