eliferjunior/dependency-updater
.claude/skills/ts-dependency-updater/SKILL.md
Audit project dependencies for outdated packages, security vulnerabilities, and breaking changes. Use when someone asks to "check for outdated packages", "audit dependencies", "find vulnerable dependencies", "plan dependency upgrades", "detect breaking changes", or "update npm packages safely". Analyzes package.json/lock files, cross-references changelogs, and produces ordered upgrade plans.
testing
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add eliferjunior/Claude dependency-updaterInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 1:31 AM37.4s1 file scanned
SKILL.md
- name:
- dependency-updater
- description:
- >-
- license:
- Apache-2.0
- compatibility:
- Supports npm (package.json), yarn (yarn.lock), pnpm (pnpm-lock.yaml), pip (requirements.txt), and Go (go.mod)
- author:
- terminal-skills
- version:
- 1.0.0
- category:
- development
- tags:
- ["dependencies", "npm", "security", "upgrades", "semver"]
Dependency Updater
Overview
This skill analyzes your project's dependency tree to find outdated packages, known vulnerabilities, and breaking API changes. It produces a prioritized upgrade plan with specific migration steps, ordered to minimize risk and maximize safety.
Instructions
1. Parse the Dependency File
- Read
package.json+ lockfile (npm/yarn/pnpm),requirements.txt/pyproject.toml, orgo.mod - List all direct dependencies with current pinned versions
- Note version constraints (^, ~, exact, ranges)
2. Check Each Package
For each dependency:
- Latest version: What's available on the registry
- Version gap: How many major/minor/patch versions behind
- Security: Known CVEs from npm audit, Snyk, or GitHub Advisory Database
- Maintenance: Last publish date, open issues count, whether it's deprecated
- Breaking changes: Read CHANGELOG.md or GitHub releases for breaking change notes between current and latest
3. Classify by Risk
Group packages into four tiers:
- Critical: Known CVE with severity HIGH or CRITICAL — update immediately
- Major: Major version bump with confirmed breaking API changes — needs migration
- Minor: Minor/patch updates with no breaking changes — safe to batch update
- Stale: Package unmaintained (no release in >12 months) — consider replacement
4. Scan for Impact
For Major-tier packages:
- Read the changelog/migration guide for the new version
- Search the codebase for imports and usages of changed APIs
- List affected files with line numbers
- Estimate effort: how many patterns need changing and whether they're automatable
5. Generate Upgrade Plan
Produce an ordered plan:
- Critical (CVE fixes) first — usually patch-level, zero code changes
- Minor/patch batch — single
npm updatecommand - Each Major upgrade individually, with:
- Exact install command (
npm install package@version) - Code changes needed (as diffs when possible)
- Test commands to verify
- Exact install command (
Examples
Example 1: Node.js Project Audit
Input: User provides package.json with 94 dependencies.
Output:
Dependency Audit — 94 packages
CRITICAL (2 packages):
lodash 4.17.20 → 4.17.21
CVE-2021-23337 (Command Injection, HIGH)
Fix: npm install [email protected] (patch, no code changes)
node-fetch 2.6.1 → 2.6.13
CVE-2022-0235 (Information Exposure, MEDIUM)
Fix: npm install [email protected] (patch, no code changes)
MAJOR (1 package):
express 4.18.2 → 5.0.0
Breaking: req.host now returns host without port
Breaking: app.del() removed, use app.delete()
Affected files: src/server.ts:45 (uses req.host), src/routes/legacy.ts:12 (uses app.del)
Migration effort: Low — 2 files, 2 line changes
MINOR (18 packages):
Can be batch-updated: npm update (no breaking changes detected)
STALE (1 package):
request 2.88.2 — DEPRECATED, last release Feb 2020
Recommended replacement: undici or node-fetch
Used in: src/lib/http-client.ts (3 call sites)
Upgrade Order:
Step 1: npm install [email protected] [email protected]
Step 2: npm update
Step 3: npm install [email protected] (apply 2 code changes first)
Step 4: Replace request with undici (separate PR recommended)
Example 2: Python Requirements
Input: User provides requirements.txt with pinned versions.
Output:
Dependency Audit — 23 packages
CRITICAL:
django==3.2.18 → 3.2.25
CVE-2024-24680 (DoS via intcomma, MEDIUM)
Fix: pip install django==3.2.25 (patch within same minor)
MAJOR:
django==3.2.25 → 5.0.6 (if full upgrade desired)
Breaking: DEFAULT_AUTO_FIELD must be set explicitly
Breaking: url() removed, use path()
Affected: 8 files in urls/, settings.py
Guidelines
- Never recommend upgrading all major versions at once — one at a time, with tests between each
- For monorepos, check if packages have peer dependency conflicts before recommending upgrades
- If a package is deprecated with no CVE, it's STALE not CRITICAL — don't panic the user
- Always check if the project has a test suite (
npm test,pytest) and recommend running it after each step - When generating diffs, use the project's actual code, not generic examples
- For workspaces/monorepos, note which workspace each dependency belongs to
Related Skills
eliferjunior/fireworks-ai
development
VerifiedTrustedCommunity
Expert guidance for Fireworks AI, the platform for running open-source LLMs (Llama, Mixtral, Qwen, etc.) with enterprise-grade speed and reliability. Helps developers integrate Fireworks' inference API, fine-tune models, and deploy custom model endpoints with function calling and structured output support.
SKILL.mdUpdated Apr 17, 2026
eliferjunior/firecrawl
development
VerifiedTrustedCommunity
Convert any website into clean, structured data with Firecrawl — API-first web scraping service. Use when someone asks to "turn a website into markdown", "scrape website for LLM", "Firecrawl", "extract website content as clean text", "crawl and convert to structured data", or "scrape website for RAG". Covers single-page scraping, full-site crawling, structured extraction, and LLM-ready output.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/firebase
tools
VerifiedTrustedCommunity
Expert guidance for Firebase, Google's platform for building and scaling web and mobile applications. Helps developers set up authentication, Firestore/Realtime Database, Cloud Functions, hosting, storage, and analytics using Firebase's SDK and CLI.
SKILL.mdUpdated Apr 16, 2026
eliferjunior/file-upload-processor
development
VerifiedTrustedCommunity
When the user needs to build file upload functionality for a web application. Use when the user mentions "file upload," "image upload," "upload endpoint," "multipart upload," "presigned URL," "S3 upload," "file validation," "upload to cloud storage," or "accept user files." Handles upload endpoints, file validation (type, size, magic bytes), cloud storage integration, and upload status tracking. For image/video processing after upload, see media-transcoder.
SKILL.mdUpdated Apr 16, 2026