# update-dependencies
Smart dependency updates across ecosystems (npm/bun/pnpm, uv/poetry, cargo). Use when upgrading dependencies, fixing vulnerabilities, or performing proactive maintenance. Supports intelligent batching, risk assessment, and outcome tracking for continuous improvement.
Source: fairchild/dotclaude
Install with npx:

```bash
npx skill4agent add fairchild/dotclaude update-dependencies
```

## Dependency Updater
Smart dependency management with security-first prioritization, intelligent batching, and learning from outcomes.
### Ecosystem Detection

First, detect the project's ecosystem:

```bash
# Check for lockfiles (in priority order) and report the first one found.
# A plain `ls ... | head -1` sorts the names alphabetically rather than by
# priority, so walk the list explicitly instead.
for f in bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock; do
  [ -f "$f" ] && { echo "$f"; break; }
done
```

| Lockfile | Ecosystem | Reference |
|---|---|---|
| bun.lock / bun.lockb | npm (bun) | npm.md |
| pnpm-lock.yaml | npm (pnpm) | npm.md |
| package-lock.json | npm | npm.md |
| uv.lock | Python (uv) | python.md |
| poetry.lock | Python (poetry) | python.md |
| Cargo.lock | Rust | cargo.md |

Load the appropriate ecosystem reference for detailed commands.
### Workflow

#### Phase 1: Security Audit

Run the security check first. Security issues always take priority.
See the ecosystem reference for the specific audit command.

Categorize by severity:

- Critical/High: fix immediately, in its own PR
- Moderate/Low: batch with related updates
#### Phase 2: Outdated Analysis

Check for outdated dependencies.

Categorize by update type:

- Patch (x.y.Z): usually safe, batch together
- Minor (x.Y.z): review changelog, usually safe
- Major (X.y.z): individual review required
#### Phase 3: Check History

Before major updates, check whether this package has been updated before:

```bash
grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl
```

Learn from past outcomes:

- Did it require migration?
- Any gotchas noted?
#### Phase 4: Risk Assessment

For packages with major bumps or unknown risk, fetch changelogs.
Score each update 1-5. See risk-assessment.md for guidelines.
#### Phase 5: Smart Grouping

Group related packages together. See grouping-strategies.md for patterns.

Priority order:

- Security fixes (own group, merge first)
- Ecosystem batches (related packages together)
- Low-risk patches (all together)
- Individual major updates
#### Phase 6: Execute Updates

For each group:

- Create branch: `deps/<group-name>-$(date +%Y%m%d)`
- Apply updates (see ecosystem reference)
- Run tests
- If tests fail: identify the problematic package, exclude it, continue
#### Phase 7: Create PR

Use the format from pr-format.md.

```bash
git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
# PR body (in the pr-format.md format) is read from stdin
gh pr create --title "deps: <type> update <group-name>" --body-file -
```

#### Phase 8: Log Outcome
After the PR is merged (or if the update fails), log the outcome:

```bash
bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts
```

The script will:

- Pre-fill: date, project, ecosystem, packages, versions
- Prompt for: outcome (success/failed/required_migration) and notes
- Append to `~/.claude/skills/update-dependencies/data/outcomes.jsonl`
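As an added example that is not part of the fairchild/dotclaude skill, the Phase 3 history check and the Phase 8 record layout in TypeScript (runnable with bun, like the skill's own scripts): it parses `outcomes.jsonl` lines, whose field names are taken from what `log-outcome.ts` pre-fills and prompts for but whose exact shape is assumed here, and reports whether a package previously failed or required a migration, surfacing the notes as gotchas. The sample log is constructed.

```typescript
// Added example, not the skill's own code. The record shape is assumed from the
// fields log-outcome.ts pre-fills and prompts for; the sample log is constructed.
type Outcome = "success" | "failed" | "required_migration";

interface OutcomeRecord {
  date: string;                                   // when the update was attempted
  project: string;
  ecosystem: string;                              // npm | python | cargo
  packages: string[];                             // packages in the update group
  versions: Record<string, { from: string; to: string }>;
  outcome: Outcome;
  notes?: string;                                 // free-text gotchas
}

// Parse JSONL; blank or malformed lines are skipped so one bad record never hides the rest.
function parseOutcomes(jsonl: string): OutcomeRecord[] {
  const records: OutcomeRecord[] = [];
  for (const line of jsonl.split("\n")) {
    if (!line.trim()) continue;
    try {
      const rec = JSON.parse(line) as OutcomeRecord;
      if (Array.isArray(rec.packages) && typeof rec.outcome === "string") records.push(rec);
    } catch {
      /* malformed line: ignore */
    }
  }
  return records;
}

interface History { attempts: number; failures: number; migrations: number; gotchas: string[] }

// Summarise past attempts for one package: did it fail or need a migration, and what was noted?
function packageHistory(records: OutcomeRecord[], pkg: string): History {
  const h: History = { attempts: 0, failures: 0, migrations: 0, gotchas: [] };
  for (const r of records) {
    if (!r.packages.includes(pkg)) continue;
    h.attempts++;
    if (r.outcome === "failed") h.failures++;
    if (r.outcome === "required_migration") h.migrations++;
    if (r.outcome !== "success" && r.notes) h.gotchas.push(`${r.date}: ${r.notes}`);
  }
  return h;
}

// Constructed sample log: two attempts on "example-lib", one malformed line, one unrelated record.
const SAMPLE_JSONL = [
  '{"date":"2025-01-10","project":"api","ecosystem":"npm","packages":["example-lib","other-lib"],"versions":{"example-lib":{"from":"1.4.0","to":"1.5.0"}},"outcome":"success"}',
  '{"date":"2025-03-02","project":"api","ecosystem":"npm","packages":["example-lib"],"versions":{"example-lib":{"from":"1.5.0","to":"2.0.0"}},"outcome":"required_migration","notes":"default export removed; switch to named imports"}',
  "{not json",
  '{"date":"2025-04-15","project":"web","ecosystem":"npm","packages":["build-tool"],"versions":{},"outcome":"failed","notes":"plugin API changed"}',
].join("\n");

console.log(packageHistory(parseOutcomes(SAMPLE_JSONL), "example-lib"));
```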
### Command Options

When invoked via `/update-dependencies`:

| Option | Effect |
|---|---|
| | Only fix security vulnerabilities |
| `plan` | Enter plan mode: analyze and design the update strategy for approval |
| | Include major version updates |
| | Update a specific ecosystem group |
| | Show past outcomes for the packages being updated |
### Quick Start

```bash
# Run the analyzer first
bun ~/.claude/skills/update-dependencies/scripts/analyze.ts
# Or invoke the skill
/update-dependencies plan   # Analyze and plan
/update-dependencies        # Full execution
```

### Error Recovery
If an update fails partway:

- If the commit succeeded but the push failed: `git push -u origin HEAD`
- If tests fail: identify the problematic package, exclude it, retry
- If PR creation failed: `gh pr create ...`