Dependency Updater
Smart dependency management with security-first prioritization, intelligent batching, and learning from outcomes.
Ecosystem Detection
First, detect the project's ecosystem:
# Check for lockfiles (in priority order)
ls bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock 2>/dev/null | head -1
| Lockfile | Ecosystem | Reference |
|---|---|---|
bun.lock / bun.lockb | npm (bun) | npm.md |
pnpm-lock.yaml | npm (pnpm) | npm.md |
package-lock.json | npm | npm.md |
uv.lock | Python (uv) | python.md |
poetry.lock | Python (poetry) | python.md |
Cargo.lock | Rust | cargo.md |
Load the appropriate ecosystem reference for detailed commands.
Workflow
Phase 1: Security Audit
Run security check first. Security issues always take priority.
See ecosystem reference for specific audit command.
Categorize by severity:
- Critical/High: Fix immediately, own PR
- Moderate/Low: Batch with related updates
Phase 2: Outdated Analysis
Check for outdated dependencies.
Categorize by update type:
- Patch (x.y.Z): Usually safe, batch together
- Minor (x.Y.z): Review changelog, usually safe
- Major (X.y.z): Individual review required
Phase 3: Check History
Before major updates, check if we've updated this package before:
grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl
Learn from past outcomes:
- Did it require migration?
- Any gotchas noted?
Phase 4: Risk Assessment
For packages with major bumps or unknown risk, fetch changelogs.
Score each update 1-5. See risk-assessment.md for guidelines.
Phase 5: Smart Grouping
Group related packages together. See grouping-strategies.md for patterns.
Priority order:
- Security fixes (own group, merge first)
- Ecosystem batches (related packages together)
- Low-risk patches (all together)
- Individual major updates
Phase 6: Execute Updates
For each group:
- Create branch:
deps/<group-name>-$(date +%Y%m%d) - Apply updates (see ecosystem reference)
- Run tests
- If tests fail: identify problematic package, exclude, continue
Phase 7: Create PR
Use format from pr-format.md.
git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
gh pr create --title "deps: <type> update <group-name>" --body-file -
Phase 8: Log Outcome
After PR is merged (or if update fails), log the outcome:
bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts
The script will:
- Pre-fill: date, project, ecosystem, packages, versions
- Prompt for: outcome (success/failed/required_migration) and notes
- Append to
~/.claude/skills/update-dependencies/data/outcomes.jsonl
Command Options
When invoked via /update-dependencies:
| Option | Effect |
|---|---|
security only | Only fix security vulnerabilities |
plan | Enter plan mode - analyze and design update strategy for approval |
major | Include major version updates |
group <name> | Update specific ecosystem group |
--check-history | Show past outcomes for packages being updated |
Quick Start
# Run the analyzer first
bun ~/.claude/skills/update-dependencies/scripts/analyze.ts
# Or invoke the skill
/update-dependencies plan # Analyze and plan
/update-dependencies # Full execution
Error Recovery
If update fails partway:
- If commit succeeded but push failed →
git push -u origin HEAD - If tests fail → identify problematic package, exclude, retry
- If PR creation failed →
gh pr create ...