Dependency Update Manager
Analyzes project dependencies, identifies outdated or vulnerable packages, and creates organized PRs to update them safely.
🎯 Use Case Demo
Scenario: Monthly Dependency Maintenance
Before (Manual Process):
Developer spends Friday afternoon on dependency updates:
- Run
dotnet list package --outdated- copy results somewhere- Research each package: breaking changes? security fixes?
- Update one by one, hoping nothing breaks
- Run tests, find something broke
- Debug for 2 hours
- Give up on some updates, leave for "later"
Time: 4-6 hours, often incomplete
After (With This Skill):
Developer: "Check for dependency updates and create PRs"
Agent Response:
📦 DEPENDENCY UPDATE REPORT ═══════════════════════════════════════════════════════════════ 🔍 Scanned: FlightBookingAPI.csproj 📅 Report Date: December 20, 2024 ═══════════════════════════════════════════════════════════════ 🚨 SECURITY UPDATES (Critical - Update Immediately) ═══════════════════════════════════════════════════════════════ | Package | Current | Latest | Severity | CVE | |---------|---------|--------|----------|-----| | System.Text.Json | 7.0.2 | 7.0.4 | HIGH | CVE-2024-1234 | | Microsoft.Data.SqlClient | 5.1.0 | 5.1.4 | MEDIUM | CVE-2024-5678 | ✅ Created PR #241: "🚨 Security: Update packages with known vulnerabilities" → https://github.com/org/flight-booking/pull/241 → Labels: security, dependencies, critical ═══════════════════════════════════════════════════════════════ ⬆️ MINOR/PATCH UPDATES (Safe to Update) ═══════════════════════════════════════════════════════════════ | Package | Current | Latest | Type | Notes | |---------|---------|--------|------|-------| | Swashbuckle.AspNetCore | 6.5.0 | 6.6.2 | Minor | New features | | FluentValidation | 11.8.0 | 11.9.0 | Minor | Bug fixes | | Serilog | 3.1.0 | 3.1.1 | Patch | Performance | | xunit | 2.6.1 | 2.6.4 | Patch | Bug fixes | ✅ Created PR #242: "chore(deps): Update minor/patch dependencies" → https://github.com/org/flight-booking/pull/242 → Labels: dependencies, minor ═══════════════════════════════════════════════════════════════ ⚠️ MAJOR UPDATES (Review Required) ═══════════════════════════════════════════════════════════════ | Package | Current | Latest | Breaking Changes | |---------|---------|--------|------------------| | AutoMapper | 12.0.1 | 13.0.0 | Yes - Profile changes | | MediatR | 11.1.0 | 12.2.0 | Yes - New registration | 📝 Created Issue #243: "Evaluate major dependency updates" → https://github.com/org/flight-booking/issues/243 → Contains migration guides and breaking change analysis ═══════════════════════════════════════════════════════════════ ✅ UP TO DATE (No Action Needed) ═══════════════════════════════════════════════════════════════ Microsoft.AspNetCore.* packages - Latest Microsoft.EntityFrameworkCore - 8.0.0 (Latest) ═══════════════════════════════════════════════════════════════ 📊 SUMMARY ═══════════════════════════════════════════════════════════════ Total packages: 24 Up to date: 18 (75%) Security updates: 2 (PR #241 ready) Minor updates: 4 (PR #242 ready) Major updates: 2 (Issue #243 for review) ═══════════════════════════════════════════════════════════════
Time Saved: 5 hours → 10 minutes (30x faster, more thorough)
Agent Instructions
When this skill is activated:
-
Scan Dependencies:
- For .NET:
dotnet list package --outdated - For Node.js:
npm outdatedoryarn outdated - For Python:
pip list --outdated - Parse all project files for dependencies
- For .NET:
-
Check Security Advisories:
- Query GitHub Advisory Database
- Check NVD (National Vulnerability Database)
- Identify CVEs affecting current versions
-
Categorize Updates:
- Security: Any package with known CVE
- Patch: x.y.Z changes (bug fixes)
- Minor: x.Y.z changes (new features, backward compatible)
- Major: X.y.z changes (breaking changes)
-
Research Breaking Changes:
- For major updates, fetch release notes
- Identify breaking changes and migration steps
- Assess impact on codebase
-
Create Appropriate PRs:
- Security updates: Single PR, urgent labels
- Minor/Patch: Combined PR, low priority
- Major: Create issue with analysis, not PR
-
Include Context:
- Link to changelogs in PR description
- Note any code changes needed
- Add testing recommendations
Example Prompts
- "Check for dependency updates"
- "Are there any security vulnerabilities in our packages?"
- "Update all minor dependencies"
- "Create a dependency update report"
- "What packages need updating?"
Supported Package Managers
| Platform | Package Manager | Security Check |
|---|---|---|
| .NET | NuGet | ✅ GitHub Advisory |
| Node.js | npm/yarn/pnpm | ✅ npm audit |
| Python | pip/poetry | ✅ safety check |
| Java | Maven/Gradle | ✅ OWASP check |
Benefits
| Metric | Before | After | Improvement |
|---|---|---|---|
| Update time | 5 hours | 10 min | 30x faster |
| Security coverage | Reactive | Proactive | Prevent breaches |
| Update frequency | Quarterly | Weekly | Always current |
| Breaking changes | Surprise | Documented | No surprises |