review-dependencies

Review Dependencies

Detect package managers and discover outdated or vulnerable dependencies. Analysis only. Does not upgrade.

Step 1: Detect Package Managers

Identify which package managers are in use by searching for config files:
| Config file | Package manager | Lockfile | Ecosystem |
| --- | --- | --- | --- |
| `package.json` | npm / yarn / pnpm | `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` | Node.js |
| `Package.swift`, `*.xcodeproj` | Swift Package Manager | `Package.resolved` | Swift |
| `pyproject.toml`, `requirements.txt`, `setup.py` | pip / poetry / uv | `poetry.lock`, `uv.lock` | Python |
| `Cargo.toml` | cargo | `Cargo.lock` | Rust |
| `go.mod` | Go modules | `go.sum` | Go |
| `Gemfile` | Bundler | `Gemfile.lock` | Ruby |
| `pom.xml` | Maven | (none) | Java |
| `build.gradle`, `build.gradle.kts` | Gradle | `gradle.lockfile` | Java/Kotlin |

Swift dependencies can live in `Package.swift` or be configured directly in the Xcode project file (`.xcodeproj` / `.xcworkspace`). For Xcode-managed dependencies, inspect the project's package references.
Detection steps:
  1. Search for config files in the project root and subdirectories (exclude vendored directories)
  2. If a lockfile exists, use the corresponding package manager variant (e.g., `yarn.lock` → yarn, `pnpm-lock.yaml` → pnpm)
  3. If multiple instances of the same package manager are found (e.g., a monorepo with several `package.json` files): use AskUserQuestion to let the user choose which to review (multiSelect allowed)
  4. If multiple package managers are found: use AskUserQuestion to let the user choose which to review
  5. If none are found: inform the user and stop
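As an added example (not part of the skill itself), the detection steps above in Python: the config-file table drives the mapping, a lockfile next to the config file selects the package manager variant, vendored directories are ignored, and `next_action` encodes items 3-5. It works on a project-relative path listing so the rules can be checked without a real tree; the `VENDORED_DIRS` set and all helper names are assumptions.

```python
import os
from pathlib import Path, PurePosixPath
# Config file -> (default manager, ecosystem, {lockfile: variant}), from the Step 1 table.
CONFIG_FILES = {
    "package.json": ("npm", "Node.js", {"yarn.lock": "yarn", "pnpm-lock.yaml": "pnpm"}),
    "Package.swift": ("Swift Package Manager", "Swift", {}),
    "pyproject.toml": ("pip", "Python", {"poetry.lock": "poetry", "uv.lock": "uv"}),
    "requirements.txt": ("pip", "Python", {}),
    "setup.py": ("pip", "Python", {}),
    "Cargo.toml": ("cargo", "Rust", {}),
    "go.mod": ("Go modules", "Go", {}),
    "Gemfile": ("Bundler", "Ruby", {}),
    "pom.xml": ("Maven", "Java", {}),
    "build.gradle": ("Gradle", "Java/Kotlin", {}),
    "build.gradle.kts": ("Gradle", "Java/Kotlin", {}),
}
# Assumed set of vendored/build directories to skip (detection item 1); extend per project.
VENDORED_DIRS = {"node_modules", "vendor", ".build", "Pods", ".venv", "target", ".git"}
def detect_from_paths(paths):
    """Map '/'-separated project-relative paths to sorted (dir, manager, ecosystem) tuples."""
    names_by_dir = {}
    for p in paths:
        parts = PurePosixPath(p).parts
        if any(part in VENDORED_DIRS for part in parts[:-1]):
            continue  # item 1: ignore anything under a vendored directory
        names_by_dir.setdefault("/".join(parts[:-1]) or ".", set()).add(parts[-1])
    found = set()
    for d, names in names_by_dir.items():
        per_eco = {}  # one manager per ecosystem per directory
        for cfg, (default, eco, variants) in CONFIG_FILES.items():
            if cfg in names:
                chosen = next((v for lock, v in variants.items() if lock in names), default)
                if chosen != default or eco not in per_eco:  # item 2: a lockfile variant wins
                    per_eco[eco] = chosen
        if any(n.endswith(".xcodeproj") for n in names):  # Xcode-managed SwiftPM dependencies
            per_eco["Swift"] = "Swift Package Manager"
        found.update((d, mgr, eco) for eco, mgr in per_eco.items())
    return sorted(found)
def detect_package_managers(root):
    """Walk a real tree; *.xcodeproj bundles are listed as entries, vendored paths filtered above."""
    return detect_from_paths(Path(dp, n).relative_to(root).as_posix()
                             for dp, dns, fns in os.walk(root)
                             for n in fns + [d for d in dns if d.endswith(".xcodeproj")])
def next_action(found):
    """Items 3-5: proceed, ask the user via AskUserQuestion, or stop."""
    if not found: return "stop: no package manager found"
    if len(found) > len({mgr for _, mgr, _ in found}):
        return "ask: several instances of one package manager (multiSelect)"
    return "ask: several package managers" if len(found) > 1 else "proceed"
```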

Step 2: Discovery

Run the appropriate discovery command to find available updates:
| Package manager | Discovery command | Notes |
| --- | --- | --- |
| npm | `ncu --format group` | Requires `npm-check-updates`. Suggest `npm install -g npm-check-updates` if missing. |
| yarn | `ncu --format group` or `yarn upgrade-interactive` | |
| pnpm | `ncu --format group` or `pnpm outdated` | |
| Swift PM | Check resolved versions in `Package.resolved` against latest releases via WebSearch | No built-in outdated command. Read `Package.swift` or inspect the Xcode project to identify dependencies and their current version constraints. |
| pip | `pip list --outdated` | |
| poetry | `poetry show --outdated` | |
| uv | `uv pip list --outdated` | |
| cargo | `cargo outdated` | Requires `cargo-outdated`. Fall back to comparing `Cargo.toml` versions via WebSearch. |
| Go modules | `go list -m -u all` | |
| Bundler | `bundle outdated` | |
| Maven | `mvn versions:display-dependency-updates` | |
| Gradle | `gradle dependencyUpdates` | Requires the `com.github.ben-manes.versions` plugin. |

Categorize updates:
  • Major (breaking changes) — requires migration research
  • Minor (new features, backward compatible)
  • Patch (bug fixes)

Step 3: Report Findings

If the discovery tool is not installed, suggest the installation command (see Step 2 notes column). If no tool exists for the ecosystem, fall back to manual version checking via WebSearch.
If no updates are available, report that dependencies are up to date.

Output Format

Return findings as a numbered list. For each finding:

```
[P<N>] <title (imperative, <=80 chars)>
Package: <name> <current> -> <latest> Manager: <npm/pip/cargo/etc.>
<one paragraph: why this matters, known vulnerabilities if any, major version gap>
```

After all findings, add:

```
Overall Verdict
Dependencies: <up to date | updates available>
<summary with counts: N major, N minor, N patch>
```

Priority Levels

  • P0 — Known security vulnerability (CVE) in the current version
  • P1 — Multiple major versions behind (e.g., React 17 → 19)
  • P2 — One major version behind or significantly outdated minor versions
  • P3 — Minor or patch updates available
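As an added example that is not part of the original skill, the following Python turns the Step 2 update categories, the priority levels above and the output format into code: `categorize` decides major/minor/patch, `priority` assigns P0-P3, and `format_finding` / `overall_verdict` render the report. `has_cve` is supplied by the caller (the advisory lookup is out of scope here), and `stale_minor_gap` is an assumed cut-off for "significantly outdated minor versions"; all names are hypothetical.

```python
import re
SEMVER = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")  # "v" prefix, 2-3 numeric parts, suffix ignored

def parse_version(text):
    """Return (major, minor, patch); raise on strings this checker cannot classify."""
    m = SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def categorize(current, latest):
    """Step 2 categories: 'major', 'minor', 'patch', or None when already current."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "patch"

def priority(current, latest, has_cve=False, stale_minor_gap=5):
    """P0-P3 as defined above; has_cve comes from the caller, stale_minor_gap is an assumed cut-off."""
    if has_cve:
        return "P0"  # a known CVE in the current version outranks any version gap
    if categorize(current, latest) is None:
        return None
    cur, new = parse_version(current), parse_version(latest)
    if new[0] - cur[0] >= 2:
        return "P1"
    if new[0] - cur[0] == 1 or new[1] - cur[1] >= stale_minor_gap:
        return "P2"
    return "P3"

def format_finding(pkg, current, latest, manager, why, has_cve=False):
    """One finding in the output format above; the title is capped at 80 characters."""
    title = f"Update {pkg} {current} -> {latest} ({categorize(current, latest)})"[:80]
    return (f"[{priority(current, latest, has_cve)}] {title}\n"
            f"Package: {pkg} {current} -> {latest} Manager: {manager}\n{why}")

def overall_verdict(pairs):
    """Closing block with counts, over (current, latest) pairs."""
    counts = {"major": 0, "minor": 0, "patch": 0}
    for cur, new in pairs:
        cat = categorize(cur, new)
        if cat:
            counts[cat] += 1
    state = "updates available" if any(counts.values()) else "up to date"
    return (f"Overall Verdict\nDependencies: {state}\n"
            f"{counts['major']} major, {counts['minor']} minor, {counts['patch']} patch")
```

Feed it the current/latest pairs reported by the Step 2 discovery commands together with the CVE flag from your advisory source; the numbered list is then one `format_finding` per package followed by `overall_verdict`.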