Opensrc Inspect
Use this skill when source-level dependency inspection materially changes the answer. Prefer docs and types first; pull source when behavior, migration risk, or internal implementation details matter.
Core Workflow
- Read the repo
AGENTS.mdand inspect the repo's manifests and lockfiles. - Use the global
opensrcbinary when available. Fall back tobunx opensrconly if the binary is unavailable. - Use
opensrc fetchwhen the goal is cache-only prep for CI, scripts, or multi-package warmup:opensrc fetch --cwd <repo-root> zod react nextopensrc fetch <pkg>@<current_version> <pkg>@<target_version>
- Use
opensrc pathfor actual inspection, composition, and diffs:rg "pattern" $(opensrc path zod)cat $(opensrc path zod)/src/types.tsfind $(opensrc path pypi:requests) -name "*.py"git diff --no-index "$(opensrc path <pkg>@<current_version>)" "$(opensrc path <pkg>@<target_version>)"
- Cite exact versions and local paths when source evidence affects the recommendation.
- Use web/docs sources for release notes, API references, and changelogs; use opensrc for implementation internals and source diffs.
- If
/home/bjorn/.codex/skill-support/bin/deps-workbenchexists and the task is an npm/Bun dependency upgrade, use it as the fast prep layer before the deeper source reasoning:deps-workbench upgrade-prep --cwd <repo-root> --package <pkg> --out <tmp.json>deps-workbench report --input <tmp.json> --format md
Version Resolution Guardrails
opensrc0.7.x caches globally at~/.opensrc/and keys cache entries by resolved version or ref. The global cache is not the main risk.- The real risk is incorrect version resolution before fetch.
opensrc0.7.2 improved pnpm workspace and Yarn workspace/protocol handling, but you still need to verify the resolved version before trusting it.- For npm-family packages, current upstream code checks:
node_modules/<pkg>/package.jsonpackage-lock.jsonpnpm-lock.yamlyarn.lockpackage.json
- In Bun repos, use the workspace root as
--cwdby default. Ifnode_modulesis stale, opensrc can resolve a stale installed version first. - Verify the resolved version from the returned path before trusting it.
- For upgrade work or any ambiguity, pin versions explicitly:
opensrc path pkg@current_versionopensrc path pkg@target_version
Cache and Specs
- Source is cached globally in
~/.opensrc/.OPENSRC_HOMEoverrides the cache root. - Metadata lives in
~/.opensrc/sources.json, not in the project. - Use current spec forms only:
- npm:
zodwith accepted aliasnpm:zod - PyPI:
pypi:requestswith accepted aliasespip:requests,python:requests - crates.io:
crates:serdewith accepted aliasescargo:serde,rust:serde - repos:
owner/repo,github:owner/repo,gitlab:owner/repo,bitbucket:owner/repo, or full URLs - pinned refs:
owner/repo@tag,owner/repo#branch,pkg@version
- npm:
- Private repo auth uses
GITHUB_TOKEN,GITLAB_TOKEN, andBITBUCKET_TOKEN.
Prefer fetch vs path
- Use
opensrc fetchwhen you want deterministic cache warmup without printing paths, especially in CI, prep scripts, or before a multi-version comparison. - Use
opensrc pathwhen the next command needs the resolved filesystem path. - For current-versus-target analysis, prewarming with
fetchis optional; the important rule is that the actual inspection uses explicitly pinned versions.
Load These References When Needed
- Read
references/opensrc-cli-reference.mdwhen you need the exact modern CLI surface, cache model, supported spec forms and aliases, auth env vars, or release deltas. - Read
references/dependency-upgrade-audit.mdwhen the task is a package upgrade, current-versus-target comparison, migration audit, or hard-cut removal of obsolete package integrations. - Use the shared helper only to gather fast inventory, Bun signals, usage hits, and current/target opensrc paths. Keep the actual migration reasoning with the model.
Do Not Use This Skill For
- broad web research that does not require source inspection
- release-note summaries where docs alone answer the question
- simple API usage questions that types and official docs already resolve
Outputs
- resolved current and target versions
- exact local source paths used for analysis
- concise note on whether source inspection changed the conclusion
- for upgrade work, a hard-cut migration brief with obsolete code to remove