Dependency Updater
Smart dependency management for any language with automatic detection and safe updates.
Quick Start
The skill auto-detects your project type and handles the rest.
Triggers
| Trigger | Example |
|---|
| Update dependencies | "update dependencies", "update deps" |
| Check outdated | "check for outdated packages" |
| Fix dependency issues | "fix my dependency problems" |
| Security audit | "audit dependencies for vulnerabilities" |
| Diagnose deps | "diagnose dependency issues" |
Supported Languages
| Language | Package File | Update Tool | Audit Tool |
|---|
| Node.js | package.json | | |
| Python | requirements.txt, pyproject.toml | | , |
| Go | go.mod | | |
| Rust | Cargo.toml | | |
| Ruby | Gemfile | | |
| Java | pom.xml, build.gradle | | |
| .NET | *.csproj | | dotnet list package --vulnerable
|
Quick Reference
| Update Type | Version Change | Action |
|---|
| Fixed | No or | Skip (intentionally pinned) |
| PATCH | → | Auto-apply |
| MINOR | → | Auto-apply |
| MAJOR | → | Prompt user individually |
Workflow
User Request
│
▼
┌─────────────────────────────────────────────────────┐
│ Step 1: DETECT PROJECT TYPE │
│ • Scan for package files (package.json, go.mod...) │
│ • Identify package manager │
├─────────────────────────────────────────────────────┤
│ Step 2: CHECK PREREQUISITES │
│ • Verify required tools are installed │
│ • Suggest installation if missing │
├─────────────────────────────────────────────────────┤
│ Step 3: SCAN FOR UPDATES │
│ • Run language-specific outdated check │
│ • Categorize: MAJOR / MINOR / PATCH / Fixed │
├─────────────────────────────────────────────────────┤
│ Step 4: AUTO-APPLY SAFE UPDATES │
│ • Apply MINOR and PATCH automatically │
│ • Report what was updated │
├─────────────────────────────────────────────────────┤
│ Step 5: PROMPT FOR MAJOR UPDATES │
│ • AskUserQuestion for each MAJOR update │
│ • Show current → new version │
├─────────────────────────────────────────────────────┤
│ Step 6: APPLY APPROVED MAJORS │
│ • Update only approved packages │
├─────────────────────────────────────────────────────┤
│ Step 7: FINALIZE │
│ • Run install command │
│ • Run security audit │
└─────────────────────────────────────────────────────┘
Commands by Language
Node.js (npm/yarn/pnpm)
bash
# Check prerequisites
scripts/check-tool.sh taze "npm install -g taze"
# Scan for updates
taze
# Apply minor/patch
taze minor --write
# Apply specific majors
taze major --write --include pkg1,pkg2
# Monorepo support
taze -r # recursive
# Security
npm audit
npm audit fix
Python
bash
# Check outdated
pip list --outdated
# Update all (careful!)
pip-review --auto
# Update specific
pip install --upgrade package-name
# Security
pip-audit
safety check
Go
bash
# Check outdated
go list -m -u all
# Update all
go get -u ./...
# Tidy up
go mod tidy
# Security
govulncheck ./...
Rust
bash
# Check outdated
cargo outdated
# Update within semver
cargo update
# Security
cargo audit
Ruby
bash
# Check outdated
bundle outdated
# Update all
bundle update
# Update specific
bundle update --conservative gem-name
# Security
bundle audit
Java (Maven)
bash
# Check outdated
mvn versions:display-dependency-updates
# Update to latest
mvn versions:use-latest-releases
# Security
mvn dependency:tree
mvn dependency-check:check
.NET
bash
# Check outdated
dotnet list package --outdated
# Update specific
dotnet add package PackageName
# Security
dotnet list package --vulnerable
Diagnosis Mode
When dependencies are broken, run diagnosis:
Common Issues & Fixes
| Issue | Symptoms | Fix |
|---|
| Version Conflict | "Cannot resolve dependency tree" | Clean install, use overrides/resolutions |
| Peer Dependency | "Peer dependency not satisfied" | Install required peer version |
| Security Vuln | shows issues | or manual update |
| Unused Deps | Bloated bundle | Run (Node) or equivalent |
| Duplicate Deps | Multiple versions installed | Run or equivalent |
Emergency Fixes
bash
# Node.js - Nuclear reset
rm -rf node_modules package-lock.json
npm cache clean --force
npm install
# Python - Clean virtualenv
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Go - Reset modules
rm go.sum
go mod tidy
Security Audit
Run security checks for any project:
bash
# Node.js
npm audit
npm audit --json | jq '.metadata.vulnerabilities'
# Python
pip-audit
safety check
# Go
govulncheck ./...
# Rust
cargo audit
# Ruby
bundle audit
# .NET
dotnet list package --vulnerable
Severity Response
| Severity | Action |
|---|
| Critical | Fix immediately |
| High | Fix within 24h |
| Moderate | Fix within 1 week |
| Low | Fix in next release |
Anti-Patterns
| Avoid | Why | Instead |
|---|
| Update fixed versions | Intentionally pinned | Skip them |
| Auto-apply MAJOR | Breaking changes | Prompt user |
| Batch MAJOR prompts | Loses context | Prompt individually |
| Skip lock file | Irreproducible builds | Always commit lock files |
| Ignore security alerts | Vulnerabilities | Address by severity |
Verification Checklist
After updates:
<details>
<summary><strong>Deep Dive: Project Detection</strong></summary>
The skill auto-detects project type by scanning for package files:
| File Found | Language | Package Manager |
|---|
| Node.js | npm/yarn/pnpm |
| Python | pip |
| Python | pip/poetry |
| Python | pipenv |
| Go | go modules |
| Rust | cargo |
| Ruby | bundler |
| Java | Maven |
| Java/Kotlin | Gradle |
| .NET | dotnet |
Detection order matters for monorepos:
- Check current directory first
- Then check for workspace/monorepo patterns
- Offer to run recursively if applicable
</details>
<details>
<summary><strong>Deep Dive: Node.js with taze</strong></summary>
Prerequisites
bash
# Install taze globally (recommended)
npm install -g taze
# Or use npx
npx taze
Smart Update Flow
bash
# 1. Scan all updates
taze
# 2. Apply safe updates (minor + patch)
taze minor --write
# 3. For each major, prompt user:
# "Update @types/node from ^20.0.0 to ^22.0.0?"
# If yes, add to approved list
# 4. Apply approved majors
taze major --write --include approved-pkg1,approved-pkg2
# 5. Install
npm install # or pnpm install / yarn
Auto-Approve List
Some packages have frequent major bumps but are backward-compatible:
| Package | Reason |
|---|
| Icon library, majors are additive |
| Type definitions, usually safe |
</details>
<details>
<summary><strong>Deep Dive: Version Strategies</strong></summary>
Semantic Versioning
MAJOR.MINOR.PATCH (e.g., 2.3.1)
MAJOR: Breaking changes - requires code changes
MINOR: New features - backward compatible
PATCH: Bug fixes - backward compatible
Range Specifiers
| Specifier | Meaning | Example |
|---|
| Minor + Patch OK | |
| Patch only | |
| Exact (fixed) | Only |
| At least | Any |
| Any | Latest (dangerous) |
Recommended Strategy
json
{
"dependencies": {
"critical-lib": "1.2.3", // Exact for critical
"stable-lib": "~1.2.3", // Patch only for stable
"modern-lib": "^1.2.3" // Minor OK for active
}
}
</details>
<details>
<summary><strong>Deep Dive: Conflict Resolution</strong></summary>
Node.js Conflicts
Diagnosis:
bash
npm ls package-name # See dependency tree
npm explain package-name # Why installed
yarn why package-name # Yarn equivalent
Resolution with overrides:
json
// package.json
{
"overrides": {
"lodash": "^4.18.0"
}
}
Resolution with resolutions (Yarn):
json
{
"resolutions": {
"lodash": "^4.18.0"
}
}
Python Conflicts
Diagnosis:
bash
pip check
pipdeptree -p package-name
Resolution:
bash
# Use virtual environment
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Or use constraints
pip install -c constraints.txt -r requirements.txt
</details>
Script Reference
| Script | Purpose |
|---|
| Verify tool is installed |
| Run taze with proper flags |
Related Tools