Linux Updates

List upgradable packages with apt

Know what will change before you run a full upgrade.

7 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Review the upgrade list before running apt upgrade on production servers. Kernel and library updates may require reboot; held packages can block security fixes.

What you will achieve

See exactly which packages APT will upgrade on Ubuntu or Debian before you commit — including version jumps, held packages, and simulated install size.

1) Refresh package lists

Always update metadata first. Without this, your upgradable list is stale fiction.

sudo apt update

2) List upgradable packages

The canonical one-liner on modern APT:

apt list --upgradable

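Each output line has the form package/suite version arch [upgradable from: oldversion]. The 2>/dev/null in the commands below hides apt's warning that its CLI output is not a stable interface for scripts. Filter for security-related names or a specific package: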

apt list --upgradable 2>/dev/null | grep -i linux-image
apt list --upgradable 2>/dev/null | grep nginx

3) Dry-run the upgrade

Simulate what apt upgrade would do without installing anything:

sudo apt upgrade --dry-run

Read the summary at the bottom: packages upgraded, newly installed, removed. If removals look wrong, investigate before proceeding.

4) Check for held packages

Held packages never upgrade until you release the hold:

apt-mark showhold

If a critical security update is held, understand why it was pinned before removing the hold.

5) Compare with aptitude (optional)

sudo apt install aptitude
aptitude search '~U'

~U matches upgradable packages in aptitude's query syntax. This is handy if you have older admin habits or want a tree view of dependencies.

6) Security updates only

On Ubuntu with unattended-upgrades, see what the security pocket would touch:

sudo unattended-upgrade --dry-run --debug

7) Count and export the list

Pipe upgradable packages to a file before maintenance windows — helps change control and rollback planning:

apt list --upgradable 2>/dev/null > /tmp/upgradable-$(date +%F).txt
grep -c 'upgradable from' /tmp/upgradable-$(date +%F).txt

Compare lists before and after pinning a package to confirm the hold worked as intended.
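
To tie steps 2, 4 and 7 together, here is an added example (not part of the original guide) that parses apt list --upgradable output and reports held packages with an update pending from a -security suite. The function names, the holds file and the sample lines are constructed for illustration; it assumes the suite name contains "-security", as on Ubuntu and Debian.

```shell
#!/bin/sh
# Added example; the sample data below is constructed, not captured from a host.

# parse_upgradable: read `apt list --upgradable` output on stdin and print one
# tab-separated row per package: name, old version, new version, origin class.
parse_upgradable() {
    awk '
        # Skip the "Listing..." header and anything that is not a package row.
        !/\[upgradable from: / { next }
        {
            split($1, id, "/")              # id[1] = package, id[2] = suite list
            old = $NF; sub(/\]$/, "", old)  # last field is "oldversion]"
            sec = (id[2] ~ /-security/) ? "security" : "other"
            printf "%s\t%s\t%s\t%s\n", id[1], old, $2, sec
        }'
}

# held_security: apt output on stdin, file of held names in $1 (one per line,
# as printed by `apt-mark showhold`). Prints held packages that have a
# pending update from a -security suite.
held_security() {
    parse_upgradable | awk -F '\t' -v holds="$1" '
        BEGIN { while ((getline name < holds) > 0) held[name] = 1 }
        $4 == "security" && ($1 in held) { print $1 }'
}

# Constructed sample in the format `apt list --upgradable` prints.
sample_upgradable() {
    cat <<'EOF'
Listing...
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.18 amd64 [upgradable from: 3.0.2-0ubuntu1.15]
nginx/jammy-updates 1.18.0-6ubuntu14.5 all [upgradable from: 1.18.0-6ubuntu14.4]
linux-image-generic/jammy-security 5.15.0.130.128 amd64 [upgradable from: 5.15.0.125.124]
EOF
}

# Demo: nginx and the kernel metapackage are held; only the kernel is security.
holds=$(mktemp)
printf 'nginx\nlinux-image-generic\n' > "$holds"
sample_upgradable | parse_upgradable
sample_upgradable | held_security "$holds"
rm -f "$holds"

# On a real host:
#   apt-mark showhold > holds.txt
#   apt list --upgradable 2>/dev/null | held_security holds.txt
```

Any name this prints is a hold that is currently blocking a security fix and should be reviewed before the maintenance window.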

Prerequisites

Configured APT sources, network access to mirrors, and sudo privileges. Run from a stable shell session: if the upgrade includes openssh-server, do not run it over SSH unless you have first confirmed that a second session works.

Verify

apt list --upgradable 2>/dev/null | grep -c 'upgradable from'
sudo apt upgrade --dry-run 2>&1 | tail -5

After a real upgrade, apt list --upgradable should return few or no entries (except packages you intentionally defer).
