cbbkrd-tech/ln-710-dependency-upgrader
.claude/skills/ln-710-dependency-upgrader/SKILL.md
Coordinates dependency upgrades across all detected package managers
tools
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add cbbkrd-tech/jl-finishes ln-710-dependency-upgraderInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 6:52 AM208.4s3 files scanned
SKILL.md
- name:
- ln-710-dependency-upgrader
- description:
- Coordinates dependency upgrades across all detected package managers
Paths: File paths (
shared/,references/,../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
ln-710-dependency-upgrader
Type: L2 Domain Coordinator Category: 7XX Project Bootstrap Parent: ln-700-project-bootstrap
Coordinates dependency upgrades by detecting package managers and delegating to appropriate L3 workers.
Overview
| Aspect | Details | |--------|---------| | Input | Detected stack from ln-700 | | Output | All dependencies upgraded to latest compatible versions | | Workers | ln-711 (npm), ln-712 (nuget), ln-713 (pip) |
Workflow
See diagram.html for visual workflow.
Phases: Pre-flight → Detect → Security Audit → Delegate → Collect → Verify → Report
Phase 0: Pre-flight Checks
Verify project state before starting upgrade.
| Check | Method | Block if |
|-------|--------|----------|
| Uncommitted changes | git status --porcelain | Non-empty output |
| Create backup branch | git checkout -b upgrade-backup-{timestamp} | Failure |
| Lock file exists | Check for lock file | Missing (warn only) |
Skip upgrade if uncommitted changes exist. User must commit or stash first.
Phase 1: Detect Package Managers
Detection Rules
| Package Manager | Indicator Files | Worker | |-----------------|-----------------|--------| | npm | package.json + package-lock.json | ln-711 | | yarn | package.json + yarn.lock | ln-711 | | pnpm | package.json + pnpm-lock.yaml | ln-711 | | nuget | *.csproj files | ln-712 | | pip | requirements.txt | ln-713 | | poetry | pyproject.toml + poetry.lock | ln-713 | | pipenv | Pipfile + Pipfile.lock | ln-713 |
Phase 2: Security Audit (Pre-flight)
Security Checks
| Package Manager | Command | Block Upgrade |
|-----------------|---------|---------------|
| npm | npm audit --audit-level=high | Critical only |
| pip | pip-audit --json | Critical only |
| nuget | dotnet list package --vulnerable | Critical only |
Release Age Check
| Option | Default | Description | |--------|---------|-------------| | minimumReleaseAge | 14 days | Skip packages released < 14 days ago | | ignoreReleaseAge | false | Override for urgent security patches |
Per Renovate best practices: waiting 14 days gives registries time to pull malicious packages.
Phase 3: Delegate to Workers
CRITICAL: All delegations use Task tool with
subagent_type: "general-purpose"for context isolation.
Prompt template:
Task(description: "Upgrade deps via ln-71X",
prompt: "Execute ln-71X-{worker}. Read skill from ln-71X-{worker}/SKILL.md. Context: {delegationContext}",
subagent_type: "general-purpose")
Anti-Patterns:
- ❌ Direct Skill tool invocation without Task wrapper
- ❌ Any execution bypassing subagent context isolation
Delegation Context
Each worker receives standardized context:
| Field | Type | Description | |-------|------|-------------| | projectPath | string | Absolute path to project | | packageManager | enum | npm, yarn, pnpm, nuget, pip, poetry, pipenv | | options.upgradeType | enum | major, minor, patch | | options.allowBreaking | bool | Allow breaking changes | | options.testAfterUpgrade | bool | Run tests after upgrade |
Worker Selection
| Package Manager | Worker | Notes | |-----------------|--------|-------| | npm, yarn, pnpm | ln-711-npm-upgrader | Handles all Node.js | | nuget | ln-712-nuget-upgrader | Handles .NET projects | | pip, poetry, pipenv | ln-713-pip-upgrader | Handles all Python |
Phase 4: Collect Results
Result Schema
| Field | Type | Description | |-------|------|-------------| | status | enum | success, partial, failed | | upgrades[] | array | List of upgraded packages | | upgrades[].package | string | Package name | | upgrades[].from | string | Previous version | | upgrades[].to | string | New version | | upgrades[].breaking | bool | Is breaking change | | warnings[] | array | Non-blocking warnings | | errors[] | array | Blocking errors |
Phase 5: Verify Build
Build Commands by Stack
| Stack | Command |
|-------|---------|
| Node.js | npm run build or yarn build |
| .NET | dotnet build --configuration Release |
| Python | pytest or python -m pytest |
On Build Failure
- Identify failing package from error
- Search Context7/Ref for migration guide
- Apply known fixes
- If still fails: rollback package, log warning
Phase 6: Report Summary
Report Schema
| Field | Type | Description | |-------|------|-------------| | totalPackages | int | Total packages analyzed | | upgraded | int | Successfully upgraded | | skipped | int | Already latest | | failed | int | Rolled back | | breakingChanges | int | Major version upgrades | | buildVerified | bool | Build passed after upgrade | | duration | string | Total time |
Configuration
Options:
# Upgrade scope
upgradeType: major # major | minor | patch
# Breaking changes
allowBreaking: true
autoMigrate: true # Apply known migrations
# Security
auditLevel: high # none | low | moderate | high | critical
minimumReleaseAge: 14 # days, 0 to disable
blockOnVulnerability: true
# Scope
skipDev: false # Include devDependencies
skipOptional: true # Skip optional deps
# Verification
testAfterUpgrade: true
buildAfterUpgrade: true
# Rollback
rollbackOnFailure: true
Error Handling
Recoverable Errors
| Error | Recovery | |-------|----------| | Peer dependency conflict | Try --legacy-peer-deps | | Build failure | Rollback package, continue | | Network timeout | Retry 3 times |
Fatal Errors
| Error | Action | |-------|--------| | No package managers found | Skip this step | | All builds fail | Report to parent, suggest manual review |
References
- breaking_changes_patterns.md
- security_audit_guide.md
Definition of Done
- Pre-flight checks passed (clean git state, backup branch created)
- All package managers detected from indicator files
- Security audit completed per manager (critical vulns block upgrade)
- Workers delegated via Task tool with context isolation
- Worker results collected with upgrade/skip/fail counts
- Build verified after all upgrades applied
- Summary report generated with totalPackages, upgraded, skipped, failed, buildVerified
Version: 1.1.0 Last Updated: 2026-01-10
Related Skills
cbbkrd-tech/content-strategy
testing
VerifiedTrustedCommunity
When the user wants to plan a content strategy, decide what content to create, or figure out what topics to cover. Also use when the user mentions "content strategy," "what should I write about," "content ideas," "blog strategy," "topic clusters," or "content planning." For writing individual pieces, see copywriting. For SEO-specific audits, see seo-audit.
SKILL.mdUpdated Apr 17, 2026
cbbkrd-tech/competitor-alternatives
development
VerifiedTrustedCommunity
When the user wants to create competitor comparison or alternative pages for SEO and sales enablement. Also use when the user mentions 'alternative page,' 'vs page,' 'competitor comparison,' 'comparison page,' '[Product] vs [Product],' '[Product] alternative,' or 'competitive landing pages.' Covers four formats: singular alternative, plural alternatives, you vs competitor, and competitor vs competitor. Emphasizes deep research, modular content architecture, and varied section types beyond feature tables.
SKILL.mdUpdated Apr 17, 2026
cbbkrd-tech/cold-email
development
VerifiedTrustedCommunity
Write B2B cold emails and follow-up sequences that get replies. Use when the user wants to write cold outreach emails, prospecting emails, cold email campaigns, sales development emails, or SDR emails. Covers subject lines, opening lines, body copy, CTAs, personalization, and multi-touch follow-up sequences.
SKILL.mdUpdated Apr 17, 2026
cbbkrd-tech/churn-prevention
development
VerifiedTrustedCommunity
When the user wants to reduce churn, build cancellation flows, set up save offers, recover failed payments, or implement retention strategies. Also use when the user mentions 'churn,' 'cancel flow,' 'offboarding,' 'save offer,' 'dunning,' 'failed payment recovery,' 'win-back,' 'retention,' 'exit survey,' 'pause subscription,' or 'involuntary churn.' This skill covers voluntary churn (cancel flows, save offers, exit surveys) and involuntary churn (dunning, payment recovery). For post-cancel win-back email sequences, see email-sequence. For in-app upgrade paywalls, see paywall-upgrade-cro.
SKILL.mdUpdated Apr 17, 2026