Appearance
Dependency Management
Corral inspects your project's dependencies and shows which ones are outdated, what safe updates are available, and lets you update them directly from the app.
How It Works
When you open the Dependencies tab for a project, Corral:
- Reads
package.jsonto find declared dependencies and their semver ranges - Parses the lock file (npm, yarn, pnpm, or bun) to determine installed versions
- Queries the npm registry to fetch all published versions for each package
- Computes two key versions per dependency:
- Wanted — the highest published version that satisfies the declared semver range (e.g., if your range is
^5.9.0, wanted might be5.9.5) - Latest — the highest published version overall (e.g.,
6.0.2)
- Wanted — the highest published version that satisfies the declared semver range (e.g., if your range is
- Classifies the update type as patch, minor, or major based on the version difference
Pre-release versions are excluded from both wanted and latest computations.
Version Caching
Version lists are cached per package (not per project) with a 1-hour TTL. If two projects both depend on typescript, the registry is queried once and both benefit from the cache. Refreshing the dependency list re-reads the lock file from disk but reuses cached registry data.
Updating Dependencies
Update All
Runs the equivalent of npm update — updates every package to the latest version within its declared semver range. This modifies the lock file but not package.json. A confirmation dialog shows how many packages will be affected.
Update to Wanted
Updates specific packages within their declared semver ranges. Available via the right-click context menu on selected rows. This is always a safe operation — it won't introduce breaking changes.
Update to Latest
Updates specific packages to the absolute latest version, regardless of the declared range. This modifies package.json. A confirmation dialog warns about potential breaking changes.
Supported Package Managers
Corral detects the package manager from the project's lock file and uses the correct syntax:
| Manager | Lockfile | Detected by |
|---|---|---|
| npm | package-lock.json | Lock file presence |
| yarn (v1 & Berry) | yarn.lock | Lock file presence; v1 vs Berry detected by __metadata: key |
| pnpm | pnpm-lock.yaml | Lock file presence |
| bun | bun.lock or bun.lockb | Lock file presence |
If no lock file is found, Corral defaults to npm.
Semver Range Support
Corral uses npm-compatible semver range matching (via the node-semver library), supporting:
- Caret ranges:
^1.2.3 - Tilde ranges:
~1.2.3 - Exact versions:
1.2.3 - Comparators:
>=1.0.0 <2.0.0 - OR ranges:
^1.0.0 || ^2.0.0 - Hyphen ranges:
1.0.0 - 2.0.0 - X-ranges:
1.x,1.2.*
Non-standard specifiers like workspace:*, file:../, or git URLs will show "—" for the wanted version.