update-dependencies

Original：🇺🇸 English

Translated

2 scriptsChecked / no sensitive code detected

Smart dependency updates across ecosystems (npm/bun/pnpm, uv/poetry, cargo). Use when upgrading dependencies, fixing vulnerabilities, or performing proactive maintenance. Supports intelligent batching, risk assessment, and outcome tracking for continuous improvement.

1installs

Sourcefairchild/dotclaude

Added on2026-02-10

NPX Install

npx skill4agent add fairchild/dotclaude update-dependencies

SKILL.md Content

View Translation Comparison →

Dependency Updater

Smart dependency management with security-first prioritization, intelligent batching, and learning from outcomes.

Ecosystem Detection

First, detect the project's ecosystem:

bash

# Check for lockfiles (in priority order)
ls bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock 2>/dev/null | head -1

Lockfile	Ecosystem	Reference
`bun.lock` / `bun.lockb`	npm (bun)	npm.md
`pnpm-lock.yaml`	npm (pnpm)	npm.md
`package-lock.json`	npm	npm.md
`uv.lock`	Python (uv)	python.md
`poetry.lock`	Python (poetry)	python.md
`Cargo.lock`	Rust	cargo.md

Load the appropriate ecosystem reference for detailed commands.

Workflow

Phase 1: Security Audit

Run security check first. Security issues always take priority.

See ecosystem reference for specific audit command.

Categorize by severity:

Critical/High: Fix immediately, own PR
Moderate/Low: Batch with related updates

Phase 2: Outdated Analysis

Check for outdated dependencies.

Categorize by update type:

Patch (x.y.Z): Usually safe, batch together
Minor (x.Y.z): Review changelog, usually safe
Major (X.y.z): Individual review required

Phase 3: Check History

Before major updates, check if we've updated this package before:

bash

grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl

Learn from past outcomes:

Did it require migration?
Any gotchas noted?

Phase 4: Risk Assessment

For packages with major bumps or unknown risk, fetch changelogs.

Score each update 1-5. See risk-assessment.md for guidelines.

Phase 5: Smart Grouping

Group related packages together. See grouping-strategies.md for patterns.

Priority order:

Security fixes (own group, merge first)
Ecosystem batches (related packages together)
Low-risk patches (all together)
Individual major updates

Phase 6: Execute Updates

For each group:

Create branch:
```
deps/<group-name>-$(date +%Y%m%d)
```
Apply updates (see ecosystem reference)
Run tests
If tests fail: identify problematic package, exclude, continue

Phase 7: Create PR

Use format from pr-format.md.

bash

git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
gh pr create --title "deps: <type> update <group-name>" --body-file -

Phase 8: Log Outcome

After PR is merged (or if update fails), log the outcome:

bash

bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts

The script will:

Pre-fill: date, project, ecosystem, packages, versions
Prompt for: outcome (success/failed/required_migration) and notes

Append to

~/.claude/skills/update-dependencies/data/outcomes.jsonl

Command Options

When invoked via

/update-dependencies

:

Option	Effect
`security only`	Only fix security vulnerabilities
`plan`	Enter plan mode - analyze and design update strategy for approval
`major`	Include major version updates
`group <name>`	Update specific ecosystem group
`--check-history`	Show past outcomes for packages being updated

Quick Start

bash

# Run the analyzer first
bun ~/.claude/skills/update-dependencies/scripts/analyze.ts

# Or invoke the skill
/update-dependencies plan    # Analyze and plan
/update-dependencies         # Full execution

Error Recovery

If update fails partway:

If commit succeeded but push failed →
```
git push -u origin HEAD
```
If tests fail → identify problematic package, exclude, retry
If PR creation failed →
```
gh pr create ...
```

update-dependencies

NPX Install

Tags

SKILL.md Content

Dependency Updater

Ecosystem Detection

Workflow

Phase 1: Security Audit

Phase 2: Outdated Analysis

Phase 3: Check History

Phase 4: Risk Assessment

Phase 5: Smart Grouping

Phase 6: Execute Updates

Phase 7: Create PR

Phase 8: Log Outcome

Command Options

Quick Start

Error Recovery