NPM Package Version Tracking
Detect new versions of any npm package the moment they're published - useful for security patches, dependency upgrades, and ecosystem watch.
npm-new-version
The scenario
Your application depends on a critical npm package - a framework, an auth library, a database client. When the maintainers publish a patch release, you want to know within the hour so you can evaluate and apply it before the next deploy. You'd also like a heads-up on the next minor so the team can plan an upgrade window.
For security teams, the same pattern is "tell me when a CVE-mentioned dependency publishes a new version."
The problem
npm outdated only tells you what's outdated when you run it. Renovate and Dependabot open PRs but on their own schedule (often daily), which is fine for routine bumps but slow for security-relevant releases. The npm registry has no public push notification - you have to poll.
How Verid solves it
The npm registry exposes a public, unauthenticated JSON document per package at https://registry.npmjs.org/{package}. The dist-tags.latest field tells you the most recent published version. Verid polls, extracts that field via JSONPath, and fires the moment the version changes.
Build the monitor
Extraction config
{
  "method": "json_path",
  "fields": {
    "latest_version": "$.dist-tags.latest",
    "modified": "$.time.modified"
  }
}
Predicate
A change in latest_version is the signal:
{ "type": "field_changes", "field": "latest_version" }
Create the monitor
Using the template:
curl -X POST https://api.verid.dev/v1/monitors/from-template/npm-new-version \
  -H "Authorization: Bearer vrd_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "npm - next-auth",
    "url": "https://registry.npmjs.org/next-auth",
    "deliveries": [
      { "type": "slack", "webhookUrl": "https://hooks.slack.com/services/..." }
    ]
  }'
SDK:
import { VeridClient } from '@verid.dev/sdk';

const client = new VeridClient({ apiKey: 'vrd_your_api_key' });

await client.monitors.createFromTemplate('npm-new-version', {
  name: 'npm - next-auth',
  url: 'https://registry.npmjs.org/next-auth',
  deliveries: [
    { type: 'slack', webhookUrl: 'https://hooks.slack.com/services/...' },
  ],
});
What the webhook delivers
{
  "id": "del_01H...",
  "fired_at": "2026-05-08T11:42:00Z",
  "diff": {
    "fields_changed": ["latest_version", "modified"],
    "before": { "latest_version": "5.2.4", "modified": "2026-04-30T13:01:00Z" },
    "after": { "latest_version": "5.3.0", "modified": "2026-05-08T11:40:00Z" }
  }
}
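One way a receiver could triage this delivery, as an added example that is not Verid's own code: it classifies the change in latest_version so patch releases are evaluated right away, minors are scheduled, and a dist-tag that moves backwards is flagged. The helper names and action labels are assumptions.

```javascript
// Added example; parseVersion, classifyBump and triage are hypothetical helpers,
// not Verid SDK functions. The action labels are assumptions for illustration.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// Returns major | minor | patch | prerelease | downgrade | none | unparseable.
function classifyBump(before, after) {
  const a = parseVersion(before);
  const b = parseVersion(after);
  if (!a || !b) return 'unparseable';
  const names = ['major', 'minor', 'patch'];
  for (let i = 0; i < 3; i++) {
    if (b.core[i] > a.core[i]) return names[i];
    // A dist-tag can be repointed at an older version; surface that.
    if (b.core[i] < a.core[i]) return 'downgrade';
  }
  if (a.pre === b.pre) return 'none';
  // Same core version: final -> prerelease is lower precedence.
  if (!a.pre && b.pre) return 'downgrade';
  // Only the prerelease tag changed; ordering between tags is not compared.
  return 'prerelease';
}

// Map one delivery (shape as in the sample payload) to a triage decision.
function triage(delivery) {
  const diff = delivery && delivery.diff;
  const changed = diff && Array.isArray(diff.fields_changed) ? diff.fields_changed : [];
  if (!changed.includes('latest_version')) return { action: 'ignore', bump: 'none' };
  const from = diff.before && diff.before.latest_version;
  const to = diff.after && diff.after.latest_version;
  const bump = classifyBump(from, to);
  const actions = {
    patch: 'evaluate-now', minor: 'plan-upgrade', major: 'plan-upgrade',
    prerelease: 'review', downgrade: 'investigate', unparseable: 'investigate',
    none: 'ignore',
  };
  return { action: actions[bump], bump, from, to };
}

// Constructed input mirroring the sample delivery on this page.
const sampleDelivery = { diff: { fields_changed: ['latest_version', 'modified'],
  before: { latest_version: '5.2.4' }, after: { latest_version: '5.3.0' } } };
console.log(triage(sampleDelivery));
```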
Caveats & tips
- Scoped packages need URL encoding. For @scope/pkg, encode the slash: https://registry.npmjs.org/@scope%2Fpkg. Otherwise the registry returns a redirect that Verid doesn't follow.
- dist-tags.latest excludes prereleases. Beta and RC versions get their own dist-tags (beta, next, rc). To track those, point JSONPath at $.dist-tags.next or $.dist-tags.beta instead.
- Hourly is the right interval. npm publishes are sparse - a single watch per hour catches everything that matters and stays well under the registry's rate ceiling.
Related use cases
For Python packages, see PyPI package updates. For GitHub releases (which often precede the npm publish by minutes), see GitHub release monitoring. For any other JSON endpoint, see JSON API field monitoring.