ln-820-dependency-optimization-coordinator
Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
Type: L2 Domain Coordinator
Category: 8XX Optimization
Parent: ln-700-project-bootstrap
Coordinates dependency upgrades by detecting package managers and delegating to appropriate L3 workers.
Overview
| Aspect | Details |
|---|---|
| Input | Detected stack from ln-700 |
| Output | All dependencies upgraded to latest compatible versions |
| Workers | ln-821 (npm), ln-822 (nuget), ln-823 (pip) |
Workflow
Phases: Pre-flight → Detect → Security Audit → Delegate → Collect → Verify → Report
Phase 0: Pre-flight Checks
Verify project state before starting upgrade.
| Check | Method | Block if |
|---|---|---|
| Uncommitted changes | | Non-empty output |
| Create backup branch | | Failure |
| Lock file exists | Check for lock file | Missing (warn only) |
Skip upgrade if uncommitted changes exist. User must commit or stash first.
Phase 1: Detect Package Managers
Detection Rules
| Package Manager | Indicator Files | Worker |
|---|---|---|
| npm | package.json + package-lock.json | ln-821 |
| yarn | package.json + yarn.lock | ln-821 |
| pnpm | package.json + pnpm-lock.yaml | ln-821 |
| nuget | *.csproj files | ln-822 |
| pip | requirements.txt | ln-823 |
| poetry | pyproject.toml + poetry.lock | ln-823 |
| pipenv | Pipfile + Pipfile.lock | ln-823 |
Phase 2: Security Audit (Pre-flight)
Security Checks
| Package Manager | Command | Block Upgrade |
|---|---|---|
| npm | | Critical only |
| pip | | Critical only |
| nuget | | Critical only |
Release Age Check
| Option | Default | Description |
|---|---|---|
| minimumReleaseAge | 14 days | Skip packages released < 14 days ago |
| ignoreReleaseAge | false | Override for urgent security patches |
Per Renovate best practices: waiting 14 days gives registries time to pull malicious packages.
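The release-age gate described above, as an added example (not code from this skill or from Renovate): it picks the newest version that is at least minimumReleaseAge days old and reports which newer versions were held back. The function names are hypothetical, the input follows the version-to-timestamp shape of the npm registry `time` field, the sample data is constructed, and upgradeType filtering is left out.

```python
from datetime import datetime, timedelta, timezone

def _parse_version(v):
    """Return (major, minor, patch) for plain x.y.z versions, else None."""
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None  # skips prereleases and the "created"/"modified" keys
    return tuple(int(p) for p in parts)

def pick_upgrade_target(publish_times, current, now,
                        minimum_release_age=14, ignore_release_age=False):
    """Pick the newest version above `current` that passes the release-age gate.

    Returns (target_or_None, held_back); held_back lists newer versions that
    were skipped only because they are younger than minimum_release_age days.
    """
    cur = _parse_version(current)
    # Per the options above: 0 disables the gate, ignoreReleaseAge overrides it.
    gate_off = ignore_release_age or minimum_release_age == 0
    cutoff = now - timedelta(days=minimum_release_age)
    eligible, held_back = [], []
    for version, stamp in publish_times.items():
        parsed = _parse_version(version)
        if parsed is None or parsed <= cur:
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if gate_off or published <= cutoff:
            eligible.append((parsed, version))
        else:
            held_back.append((parsed, version))
    target = max(eligible)[1] if eligible else None
    return target, [v for _, v in sorted(held_back)]

# Constructed sample in the shape of an npm registry "time" object.
SAMPLE_TIMES = {
    "created": "2024-01-05T10:00:00.000Z",
    "modified": "2026-01-08T09:30:00.000Z",
    "4.17.0": "2025-06-01T12:00:00.000Z",
    "4.18.0": "2025-11-20T12:00:00.000Z",
    "4.18.1": "2026-01-02T08:00:00.000Z",
    "5.0.0-beta.1": "2026-01-07T08:00:00.000Z",
    "5.0.0": "2026-01-08T09:30:00.000Z",
}
NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)
```

Surfacing the held-back list in the worker's warnings lets a reviewer see which releases the gate deferred before deciding whether ignoreReleaseAge is justified for a security patch.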
Phase 3: Delegate to Workers
CRITICAL: All delegations use Task tool with subagent_type: "general-purpose" and isolation: "worktree"; each worker creates its own branch per shared/references/git_worktree_fallback.md.
Prompt template:
```
Task(description: "Upgrade deps via ln-82X",
     prompt: "Execute ln-82X-{worker}. Read skill from ln-82X-{worker}/SKILL.md. Context: {delegationContext}",
     subagent_type: "general-purpose",
     isolation: "worktree")
```
Anti-Patterns:
- ❌ Direct Skill tool invocation without Task wrapper
- ❌ Any execution bypassing subagent context isolation
Delegation Context
Each worker receives standardized context:
| Field | Type | Description |
|---|---|---|
| projectPath | string | Absolute path to project |
| packageManager | enum | npm, yarn, pnpm, nuget, pip, poetry, pipenv |
| options.upgradeType | enum | major, minor, patch |
| options.allowBreaking | bool | Allow breaking changes |
| options.testAfterUpgrade | bool | Run tests after upgrade |
Worker Selection
| Package Manager | Worker | Notes |
|---|---|---|
| npm, yarn, pnpm | ln-821-npm-upgrader | Handles all Node.js |
| nuget | ln-822-nuget-upgrader | Handles .NET projects |
| pip, poetry, pipenv | ln-823-pip-upgrader | Handles all Python |
Phase 4: Collect Results
Each worker produces an isolated branch. Coordinator aggregates branch reports.
Worker Branches
| Worker | Branch Pattern | Contents |
|---|---|---|
| ln-821 | | npm/yarn/pnpm dependency upgrades |
| ln-822 | | NuGet dependency upgrades |
| ln-823 | | pip/poetry/pipenv dependency upgrades |
Result Schema
| Field | Type | Description |
|---|---|---|
| worker | string | ln-821, ln-822, or ln-823 |
| status | enum | success, partial, failed |
| branch | string | Worker's result branch name |
| upgrades[] | array | List of upgraded packages |
| upgrades[].package | string | Package name |
| upgrades[].from | string | Previous version |
| upgrades[].to | string | New version |
| upgrades[].breaking | bool | Is breaking change |
| warnings[] | array | Non-blocking warnings |
| errors[] | array | Blocking errors |
Phase 5: Aggregate Reports
Each worker is verified independently in its own branch (build and tests are run by the worker itself). The coordinator does NOT rerun verification or roll back packages.
On Failure
- Branch with failing build/tests logged as "failed" in report
- User reviews failed branch independently
Phase 6: Report Summary
Report Schema
| Field | Type | Description |
|---|---|---|
| totalPackages | int | Total packages analyzed |
| upgraded | int | Successfully upgraded |
| skipped | int | Already latest |
| failed | int | Rolled back |
| breakingChanges | int | Major version upgrades |
| buildVerified | bool | Build passed after upgrade |
| duration | string | Total time |
Configuration
```yaml
Options:
  # Upgrade scope
  upgradeType: major          # major | minor | patch
  # Breaking changes
  allowBreaking: true
  autoMigrate: true           # Apply known migrations
  # Security
  auditLevel: high            # none | low | moderate | high | critical
  minimumReleaseAge: 14       # days, 0 to disable
  blockOnVulnerability: true
  # Scope
  skipDev: false              # Include devDependencies
  skipOptional: true          # Skip optional deps
  # Verification
  testAfterUpgrade: true
  buildAfterUpgrade: true
  # Rollback
  rollbackOnFailure: true
```
Error Handling
Recoverable Errors
| Error | Recovery |
|---|---|
| Peer dependency conflict | Try --legacy-peer-deps |
| Build failure | Rollback package, continue |
| Network timeout | Retry 3 times |
Fatal Errors
| Error | Action |
|---|---|
| No package managers found | Skip this step |
| All builds fail | Report to parent, suggest manual review |
References
- breaking_changes_patterns.md
- security_audit_guide.md
Definition of Done
- Pre-flight checks passed (clean git state)
- All package managers detected from indicator files
- Security audit completed per manager (critical vulns block upgrade)
- Workers delegated with worktree isolation (isolation: "worktree")
- Each worker produces isolated branch, pushed to remote
- Coordinator report aggregates per-worker results (branch, upgrades, status)
Version: 1.1.0
Last Updated: 2026-01-10