internal/skills/content/dependency-update/SKILL.md
Safe dependency update workflow. Use when upgrading packages, resolving vulnerability alerts, updating major versions, or auditing dependency health across project ecosystems.
Install (works with Claude Code, Cursor, and Windsurf):

```bash
npx skillsauth add ar4mirez/samuel dependency-update
```
Safe and systematic dependency updates with vulnerability management, license checking, and rollback planning.
| Trigger | Priority | Description |
|---------|----------|-------------|
| Security Vulnerability | Critical | Known CVE in dependency |
| Monthly Maintenance | High | Regular update cycle |
| Major Version | Medium | New major version available |
| Pre-Release | High | Before production deployments |
| Breaking Bug | Critical | Bug in current dependency |
| Type | Risk | Frequency | Testing |
|------|------|-----------|---------|
| Patch (x.x.1) | Low | Weekly/Auto | Basic |
| Minor (x.1.0) | Low-Medium | Monthly | Standard |
| Major (1.0.0) | High | Quarterly | Comprehensive |
```
MAJOR.MINOR.PATCH
│     │     │
│     │     └── Bug fixes (backward compatible)
│     └──────── New features (backward compatible)
└────────────── Breaking changes
```
Before starting:
```
Phase 1: Audit Dependencies
        ↓
Phase 2: Check Vulnerabilities
        ↓
Phase 3: Check License Compatibility
        ↓
Phase 4: Plan Updates
        ↓
Phase 5: Execute Updates
        ↓
Phase 6: Test & Validate
        ↓
Phase 7: Document & Deploy
```
List outdated dependencies using ecosystem-specific tools (`cargo outdated` is a third-party subcommand, installed with `cargo install cargo-outdated`):

```bash
# Node.js
npm outdated
# Python
pip list --outdated
# Go
go list -u -m all
# Rust
cargo outdated
# Ruby
bundle outdated
```
Create update inventory prioritizing direct dependencies over transitive ones.
Run security audits. `pip-audit`, `cargo audit` and `bundle audit` are separate tools (`pip install pip-audit`, `cargo install cargo-audit`, `gem install bundler-audit`), and `govulncheck` is installed with `go install golang.org/x/vuln/cmd/govulncheck@latest`:

```bash
# Node.js
npm audit
# Python
pip-audit          # or: safety check
# Go
govulncheck ./...
# Rust
cargo audit
# Ruby
bundle audit check
```
Prioritize by severity: Critical (hours) → High (days) → Moderate (weeks) → Low (monthly).
Check licenses before adding a dependency, and again on major bumps, since projects do relicense between major versions:

```bash
# Node.js
npx license-checker --summary
# Python
pip-licenses
```

Flag for legal review: GPL-3.0, AGPL-3.0, SSPL, and anything with no license at all (no license grants no permission to redistribute). Generally safe for permissive use: MIT, Apache-2.0, BSD, ISC. Treat this list as a default; what is actually acceptable depends on how your own project is licensed and distributed.
Priority: Security → Patches → Minor → Major
Update strategies:
Create update plan grouping by priority and risk level.
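Phases 1 to 4 above reduce to a triage: order vulnerabilities Critical to Low with direct dependencies first, attach the remediation window, then queue the remaining outdated packages Patch, Minor, Major with the risk and testing level from the update-type table. The following is an added example, not part of the skill itself: it runs that triage over two hand-built dicts shaped like `npm audit --json` (npm 7 and later) and `npm outdated --json`. Every package name, version and severity in the samples is invented, and `sample-app` is an assumed project name.

```python
"""Phases 1-4 of the workflow over constructed audit output.

Added example, not part of the skill. SAMPLE_AUDIT and SAMPLE_OUTDATED are
hand-built dicts mimicking `npm audit --json` and `npm outdated --json`;
every package, version and severity in them is invented.
"""
import re

# Phase 2 remediation windows and ordering.
SLA = {"critical": "hours", "high": "days", "moderate": "weeks", "low": "monthly"}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}
# Phase 4 ordering for non-security updates, with risk/testing level per bump type.
BUMP_RANK = {"patch": 0, "minor": 1, "major": 2}
RISK = {"patch": ("low", "basic"), "minor": ("low-medium", "standard"), "major": ("high", "comprehensive")}
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample: the subset of `npm audit --json` fields this triage uses.
SAMPLE_AUDIT = {
    "vulnerabilities": {
        "json-utils": {"severity": "high", "isDirect": True, "range": "<2.4.1",
                       "fixAvailable": {"name": "json-utils", "version": "2.4.1", "isSemVerMajor": False}},
        "cli-args": {"severity": "critical", "isDirect": False, "range": "<1.2.6",
                     "fixAvailable": {"name": "cli-args", "version": "1.2.6", "isSemVerMajor": False}},
        "legacy-auth": {"severity": "moderate", "isDirect": True, "range": "<3.0.0",
                        "fixAvailable": {"name": "legacy-auth", "version": "3.0.0", "isSemVerMajor": True}},
        "str-pad": {"severity": "low", "isDirect": False, "range": "*", "fixAvailable": False},
    }
}
# Constructed sample: `npm outdated --json` for the same project ("sample-app").
SAMPLE_OUTDATED = {
    "json-utils": {"current": "2.4.0", "wanted": "2.4.1", "latest": "2.4.1", "dependent": "sample-app"},
    "log-fmt": {"current": "4.3.4", "wanted": "4.3.5", "latest": "4.3.5", "dependent": "sample-app"},
    "http-router": {"current": "4.18.1", "wanted": "4.19.2", "latest": "4.19.2", "dependent": "sample-app"},
    "term-color": {"current": "4.1.2", "wanted": "4.1.2", "latest": "5.3.0", "dependent": "sample-app"},
}


def bump_type(current: str, target: str) -> str:
    """Classify current -> target as patch/minor/major per MAJOR.MINOR.PATCH.
    Returns 'none' when target is not newer and 'unknown' for unparseable versions."""
    a, b = SEMVER_RE.match(current), SEMVER_RE.match(target)
    if not a or not b:
        return "unknown"
    cur, tgt = tuple(map(int, a.groups())), tuple(map(int, b.groups()))
    if tgt <= cur:
        return "none"
    if tgt[0] != cur[0]:
        return "major"
    if tgt[1] != cur[1]:
        return "minor"
    return "patch"


def triage_vulnerabilities(audit: dict) -> list:
    """Phase 2: one row per vulnerable package, Critical -> Low, direct deps before transitive."""
    rows = []
    for name, v in audit.get("vulnerabilities", {}).items():
        fix = v.get("fixAvailable")  # False, True, or {name, version, isSemVerMajor}
        rows.append({
            "package": name,
            "reason": "security",
            "severity": v["severity"],
            "sla": SLA.get(v["severity"], "monthly"),
            "direct": bool(v.get("isDirect")),
            "target": fix["version"] if isinstance(fix, dict) else None,
            "breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            # A vulnerability with no fix still needs a decision, not a skipped row.
            "action": "upgrade" if fix else "no fix available: mitigate, replace or remove",
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), not r["direct"], r["package"]))
    return rows


def inventory_outdated(outdated: dict, project: str, skip: set) -> list:
    """Phases 1 and 4: classify remaining outdated packages, Patch -> Minor -> Major, direct first."""
    rows = []
    for name, o in outdated.items():
        if name in skip:  # already scheduled as a security fix
            continue
        bump = bump_type(o["current"], o["latest"])
        if bump not in BUMP_RANK:
            continue
        risk, testing = RISK[bump]
        rows.append({"package": name, "reason": "outdated", "current": o["current"],
                     "target": o["latest"], "bump": bump, "risk": risk, "testing": testing,
                     "direct": o.get("dependent") == project})
    rows.sort(key=lambda r: (BUMP_RANK[r["bump"]], not r["direct"], r["package"]))
    return rows


def build_plan(audit: dict, outdated: dict, project: str) -> list:
    """Phase 4 plan: Security -> Patches -> Minor -> Major."""
    security = triage_vulnerabilities(audit)
    return security + inventory_outdated(outdated, project, {r["package"] for r in security})


if __name__ == "__main__":
    for row in build_plan(SAMPLE_AUDIT, SAMPLE_OUTDATED, "sample-app"):
        print(row)
```

Feed it real output with `npm audit --json > audit.json` and `npm outdated --json > outdated.json` and `json.load` the files in place of the samples; the `fixAvailable: false` branch is the case worth keeping, since a vulnerability without a published fix disappears from a naive "upgrade everything" plan.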
Create branch: git checkout -b chore/dependency-updates-YYYY-MM
Update commands by ecosystem. Note that `npm update` and `cargo update` only move within the ranges declared in package.json / Cargo.toml; crossing a major version takes an explicit install or a manifest edit:

```bash
# Individual
npm install pkg@ver
pip install pkg==ver
go get pkg@ver
# Batch
npm update
pip install -U pkg1 pkg2
go get -u ./...
cargo update
```
Verify lock files updated. Commit with descriptive messages following conventional commits.
Run comprehensive validation (tests, type check, lint, build):

```bash
# Node.js
npm test && npm run typecheck && npm run lint && npm run build
# Python
pytest && mypy . && ruff check .
# Go
go test ./... && golangci-lint run && go build ./...
# Rust
cargo test && cargo check && cargo clippy && cargo build --release
```
For major updates, verify critical paths manually.
Create PR documenting:
Deploy: Dev → Staging → Production (with validation at each stage).
Rollback depends on whether the update has already been committed:

```bash
# Uncommitted updates: discard the manifest and lock changes, reinstall from the lock
# (npm ci installs exactly what the lock records; npm install may re-resolve)
git checkout package.json package-lock.json
npm install

# Committed updates: revert the commit so history records the rollback
git revert <update-commit-hash>
npm install

# Then redeploy the reverted commit through the same Dev -> Staging -> Production pipeline
```
To stay on a known-good version, pin it in package.json and force transitive dependents onto the same version. The override field is package-manager specific: Yarn reads `resolutions` (shown here), npm 8.3 and later reads `overrides`, and pnpm reads `pnpm.overrides`. package.json must remain valid JSON, so it cannot carry comments:

```json
{
  "dependencies": {
    "problematic-package": "1.2.3"
  },
  "resolutions": {
    "problematic-package": "1.2.3"
  }
}
```

The `dependencies` entry pins the direct dependency to an exact version; the `resolutions` entry forces every transitive copy to the same version. After editing, reinstall and confirm the lock file contains no other version of the package.
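Pinning in the manifest is only half of the rollback; the lock file has to agree, which is also the "verify lock files updated" check from Phase 5. The following is an added example, not the skill's own code: it writes the pin plus the manager-specific override (`overrides` for npm 8.3+, `resolutions` for Yarn, `pnpm.overrides` for pnpm) into a constructed package.json, then scans a constructed lockfileVersion 3 package-lock.json for any copy of the package that still resolves to another version. Package names and versions are invented.

```python
"""Pin a package in package.json and confirm the lock file honours the pin.

Added example, not the skill's own code. SAMPLE_PACKAGE_JSON and SAMPLE_LOCK
are constructed; package names and versions are invented.
"""
import copy
import json

# Where each package manager looks for transitive-dependency overrides.
OVERRIDE_PATH = {"npm": ("overrides",), "yarn": ("resolutions",), "pnpm": ("pnpm", "overrides")}

# Constructed package.json: "cli-args" is a direct dependency and also pulled in transitively.
SAMPLE_PACKAGE_JSON = {
    "name": "sample-app",
    "dependencies": {"http-router": "^4.19.2", "cli-args": "^1.2.0"},
}

# Constructed lockfileVersion 3 package-lock.json: http-router still nests an older cli-args.
SAMPLE_LOCK = {
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"http-router": "^4.19.2", "cli-args": "^1.2.0"}},
        "node_modules/cli-args": {"version": "1.2.6"},
        "node_modules/http-router": {"version": "4.19.2", "dependencies": {"cli-args": "^1.2.0"}},
        "node_modules/http-router/node_modules/cli-args": {"version": "1.2.5"},
    },
}


def pin_package(pkg_json: dict, name: str, version: str, manager: str) -> dict:
    """Return a copy of package.json with `name` pinned exactly and overridden for transitives."""
    if manager not in OVERRIDE_PATH:
        raise ValueError(f"unknown package manager: {manager}")
    out = copy.deepcopy(pkg_json)
    # Exact pin on the direct dependency, wherever it is declared.
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        if name in out.get(section, {}):
            out[section][name] = version
    # Manager-specific override so every transitive copy resolves to the same version.
    node = out
    for key in OVERRIDE_PATH[manager][:-1]:
        node = node.setdefault(key, {})
    node.setdefault(OVERRIDE_PATH[manager][-1], {})[name] = version
    return out


def installed_versions(lock: dict, name: str) -> dict:
    """Every installed copy of `name` in a lockfileVersion 2/3 lock, keyed by node_modules path."""
    suffix = "node_modules/" + name
    return {path: entry.get("version")
            for path, entry in lock.get("packages", {}).items() if path.endswith(suffix)}


def unpinned_copies(lock: dict, name: str, version: str) -> list:
    """Lock paths where `name` still resolves to something other than the pinned version.
    A non-empty result means the override has not taken effect: reinstall and recheck."""
    return sorted(p for p, v in installed_versions(lock, name).items() if v != version)


if __name__ == "__main__":
    print(json.dumps(pin_package(SAMPLE_PACKAGE_JSON, "cli-args", "1.2.6", "npm"), indent=2))
    print("stale copies:", unpinned_copies(SAMPLE_LOCK, "cli-args", "1.2.6"))
```

Against real files, `json.load` package.json and package-lock.json in place of the samples, write the result of `pin_package` back, run the install, and treat a non-empty `unpinned_copies` as a failed rollback rather than a warning.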
| Task | Node.js | Python | Go | Rust |
|------|---------|--------|----|------|
| List outdated | npm outdated | pip list --outdated | go list -u -m all | cargo outdated |
| Security audit | npm audit | pip-audit | govulncheck ./... | cargo audit |
| Update all | npm update | pip install -U -r requirements.txt | go get -u ./... | cargo update |
| Update one | npm install pkg@ver | pip install pkg==ver | go get pkg@ver | cargo update -p pkg |
For detailed per-ecosystem commands, verbose examples, and automation configuration, see: