AgentSkillsCN

update-dependencies

智能地跨生态系统(npm/bun/pnpm、uv/poetry、cargo)更新依赖项。适用于升级依赖、修复漏洞,或开展主动式维护。支持智能分批处理、风险评估与结果追踪,助力持续改进。

SKILL.md
--- frontmatter
name: update-dependencies
description: |
  Smart dependency updates across ecosystems (npm/bun/pnpm, uv/poetry, cargo). Use when upgrading dependencies, fixing vulnerabilities, or performing proactive maintenance. Supports intelligent batching, risk assessment, and outcome tracking for continuous improvement.
license: Apache-2.0

Dependency Updater

Smart dependency management with security-first prioritization, intelligent batching, and learning from outcomes.

Ecosystem Detection

First, detect the project's ecosystem:

bash
# Check for lockfiles (in priority order)
ls bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock 2>/dev/null | head -1
LockfileEcosystemReference
bun.lock / bun.lockbnpm (bun)npm.md
pnpm-lock.yamlnpm (pnpm)npm.md
package-lock.jsonnpmnpm.md
uv.lockPython (uv)python.md
poetry.lockPython (poetry)python.md
Cargo.lockRustcargo.md

Load the appropriate ecosystem reference for detailed commands.


Workflow

Phase 1: Security Audit

Run security check first. Security issues always take priority.

See ecosystem reference for specific audit command.

Categorize by severity:

  • Critical/High: Fix immediately, own PR
  • Moderate/Low: Batch with related updates

Phase 2: Outdated Analysis

Check for outdated dependencies.

Categorize by update type:

  • Patch (x.y.Z): Usually safe, batch together
  • Minor (x.Y.z): Review changelog, usually safe
  • Major (X.y.z): Individual review required

Phase 3: Check History

Before major updates, check if we've updated this package before:

bash
grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl

Learn from past outcomes:

  • Did it require migration?
  • Any gotchas noted?

Phase 4: Risk Assessment

For packages with major bumps or unknown risk, fetch changelogs.

Score each update 1-5. See risk-assessment.md for guidelines.

Phase 5: Smart Grouping

Group related packages together. See grouping-strategies.md for patterns.

Priority order:

  1. Security fixes (own group, merge first)
  2. Ecosystem batches (related packages together)
  3. Low-risk patches (all together)
  4. Individual major updates

Phase 6: Execute Updates

For each group:

  1. Create branch: deps/<group-name>-$(date +%Y%m%d)
  2. Apply updates (see ecosystem reference)
  3. Run tests
  4. If tests fail: identify problematic package, exclude, continue

Phase 7: Create PR

Use format from pr-format.md.

bash
git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
gh pr create --title "deps: <type> update <group-name>" --body-file -

Phase 8: Log Outcome

After PR is merged (or if update fails), log the outcome:

bash
bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts

The script will:

  1. Pre-fill: date, project, ecosystem, packages, versions
  2. Prompt for: outcome (success/failed/required_migration) and notes
  3. Append to ~/.claude/skills/update-dependencies/data/outcomes.jsonl

Command Options

When invoked via /update-dependencies:

OptionEffect
security onlyOnly fix security vulnerabilities
planEnter plan mode - analyze and design update strategy for approval
majorInclude major version updates
group <name>Update specific ecosystem group
--check-historyShow past outcomes for packages being updated

Quick Start

bash
# Run the analyzer first
bun ~/.claude/skills/update-dependencies/scripts/analyze.ts

# Or invoke the skill
/update-dependencies plan    # Analyze and plan
/update-dependencies         # Full execution

Error Recovery

If update fails partway:

  • If commit succeeded but push failed → git push -u origin HEAD
  • If tests fail → identify problematic package, exclude, retry
  • If PR creation failed → gh pr create ...