Dependency Updater

# Dependency Updater Smart dependency management for any language with automatic detection and safe updates. --- ## Quick Start ``` update my dependencies ``` The skill auto-detects your project type and handles the rest. --- ## Triggers | Trigger | Example | |---------|---------| | Update dependencies | "update dependencies", "update deps" | | Check outdated | "check for outdated packages" | | Fix dependency issues | "fix my dependency problems" | | Security audit | "audit dependencies for vulnerabilities" | | Diagnose deps | "diagnose dependency issues" | --- ## Supported Languages | Language | Package File | Update Tool | Audit Tool | |----------|--------------|-------------|------------| | **Node.js** | package.json | `taze` | `npm audit` | | **Python** | requirements.txt, pyproject.toml | `pip-review` | `safety`, `pip-audit` | | **Go** | go.mod | `go get -u` | `govulncheck` | | **Rust** | Cargo.toml | `cargo update` | `cargo audit` | | **Ruby** | Gemfile | `bundle update` | `bundle audit` | | **Java** | pom.xml, build.gradle | `mvn versions:*` | `mvn dependency:*` | | **.NET** | *.csproj | `dotnet outdated` | `dotnet list package --vulnerable` | --- ## Quick Reference | Update Type | Version Change | Action | |-------------|----------------|--------| | **Fixed** | No `^` or `~` | Skip (intentionally pinned) | | **PATCH** | `x.y.z` → `x.y.Z` | Auto-apply | | **MINOR** | `x.y.z` → `x.Y.0` | Auto-apply | | **MAJOR** | `x.y.z` → `X.0.0` | Prompt user individually | --- ## Workflow ``` User Request │ ▼ ┌─────────────────────────────────────────────────────┐ │ Step 1: DETECT PROJECT TYPE │ │ • Scan for package files (package.json, go.mod...) │ │ • Identify package manager │ ├─────────────────────────────────────────────────────┤ │ Step 2: CHECK PREREQUISITES │ │ • Verify required tools are installed │ │ • Suggest installation if missing │ ├─────────────────────────────────────────────────────┤ │ Step 3: SCAN FOR UPDATES │ │ • Run language-specific outdated check │ │ • Categorize: MAJOR / MINOR / PATCH / Fixed │ ├─────────────────────────────────────────────────────┤ │ Step 4: AUTO-APPLY SAFE UPDATES │ │ • Apply MINOR and PATCH automatically │ │ • Report what was updated │ ├─────────────────────────────────────────────────────┤ │ Step 5: PROMPT FOR MAJOR UPDATES │ │ • AskUserQuestion for each MAJOR update │ │ • Show current → new version │ ├─────────────────────────────────────────────────────┤ │ Step 6: APPLY APPROVED MAJORS │ │ • Update only approved packages │ ├─────────────────────────────────────────────────────┤ │ Step 7: FINALIZE │ │ • Run install command │ │ • Run security audit │ └─────────────────────────────────────────────────────┘ ``` --- ## Commands by Language ### Node.js (npm/yarn/pnpm) ```bash # Check prerequisites scripts/check-tool.sh taze "npm install -g taze" # Scan for updates taze # Apply minor/patch taze minor --write # Apply specific majors taze major --write --include pkg1,pkg2 # Monorepo support taze -r # recursive # Security npm audit npm audit fix ``` ### Python ```bash # Check outdated pip list --outdated # Update all (careful!) pip-review --auto # Update specific pip install --upgrade package-name # Security pip-audit safety check ``` ### Go ```bash # Check outdated go list -m -u all # Update all go get -u ./... # Tidy up go mod tidy # Security govulncheck ./... ``` ### Rust ```bash # Check outdated cargo outdated # Update within semver cargo update # Security cargo audit ``` ### Ruby ```bash # Check outdated bundle outdated # Update all bundle update # Update specific bundle update --conservative gem-name # Security bundle audit ``` ### Java (Maven) ```bash # Check outdated mvn versions:display-dependency-updates # Update to latest mvn versions:use-latest-releases # Security mvn dependency:tree mvn dependency-check:check ``` ### .NET ```bash # Check outdated dotnet list package --outdated # Update specific dotnet add package PackageName # Security dotnet list package --vulnerable ``` --- ## Diagnosis Mode When dependencies are broken, run diagnosis: ### Common Issues & Fixes | Issue | Symptoms | Fix | |-------|----------|-----| | **Version Conflict** | "Cannot resolve dependency tree" | Clean install, use overrides/resolutions | | **Peer Dependency** | "Peer dependency not satisfied" | Install required peer version | | **Security Vuln** | `npm audit` shows issues | `npm audit fix` or manual update | | **Unused Deps** | Bloated bundle | Run `depcheck` (Node) or equivalent | | **Duplicate Deps** | Multiple versions installed | Run `npm dedupe` or equivalent | ### Emergency Fixes ```bash # Node.js - Nuclear reset rm -rf node_modules package-lock.json npm cache clean --force npm install # Python - Clean virtualenv rm -rf venv python -m venv venv source venv/bin/activate pip install -r requirements.txt # Go - Reset modules rm go.sum go mod tidy ``` --- ## Security Audit Run security checks for any project: ```bash # Node.js npm audit npm audit --json | jq '.metadata.vulnerabilities' # Python pip-audit safety check # Go govulncheck ./... # Rust cargo audit # Ruby bundle audit # .NET dotnet list package --vulnerable ``` ### Severity Response | Severity | Action | |----------|--------| | **Critical** | Fix immediately | | **High** | Fix within 24h | | **Moderate** | Fix within 1 week | | **Low** | Fix in next release | --- ## Anti-Patterns | Avoid | Why | Instead | |-------|-----|---------| | Update fixed versions | Intentionally pinned | Skip them | | Auto-apply MAJOR | Breaking changes | Prompt user | | Batch MAJOR prompts | Loses context | Prompt individually | | Skip lock file | Irreproducible builds | Always commit lock files | | Ignore security alerts | Vulnerabilities | Address by severity | --- ## Verification Checklist After updates: - [ ] Updates scanned without errors - [ ] MINOR/PATCH auto-applied - [ ] MAJOR updates prompted individually - [ ] Fixed versions untouched - [ ] Lock file updated - [ ] Install command ran - [ ] Security audit passed (or issues noted) ---

Deep Dive: Project Detection

The skill auto-detects project type by scanning for package files: | File Found | Language | Package Manager | |------------|----------|-----------------| | `package.json` | Node.js | npm/yarn/pnpm | | `requirements.txt` | Python | pip | | `pyproject.toml` | Python | pip/poetry | | `Pipfile` | Python | pipenv | | `go.mod` | Go | go modules | | `Cargo.toml` | Rust | cargo | | `Gemfile` | Ruby | bundler | | `pom.xml` | Java | Maven | | `build.gradle` | Java/Kotlin | Gradle | | `*.csproj` | .NET | dotnet | **Detection order matters for monorepos:** 1. Check current directory first 2. Then check for workspace/monorepo patterns 3. Offer to run recursively if applicable

Deep Dive: Node.js with taze

### Prerequisites ```bash # Install taze globally (recommended) npm install -g taze # Or use npx npx taze ``` ### Smart Update Flow ```bash # 1. Scan all updates taze # 2. Apply safe updates (minor + patch) taze minor --write # 3. For each major, prompt user: # "Update @types/node from ^20.0.0 to ^22.0.0?" # If yes, add to approved list # 4. Apply approved majors taze major --write --include approved-pkg1,approved-pkg2 # 5. Install npm install # or pnpm install / yarn ``` ### Auto-Approve List Some packages have frequent major bumps but are backward-compatible: | Package | Reason | |---------|--------| | `lucide-react` | Icon library, majors are additive | | `@types/*` | Type definitions, usually safe |

Deep Dive: Version Strategies

### Semantic Versioning ``` MAJOR.MINOR.PATCH (e.g., 2.3.1) MAJOR: Breaking changes - requires code changes MINOR: New features - backward compatible PATCH: Bug fixes - backward compatible ``` ### Range Specifiers | Specifier | Meaning | Example | |-----------|---------|---------| | `^1.2.3` | Minor + Patch OK | `>=1.2.3 =1.2.3 =1.2.3` | At least | Any `>=1.2.3` | | `*` | Any | Latest (dangerous) | ### Recommended Strategy ```json { "dependencies": { "critical-lib": "1.2.3", // Exact for critical "stable-lib": "~1.2.3", // Patch only for stable "modern-lib": "^1.2.3" // Minor OK for active } } ```

Deep Dive: Conflict Resolution

### Node.js Conflicts **Diagnosis:** ```bash npm ls package-name # See dependency tree npm explain package-name # Why installed yarn why package-name # Yarn equivalent ``` **Resolution with overrides:** ```json // package.json { "overrides": { "lodash": "^4.18.0" } } ``` **Resolution with resolutions (Yarn):** ```json { "resolutions": { "lodash": "^4.18.0" } } ``` ### Python Conflicts **Diagnosis:** ```bash pip check pipdeptree -p package-name ``` **Resolution:** ```bash # Use virtual environment python -m venv venv source venv/bin/activate pip install -r requirements.txt # Or use constraints pip install -c constraints.txt -r requirements.txt ```

--- ## Script Reference | Script | Purpose | |--------|---------| | `scripts/check-tool.sh` | Verify tool is installed | | `scripts/run-taze.sh` | Run taze with proper flags | --- ## Related Tools | Tool | Language | Purpose | |------|----------|---------| | [taze](https://github.com/antfu-collective/taze) | Node.js | Smart dependency updates | | [npm-check-updates](https://github.com/raineorshine/npm-check-updates) | Node.js | Alternative to taze | | [pip-review](https://github.com/jgonggrijp/pip-review) | Python | Interactive pip updates | | [cargo-edit](https://github.com/killercup/cargo-edit) | Rust | Cargo dependency management | | [bundler-audit](https://github.com/rubysec/bundler-audit) | Ruby | Security auditing |