melodic-software/upgrade-nuget-packages
plugins/dotnet/skills/upgrade-nuget-packages/SKILL.md
Interactive NuGet package upgrade with vulnerability detection and breaking change warnings
$ install --global
skillsauthnpx skillsauth add melodic-software/claude-code-plugins upgrade-nuget-packagesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 8:37 AM5.8s1 file scanned
SKILL.md
- name:
- upgrade-nuget-packages
- description:
- Interactive NuGet package upgrade with vulnerability detection and breaking change warnings
- argument-hint:
- [--vulnerable] [--major] [--dry-run] [--auto] [--project <name>]
- allowed-tools:
- Bash, Read, Edit, Glob, Grep, AskUserQuestion, mcp__perplexity__search
/dotnet:upgrade-nuget-packages
Interactive NuGet package upgrade command with intelligence about vulnerabilities, breaking changes, and compatibility.
Arguments
Parse arguments from $ARGUMENTS:
| Flag | Description | Default |
|------|-------------|---------|
| --outdated | Show only outdated packages | true |
| --vulnerable | Show only packages with known CVEs | false |
| --major | Include major version upgrades | false |
| --preview | Include preview/prerelease versions | false |
| --dry-run | Show what would change without applying | false |
| --project <path> | Target specific project (fuzzy matching) | All projects |
| --interactive | Use AskUserQuestion for each upgrade decision | true |
| --auto | Upgrade all without prompting (opposite of --interactive) | false |
Workflow
Step 1: Gather Package Information
Run the appropriate dotnet command:
# For outdated packages
dotnet list package --outdated [--include-prerelease]
# For vulnerable packages
dotnet list package --vulnerable
# For specific project
dotnet list "<project>" package --outdated
Parse the output to extract:
- Project name
- Package name
- Current version (Requested)
- Resolved version
- Latest version available
Step 2: Analyze Upgrades
For each outdated package, categorize:
Version Change Type:
- Patch (1.0.0 -> 1.0.1): Bug fixes, safe to auto-upgrade
- Minor (1.0.0 -> 1.1.0): New features, backward compatible
- Major (1.0.0 -> 2.0.0): Breaking changes possible
Risk Assessment:
- Check if package has known breaking changes (use perplexity for major versions)
- Check if package is deprecated
- Check if newer version supports current TFM
Step 3: Present Upgrades
Group packages by project and present summary:
Package Upgrades Available
Project: src/MyApp/MyApp.csproj
Package Current Latest Change
Newtonsoft.Json 13.0.1 13.0.3 Patch
Microsoft.Extensions.DI 8.0.0 10.0.0 Major (!)
Serilog 3.1.0 4.0.0 Major (!)
Project: tests/MyApp.Tests/MyApp.Tests.csproj
Package Current Latest Change
xunit 2.6.0 2.9.0 Minor
Moq 4.18.0 4.20.0 Minor
Legend: (!) = Major version, may have breaking changes
Step 4: Interactive Upgrade (if --interactive)
For each package (or group), use AskUserQuestion:
For Patch/Minor versions:
Upgrade Newtonsoft.Json from 13.0.1 to 13.0.3 (patch)?
Options:
- Yes, upgrade
- Skip this package
- Upgrade all patches automatically
For Major versions: First, research breaking changes:
Use mcp__perplexity__search:
query: "<package> <old version> to <new version> breaking changes migration"
Then present with context:
Upgrade Microsoft.Extensions.DependencyInjection from 8.0.0 to 10.0.0?
Breaking Changes Found:
- IServiceCollection.AddXxx methods now return IServiceCollection
- Some obsolete APIs removed
Options:
- Yes, upgrade (will need code changes)
- Skip this package
- Show more details
Step 5: Apply Upgrades
For each approved upgrade:
If using Central Package Management (Directory.Packages.props):
# Update version in Directory.Packages.props
# Use Edit tool to modify the file
If using per-project references:
dotnet add <project> package <package> --version <version>
Step 6: Validate
After all upgrades:
dotnet restore
dotnet build
If build fails:
- Report which packages may have caused issues
- Suggest running
/dotnet:build --fixto auto-resolve
Output Format
Dry Run:
[DRY RUN] Would upgrade the following packages:
Project: src/MyApp/MyApp.csproj
Newtonsoft.Json: 13.0.1 -> 13.0.3 (patch)
Serilog: 3.1.0 -> 4.0.0 (major)
Project: tests/MyApp.Tests/MyApp.Tests.csproj
xunit: 2.6.0 -> 2.9.0 (minor)
Total: 3 packages across 2 projects
Run without --dry-run to apply upgrades.
After Upgrade:
Package Upgrade Complete
Upgraded:
- Newtonsoft.Json: 13.0.1 -> 13.0.3
- Serilog: 3.1.0 -> 4.0.0
- xunit: 2.6.0 -> 2.9.0
Skipped:
- Microsoft.Extensions.DI (user skipped)
Validation:
- dotnet restore: Success
- dotnet build: Success
All packages upgraded successfully.
With Build Errors:
Package Upgrade Complete (with issues)
Upgraded:
- Serilog: 3.1.0 -> 4.0.0
Build Errors Detected:
CS0619: 'Log.Logger' is obsolete in Serilog 4.0
Recommendations:
1. Run /dotnet:build --fix to attempt auto-resolution
2. Or revert with: dotnet add package Serilog --version 3.1.0
Vulnerability Mode
When --vulnerable is specified:
dotnet list package --vulnerable
Output focuses on security:
Vulnerable Packages Found
CRITICAL:
- System.Text.Json 6.0.0 - CVE-2024-XXXXX (RCE)
Fixed in: 6.0.10, 8.0.5
HIGH:
- Newtonsoft.Json 12.0.0 - CVE-2024-YYYYY (DoS)
Fixed in: 13.0.1
Recommendation: Upgrade vulnerable packages immediately.
Proceed with upgrade? [Y/n]
Central Package Management Support
Detects and respects Directory.Packages.props:
- Check for
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally> - If found, modify Directory.Packages.props instead of individual .csproj files
- Report which file was modified
Examples
# Show and interactively upgrade outdated packages
/dotnet:upgrade-nuget-packages
# Show vulnerable packages only
/dotnet:upgrade-nuget-packages --vulnerable
# Include major version upgrades
/dotnet:upgrade-nuget-packages --major
# Preview without applying
/dotnet:upgrade-nuget-packages --dry-run
# Upgrade all without prompting
/dotnet:upgrade-nuget-packages --auto
# Upgrade specific project
/dotnet:upgrade-nuget-packages --project MyApp.Api
Related Skills
melodic-software/milan-jovanovic-blog
development
VerifiedTrustedCommunity
Search Milan Jovanovic's .NET blog for Clean Architecture, DDD, CQRS, EF Core, and ASP.NET Core patterns. Use for finding applicable patterns, code examples, and architecture guidance. Invoke when working with .NET projects that could benefit from proven architectural patterns.
47SKILL.mdUpdated Apr 7, 2026
melodic-software/setup-dab
tools
VerifiedTrustedCommunity
Install and configure Data API Builder (DAB) for production SQL Server MCP access with RBAC
47SKILL.mdUpdated Apr 7, 2026
melodic-software/mssql
tools
VerifiedTrustedCommunity
Manage MssqlMcp servers - status, rebuild, and upstream updates
47SKILL.mdUpdated Apr 7, 2026
melodic-software/onboarding
tools
VerifiedTrustedCommunity
Developer environment setup guides for Windows, macOS, Linux, and WSL. Use when setting up development machines, installing tools, configuring environments, or following platform-specific setup guides. Covers package management, shell/terminal, code editors, AI tooling, containerization, databases, and more.
47SKILL.mdUpdated Apr 7, 2026