jkker/dependency-maintenance
.agents/skills/dependency-maintenance/SKILL.md
Routine dependency maintenance for vite+ pnpm monorepo workspaces. Use when asked to update deps, run audits, fix vulnerabilities, bump packages, or perform periodic maintenance. Covers pnpm catalog protocol, workspace overrides, audit fixes, major version migrations, changelog review, and Node subpath imports.
testing
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add jkker/react-template dependency-maintenanceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 12:21 PM17.2s1 file scanned
SKILL.md
- name:
- dependency-maintenance
- description:
- Routine dependency maintenance for vite+ pnpm monorepo workspaces. Use when asked to update deps, run audits, fix vulnerabilities, bump packages, or perform periodic maintenance. Covers pnpm catalog protocol, workspace overrides, audit fixes, major version migrations, changelog review, and Node subpath imports.
Dependency Maintenance
Systematic methodology for routine dependency updates in a vite+ pnpm monorepo.
Workflow
1. Reconnaissance
vpx taze -r major # what's outdated
vp pm audit # What's vulnerable
Check pnpm-workspace.yaml catalog entries — these are the SSOT for shared versions. Every workspace should reference catalog: for shared deps.
2. Triage
Classify each outdated package:
| Type | Risk | Action |
| --------- | ----------- | ----------------------------------------------------- |
| Patch | None | Bulk update via vpx taze --write --install |
| Minor | Low | Scan changelog, update |
| Major | Medium–High | Read changelog/migration guide, plan breaking changes |
| Audit fix | Critical | Fix immediately, even if it means override |
For major bumps, always check the changelog:
gh api repos/{owner}/{repo}/releases/latest --jq '.body' | head -80
3. pnpm Catalog Protocol
The catalog: protocol in pnpm-workspace.yaml is the single source of truth for shared versions.
# pnpm-workspace.yaml
catalog:
react: ^19.2.4
vite: ^8.0.2
vitest: 4.1.1 # Pin exact for test reproducibility
# In any package.json:
'dependencies': {
'react': 'catalog:', # Resolves to ^19.2.4
'vitest': 'catalog:', # Resolves to 4.1.1
}
Rules:
- All shared deps go in catalog — never duplicate versions across workspaces
- Pin test tooling to exact versions (no
^) for reproducibility - Use
catalog:for@types/*used in multiple packages - Add the
updateConfig.ignoreDependencieslist in workspace yaml for deps managed elsewhere (e.g.,@types/nodepinned to a specific LTS)
4. Audit Overrides
When a vulnerability is in a transitive dependency you can't update directly:
overrides:
# Target specific dependency chains
drizzle-orm>kysely: '>=0.28.14'
# Or blanket override by version range
kysely@<=0.28.13: '>=0.28.14'
# Remove unwanted optional deps
better-auth>@better-auth/mongo-adapter: '-'
Quirk: parent>dep overrides only affect direct deps, not peers. For peer deps pulled transitively, use the version-range pattern dep@<=bad: '>=fixed'.
After overrides, verify: pnpm ls <pkg> --depth=5 to confirm the patched version resolved.
5. Node Subpath Imports (#)
Prefer # subpath imports over TypeScript paths for intra-package references:
// package.json
{
"imports": {
"#*": ["./src/*", "./src/*.ts", "./src/*.tsx"]
}
}
// Before: import { cn } from '@mylib/ui/lib/utils'
// After: import { cn } from '#lib/utils'
Quirks:
- TypeScript resolves
#viapackage.jsonimportswhenresolvePackageJsonImports: true(default inbundlermoduleResolution) - Must provide array with extension variants (
*.ts,*.tsx) for TypeScript to find type declarations - Update
components.json(shadcn) aliases to match:"utils": "#lib/utils" - Bulk rename:
sed -i '' "s|from '@pkg/name/|from '#|g" $(find src -name '*.tsx' -o -name '*.ts')
6. Verification Sequence
vp i # Should be clean, no warnings
vp pm audit # Must be 0 vulnerabilities
vp check # 0 errors
vp test run # Relevant tests pass
7. Documentation
Create docs/maintenance/YYYY-MM-DD-<slug>.md with:
- Table of version changes (from → to)
- Security fixes applied
- Breaking changes and how they were handled
- Pre-existing issues discovered but not fixed (with justification)
Common Gotchas
- TypeScript major bumps: May surface latent type issues (stricter module augmentation,
@types/nodeauto-discovery changes). CheckmoduleResolution: "node16"packages — they may need explicit"types": ["node"]. - @tanstack version mismatches:
@tanstack/*packages across all workspaces must be on the same minor. @vitejs/plugin-react6.0: Babel integration extracted — use@rolldown/plugin-babelwithreactCompilerPreset()instead of inline babel config.@base-ui/reactrenames: Components periodically graduate from*Previewto stable names (e.g.,DrawerPreview→Drawer).- Peer dep warnings: Add to
peerDependencyRules.allowedVersionswhen upstream packages haven't updated their peer ranges for a new major. pnpm auditvs overrides: Overrides take effect aftervp i— always re-install before re-auditing.
Related Skills
jkker/zustand-x
tools
VerifiedTrustedCommunity
Type-safe Zustand state management with auto-generated hooks, selectors, and actions. Use when implementing or working with Zustand stores in React apps, especially when creating new stores, adding selectors/actions, using middleware (devtools, persist, immer, mutative), or migrating from plain Zustand to get better DX with less boilerplate.
SKILL.mdUpdated Apr 17, 2026
jkker/vitest
development
VerifiedTrustedCommunity
Vitest fast unit testing framework powered by Vite with Jest-compatible API. Use when writing tests, mocking, configuring coverage, or working with test filtering and fixtures.
SKILL.mdUpdated Apr 17, 2026
jkker/tdd
development
VerifiedTrustedCommunity
Test-driven development with red-green-refactor loop. Use when user wants to build features or fix bugs using TDD, mentions "red-green-refactor", wants integration tests, or asks for test-first development.
SKILL.mdUpdated Apr 17, 2026
jkker/tanstack-intent
testing
VerifiedTrustedCommunity
Manage TanStack Intent skill-to-task mappings. Use when adding, updating, or discovering agent skills from installed npm packages, or when re-syncing intent-skills after dependency updates.
SKILL.mdUpdated Apr 17, 2026