dependency-update


Dependency Update Skill

Safe and systematic dependency updates with vulnerability management, license checking, and rollback planning.

When to Use

| Trigger | Priority | Description |
|---|---|---|
| Security Vulnerability | Critical | Known CVE in dependency |
| Monthly Maintenance | High | Regular update cycle |
| Major Version | Medium | New major version available |
| Pre-Release | High | Before production deployments |
| Breaking Bug | Critical | Bug in current dependency |

Update Strategy

Update Types

| Type | Risk | Frequency | Testing |
|---|---|---|---|
| Patch (x.x.1) | Low | Weekly/Auto | Basic |
| Minor (x.1.0) | Low-Medium | Monthly | Standard |
| Major (1.0.0) | High | Quarterly | Comprehensive |

Semantic Versioning

```
MAJOR.MINOR.PATCH
  │     │     │
  │     │     └── Bug fixes (backward compatible)
  │     └──────── New features (backward compatible)
  └────────────── Breaking changes
```

Prerequisites

Before starting:
  • All tests passing
  • Clean git working directory
  • Recent backup/checkpoint
  • Time for testing and potential rollback
  • Access to changelogs/release notes

Update Process

Phase 1: Audit Dependencies
Phase 2: Check Vulnerabilities
Phase 3: Check License Compatibility
Phase 4: Plan Updates
Phase 5: Execute Updates
Phase 6: Test & Validate
Phase 7: Document & Deploy

Phase 1: Audit Dependencies

List outdated dependencies using ecosystem-specific tools:

```bash
# Node.js
npm outdated

# Python
pip list --outdated

# Go
go list -u -m all

# Rust (cargo-outdated is a separate subcommand: cargo install cargo-outdated)
cargo outdated

# Ruby
bundle outdated
```

Create an update inventory, prioritizing direct dependencies over transitive ones.

---

Phase 2: Check Vulnerabilities

Run security audits:

```bash
# Node.js
npm audit

# Python
pip-audit          # or: safety check

# Go (call-graph analysis: only vulnerabilities whose vulnerable functions
# are reachable from your code are reported as findings)
govulncheck ./...

# Rust (cargo install cargo-audit)
cargo audit

# Ruby
bundle audit check
```

Prioritize by severity: Critical (hours) → High (days) → Moderate (weeks) → Low (monthly).
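As an added example, not part of the skill page, the triage step for the Node.js audit written in Python: it reads an `npm audit --json` report, applies the severity-to-response-window mapping above, and orders findings so that the most urgent ones and direct dependencies surface first. The report is constructed for the demonstration; its shape follows the `auditReportVersion: 2` layout that npm 7+ emits (an assumption to check against the npm you run), and the advisory URLs are placeholders, not real advisories.

```python
"""Triage an `npm audit --json` report into the skill's response windows.

Added example; the report is constructed and its layout is assumed to match
npm 7+ (auditReportVersion 2). Advisory URLs are placeholders.
"""
import json

# Response windows from Phase 2: Critical (hours) -> High (days) -> Moderate (weeks) -> Low (monthly).
WINDOWS = {"critical": "hours", "high": "days", "moderate": "weeks", "low": "monthly"}
RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Constructed report (not real npm output).
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "left-padder": {
            "name": "left-padder", "severity": "moderate", "isDirect": False,
            "via": [{"source": 0, "name": "left-padder", "title": "Constructed advisory A",
                     "url": "https://example.invalid/advisory/PLACEHOLDER-A",
                     "severity": "moderate", "range": "<2.1.0"}],
            "effects": ["web-framework"], "range": "<2.1.0",
            "nodes": ["node_modules/left-padder"], "fixAvailable": True,
        },
        "web-framework": {
            "name": "web-framework", "severity": "critical", "isDirect": True,
            # A string entry in "via" means "vulnerable through that package", not an advisory.
            "via": [{"source": 1, "name": "web-framework", "title": "Constructed advisory B",
                     "url": "https://example.invalid/advisory/PLACEHOLDER-B",
                     "severity": "critical", "range": ">=4.0.0 <4.18.3"},
                    "left-padder"],
            "effects": [], "range": ">=4.0.0 <4.18.3",
            "nodes": ["node_modules/web-framework"],
            "fixAvailable": {"name": "web-framework", "version": "4.18.3", "isSemVerMajor": False},
        },
        "old-tool": {
            "name": "old-tool", "severity": "low", "isDirect": True,
            "via": [{"source": 2, "name": "old-tool", "title": "Constructed advisory C",
                     "url": "https://example.invalid/advisory/PLACEHOLDER-C",
                     "severity": "low", "range": "*"}],
            "effects": [], "range": "*", "nodes": ["node_modules/old-tool"],
            "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1,
                                     "high": 0, "critical": 1, "total": 3}},
})


def describe_fix(fix):
    """Turn npm's fixAvailable value (bool or dict) into a short action."""
    if isinstance(fix, dict):
        note = " (semver-major: update individually)" if fix.get("isSemVerMajor") else ""
        return f"upgrade {fix['name']} to {fix['version']}{note}"
    return "fix available" if fix else "no fix available: pin, replace or isolate, and track"


def triage_audit(report_json):
    """Return findings ordered most urgent first, each tagged with its response window."""
    report = json.loads(report_json)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        # Only dict entries in "via" carry an advisory of their own.
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({
            "package": name,
            "severity": sev,
            "window": WINDOWS.get(sev, "review"),
            "direct": bool(vuln.get("isDirect")),
            "advisories": [a.get("url", "") for a in advisories],
            "fix": describe_fix(vuln.get("fixAvailable", False)),
        })
    # Urgency first, then direct deps before transitive, then name for a stable order.
    findings.sort(key=lambda f: (RANK.get(f["severity"], 99), not f["direct"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in triage_audit(SAMPLE_AUDIT):
        print(f"{f['severity']:9} {f['window']:8} {f['package']:15} {f['fix']}")
```

In practice the report comes from `npm audit --json > audit.json`; the `window` field is what the PR in Phase 7 should reference when explaining why a finding was or was not fixed in this cycle.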

---


Phase 3: Check License Compatibility

Check licenses before adding dependencies:

```bash
# Node.js
npx license-checker --summary

# Python
pip-licenses
```

Avoid: GPL-3.0, AGPL-3.0, SSPL, Unlicensed (require legal review).
Safe: MIT, Apache-2.0, BSD, ISC.
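An added example, not part of the skill page, that turns the two lists above into an automated gate for the Python ecosystem. It reads the JSON that `pip-licenses --format=json` prints (a list of objects with `Name`, `Version` and `License`; that layout is an assumption to check against your pip-licenses version), normalizes the free-text classifier strings pip-licenses reports into the tokens used on this page, and sorts packages into safe, needs-review and unclassified buckets. Treating the Apache classifier as Apache-2.0 is an assumption, and the sample report is constructed.

```python
"""Gate dependency licenses against the skill's allow and review lists.

Added example. Input shape assumed: pip-licenses --format=json output, i.e.
a list of {"Name", "Version", "License"} objects. Sample data is constructed.
"""
import json
import re

# From Phase 3: these require legal review; these are safe.
NEEDS_REVIEW = {"GPL-3.0", "AGPL-3.0", "SSPL", "Unlicensed"}
SAFE = {"MIT", "Apache-2.0", "BSD", "ISC"}

# pip-licenses reports classifier text ("MIT License", "Apache Software License"),
# not SPDX ids, so map common forms to the page's tokens. Order matters:
# AGPL and LGPL must be recognised before the generic GPL pattern.
_PATTERNS = [
    (re.compile(r"affero|agpl", re.I), "AGPL-3.0"),
    (re.compile(r"lesser|lgpl", re.I), "OTHER:LGPL"),
    (re.compile(r"gpl.*3|general public license v3", re.I), "GPL-3.0"),
    (re.compile(r"sspl|server side public", re.I), "SSPL"),
    (re.compile(r"\bmit\b", re.I), "MIT"),
    (re.compile(r"apache", re.I), "Apache-2.0"),   # assumption: Apache classifier == 2.0
    (re.compile(r"\bbsd\b", re.I), "BSD"),
    (re.compile(r"\bisc\b", re.I), "ISC"),
    (re.compile(r"^\s*$|unknown|unlicensed", re.I), "Unlicensed"),
]

# Constructed pip-licenses report (not real data).
SAMPLE_REPORT = json.dumps([
    {"Name": "requests-like", "Version": "2.0.0", "License": "Apache Software License"},
    {"Name": "tinydb-like", "Version": "1.0.0", "License": "MIT License"},
    {"Name": "copyleft-tool", "Version": "3.1.0", "License": "GNU Affero General Public License v3"},
    {"Name": "dual-lib", "Version": "0.9.0", "License": "MIT License; BSD License"},
    {"Name": "mystery-pkg", "Version": "0.1.0", "License": "UNKNOWN"},
    {"Name": "eupl-lib", "Version": "1.2.0", "License": "European Union Public Licence 1.2 (EUPL 1.2)"},
])


def normalize_license(text):
    """Map one raw license string to a page token, or 'OTHER:<text>' if unrecognised."""
    for pattern, token in _PATTERNS:
        if pattern.search(text):
            return token
    return "OTHER:" + text.strip()


def classify_license(text):
    """Return (verdict, tokens) where verdict is 'safe', 'review' or 'unknown'.

    pip-licenses joins multiple licenses with ';'. Any review-listed part
    taints the package; every part must be on the safe list to pass.
    """
    parts = [p.strip() for p in text.split(";") if p.strip()] or [""]
    tokens = [normalize_license(p) for p in parts]
    if any(t in NEEDS_REVIEW for t in tokens):
        return "review", tokens
    if all(t in SAFE for t in tokens):
        return "safe", tokens
    return "unknown", tokens


def gate_licenses(report_json):
    """Bucket packages as 'name==version (tokens)' under safe / review / unknown."""
    buckets = {"safe": [], "review": [], "unknown": []}
    for pkg in json.loads(report_json):
        verdict, tokens = classify_license(pkg.get("License", ""))
        buckets[verdict].append(f"{pkg['Name']}=={pkg['Version']} ({', '.join(tokens)})")
    return buckets


def licenses_ok(report_json):
    """True only when nothing needs legal review and nothing is unclassified."""
    b = gate_licenses(report_json)
    return not b["review"] and not b["unknown"]


if __name__ == "__main__":
    for verdict, items in gate_licenses(SAMPLE_REPORT).items():
        print(verdict.upper())
        for item in items:
            print("  ", item)
```

Unclassified entries are deliberately a failure rather than a pass: a license string the gate cannot recognise should be looked at by a person before the update proceeds, which is the same treatment the page gives to unlicensed packages.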

---


Phase 4: Plan Updates

Priority: Security → Patches → Minor → Major
Update strategies:
  • Individual: Major updates, risky dependencies
  • Batched: Patches and minor updates together
  • All at once: Only for fresh projects with comprehensive tests
Create update plan grouping by priority and risk level.
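An added example, not part of the skill page, that implements the Semantic Versioning diagram and this planning step together: it classifies each current-to-latest bump as patch, minor or major, attaches the risk and testing tier from the Update Types table, and groups the inventory in the order given here (security fixes first and individually, patches and minors batched, majors individually, direct dependencies before transitive ones). The inventory is constructed; the `advisory` flag is a hypothetical field meant to be filled from the Phase 2 audit. It goes slightly beyond the diagram in one respect, following the semver specification: while the major version is 0 any bump may break, so a 0.x minor bump is planned as if it were major.

```python
"""Classify semver bumps and group them into a Phase 4 update plan.

Added example. Inventory entries are constructed dicts with the hypothetical
fields: name, current, latest, direct (bool), advisory (bool).
"""
import re

# Risk and testing tiers from the "Update Types" table.
TIERS = {
    "patch": ("Low", "Basic"),
    "minor": ("Low-Medium", "Standard"),
    "major": ("High", "Comprehensive"),
}
_RANK = {"patch": 0, "minor": 1, "major": 2}
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch) ints; pre-release/build suffixes are ignored.

    Anything that is not MAJOR.MINOR.PATCH raises ValueError so it gets
    triaged by hand instead of being silently planned.
    """
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify_update(current, latest):
    """Classify the bump as 'patch', 'minor', 'major' or 'none' (no update)."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        # Semver: major version 0 is initial development and anything may change.
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def plan_updates(inventory):
    """Return ordered plan steps: security -> patch+minor batch -> majors."""
    security, batch, major = [], [], []
    for dep in inventory:
        kind = classify_update(dep["current"], dep["latest"])
        if kind == "none":
            continue
        entry = dict(dep, kind=kind)
        if dep.get("advisory"):
            security.append(entry)          # individual, whatever the bump size
        elif kind == "major":
            major.append(entry)             # individual
        else:
            batch.append(entry)             # patches and minors together
    # Direct deps first, then smaller bumps first, then name for a stable order.
    key = lambda d: (not d.get("direct", True), _RANK[d["kind"]], d["name"])
    steps = []
    for d in sorted(security, key=key):
        risk, testing = TIERS[d["kind"]]
        steps.append({"step": "security", "packages": [d["name"]],
                      "strategy": "individual", "risk": risk, "testing": testing})
    if batch:
        batch.sort(key=key)
        worst = max(batch, key=lambda d: _RANK[d["kind"]])["kind"]
        risk, testing = TIERS[worst]        # the batch is tested at its riskiest member's tier
        steps.append({"step": "patch+minor batch", "packages": [d["name"] for d in batch],
                      "strategy": "batched", "risk": risk, "testing": testing})
    for d in sorted(major, key=key):
        risk, testing = TIERS["major"]
        steps.append({"step": "major", "packages": [d["name"]],
                      "strategy": "individual", "risk": risk, "testing": testing})
    return steps


# Constructed inventory (not real packages).
SAMPLE_INVENTORY = [
    {"name": "util-lib", "current": "1.4.2", "latest": "1.4.3", "direct": True, "advisory": True},
    {"name": "web-framework", "current": "4.18.2", "latest": "4.19.0", "direct": True, "advisory": False},
    {"name": "ui-kit", "current": "17.0.2", "latest": "18.2.0", "direct": True, "advisory": False},
    {"name": "tiny-helper", "current": "4.3.3", "latest": "4.3.4", "direct": False, "advisory": False},
    {"name": "zero-lib", "current": "0.4.1", "latest": "0.5.0", "direct": True, "advisory": False},
    {"name": "stable-lib", "current": "2.0.0", "latest": "2.0.0", "direct": True, "advisory": False},
]

if __name__ == "__main__":
    for step in plan_updates(SAMPLE_INVENTORY):
        print(f"{step['step']:18} {step['strategy']:10} risk={step['risk']:10} "
              f"testing={step['testing']:13} {', '.join(step['packages'])}")
```

Each step maps to one branch commit in Phase 5 and to the testing tier that Phase 6 must reach before the next step starts.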


Phase 5: Execute Updates

Create branch:

```bash
git checkout -b chore/dependency-updates-YYYY-MM
```

Update commands by ecosystem:

```bash
# Individual
npm install pkg@ver
pip install pkg==ver
go get pkg@ver

# Batch
npm update
pip install -U pkg1 pkg2
go get -u ./...
cargo update
```

Verify lock files updated. Commit with descriptive messages following conventional commits.

---


Phase 6: Test & Validate

Run comprehensive validation:

```bash
# Tests
npm test
pytest
go test ./...
cargo test

# Types
npm run typecheck
mypy .
cargo check

# Lint
npm run lint
ruff check .
golangci-lint run
cargo clippy

# Build
npm run build
go build ./...
cargo build --release
```

For major updates, verify critical paths manually.

---


Phase 7: Document & Deploy

Create PR documenting:
  • Security fixes with CVE numbers
  • Package updates table
  • Breaking changes addressed
  • Testing checklist completed
  • Rollback plan
Deploy: Dev → Staging → Production (with validation at each stage).


Rollback Procedures

If Tests Fail

```bash
# Reset to before updates
git checkout package.json package-lock.json
npm install
```

After restoring a lock file, npm ci installs exactly what it records, whereas npm install may rewrite it; prefer npm ci when the goal is to reproduce the pre-update tree.

If Production Issues

```bash
# Revert the commit
git revert <update-commit-hash>
npm install

# Deploy revert
```

Pin Problematic Dependency

```json
// package.json
{
  "dependencies": {
    "problematic-package": "1.2.3"  // Pin to working version
  },
  "resolutions": {
    "problematic-package": "1.2.3"  // Force transitive deps
  }
}
```

The comments are annotations only; JSON does not allow them, so drop them in a real package.json. The resolutions field is Yarn's; the equivalent on npm 8.3+ is overrides, and on pnpm it is pnpm.overrides.

Quick Reference

Commands by Language

| Task | Node.js | Python | Go | Rust |
|---|---|---|---|---|
| List outdated | npm outdated | pip list --outdated | go list -u -m all | cargo outdated |
| Security audit | npm audit | pip-audit | govulncheck ./... | cargo audit |
| Update all | npm update | pip install -U | go get -u ./... | cargo update |
| Update one | npm install pkg@ver | pip install pkg==ver | go get pkg@ver | cargo update -p pkg |

Checklist

Pre-Update

  • Tests passing
  • Clean git state
  • Outdated list generated
  • Vulnerabilities checked
  • Licenses checked
  • Update plan created

During Update

  • Branch created
  • Updates applied
  • Lock files updated
  • Commits atomic and descriptive

Post-Update

  • All tests pass
  • Type checks pass
  • Lint passes
  • Build succeeds
  • Manual testing done
  • PR created
  • Rollback plan ready

Related Workflows

  • security-audit.md - Includes vulnerability scanning
  • code-review.md - Review updated code
  • troubleshooting.md - If updates cause issues

Extended Resources

For detailed per-ecosystem commands, verbose examples, and automation configuration, see:
  • references/process.md - Comprehensive ecosystem-specific processes