Dependency Updater Skill

Dependency Updater

Smart dependency management for any language with automatic detection and safe updates.

Quick Start

update my dependencies

The skill auto-detects your project type and handles the rest.

Triggers

| Trigger | Example | |---------|---------| | Update dependencies | "update dependencies", "update deps" | | Check outdated | "check for outdated packages" | | Fix dependency issues | "fix my dependency problems" | | Security audit | "audit dependencies for vulnerabilities" | | Diagnose deps | "diagnose dependency issues" |

Supported Languages

| Language | Package File | Update Tool | Audit Tool | |----------|--------------|-------------|------------| | Node.js | package.json | taze | npm audit | | Python | requirements.txt, pyproject.toml | pip-review | safety, pip-audit | | Go | go.mod | go get -u | govulncheck | | Rust | Cargo.toml | cargo update | cargo audit | | Ruby | Gemfile | bundle update | bundle audit | | Java | pom.xml, build.gradle | mvn versions:* | mvn dependency:* | | .NET | *.csproj | dotnet outdated | dotnet list package --vulnerable |

Quick Reference

| Update Type | Version Change | Action | |-------------|----------------|--------| | Fixed | No ^ or ~ | Skip (intentionally pinned) | | PATCH | x.y.z → x.y.Z | Auto-apply | | MINOR | x.y.z → x.Y.0 | Auto-apply | | MAJOR | x.y.z → X.0.0 | Prompt user individually |

Workflow

User Request
    │
    ▼
┌─────────────────────────────────────────────────────┐
│ Step 1: DETECT PROJECT TYPE                         │
│ • Scan for package files (package.json, go.mod...) │
│ • Identify package manager                          │
├─────────────────────────────────────────────────────┤
│ Step 2: CHECK PREREQUISITES                         │
│ • Verify required tools are installed               │
│ • Suggest installation if missing                   │
├─────────────────────────────────────────────────────┤
│ Step 3: SCAN FOR UPDATES                            │
│ • Run language-specific outdated check              │
│ • Categorize: MAJOR / MINOR / PATCH / Fixed         │
├─────────────────────────────────────────────────────┤
│ Step 4: AUTO-APPLY SAFE UPDATES                     │
│ • Apply MINOR and PATCH automatically               │
│ • Report what was updated                           │
├─────────────────────────────────────────────────────┤
│ Step 5: PROMPT FOR MAJOR UPDATES                    │
│ • AskUserQuestion for each MAJOR update             │
│ • Show current → new version                        │
├─────────────────────────────────────────────────────┤
│ Step 6: APPLY APPROVED MAJORS                       │
│ • Update only approved packages                     │
├─────────────────────────────────────────────────────┤
│ Step 7: FINALIZE                                    │
│ • Run install command                               │
│ • Run security audit                                │
└─────────────────────────────────────────────────────┘

Commands by Language

Node.js (npm/yarn/pnpm)

# Check prerequisites
scripts/check-tool.sh taze "npm install -g taze"

# Scan for updates
taze

# Apply minor/patch
taze minor --write

# Apply specific majors
taze major --write --include pkg1,pkg2

# Monorepo support
taze -r  # recursive

# Security
npm audit
npm audit fix

Python

# Check outdated
pip list --outdated

# Update all (careful!)
pip-review --auto

# Update specific
pip install --upgrade package-name

# Security
pip-audit
safety check

Go

# Check outdated
go list -m -u all

# Update all
go get -u ./...

# Tidy up
go mod tidy

# Security
govulncheck ./...

Rust

# Check outdated
cargo outdated

# Update within semver
cargo update

# Security
cargo audit

Ruby

# Check outdated
bundle outdated

# Update all
bundle update

# Update specific
bundle update --conservative gem-name

# Security
bundle audit

Java (Maven)

# Check outdated
mvn versions:display-dependency-updates

# Update to latest
mvn versions:use-latest-releases

# Security
mvn dependency:tree
mvn dependency-check:check

.NET

# Check outdated
dotnet list package --outdated

# Update specific
dotnet add package PackageName

# Security
dotnet list package --vulnerable

Diagnosis Mode

When dependencies are broken, run diagnosis:

Common Issues & Fixes

| Issue | Symptoms | Fix | |-------|----------|-----| | Version Conflict | "Cannot resolve dependency tree" | Clean install, use overrides/resolutions | | Peer Dependency | "Peer dependency not satisfied" | Install required peer version | | Security Vuln | npm audit shows issues | npm audit fix or manual update | | Unused Deps | Bloated bundle | Run depcheck (Node) or equivalent | | Duplicate Deps | Multiple versions installed | Run npm dedupe or equivalent |

Emergency Fixes

# Node.js - Nuclear reset
rm -rf node_modules package-lock.json
npm cache clean --force
npm install

# Python - Clean virtualenv
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Go - Reset modules
rm go.sum
go mod tidy

Security Audit

Run security checks for any project:

# Node.js
npm audit
npm audit --json | jq '.metadata.vulnerabilities'

# Python
pip-audit
safety check

# Go
govulncheck ./...

# Rust
cargo audit

# Ruby
bundle audit

# .NET
dotnet list package --vulnerable

Severity Response

| Severity | Action | |----------|--------| | Critical | Fix immediately | | High | Fix within 24h | | Moderate | Fix within 1 week | | Low | Fix in next release |

Anti-Patterns

| Avoid | Why | Instead | |-------|-----|---------| | Update fixed versions | Intentionally pinned | Skip them | | Auto-apply MAJOR | Breaking changes | Prompt user | | Batch MAJOR prompts | Loses context | Prompt individually | | Skip lock file | Irreproducible builds | Always commit lock files | | Ignore security alerts | Vulnerabilities | Address by severity |

Verification Checklist

After updates:

[ ] Updates scanned without errors
[ ] MINOR/PATCH auto-applied
[ ] MAJOR updates prompted individually
[ ] Fixed versions untouched
[ ] Lock file updated
[ ] Install command ran
[ ] Security audit passed (or issues noted)

<details> <summary>Deep Dive: Project Detection</summary>

The skill auto-detects project type by scanning for package files:

| File Found | Language | Package Manager | |------------|----------|-----------------| | package.json | Node.js | npm/yarn/pnpm | | requirements.txt | Python | pip | | pyproject.toml | Python | pip/poetry | | Pipfile | Python | pipenv | | go.mod | Go | go modules | | Cargo.toml | Rust | cargo | | Gemfile | Ruby | bundler | | pom.xml | Java | Maven | | build.gradle | Java/Kotlin | Gradle | | *.csproj | .NET | dotnet |

Detection order matters for monorepos:

Check current directory first
Then check for workspace/monorepo patterns
Offer to run recursively if applicable

</details> <details> <summary>Deep Dive: Node.js with taze</summary>

Prerequisites

# Install taze globally (recommended)
npm install -g taze

# Or use npx
npx taze

Smart Update Flow

# 1. Scan all updates
taze

# 2. Apply safe updates (minor + patch)
taze minor --write

# 3. For each major, prompt user:
#    "Update @types/node from ^20.0.0 to ^22.0.0?"
#    If yes, add to approved list

# 4. Apply approved majors
taze major --write --include approved-pkg1,approved-pkg2

# 5. Install
npm install  # or pnpm install / yarn

Auto-Approve List

Some packages have frequent major bumps but are backward-compatible:

| Package | Reason | |---------|--------| | lucide-react | Icon library, majors are additive | | @types/* | Type definitions, usually safe |

</details> <details> <summary>Deep Dive: Version Strategies</summary>

Semantic Versioning

MAJOR.MINOR.PATCH (e.g., 2.3.1)

MAJOR: Breaking changes - requires code changes
MINOR: New features - backward compatible
PATCH: Bug fixes - backward compatible

Range Specifiers

| Specifier | Meaning | Example | |-----------|---------|---------| | ^1.2.3 | Minor + Patch OK | >=1.2.3 <2.0.0 | | ~1.2.3 | Patch only | >=1.2.3 <1.3.0 | | 1.2.3 | Exact (fixed) | Only 1.2.3 | | >=1.2.3 | At least | Any >=1.2.3 | | * | Any | Latest (dangerous) |

Recommended Strategy

{
  "dependencies": {
    "critical-lib": "1.2.3",      // Exact for critical
    "stable-lib": "~1.2.3",       // Patch only for stable
    "modern-lib": "^1.2.3"        // Minor OK for active
  }
}

</details> <details> <summary>Deep Dive: Conflict Resolution</summary>

Node.js Conflicts

Diagnosis:

npm ls package-name      # See dependency tree
npm explain package-name # Why installed
yarn why package-name    # Yarn equivalent

Resolution with overrides:

// package.json
{
  "overrides": {
    "lodash": "^4.18.0"
  }
}

Resolution with resolutions (Yarn):

{
  "resolutions": {
    "lodash": "^4.18.0"
  }
}

Python Conflicts

Diagnosis:

pip check
pipdeptree -p package-name

Resolution:

# Use virtual environment
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Or use constraints
pip install -c constraints.txt -r requirements.txt

</details>

Script Reference

| Script | Purpose | |--------|---------| | scripts/check-tool.sh | Verify tool is installed | | scripts/run-taze.sh | Run taze with proper flags |

Related Tools

| Tool | Language | Purpose | |------|----------|---------| | taze | Node.js | Smart dependency updates | | npm-check-updates | Node.js | Alternative to taze | | pip-review | Python | Interactive pip updates | | cargo-edit | Rust | Cargo dependency management | | bundler-audit | Ruby | Security auditing |

Agent Skills: Dependency Updater

Install this agent skill to your local

Skill Files