logseq/logseq-dependency-upgrade
.agents/skills/logseq-dependency-upgrade/SKILL.md
Audit, plan, and refresh dependency upgrades for the Logseq repository by scanning every non-gitignored package.json, deps.edn, bb.edn and nbb.edn manifest, checking latest upstream versions, cross-root consistency, lockfile resolution, deprecation, staleness, and OSV vulnerabilities, then generating a batch-ordered upgrade plan and compact JSON artifact.
$ install --global
skillsauthnpx skillsauth add logseq/logseq logseq-dependency-upgradeInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 9:10 PM41.0s2 files scanned
SKILL.md
- name:
- logseq-dependency-upgrade
- description:
- Audit, plan, and refresh dependency upgrades for the Logseq repository by scanning every non-gitignored package.json, deps.edn, bb.edn and nbb.edn manifest, checking latest upstream versions, cross-root consistency, lockfile resolution, deprecation, staleness, and OSV vulnerabilities, then generating a batch-ordered upgrade plan and compact JSON artifact.
Logseq Dependency Upgrade
Use this skill when the task is to audit dependencies, build an upgrade plan, or refresh dependency-upgrade facts for this repository.
Workflow
- Run the audit script:
node .agents/skills/logseq-dependency-upgrade/scripts/audit_logseq_dependencies.mjs \
--output-json <json-output-path> \
--output-md <markdown-output-path> \
[--stale-months <months>] \
[--include-prerelease]
--stale-months— number of months since last publish to flag a package as stale (default:36).--include-prerelease— boolean flag (no value). When present, the Risk column annotates any newer upstream pre-release version (SNAPSHOT / RC / alpha / beta / nightly / canary etc.). The target version is always the latest stable release regardless of this flag. When absent (default), pre-release versions are neither fetched nor shown.
-
Read the generated Markdown report — it is the primary planning document, structured for batch-wise execution.
-
To execute an upgrade batch:
- Read the target batch section from the Markdown report (one read, one self-contained table).
- Apply the upgrades (change manifest files, run install/test).
- Overwrite the batch's Status line and table to record results.
- Update the Summary counts at the top.
CAUTION: Verify dependency usage before updating; remove unused packages instead of upgrading. For any dependency crossing a major version boundary, perform a rigorous review for breaking changes.
- After all batches, or to refresh data, rerun the audit script to regenerate both files.
Audit scope
- Every non-gitignored
package.json(dependencies+devDependencies). - Every non-gitignored
deps.ednandnbb.edn(:deps+:aliasesextra-deps / replace-deps — covers clj-kondo, test deps, etc.). - Every non-gitignored
bb.edn(:deps+:pods). - Project-internal
local/rootdeps (e.g.logseq/db,logseq/common) are excluded. - Gitignored / generated manifests are excluded.
Classification
- Toolchain
- Root JS Incremental
- Root JS Major / High-Risk
- Clojure / Babashka Libraries
- deps/* & libs/* Package Islands
- packages/ui
- Mobile / Capacitor
- Infra / Build Islands
- Manual Review
Version prefix preservation
Target versions preserve the original specifier prefix. If current is ^1.0.0 and latest is 1.5.0, target is ^1.5.0. If current is 1.0.0 (fixed), target is 1.5.0.
Lockfile resolution
For npm packages with a range specifier (e.g. ^), the script checks yarn.lock to see if the resolved version already matches latest. These packages are flagged as already resolved — they need only a lockfile refresh, not a manifest change, and carry zero upgrade risk.
Output contract
The script writes:
- JSON — compact, no null/false/empty-default fields. Structured by
batches[]array for machine consumption. - Markdown — batch-centric layout. Each batch is a self-contained section with a Status line and a table. An agent can read one batch section, execute it, and overwrite that section to record results — no scattered edits needed.
Notes
deprecatedcomes from upstream package metadata.vulnerabilitiescome from OSV batch queries.stale / low-maintenanceis based on upstream publish dates.- Clojure package latest versions are fetched from Clojars first, then Maven Central as fallback.
Script
- Main script: audit_logseq_dependencies.mjs
Related Skills
logseq/esm-cjs-risk-scan
development
VerifiedTrustedCommunity
Scan Logseq ClojureScript Node/Electron targets for npm module loading risks, especially ESM-only packages that may fail when loaded through js/require or shadow-cljs require-based shims. Use when changing Electron/main-process dependencies, debugging startup import errors, or auditing packages before dependency upgrades.
41,893SKILL.mdUpdated Apr 6, 2026
steipete/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
356,423SKILL.mdUpdated Apr 13, 2026
steipete/healthcheck
testing
VerifiedTrustedCommunity
Host security hardening and risk-tolerance configuration for OpenClaw deployments. Use when a user asks for security audits, firewall/SSH/update hardening, risk posture, exposure review, OpenClaw cron scheduling for periodic checks, or version status checks on a machine running OpenClaw (laptop, workstation, Pi, VPS).
356,423SKILL.mdUpdated Apr 13, 2026
openclaw/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
353,662SKILL.mdUpdated Apr 10, 2026