Best use case
Dependency Updater is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using Dependency Updater should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/dependency-updater/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How Dependency Updater Compares
| Feature / Agent | Dependency Updater | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
It analyzes your project's dependency tree to find outdated packages, known vulnerabilities, and breaking API changes, and produces a prioritized upgrade plan with specific migration steps.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Dependency Updater
## Overview
This skill analyzes your project's dependency tree to find outdated packages, known vulnerabilities, and breaking API changes. It produces a prioritized upgrade plan with specific migration steps, ordered to minimize risk and maximize safety.
## Instructions
### 1. Parse the Dependency File
- Read `package.json` + lockfile (npm/yarn/pnpm), `requirements.txt`/`pyproject.toml`, or `go.mod`
- List all direct dependencies with current pinned versions
- Note version constraints (^, ~, exact, ranges)
### 2. Check Each Package
For each dependency:
- **Latest version**: What's available on the registry
- **Version gap**: How many major/minor/patch versions behind
- **Security**: Known CVEs from npm audit, Snyk, or GitHub Advisory Database
- **Maintenance**: Last publish date, open issues count, whether it's deprecated
- **Breaking changes**: Read CHANGELOG.md or GitHub releases for breaking change notes between current and latest
### 3. Classify by Risk
Group packages into four tiers:
- **Critical**: Known CVE with severity HIGH or CRITICAL — update immediately
- **Major**: Major version bump with confirmed breaking API changes — needs migration
- **Minor**: Minor/patch updates with no breaking changes — safe to batch update
- **Stale**: Package unmaintained (no release in >12 months) — consider replacement
### 4. Scan for Impact
For Major-tier packages:
- Read the changelog/migration guide for the new version
- Search the codebase for imports and usages of changed APIs
- List affected files with line numbers
- Estimate effort: how many patterns need changing and whether they're automatable
### 5. Generate Upgrade Plan
Produce an ordered plan:
1. Critical (CVE fixes) first — usually patch-level, zero code changes
2. Minor/patch batch — single `npm update` command
3. Each Major upgrade individually, with:
   - Exact install command (`npm install package@version`)
   - Code changes needed (as diffs when possible)
   - Test commands to verify
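The five steps above, carried through as a small Python audit as an added example (not code from the skill itself). It assumes a constructed `package.json` and constructed registry metadata (latest version, last publish date, advisory severities) standing in for what step 2 would gather, and it treats any semver major bump as MAJOR until the changelog review in step 4 confirms otherwise:

```python
import json
from datetime import date

# Constructed sample input (not real registry data): a trimmed package.json plus the
# per-package facts the skill gathers in step 2 (latest version, last publish, advisories).
PACKAGE_JSON = json.loads('{"dependencies": {"lodash": "^4.17.20", "express": "~4.18.2", '
                          '"request": "2.88.2", "debug": "^4.3.1"}}')
REGISTRY = {
    "lodash":  {"latest": "4.17.21", "last_publish": "2021-02-20", "advisories": [("CVE-2021-23337", "HIGH")]},
    "express": {"latest": "5.0.0", "last_publish": "2024-09-10", "advisories": []},
    "request": {"latest": "2.88.2", "last_publish": "2020-02-11", "advisories": []},
    "debug":   {"latest": "4.3.4", "last_publish": "2024-06-01", "advisories": []},
}

def version_gap(spec, latest):
    """Strip ^/~ from the constraint and name the first semver part that differs, or None."""
    parts = lambda v: tuple(int(p) for p in v.lstrip("^~").split("."))
    for label, a, b in zip(("major", "minor", "patch"), parts(spec), parts(latest)):
        if a != b:
            return label
    return None

def classify(spec, meta, today):
    """Apply the skill's tiers in order: HIGH/CRITICAL CVE, then major bump, then staleness."""
    if any(sev in ("HIGH", "CRITICAL") for _, sev in meta["advisories"]):
        return "CRITICAL"
    gap = version_gap(spec, meta["latest"])
    if gap == "major":  # assumption: a semver major is breaking until the changelog (step 4) says otherwise
        return "MAJOR"
    if (today - date.fromisoformat(meta["last_publish"])).days > 365:
        return "STALE"   # no release in >12 months and no CVE: stale, not critical
    return "MINOR" if gap else "CURRENT"

def audit(pkg_json, registry, today=date(2024, 12, 1)):
    """Group direct dependencies by tier, keeping package.json order within each tier."""
    tiers = {t: [] for t in ("CRITICAL", "MAJOR", "MINOR", "STALE", "CURRENT")}
    for name, spec in pkg_json["dependencies"].items():
        tiers[classify(spec, registry[name], today)].append(name)
    return tiers

def upgrade_plan(tiers, registry):
    """Order the plan as step 5 does: CVE fixes, then the minor batch, then each major alone."""
    steps = []
    if tiers["CRITICAL"]:
        steps.append("npm install " + " ".join(f"{n}@{registry[n]['latest']}" for n in tiers["CRITICAL"]))
    if tiers["MINOR"]:
        steps.append("npm update")
    steps += [f"npm install {n}@{registry[n]['latest']} (apply migration diffs, then run npm test)"
              for n in tiers["MAJOR"]]
    steps += [f"replace {n} (no release in >12 months) in a separate PR" for n in tiers["STALE"]]
    return steps
```

Running `upgrade_plan(audit(PACKAGE_JSON, REGISTRY), REGISTRY)` yields the four-step order shown in Example 1 below: the lodash CVE fix, the minor batch, the express major on its own, and the request replacement last.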
## Examples
### Example 1: Node.js Project Audit
**Input**: User provides package.json with 94 dependencies.
**Output**:
```
Dependency Audit — 94 packages

CRITICAL (2 packages):
  lodash 4.17.20 → 4.17.21
    CVE-2021-23337 (Command Injection, HIGH)
    Fix: npm install lodash@4.17.21 (patch, no code changes)
  node-fetch 2.6.1 → 2.6.13
    CVE-2022-0235 (Information Exposure, MEDIUM)
    Fix: npm install node-fetch@2.6.13 (patch, no code changes)

MAJOR (1 package):
  express 4.18.2 → 5.0.0
    Breaking: req.host now returns host without port
    Breaking: app.del() removed, use app.delete()
    Affected files: src/server.ts:45 (uses req.host), src/routes/legacy.ts:12 (uses app.del)
    Migration effort: Low — 2 files, 2 line changes

MINOR (18 packages):
  Can be batch-updated: npm update (no breaking changes detected)

STALE (1 package):
  request 2.88.2 — DEPRECATED, last release Feb 2020
    Recommended replacement: undici or node-fetch
    Used in: src/lib/http-client.ts (3 call sites)

Upgrade Order:
  Step 1: npm install lodash@4.17.21 node-fetch@2.6.13
  Step 2: npm update
  Step 3: npm install express@5.0.0 (apply 2 code changes first)
  Step 4: Replace request with undici (separate PR recommended)
```
### Example 2: Python Requirements
**Input**: User provides requirements.txt with pinned versions.
**Output**:
```
Dependency Audit — 23 packages

CRITICAL:
  django==3.2.18 → 3.2.25
    CVE-2024-24680 (DoS via intcomma, MEDIUM)
    Fix: pip install django==3.2.25 (patch within same minor)

MAJOR:
  django==3.2.25 → 5.0.6 (if full upgrade desired)
    Breaking: DEFAULT_AUTO_FIELD must be set explicitly
    Breaking: url() removed, use path()
    Affected: 8 files in urls/, settings.py
```
## Guidelines
- Never recommend upgrading all major versions at once — one at a time, with tests between each
- For monorepos, check if packages have peer dependency conflicts before recommending upgrades
- If a package is deprecated with no CVE, it's STALE not CRITICAL — don't panic the user
- Always check if the project has a test suite (`npm test`, `pytest`) and recommend running it after each step
- When generating diffs, use the project's actual code, not generic examples
- For workspaces/monorepos, note which workspace each dependency belongs to
Related Skills
dependency-vulnerability-checker
Dependency Vulnerability Checker - Auto-activating skill for Security Fundamentals. Triggers on: dependency vulnerability checker. Part of the Security Fundamentals skill category.
data-catalog-updater
Data Catalog Updater - Auto-activating skill for Data Pipelines. Triggers on: data catalog updater. Part of the Data Pipelines skill category.
dependency-upgrade
Manage major dependency version upgrades with compatibility analysis, staged rollout, and comprehensive testing. Use when upgrading framework versions, updating major dependencies, or managing breaking changes in libraries.
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
dependency-security
Enforce dependency security scanning and SBOM generation. Use when adding dependencies, reviewing package.json, or during security audits. Covers OWASP dependency check, npm audit, and supply chain security.
when-mapping-dependencies-use-dependency-mapper
Comprehensive dependency mapping, analysis, and visualization tool for software projects
dependency-auditor
Automated security auditing of project dependencies to identify known vulnerabilities.
dependency-audit-assistant
Reviews package dependencies for security vulnerabilities, outdated versions, and license compliance. Use when user asks about dependencies, security audits, or before releases.
dependency-sync
Detect new imports in modified files and auto-install missing dependencies. Works with npm, uv, pip, cargo, go mod, and other package managers. Triggers after code implementation to keep manifests in sync.
blocklet-updater
Creates a new release for a blocklet project by bumping version, building, and bundling. Use when asked to "create a new release", "bump and bundle", or "update blocklet version".
add-dependency
Add a new third-party dependency to the project following the version catalog and approval workflow.
dependency-management
Dependency management specialist. Use when updating dependencies, scanning for vulnerabilities, analyzing dependency trees, or ensuring license compliance. Handles npm, pip, maven, and other package managers.