OpenSkillIndex← back to search
claude-code

Skills dependency-updater

install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/dependency-updater" ~/.claude/skills/terminalskills-skills-dependency-updater && rm -rf "$T"
manifest: skills/dependency-updater/SKILL.md
safety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
  • pip install
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content

Dependency Updater

Overview

This skill analyzes your project's dependency tree to find outdated packages, known vulnerabilities, and breaking API changes. It produces a prioritized upgrade plan with specific migration steps, ordered to minimize risk and maximize safety.

Instructions

1. Parse the Dependency File

  • Read 
    package.json
    + lockfile (npm/yarn/pnpm), 
    requirements.txt
    /
    pyproject.toml
    , or 
    go.mod
  • List all direct dependencies with current pinned versions
  • Note version constraints (^, ~, exact, ranges)

2. Check Each Package

For each dependency:

  • Latest version: What's available on the registry
  • Version gap: How many major/minor/patch versions behind
  • Security: Known CVEs from npm audit, Snyk, or GitHub Advisory Database
  • Maintenance: Last publish date, open issues count, whether it's deprecated
  • Breaking changes: Read CHANGELOG.md or GitHub releases for breaking change notes between current and latest

3. Classify by Risk

Group packages into four tiers:

  • Critical: Known CVE with severity HIGH or CRITICAL — update immediately
  • Major: Major version bump with confirmed breaking API changes — needs migration
  • Minor: Minor/patch updates with no breaking changes — safe to batch update
  • Stale: Package unmaintained (no release in >12 months) — consider replacement

4. Scan for Impact

For Major-tier packages:

  • Read the changelog/migration guide for the new version
  • Search the codebase for imports and usages of changed APIs
  • List affected files with line numbers
  • Estimate effort: how many patterns need changing and whether they're automatable

5. Generate Upgrade Plan

Produce an ordered plan:

  1. Critical (CVE fixes) first — usually patch-level, zero code changes
  2. Minor/patch batch — single 
    npm update
    command
  3. Each Major upgrade individually, with:
    • Exact install command (
      npm install package@version
      )
    • Code changes needed (as diffs when possible)
    • Test commands to verify

Examples

Example 1: Node.js Project Audit

Input: User provides package.json with 94 dependencies.

Output:

Dependency Audit — 94 packages

CRITICAL (2 packages):
  lodash 4.17.20 → 4.17.21
    CVE-2021-23337 (Command Injection, HIGH)
    Fix: npm install lodash@4.17.21 (patch, no code changes)

  node-fetch 2.6.1 → 2.6.13
    CVE-2022-0235 (Information Exposure, MEDIUM)
    Fix: npm install node-fetch@2.6.13 (patch, no code changes)

MAJOR (1 package):
  express 4.18.2 → 5.0.0
    Breaking: req.host now returns host without port
    Breaking: app.del() removed, use app.delete()
    Affected files: src/server.ts:45 (uses req.host), src/routes/legacy.ts:12 (uses app.del)
    Migration effort: Low — 2 files, 2 line changes

MINOR (18 packages):
  Can be batch-updated: npm update (no breaking changes detected)

STALE (1 package):
  request 2.88.2 — DEPRECATED, last release Feb 2020
  Recommended replacement: undici or node-fetch
  Used in: src/lib/http-client.ts (3 call sites)

Upgrade Order:
  Step 1: npm install lodash@4.17.21 node-fetch@2.6.13
  Step 2: npm update
  Step 3: npm install express@5.0.0 (apply 2 code changes first)
  Step 4: Replace request with undici (separate PR recommended)

Example 2: Python Requirements

Input: User provides requirements.txt with pinned versions.

Output:

Dependency Audit — 23 packages

CRITICAL:
  django==3.2.18 → 3.2.25
    CVE-2024-24680 (DoS via intcomma, MEDIUM)
    Fix: pip install django==3.2.25 (patch within same minor)

MAJOR:
  django==3.2.25 → 5.0.6 (if full upgrade desired)
    Breaking: DEFAULT_AUTO_FIELD must be set explicitly
    Breaking: url() removed, use path()
    Affected: 8 files in urls/, settings.py

Guidelines

  • Never recommend upgrading all major versions at once — one at a time, with tests between each
  • For monorepos, check if packages have peer dependency conflicts before recommending upgrades
  • If a package is deprecated with no CVE, it's STALE not CRITICAL — don't panic the user
  • Always check if the project has a test suite (
    npm test
    , 
    pytest
    ) and recommend running it after each step
  • When generating diffs, use the project's actual code, not generic examples
  • For workspaces/monorepos, note which workspace each dependency belongs to