dirien/dep-upgrade
.claude/skills/dep-upgrade/SKILL.md
Safe systematic dependency upgrade with vulnerability scanning and rollback capability. Detects project ecosystem, audits outdated and vulnerable packages, presents a prioritized upgrade plan, and executes upgrades one at a time with test verification after each. Use when updating dependencies, fixing vulnerability alerts, or performing periodic dependency maintenance.
$ install --global
skillsauthnpx skillsauth add dirien/yet-another-agent-harness dep-upgradeInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 9:43 PM14.1s4 files scanned
SKILL.md
- name:
- dep-upgrade
- description:
- >
- compatibility:
- >
<!-- Copyright 2025-2026 Richard Shade. Licensed under Apache-2.0. -->
<!-- SPDX-License-Identifier: Apache-2.0 -->
Safe Dependency Upgrade
Systematically upgrade dependencies with zero breakage. Detects the project ecosystem, audits for outdated and vulnerable packages, presents a prioritized plan for approval, then executes upgrades one at a time with test verification after each.
Core principle: One upgrade at a time. Test after each. Roll back on failure. Never auto-commit.
Prerequisite check
Detect the project ecosystem by scanning for package manager files:
ls go.mod package.json pyproject.toml Cargo.toml *.csproj 2>/dev/null
If no package manager file is found, report to the user and stop. Mixed projects (e.g., Go backend + Node frontend) are supported — audit and upgrade each ecosystem separately.
Step 1: Audit dependencies
List outdated packages and run vulnerability scanners for each detected ecosystem.
Go:
go list -u -m all 2>/dev/null | grep '\['
govulncheck ./... 2>/dev/null
Node.js:
npm outdated 2>/dev/null
npm audit 2>/dev/null
Python:
pip list --outdated 2>/dev/null
pip-audit 2>/dev/null
Rust:
cargo outdated 2>/dev/null
cargo audit 2>/dev/null
.NET:
dotnet list package --outdated 2>/dev/null
dotnet list package --vulnerable 2>/dev/null
For detailed commands per ecosystem, see
references/upgrade-commands.md.
If a vulnerability scanner is not installed, note it in the report but continue with the outdated package list.
Step 2: Categorize and prioritize
For each outdated package, assign a priority:
- CRITICAL — known CVE or security advisory
- HIGH — major version behind or dependency EOL
- MEDIUM — minor version behind
- LOW — patch version behind only
For detailed priority signals and breaking change assessment, see
references/priority-matrix.md.
Step 3: Present upgrade plan
Present the prioritized list to the user before any upgrades. Use
the plan format in references/report-template.md.
Dependency Upgrade Plan
Ecosystem: Go
Outdated: 5 packages
Vulnerable: 1 package
| # | Package | Current | Target | Priority |
|---|-------------------|---------|--------|----------|
| 1 | example/vuln-pkg | v1.2.0 | v1.2.5 | CRITICAL |
| 2 | example/old-pkg | v2.0.0 | v4.1.0 | HIGH |
| 3 | example/minor-pkg | v3.1.0 | v3.4.0 | MEDIUM |
Proceed with upgrades?
Wait for user approval before proceeding. The user may choose to upgrade all, select specific packages, or skip.
Step 4: Upgrade one at a time
For each approved package, in priority order:
- Research — check changelog or release notes for breaking changes. If crossing a major version, read the migration guide.
- Upgrade — run the ecosystem-specific upgrade command
- Update lockfile —
go mod tidy,npm install, etc. - Run tests — execute the project's test suite
- If tests pass — move to the next package
- If tests fail — roll back this upgrade immediately:
# Rollback: restore dependency files from git
git checkout -- <dependency-file> <lockfile>
Report the failure (package, target version, test error) and continue with the remaining packages.
For ecosystem-specific upgrade and rollback commands, see
references/upgrade-commands.md.
Step 5: Verify lockfiles
After all upgrades are complete, verify lockfile integrity:
# Go
go mod verify
# Node
npm ci --dry-run
# Rust
cargo build --dry-run
Confirm that lockfiles are updated and consistent with the dependency manifest.
Step 6: Present summary
Present the upgrade results using the template in
references/report-template.md. Include:
- Successfully upgraded — package, from version, to version, test status
- Failed and rolled back — package, target version, failure reason
- Skipped — package, reason (user chose to skip, or breaking change needs manual migration)
- Remaining vulnerabilities — any CVEs not resolved
- Lockfile status — updated and verified per ecosystem
Do not commit the changes. The user decides when and how to commit. Suggest a commit message:
deps: upgrade X packages (Y security fixes)
Important constraints
- Never auto-commit — upgrading packages changes files, but committing is the user's decision
- Never create branches — leave git operations to the user
- One at a time — upgrading multiple packages simultaneously makes it impossible to identify which upgrade broke tests
- Roll back immediately on failure — do not continue with a broken dependency state
- Report everything — even if the user chose to skip a package, include it in the summary with the reason
Related Skills
dirien/typescript-pro
tools
VerifiedTrustedCommunity
Implements advanced TypeScript type systems, creates custom type guards, utility types, and branded types, and configures tRPC for end-to-end type safety. Use when building TypeScript applications requiring advanced generics, conditional or mapped types, discriminated unions, monorepo setup, or full-stack type safety with tRPC.
13SKILL.mdUpdated Apr 17, 2026
dirien/the-fool
development
VerifiedTrustedCommunity
Use when challenging ideas, plans, decisions, or proposals using structured critical reasoning. Invoke to play devil's advocate, run a pre-mortem, red team, or audit evidence and assumptions.
13SKILL.mdUpdated Apr 17, 2026
dirien/tech-debt
development
VerifiedTrustedCommunity
Systematic technical debt analysis across architecture, testing, documentation, and infrastructure. Investigates the codebase, scores findings by impact and effort, and generates a prioritized TECH_DEBT.md remediation plan. Delegates to specialized skills for code quality (scout) and linting (lint-fix). Use when assessing overall project health, planning cleanup sprints, or onboarding to an unfamiliar codebase.
13SKILL.mdUpdated Apr 17, 2026
dirien/tailscale-install
testing
VerifiedTrustedCommunity
Install and configure Tailscale across platforms. Detects OS, distro, and environment (including WSL2 and containers). Verifies existing installations, performs platform-appropriate install, and guides initial connection. Use when setting up Tailscale on a new machine, onboarding a server to a tailnet, or verifying an existing install.
13SKILL.mdUpdated Apr 17, 2026