Registry Monitoring

24/7 npm registry watching. Security advisories detected and prioritized. Jobs queued automatically.

Deep Dive

Always watching, so you don't have to

Ovvoc continuously monitors the npm registry _changes feed, the same firehose that npm itself uses to propagate updates. Every new version is detected within minutes of publication.

Each update is cross-referenced against your dependencies. Only packages you actually use trigger action. No noise from packages you don't depend on.

Security advisories are tracked and prioritized. Critical CVEs get priority queue position, so security patches are applied before feature updates.

Registry Feed

express 5.2.1 (queued)
chalk 6.0.0
lodash 4.17.22 (CVE, queued)
vue 3.6.0
@types/express 5.0.2 (queued)
webpack 5.99.0

Packages without a queued job are not in your dependencies (shown grayed out in the live feed).

How It Works

Detect, filter, prioritize, queue

1. Poll Registry

Continuous polling of the npm registry _changes feed. Every new version detected within minutes of publication.

2. Version Compare

Each update compared against your package.json. Only relevant updates for your actual dependencies trigger action.

3. CVE Cross-Reference

Security advisories checked against your dependency tree. CVEs prioritized by severity and exploitability.

4. Auto-Queue

Relevant updates queued as jobs automatically. Critical security patches get priority queue position.

Technical Demo

Live registry monitoring

Watch Ovvoc detect updates and security advisories in real-time.

Use Cases

Proactive, not reactive

Zero-Day Security Patch

Critical CVE published for a package you use. Ovvoc detects it, queues a priority job, and opens a PR with the fix within hours.

Major Version Release

Express 6.0.0 drops. Ovvoc analyzes the breaking changes, plans the migration, and queues jobs for all affected repositories.

Multi-Repo Parallel Updates

You have 5 repos using the same outdated package. All 5 get update jobs queued simultaneously. No manual triage.

Registry Feed

Connected to npm's real-time stream

Ovvoc monitors the npm registry _changes feed — a real-time stream of every package publication on npm. This is the same feed that npm's own infrastructure uses to propagate updates across its CDN. Every new version published to npm is detected by Ovvoc within minutes.

This is not a polling-based approach that checks packages on a schedule. The _changes feed is a continuous stream that delivers events as they happen. No polling delays, no missed updates, no gaps between scheduled scans.

The feed includes all metadata needed for initial filtering: package name, version number, publication timestamp, and dist-tags. Ovvoc uses this metadata to immediately determine relevance before fetching full package details.

Detection Speed

From publish to PR in minutes

1–5 min: from npm publish to Ovvoc detection

Immediate: job queuing for security patches

10–30 min: end-to-end (detect, run, PR opened)

Security patches are queued with immediate priority, bypassing the normal queue order. Feature updates are batched based on your configured schedule — daily, weekly, or on-demand. This means critical CVE fixes are applied as fast as possible, while routine version bumps don't overwhelm your PR queue.

Smart Filtering

Only the updates that matter to you

Not every new npm version triggers a job. Ovvoc applies a four-condition filter to every detected update. All four conditions must be true for a job to be queued:

1. In Your Dependencies

The package must be listed in your package.json as a dependency or devDependency. Updates to packages you don't use are silently ignored.

2. Version Relevance

The new version must satisfy or exceed your current version spec. If you're on ^2.0.0 and version 3.0.0 is published, it triggers a major update job.

3. Not Ignored

The package is not in your ignore list. You can exclude specific packages or version ranges from automatic updates via dashboard settings.

4. Auto-Update Enabled

Automatic updates must be enabled for this dependency in your repo settings. You have full control over which packages get automatic updates.

Version Intelligence

Semver-aware upgrade path selection

Ovvoc fully understands semantic versioning: caret (^), tilde (~), greater-than-or-equal (>=), and exact version specifiers. The upgrade path is chosen based on your current version spec and the nature of the update.

Patch within range (^2.1.0 → 2.1.5)

No version spec change needed. Lockfile updated, tests run as verification.

Minor within range (^2.1.0 → 2.3.0)

No version spec change needed. New features available. Tests run to verify backward compatibility.

Major upgrade (^2.1.0 → ^3.0.0)

Version spec updated in package.json. Full migration pipeline: scan, transform, build, test.

Pre-release (3.0.0-rc.1)

Skipped by default. Pre-release versions are not applied unless explicitly opted in via settings.

Dist-tags (latest, next, canary)

Tracked separately. Only the “latest” dist-tag triggers updates by default. “next” and “canary” are opt-in.
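The four-condition filter from Smart Filtering and the semver-aware upgrade-path selection from Version Intelligence, put together as one decision function. This is an added example, not Ovvoc's code; the shape of the package.json object, the settings object (ignore list, auto-update list, tracked dist-tags, pre-release opt-in) and the feed event (name, version, distTag, advisory flag) are assumptions for illustration.

```javascript
// Added example, not Ovvoc's code: the four-condition filter and the
// semver-aware upgrade-path classification described on this page.
// Field names (pkg, settings, event) are assumptions for illustration.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`invalid semver: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Range check for the specifiers the page lists: ^, ~, >= and exact.
function satisfies(spec, version) {
  const [, op, baseStr] = /^(\^|~|>=)?(.*)$/.exec(spec);
  const base = parseVersion(baseStr), v = parseVersion(version);
  if (compare(v, base) < 0) return false;
  if (op === '>=') return true;
  if (op === undefined) return compare(v, base) === 0;
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // caret: the leftmost non-zero component must not change
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return compare(v, base) === 0;
}

// pkg: parsed package.json; settings: ignore list, auto-update list, tracked
// dist-tags and pre-release opt-in; event: one _changes feed entry plus an
// optional advisory flag. Returns the decision and, if queued, the upgrade kind.
function classifyUpdate(pkg, settings, event) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const spec = deps[event.name];
  if (!spec) return { action: 'skip', reason: 'not-dependency' }; // condition 1
  if (settings.ignore.includes(event.name)) return { action: 'skip', reason: 'ignored' }; // condition 3
  if (!settings.autoUpdate.includes(event.name)) return { action: 'skip', reason: 'auto-update-disabled' }; // condition 4
  if (!settings.trackedTags.includes(event.distTag)) return { action: 'skip', reason: 'dist-tag-skipped' };
  const v = parseVersion(event.version);
  if (v.pre && !settings.allowPrerelease) return { action: 'skip', reason: 'prerelease-skipped' };
  const base = parseVersion(spec.replace(/^(\^|~|>=)/, ''));
  if (compare(v, base) <= 0) return { action: 'skip', reason: 'not-newer' }; // condition 2
  const kind = v.major !== base.major ? 'major' : v.minor !== base.minor ? 'minor' : 'patch';
  return {
    action: 'queue',
    kind,
    specChange: !satisfies(spec, event.version), // out-of-range bumps rewrite package.json
    priority: event.advisory ? 'critical' : 'normal', // CVE fixes jump the queue
  };
}
```

A patch with an advisory flag comes back as a critical, in-range job (lockfile only), while a major bump comes back with specChange set, which is the cue for the full migration pipeline.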

Future Ecosystems

npm is just the beginning

Ovvoc's architecture is ecosystem-agnostic. The pipeline — clone, scan, transform, build, test, PR — works the same regardless of the package ecosystem. What changes is the registry monitor, the scanner, and the rule registry.

npm (registry.npmjs.org): Live

Python (pypi.org): Next

Go (proxy.golang.org): Planned

Rust (crates.io): Planned

Each ecosystem gets its own registry monitor, scanner, and rule registry. The same pipeline handles cloning, building, testing, and PR creation. Different parsers, same reliability. The goal: one tool for all your dependency updates, regardless of language.

Ready to automate your dependency updates?

Start with one repo. See the difference in your first PR.