bump-dependencies
Bump or upgrade declared dependency versions in this pnpm workspace (root and packages/* package.json), with supply-chain checks before and after install. Use when the user asks to upgrade, bump, or refresh npm dependencies in manifests—not only the lockfile.
Best use case
bump-dependencies is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using bump-dependencies should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/bump-dependencies/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
Bump or upgrade declared dependency versions in this pnpm workspace (root and packages/* package.json), with supply-chain checks before and after install. Use when the user asks to upgrade, bump, or refresh npm dependencies in manifests—not only the lockfile.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Bump dependencies

Apply the following scope and intent: $ARGUMENTS

## Monorepo conventions

- Use **pnpm** from the **repository root** unless you are only running `npm-check-updates` inside a package directory; then return to the root for `pnpm install`.
- After any change to a workspace or root `package.json`, run **`pnpm install`** at the root so [`pnpm-lock.yaml`](../../pnpm-lock.yaml) stays consistent.

## Workspace packages and manifests

| Directory | `pnpm --filter` name | Manifest |
| --- | --- | --- |
| `packages/common` | `@llmops-demo/common` | [`packages/common/package.json`](../../packages/common/package.json) |
| `packages/agents` | `@llmops-demo-ts/agents` | [`packages/agents/package.json`](../../packages/agents/package.json) |
| `packages/backend` | `@llmops-demo-ts/backend` | [`packages/backend/package.json`](../../packages/backend/package.json) |
| `packages/frontend` | `@llmops-demo-ts/frontend` | [`packages/frontend/package.json`](../../packages/frontend/package.json) |
| (root) | — | [`package.json`](../../package.json) |

## Why `pnpm up -r -L` may not change `package.json`

Caret ranges (`^x.y.z`) often already allow the latest compatible release. pnpm can update the lockfile **without** rewriting `package.json`. To **raise declared versions** in a manifest, use **targeted `pnpm add`**, **`npm-check-updates`**, or **manual edits** plus root `pnpm install`.

## Commands by package

### `@llmops-demo/common`

```bash
pnpm --filter @llmops-demo/common add @langchain/core@latest @google/genai@latest
pnpm --filter @llmops-demo/common add -D jest@latest
```

```bash
cd packages/common && npx npm-check-updates -u
cd ../.. && pnpm install
```

```bash
cd packages/common && npx npm-check-updates -u -f '/@langchain/'
cd ../.. && pnpm install
```

### `@llmops-demo-ts/agents`

```bash
pnpm --filter @llmops-demo-ts/agents add @langchain/core@latest @langchain/langgraph@latest
pnpm --filter @llmops-demo-ts/agents add -D typescript@latest
```

```bash
cd packages/agents && npx npm-check-updates -u
cd ../.. && pnpm install
```

```bash
cd packages/agents && npx npm-check-updates -u -f '/@langchain/'
cd ../.. && pnpm install
```

LangGraph / SDK release notes: [langgraphjs releases](https://github.com/langchain-ai/langgraphjs/releases).

### `@llmops-demo-ts/backend`

`tsoa` and `@tsoa/runtime` are pinned to **`7.0.0-alpha.0`**. Treat upgrades as **explicit** (read release notes, run backend build).

```bash
pnpm --filter @llmops-demo-ts/backend add express@latest @langchain/core@latest
pnpm --filter @llmops-demo-ts/backend add -D typescript@latest
```

```bash
cd packages/backend && npx npm-check-updates -u
cd ../.. && pnpm install
```

### `@llmops-demo-ts/frontend`

```bash
pnpm --filter @llmops-demo-ts/frontend add vue@latest pinia@latest
pnpm --filter @llmops-demo-ts/frontend add -D vite@latest
```

```bash
cd packages/frontend && npx npm-check-updates -u
cd ../.. && pnpm install
```

### Root `package.json`

```bash
npx npm-check-updates -u
pnpm install
```

Or for specific devDependencies: `pnpm add -D <package>@latest` at the repo root, then `pnpm install`.

**Manual edit:** change version strings in the relevant `package.json`, then `pnpm install` at the root. Always **review the diff** before committing (especially the lockfile and new package names).

## Supply-chain checks (before upgrade or install)

Run these **before** `pnpm add`, `pnpm install`, or bulk `ncu` when they will pull new registry versions. They reduce typosquatting, unexpected packages, and “install first, think later” risk; they do not guarantee absence of compromise.

1. **Baseline the current tree:** `pnpm audit` (and `pnpm run audit:osv` if available) on the branch **before** changing manifests, so you know pre-existing vs new findings after the bump.
2. **Validate every package name you type or approve:** Compare spelling to **official** docs or the maintainer’s install instructions (typosquats often differ by one character or scope).
3. **Prefer scoped packages from known publishers** (e.g. `@langchain/*`, `@google/*`) when that matches the ecosystem; question unsolicited substitutes with similar names.
4. **Inspect metadata before trusting a new or unfamiliar package:** e.g. `pnpm view <name> version repository homepage` — confirm the repository URL matches the project you expect.
5. **Avoid new `git:` / tarball / non-registry URLs** unless explicitly approved for this repo; stick to the default npm registry.
6. **Bulk upgrades (`ncu -u`, “bump all”):** Treat as higher risk—scan the planned version list; skip or manually review anything that introduces a **new** dependency name or a suspicious major jump.
7. **`npx` helpers:** Prefer pinned invocations (`npx npm-check-updates@<version> -u`) if you want less drift from a moving global tool; understand `npx` may download a package.

Then run the **execution commands** above for the chosen scope. After `pnpm install`, run the **post-change** gate below.

## Coordination rules

- **`@langchain/*`:** Declared in **common**, **agents**, and **backend**. When upgrading LangChain, bump those packages **together** when possible so the lockfile stays consistent.
- **`workspace:*`:** Do not replace internal workspace dependencies with registry versions.
- **Backend `tsoa` / `@tsoa/runtime`:** Pinned to **`7.0.0-alpha.0`**. Treat upgrades as **explicit**—read upstream release notes and run the backend build; do not blind bulk-bump without review.

## Supply-chain gate (after lockfile changes)

1. Re-run `pnpm audit` and `pnpm run audit:osv` (or `osv-scanner scan -r .`); compare to the **pre-change** baseline.
2. Review **`git diff pnpm-lock.yaml`** for unexpected **new package names** or version jumps (typosquats, dependency confusion, surprising transitives). Use `pnpm why <name>` if something looks wrong.
3. Respect existing [`pnpm.overrides`](../../package.json) when interpreting audit results; document any new override rationale if you add one.
4. Root scripts: `pnpm run audit:supply-chain` runs `pnpm audit`; `pnpm run audit:osv` runs OSV Scanner when installed. If `osv-scanner` is missing, install it from [OSV Scanner](https://google.github.io/osv-scanner/) for `pnpm audit:osv`.

## Verification (after any dependency bump)

From the repo root:

```bash
pnpm install
pnpm build
pnpm test
pnpm audit:supply-chain
pnpm audit:osv
```

If `osv-scanner` is not installed, run `pnpm audit` and install the scanner for `pnpm audit:osv`.

If **frontend** e2e tests fail for missing browsers (after a Playwright upgrade or fresh machine):

```bash
pnpm run install:playwright
```

Playwright is only installed under **`@llmops-demo-ts/frontend`**. Do not run `pnpm exec playwright` from the repo root.

To open the last HTML report from the root:

```bash
pnpm run playwright:report
```

## Automation

Ongoing version PRs: [`.github/dependabot.yml`](../../.github/dependabot.yml). Enable **Dependabot security updates** in the GitHub repo settings where applicable. Review **CI**, lockfile diffs, and supply-chain checks before merging those PRs.
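The lockfile review in the post-change gate (new package names, suspicious major jumps) and the "no new git/tarball URLs" check from the pre-install list can be mechanised. The Node script below is an added example, not part of the SKILL.md or the project; it assumes pnpm lockfile v6/v9 key shapes under `packages:` (`/name@1.2.3:` or `'@scope/name@1.2.3':`) and runs against constructed sample fragments instead of real project files.

```javascript
// Constructed sample lockfile fragments (not real project data) so the script runs offline.
const SAMPLE_BEFORE = `lockfileVersion: '9.0'
packages:
  '@langchain/core@0.2.9':
    resolution: {integrity: sha512-constructed}
  express@4.19.2:
`;
const SAMPLE_AFTER = `lockfileVersion: '9.0'
packages:
  '@langchain/core@0.3.1':
  express@5.0.0:
  unexpected-helper@1.0.0:
  'left-pad@https://example.invalid/left-pad.tgz':
    resolution: {tarball: https://example.invalid/left-pad.tgz}
`;

// Collect name -> Set(version) from the top-level `packages:` section of a lockfile.
function parseLockPackages(text) {
  const found = new Map(); let inPackages = false;
  for (const raw of text.split('\n')) {
    if (/^packages:\s*$/.test(raw)) { inPackages = true; continue; }
    if (/^\S/.test(raw)) inPackages = false;            // another top-level section
    if (!inPackages || !/^ {2}\S/.test(raw)) continue;  // entry keys are 2-space indented
    let key = raw.trim().replace(/:$/, '').replace(/^'(.*)'$/, '$1').replace(/^\//, '');
    key = key.replace(/\(.*$/, '');                      // drop peer suffix "(react@18.2.0)"
    const at = key.indexOf('@', 1);                      // skip the leading "@" of a scope
    const name = key.slice(0, at), version = key.slice(at + 1);
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  }
  return found;
}

const major = (v) => { const m = /^(\d+)\./.exec(v); return m ? Number(m[1]) : null; };
const maxMajor = (vs) => Math.max(-1, ...[...vs].map(major).filter((x) => x !== null));
// Flag new names, major jumps and non-registry resolutions, as the post-change gate asks.
function triageLockfileDiff(oldText, newText) {
  const before = parseLockPackages(oldText), after = parseLockPackages(newText);
  const report = { newNames: [], majorJumps: [], nonRegistry: [] };
  for (const [name, versions] of after) {
    for (const v of versions)     // not plain semver: git+, tarball URL, link:, file:
      if (!/^\d+\.\d+\.\d+/.test(v)) report.nonRegistry.push(`${name}@${v}`);
    if (!before.has(name)) { report.newNames.push(name); continue; }
    const from = maxMajor(before.get(name)), to = maxMajor(versions);
    if (from >= 0 && to > from) report.majorJumps.push({ name, from, to });
  }
  return report;
}
console.log(JSON.stringify(triageLockfileDiff(SAMPLE_BEFORE, SAMPLE_AFTER), null, 2));
```

On a real branch, feed it the `git show HEAD:pnpm-lock.yaml` output and the working-tree file; anything it lists still needs the `pnpm why <name>` and release-notes review the gate describes.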
Related Skills
write-tests
Write unit tests, integration tests, or E2E tests for code. Use after implementing a feature or when test coverage is needed.
write-requirements
Write user stories, acceptance criteria, and technical requirements for a feature or change. Use when defining what needs to be built.
security-audit
Perform a security audit of the codebase. Checks for OWASP Top 10, AI-specific vulnerabilities, dependency issues, and configuration problems.
review-code
Review code changes for quality, security, and adherence to project conventions. Use after making code changes or when reviewing a pull request.
research
Research and gather reliable information about libraries, APIs, specifications, and best practices. Use when you need to understand external documentation before planning or implementing a feature.
plan-task
Create a structured implementation plan for a feature, refactoring, or multi-step task. Use as the first step in the pipeline before /orchestrate. Produces a plan that the orchestrator can turn into a delegation plan.
orchestrate
Produce a structured delegation plan for parallel agent execution. Takes a task description or plan output, analyzes dependencies, assigns agents, and groups tasks for parallel execution. Use after /plan-task or when you need to plan how to delegate work across agents.
implement-feature
Implement a feature or fix a bug following the project's TypeScript patterns and conventions. Use when code changes are needed.
design-component
Design a UI component with specifications for layout, states, interactions, and accessibility. Use when creating new Vue.js components or redesigning existing ones.
deploy
Deploy the application or manage infrastructure. Handles Docker builds, CI/CD, and deployment workflows.
compliance-check
Check license compatibility, data privacy compliance, and AI ethics. Use when adding dependencies, handling user data, or reviewing regulatory requirements.
security-scanning-security-dependencies
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across multiple ecosystems to identify vulnerabilities, assess risks, and provide automated remediation strategies.