# /upkeep-deps

Upgrade JavaScript/TypeScript dependencies with intelligent risk assessment.

## Overview

This skill helps you upgrade dependencies safely by:

- Identifying outdated packages and pending Dependabot PRs
- Assessing the risk of each upgrade
- Executing upgrades with proper testing
- Rolling back if tests fail
## Git Workflow Defaults

IMPORTANT: Always follow these defaults unless the user explicitly requests otherwise:

- **Work in a branch** - Never commit directly to main. Create a feature branch:

  ```bash
  git checkout -b deps/update-packages
  ```

- **Handle Dependabot PRs in main** - Merge existing Dependabot PRs to main first (they're already in PRs), then switch to a feature branch for additional updates.

- **Create a PR** - After committing changes, create a pull request:

  ```bash
  gh pr create --title "chore: update dependencies" --body "## Summary
  - Updated X packages
  - Fixed Y vulnerabilities

  ## Changes
  [list changes]"
  ```

- **No attribution** - Do NOT include any of these in commits or PRs:
  - `Co-Authored-By: Claude` or any Claude attribution
  - `🤖 Generated with Claude Code` or similar footers
  - Any AI/assistant attribution or emoji markers
## Prerequisites

- `./bin/upkeep` binary must be available in this skill's directory
- `gh` CLI for Dependabot PR integration (optional but recommended)
## Workflow

### Step 1: Detect Project Configuration

```bash
./bin/upkeep detect --json
```

This tells you:

- Which package manager to use (npm, yarn, pnpm, bun)
- What test runner is configured
- Whether TypeScript/linting is set up

### Step 2: Check for Dependabot PRs (if gh CLI available)

```bash
./bin/upkeep dependabot --json
```

Dependabot PRs are pre-tested and often the safest to merge first.

### Step 3: Get Outdated Packages

```bash
./bin/upkeep deps --json
```

This returns all outdated packages categorized by update type (major/minor/patch).
### Step 4: Prioritize Upgrades

Present upgrades to the user in this priority order:

1. **Dependabot PRs** - Already have PRs ready, checks may be passing
2. **Security fixes** - Check `./bin/upkeep audit --json` for vulnerabilities
3. **Patch updates** - Lowest risk, bug fixes only
4. **Minor updates** - New features, should be backward compatible
5. **Major updates** - Breaking changes, highest risk
### Step 5: For Each Upgrade

Before upgrading, assess the risk:

```bash
./bin/upkeep risk <package> --json
```

This analyzes:

- How many files use the package
- Whether it's used in critical paths (API routes, auth)
- Test coverage of affected files

Then show the user the risk assessment and ask for confirmation.
### Step 6: Execute Upgrade

Use the detected package manager:

- npm: `npm update <package>` or `npm install <package>@latest`
- yarn: `yarn upgrade <package>`
- pnpm: `pnpm update <package>`
- bun: `bun update <package>`

For major upgrades, use an explicit version:

```bash
<pm> install <package>@<version>
```
### Step 7: Verify

- Run tests: `<pm> test`
- Run linter: `<pm> lint` or check with the detected linter
- Run type check if TypeScript: `<pm> typecheck` or `tsc --noEmit`
### Step 8: Handle Results

If tests pass:

- Summarize changes made
- Offer to commit (if user wants)

If tests fail:

- Show test output
- Analyze failures - are they related to the upgrade?
- Offer to roll back: `git checkout package.json <lockfile>`
- Suggest fixes if obvious
## Example Session

User: "Update my dependencies"

1. Run `./bin/upkeep detect --json` to understand the project
2. Run `./bin/upkeep deps --json` to see what's outdated
3. Run `./bin/upkeep audit --json` to check for security issues
4. Present a prioritized list to the user
5. For approved upgrades, run risk assessment and execute
6. Test after each upgrade
7. Summarize all changes at the end
## Batch Upgrades

For low-risk upgrades (patches with good test coverage), offer to batch them:

```bash
<pm> update  # Updates all packages to the latest version within their semver range
```

Only do this if:

- All updates are patch level
- Risk scores are all "low"
- User confirms
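As an added example (not part of the upkeep skill or its `./bin/upkeep` binary), the POSIX shell helpers below implement the rules from Step 4, Step 7/8 and this batch gate: a semver bump classifier, a prioritizer that orders a package list the way Step 4 prescribes, a batch-eligibility check that enforces the three conditions above, and a verification gate that stops at the first failing check so a rollback can follow. The four-column line format and the sample package list are constructed stand-ins for what `upkeep deps`, `upkeep audit` and `upkeep risk` would report as JSON.

```shell
#!/bin/sh
# Added example: helpers for the upkeep-deps workflow, written in POSIX sh.
# Not the skill's own code. Input lines are "name current latest risk [vulnerable]",
# a constructed stand-in for the --json output of ./bin/upkeep deps/audit/risk.

# Classify the jump between two semver strings as major, minor, patch or none.
# A leading "v" and any pre-release/build suffix are stripped first.
# Caveat: 0.x caret semantics (where a minor bump may break) are not modelled.
semver_bump() {
  old=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
  new=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
  o1=${old%%.*}; rest=${old#*.}; o2=${rest%%.*}; o3=${rest#*.}
  n1=${new%%.*}; rest=${new#*.}; n2=${rest%%.*}; n3=${rest#*.}
  if [ "$o1" != "$n1" ]; then echo major
  elif [ "$o2" != "$n2" ]; then echo minor
  elif [ "$o3" != "$n3" ]; then echo patch
  else echo none
  fi
}

# Step 4 ordering: security fixes first, then patch, minor, major.
# Reads package lines on stdin and prints "rank category name current latest risk",
# highest priority first. (Dependabot PRs are handled on main in Step 2, before this.)
prioritize() {
  while read -r name cur new risk vuln; do
    [ -z "$name" ] && continue
    bump=$(semver_bump "$cur" "$new")
    [ "$bump" = none ] && continue
    if [ "$vuln" = vulnerable ]; then
      rank=1; cat=security
    else
      cat=$bump
      case "$bump" in patch) rank=2 ;; minor) rank=3 ;; major) rank=4 ;; esac
    fi
    printf '%s %s %s %s %s %s\n' "$rank" "$cat" "$name" "$cur" "$new" "$risk"
  done | sort -n -k1,1
}

# Batch gate: returns 0 only when every update is patch-level and rated "low".
# The user's confirmation is the third condition and stays a manual step.
batch_eligible() {
  while read -r name cur new risk vuln; do
    [ -z "$name" ] && continue
    [ "$(semver_bump "$cur" "$new")" = patch ] || return 1
    [ "$risk" = low ] || return 1
  done
  return 0
}

# Step 7 gate: run each check command in order (e.g. "npm test" "npm run lint"
# "tsc --noEmit") and stop at the first failure. Returns 0 only if all pass.
verify_upgrade() {
  for cmd in "$@"; do
    if ! sh -c "$cmd"; then
      echo "FAILED: $cmd" >&2
      return 1
    fi
  done
  return 0
}

# Step 8 rollback: restore the manifest and the given lockfile from HEAD.
rollback_manifest() {
  git checkout -- package.json "$1"
}

# Constructed sample of outdated packages with their risk scores; "vulnerable"
# marks a package that `upkeep audit` would have flagged.
SAMPLE='lodash 4.17.20 4.17.21 low vulnerable
react 17.0.2 18.2.0 high
typescript 5.3.2 5.3.3 low
eslint 8.56.0 8.57.0 medium'

printf '%s\n' "$SAMPLE" | prioritize
if printf '%s\n' "$SAMPLE" | batch_eligible; then
  echo "batch: eligible"
else
  echo "batch: not eligible (non-patch or non-low-risk updates present)"
fi
```

On real data, convert the `--json` output into the four-column line format (for example with `jq`) before piping it into `prioritize` or `batch_eligible`. A typical loop is: for each line in priority order, upgrade the package, call `verify_upgrade` with the project's test, lint and typecheck commands, and call `rollback_manifest <lockfile>` if it returns non-zero, which is exactly the Step 8 path.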
## Commands Reference

| Command | Purpose |
|---|---|
| `./bin/upkeep detect` | Detect project configuration |
| `./bin/upkeep deps` | List outdated packages |
| `./bin/upkeep audit` | Security vulnerability scan |
| `./bin/upkeep imports <pkg>` | Find where package is used |
| `./bin/upkeep risk <pkg>` | Assess upgrade risk |
| `./bin/upkeep dependabot` | List Dependabot PRs |