diff --git a/lib/update-lockfile.js b/lib/update-lockfile.js
index f741f3b3..9a975053 100644
--- a/lib/update-lockfile.js
+++ b/lib/update-lockfile.js
@@ -16,7 +16,7 @@ const yarnFlags = {
   'optionalDependencies': ' -O'
 }
 
-module.exports = function updateLockfile (dependency, options) {
+module.exports.updateLockfile = function updateLockfile (dependency, options) {
   if (!options.yarn && semver.lt(exec('npm --version').toString().trim(), '3.0.0')) {
     exec('npm shrinkwrap')
   } else {
@@ -44,7 +44,9 @@ module.exports = function updateLockfile (dependency, options) {
       exec(`${npmBin} install${args}`)
     }
   }
+}
 
+module.exports.commitLockfile = function commitLockfile () {
   const commitEmail = process.env.GK_LOCK_COMMIT_EMAIL ? process.env.GK_LOCK_COMMIT_EMAIL.trim() : 'support@greenkeeper.io'
   const commitName = process.env.GK_LOCK_COMMIT_NAME ? process.env.GK_LOCK_COMMIT_NAME.trim() : 'greenkeeperio-bot'
   const shouldAmend = !_.includes([undefined, `0`, 'false', 'null', 'undefined'], process.env.GK_LOCK_COMMIT_AMEND)
diff --git a/package.json b/package.json
index c834e599..eae26f1f 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,7 @@
     "url": "https://github.com/greenkeeperio/greenkeeper-lockfile/issues"
   },
   "dependencies": {
+    "fast-glob": "^2.2.0",
     "lodash": "^4.17.4",
     "require-relative": "^0.8.7",
     "semver": "^5.3.0"
diff --git a/update.js b/update.js
index f7a7416a..f6992bd0 100755
--- a/update.js
+++ b/update.js
@@ -3,35 +3,19 @@
 'use strict'
 
 const fs = require('fs')
+const path = require('path')
+const process = require('process')
 
 const relative = require('require-relative')
+const fg = require('fast-glob')
 
 const config = require('./lib/config')
 const extractDependency = require('./lib/extract-dependency')
-const updateLockfile = require('./lib/update-lockfile')
+const { updateLockfile, commitLockfile } = require('./lib/update-lockfile')
 const ci = require('./ci-services')
 
 module.exports = function update () {
   const info = ci()
-  const pkg = relative('./package.json')
-
-  const shrinkwrapExists = fs.existsSync('./npm-shrinkwrap.json')
-  const packageLockExists = fs.existsSync('./package-lock.json')
-  const yarnLockExists = fs.existsSync('./yarn.lock')
-
-  if (!(shrinkwrapExists || packageLockExists || yarnLockExists)) {
-    return console.error(
-      'Without either an "npm-shrinkwrap.json", "package-lock.json" or "yarn.lock" file present there is no need to run this script'
-    )
-  }
-
-  if (!info.correctBuild) {
-    return console.error('This build should not update the lockfile. It could be a PR, not a branch build.')
-  }
-
-  if (!info.branchName) {
-    return console.error('No branch details set, so assuming not a Greenkeeper branch')
-  }
 
   // legacy support
   if (config.branchPrefix === 'greenkeeper/' && info.branchName.startsWith('greenkeeper-')) {
@@ -46,17 +30,56 @@ module.exports = function update () {
     return console.error('Only running on first push of a new branch')
   }
 
-  const dependency = extractDependency(pkg, config.branchPrefix, info.branchName)
+  if (!info.correctBuild) {
+    return console.error('This build should not update the lockfile. It could be a PR, not a branch build.')
+  }
 
-  if (!dependency) {
-    return console.error('No dependency changed')
+  if (!info.branchName) {
+    return console.error('No branch details set, so assuming not a Greenkeeper branch')
   }
 
-  updateLockfile(dependency, {
-    yarn: yarnLockExists,
-    npm: packageLockExists || shrinkwrapExists
-  })
+  const allPackageFiles = fg.sync('./**/package.json')
+  const doCommit = allPackageFiles.reduce((didChange, pkgJson) => {
+    const lockfilePath = path.dirname(pkgJson)
+    const previousDir = process.cwd()
+    process.chdir(lockfilePath)
+
+    const pkg = relative('./package.json')
+
+    const shrinkwrapExists = fs.existsSync('./npm-shrinkwrap.json')
+    const packageLockExists = fs.existsSync('./package-lock.json')
+    const yarnLockExists = fs.existsSync('./yarn.lock')
+
+    if (!(shrinkwrapExists || packageLockExists || yarnLockExists)) {
+      console.info(
+        `${pkgJson}: Without either an "npm-shrinkwrap.json", "package-lock.json" or "yarn.lock" file present there is no need to run this script`
+      )
+      process.chdir(previousDir)
+      return didChange
+    }
+
+    const dependency = extractDependency(pkg, config.branchPrefix, info.branchName)
+
+    if (!dependency) {
+      console.error(`${pkgJson}: No dependency changed`)
+      process.chdir(previousDir)
+      return didChange
+    }
+
+    updateLockfile(dependency, {
+      yarn: yarnLockExists,
+      npm: packageLockExists || shrinkwrapExists
+    })
+    process.chdir(previousDir)
+    return true
+  }, false)
+
+  if (doCommit) {
+    commitLockfile()
+  }
 
-  console.log('Lockfile updated')
+  if (process.env.NODE_ENV && process.env.NODE_ENV !== 'test') {
+    console.log('Lockfile updated')
+  }
 }
 if (require.main === module) module.exports()