update-dependencies

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Dependency Updater

依赖更新工具

Smart dependency management with security-first prioritization, intelligent batching, and learning from outcomes.

以安全为优先的智能依赖管理，支持智能批量处理并能从历史结果中学习。

Ecosystem Detection

生态系统检测

First, detect the project's ecosystem:

bash

undefined

首先检测项目所属的生态系统：

bash

undefined

Check for lockfiles (in priority order)

检查锁文件（按优先级顺序）

ls bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock 2>/dev/null | head -1


| Lockfile | Ecosystem | Reference |
|----------|-----------|-----------|
| `bun.lock` / `bun.lockb` | npm (bun) | [npm.md](references/ecosystems/npm.md) |
| `pnpm-lock.yaml` | npm (pnpm) | [npm.md](references/ecosystems/npm.md) |
| `package-lock.json` | npm | [npm.md](references/ecosystems/npm.md) |
| `uv.lock` | Python (uv) | [python.md](references/ecosystems/python.md) |
| `poetry.lock` | Python (poetry) | [python.md](references/ecosystems/python.md) |
| `Cargo.lock` | Rust | [cargo.md](references/ecosystems/cargo.md) |

Load the appropriate ecosystem reference for detailed commands.

---

ls bun.lock bun.lockb pnpm-lock.yaml package-lock.json uv.lock poetry.lock Cargo.lock 2>/dev/null | head -1


| 锁文件 | 生态系统 | 参考文档 |
|----------|-----------|-----------|
| `bun.lock` / `bun.lockb` | npm（bun） | [npm.md](references/ecosystems/npm.md) |
| `pnpm-lock.yaml` | npm（pnpm） | [npm.md](references/ecosystems/npm.md) |
| `package-lock.json` | npm | [npm.md](references/ecosystems/npm.md) |
| `uv.lock` | Python（uv） | [python.md](references/ecosystems/python.md) |
| `poetry.lock` | Python（poetry） | [python.md](references/ecosystems/python.md) |
| `Cargo.lock` | Rust | [cargo.md](references/ecosystems/cargo.md) |

加载对应生态系统的参考文档以获取详细命令。

---

Workflow

工作流程

Phase 1: Security Audit

阶段1：安全审计

Run security check first. Security issues always take priority.

See ecosystem reference for specific audit command.

Categorize by severity:

Critical/High: Fix immediately, own PR
Moderate/Low: Batch with related updates

首先运行安全检查。安全问题始终优先处理。

请查看对应生态系统的参考文档获取具体审计命令。

按严重程度分类：

严重/高危：立即修复，单独创建PR
中危/低危：与相关更新批量处理

Phase 2: Outdated Analysis

阶段2：过时依赖分析

Check for outdated dependencies.

Categorize by update type:

Patch (x.y.Z): Usually safe, batch together
Minor (x.Y.z): Review changelog, usually safe
Major (X.y.z): Individual review required

检查过时的依赖。

按更新类型分类：

补丁版本（x.y.Z）：通常安全，可批量处理
次版本（x.Y.z）：查看变更日志，通常安全
主版本（X.y.z）：需要单独评审

Phase 3: Check History

阶段3：查看历史记录

Before major updates, check if we've updated this package before:

bash

grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl

Learn from past outcomes:

Did it require migration?
Any gotchas noted?

在进行主版本更新前，检查是否曾更新过该包：

bash

grep "<package-name>" ~/.claude/skills/update-dependencies/data/outcomes.jsonl

从历史结果中学习：

是否需要迁移？
有没有需要注意的问题？

Phase 4: Risk Assessment

阶段4：风险评估

For packages with major bumps or unknown risk, fetch changelogs.

Score each update 1-5. See risk-assessment.md for guidelines.

对于主版本升级或风险未知的包，获取其变更日志。

为每个更新打分（1-5分）。评分准则请参考risk-assessment.md。

Phase 5: Smart Grouping

阶段5：智能分组

Group related packages together. See grouping-strategies.md for patterns.

Priority order:

Security fixes (own group, merge first)
Ecosystem batches (related packages together)
Low-risk patches (all together)
Individual major updates

将相关包分组处理。分组模式请参考grouping-strategies.md。

优先级顺序：

安全修复（单独分组，优先合并）
生态系统批量更新（相关包放在一起）
低风险补丁版本（全部批量处理）
单个主版本更新

Phase 6: Execute Updates

阶段6：执行更新

For each group:

Create branch:
```
deps/<group-name>-$(date +%Y%m%d)
```
Apply updates (see ecosystem reference)
Run tests
If tests fail: identify problematic package, exclude, continue

针对每个分组：

创建分支：
```
deps/<group-name>-$(date +%Y%m%d)
```
执行更新（查看对应生态系统的参考文档）
运行测试
若测试失败：定位问题包，排除后重试

Phase 7: Create PR

阶段7：创建PR

Use format from pr-format.md.

bash

git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
gh pr create --title "deps: <type> update <group-name>" --body-file -

使用pr-format.md中的格式。

bash

git add <lockfile> <manifest>
git commit -m "deps: <type> update <group-name>"
git push -u origin HEAD
gh pr create --title "deps: <type> update <group-name>" --body-file -

Phase 8: Log Outcome

阶段8：记录结果

After PR is merged (or if update fails), log the outcome:

bash

bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts

The script will:

Pre-fill: date, project, ecosystem, packages, versions
Prompt for: outcome (success/failed/required_migration) and notes

Append to

~/.claude/skills/update-dependencies/data/outcomes.jsonl

PR合并后（或更新失败时），记录结果：

bash

bun ~/.claude/skills/update-dependencies/scripts/log-outcome.ts

该脚本会：

自动填充：日期、项目、生态系统、包、版本
提示输入：结果（成功/失败/需要迁移）和备注

将记录追加到

~/.claude/skills/update-dependencies/data/outcomes.jsonl

Command Options

命令选项

When invoked via

/update-dependencies

Option	Effect
`security only`	Only fix security vulnerabilities
`plan`	Enter plan mode - analyze and design update strategy for approval
`major`	Include major version updates
`group <name>`	Update specific ecosystem group
`--check-history`	Show past outcomes for packages being updated

通过

/update-dependencies

调用时的选项：

选项	作用
`security only`	仅修复安全漏洞
`plan`	进入规划模式 - 分析并设计更新策略，待审批后执行
`major`	包含主版本更新
`group <name>`	更新指定的生态系统分组
`--check-history`	显示待更新包的历史处理结果

Quick Start

快速开始

bash

undefined

bash

undefined

Run the analyzer first

先运行分析器

bun ~/.claude/skills/update-dependencies/scripts/analyze.ts

Or invoke the skill

或直接调用该工具

/update-dependencies plan # Analyze and plan /update-dependencies # Full execution

---

/update-dependencies plan # 分析并制定更新计划 /update-dependencies # 执行完整更新流程

---

Error Recovery

错误恢复

If update fails partway:

If commit succeeded but push failed →
```
git push -u origin HEAD
```
If tests fail → identify problematic package, exclude, retry
If PR creation failed →
```
gh pr create ...
```

若更新中途失败：

若提交成功但推送失败 → 执行
```
git push -u origin HEAD
```
若测试失败 → 定位问题包，排除后重试
若PR创建失败 → 执行
```
gh pr create ...
```