rollup-watch
★
★
★
★
★
3
reviews
Watch files for changes and perform incremental rebuilds with Rollup
90
Security
36
Quality
5
Maintenance
47
Overall
v4.3.1
npm
JavaScript
Jul 12, 2017
by Rich Harris
No Known Issues
This package has a good security score with no known vulnerabilities.
92
GitHub Stars
2.0/5
Avg Rating
Community Reviews
AVOID
Deprecated Package with Security and Maintenance Concerns
This package has been abandoned since 2017 and should not be used in new projects. The last release was over 6 years ago, and Rollup itself has moved watch functionality into the core package. From a security perspective, this is a significant red flag - no CVE response capability, no dependency updates, and no maintenance for modern Node.js versions.
When I used this in legacy projects, the watch implementation was basic but functional. However, the error handling is minimal and doesn't provide useful context when file watching fails. There's no input validation on watch paths, which could potentially be exploited if user input reaches the configuration. The library doesn't handle symlinks securely and can follow them unexpectedly.
The biggest practical issue is dependency rot. Running npm audit shows transitive dependencies with known vulnerabilities that will never be patched. Modern Rollup projects should use the built-in watch mode (rollup -w) or rollup-plugin-serve, which are actively maintained and have proper security support.
When I used this in legacy projects, the watch implementation was basic but functional. However, the error handling is minimal and doesn't provide useful context when file watching fails. There's no input validation on watch paths, which could potentially be exploited if user input reaches the configuration. The library doesn't handle symlinks securely and can follow them unexpectedly.
The biggest practical issue is dependency rot. Running npm audit shows transitive dependencies with known vulnerabilities that will never be patched. Modern Rollup projects should use the built-in watch mode (rollup -w) or rollup-plugin-serve, which are actively maintained and have proper security support.
Simple API for basic file watching scenarios
Lightweight with minimal configuration required
Completely abandoned since 2017 with no security updates or CVE response
Outdated dependencies with known vulnerabilities in the supply chain
Functionality now built into Rollup core, making this package redundant
No input validation on file paths or watch patterns
Best for: Maintaining legacy projects where migration effort isn't justified (only until dependencies force an upgrade).
Avoid if: You're starting any new project or care about security updates and supply chain risk.
AVOID
Deprecated Package - Use Rollup's Built-in Watch Mode Instead
This package is effectively deprecated and shouldn't be used for new projects. The last release was in 2017, and its functionality has been integrated directly into Rollup core since version 0.50. If you try to use rollup-watch today, you'll encounter dependency conflicts and compatibility issues with modern Rollup versions.
When I initially tried this package before realizing it was deprecated, the setup was confusing because the documentation doesn't clearly indicate its obsolete status. The API itself was straightforward - you'd pass your Rollup config and get file watching - but error messages when things went wrong were minimal. The package would silently fail or throw cryptic errors when module resolution failed.
The migration path is simple: just use Rollup's native watch API (`rollup.watch()`) which has better error handling, active maintenance, and clearer documentation. The built-in watch mode provides the same functionality with better performance and integration.
When I initially tried this package before realizing it was deprecated, the setup was confusing because the documentation doesn't clearly indicate its obsolete status. The API itself was straightforward - you'd pass your Rollup config and get file watching - but error messages when things went wrong were minimal. The package would silently fail or throw cryptic errors when module resolution failed.
The migration path is simple: just use Rollup's native watch API (`rollup.watch()`) which has better error handling, active maintenance, and clearer documentation. The built-in watch mode provides the same functionality with better performance and integration.
Simple API concept that influenced Rollup's current watch implementation
Minimal configuration if you can get it working with old Rollup versions
Package is abandoned with last release in 2017, causing dependency conflicts
Functionality now built into Rollup core, making this package redundant
Poor error messages that don't help diagnose configuration or file watching issues
No community support or GitHub issue responses for modern problems
Best for: Legacy projects already using it that haven't migrated to modern Rollup versions.
Avoid if: You're starting any new project or using Rollup 0.50 or later, which includes native watch functionality.
AVOID
Deprecated Package - Use Rollup's Built-in Watch Mode Instead
This package hasn't been updated since 2017 and is effectively deprecated. In modern Rollup (v0.60+), watch functionality is built directly into the core package, making rollup-watch unnecessary. If you're still using this, you're likely working with a legacy codebase that needs upgrading.
The API itself was straightforward when it was relevant - you'd import the watcher, pass your Rollup config, and listen for events. However, the lack of TypeScript definitions, outdated dependencies, and absence of modern JavaScript features make it painful to work with today. Error messages are basic and don't provide the helpful context you'd expect from current tooling.
The migration path is clear: remove this package and use Rollup's native `rollup.watch()` API instead. The modern API is better documented, actively maintained, and provides superior type safety. There's simply no reason to use rollup-watch in any new or actively maintained project.
The API itself was straightforward when it was relevant - you'd import the watcher, pass your Rollup config, and listen for events. However, the lack of TypeScript definitions, outdated dependencies, and absence of modern JavaScript features make it painful to work with today. Error messages are basic and don't provide the helpful context you'd expect from current tooling.
The migration path is clear: remove this package and use Rollup's native `rollup.watch()` API instead. The modern API is better documented, actively maintained, and provides superior type safety. There's simply no reason to use rollup-watch in any new or actively maintained project.
Simple event-based API that was intuitive for its time
Clear migration path to Rollup's built-in watch functionality
Abandoned since 2017 with no updates or security patches
No TypeScript definitions or modern IDE support
Completely superseded by Rollup's core watch API since v0.60
Missing features and improvements available in modern Rollup watch mode
Best for: Legacy projects that haven't yet migrated to modern Rollup versions.
Avoid if: You're starting a new project or can upgrade to Rollup v0.60 or later (which you should).
Write a Review
Sign in to write a review
Sign In
Dependencies