dependency-updater

Name: dependency-updater
Author: Softaworks

dependency managementpackage updatessecurity auditdevopsautomationcode qualitysoftware maintenancevulnerability scanning

⭐ 2.0k📄 MIT🕒 2026-03-05Source ↗

Install this skill

npx skills add softaworks/agent-toolkit

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The dependency-updater skill automates the maintenance of external code libraries across multi-language development environments. It identifies the project language by scanning for configuration files like package.json, go.mod, or Cargo.toml, then executes native package manager tools to assess version status. The system applies patches and minor version updates autonomously while isolating major version changes for manual approval. It performs security checks using industry-standard tools such as npm audit or cargo audit, ensuring codebases remain current and protected against known vulnerabilities. By standardizing the update process through a single interface, it removes the manual labor of tracking version histories across diverse tech stacks while preventing accidental breaking changes caused by major version upgrades.

When to Use This Skill

•Reducing technical debt in legacy projects by batch-updating minor versions
•Auditing project dependencies for security vulnerabilities during development
•Standardizing dependency management processes across monorepo projects
•Quickly reconciling dependency conflicts using native diagnostic tools

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

“update my project dependencies
“check if my packages are outdated
“run a security audit on my dependencies
“diagnose why my dependency tree is broken
“fix any available dependency issues

Pro Tips

💡Combine 'update dependencies' with a specific branch checkout command in your workflow to ensure updates are applied to dedicated feature branches first.
💡Utilize the 'security audit' trigger regularly in pre-commit hooks or CI pipelines to catch vulnerabilities early.
💡For major version upgrades, always review the change logs provided by the package maintainers before confirming the update to prevent breaking changes.

What this skill does

•Automatic detection of package manager and language ecosystem
•Categorization of updates into major, minor, and patch levels
•Automated application of low-risk semantic versioning updates
•Integration with security audit tools for vulnerability scanning
•Interactive prompts for user verification on breaking major updates

When not to use it

✕Projects with strictly locked dependency hashes where any update requires manual regression testing
✕Environments without internet access or private artifact repositories requiring manual auth configuration

Example workflow

The agent scans the workspace to identify the primary language and dependency manager.
It queries the package manager to pull the latest version metadata.
The tool automatically patches minor and maintenance versions.
It prompts you to approve or reject suggested major version changes.
The agent executes a security audit to confirm the final state is safe.

Prerequisites

–Node.js, Python, Go, Rust, Ruby, Java, or .NET environment
–Properly formatted dependency configuration files in the root or module directory
–Required CLI tools like taze, pip-audit, or bundle installed on the system

Pitfalls & limitations

!Major version updates may introduce breaking API changes not captured by simple versioning
!Automated updates might fail if peer dependency requirements are strict
!False positives can occur in security audits depending on the project context

FAQ

Will this tool break my application with major updates?

No, the tool isolates major updates and requires your manual approval for each one to prevent accidental breaking changes.

Which languages are supported?

The tool supports Node.js, Python, Go, Rust, Ruby, Java, and .NET projects out of the box.

How does it handle pinned versions?

If a version is explicitly pinned without caret or tilde operators, the tool skips that dependency to respect your configuration.

Can it fix security vulnerabilities automatically?

It can run fix commands for known vulnerabilities, but it will ask for input if the remediation requires a major version upgrade.

How it compares

Unlike manual updates which require repetitive CLI commands per language, this skill abstracts the syntax into a unified prompt-based interface and enforces a safety-first workflow for major upgrades.

Source & trust

⭐ 2.0k stars📄 MIT🕒 Updated 2026-03-05

View original skill on GitHub →

📄 Full skill instructions — original source: softaworks/agent-toolkit

# Dependency Updater

Smart dependency management for any language with automatic detection and safe updates.

---

## Quick Start

update my dependencies

The skill auto-detects your project type and handles the rest.

---

## Triggers

| Trigger | Example |
|---------|---------|
| Update dependencies | "update dependencies", "update deps" |
| Check outdated | "check for outdated packages" |
| Fix dependency issues | "fix my dependency problems" |
| Security audit | "audit dependencies for vulnerabilities" |
| Diagnose deps | "diagnose dependency issues" |

---

## Supported Languages

| Language | Package File | Update Tool | Audit Tool |
|----------|--------------|-------------|------------|
| **Node.js** | package.json | taze | npm audit |
| **Python** | requirements.txt, pyproject.toml | pip-review | safety, pip-audit |
| **Go** | go.mod | go get -u | govulncheck |
| **Rust** | Cargo.toml | cargo update | cargo audit |
| **Ruby** | Gemfile | bundle update | bundle audit |
| **Java** | pom.xml, build.gradle | mvn versions:* | mvn dependency:* |
| **.NET** | *.csproj | dotnet outdated | dotnet list package --vulnerable |

---

## Quick Reference

| Update Type | Version Change | Action |
|-------------|----------------|--------|
| **Fixed** | No ^ or ~ | Skip (intentionally pinned) |
| **PATCH** | x.y.z → x.y.Z | Auto-apply |
| **MINOR** | x.y.z → x.Y.0 | Auto-apply |
| **MAJOR** | x.y.z → X.0.0 | Prompt user individually |

---

## Workflow

User Request
    │
    ▼
┌─────────────────────────────────────────────────────┐
│ Step 1: DETECT PROJECT TYPE                         │
│ • Scan for package files (package.json, go.mod...) │
│ • Identify package manager                          │
├─────────────────────────────────────────────────────┤
│ Step 2: CHECK PREREQUISITES                         │
│ • Verify required tools are installed               │
│ • Suggest installation if missing                   │
├─────────────────────────────────────────────────────┤
│ Step 3: SCAN FOR UPDATES                            │
│ • Run language-specific outdated check              │
│ • Categorize: MAJOR / MINOR / PATCH / Fixed         │
├─────────────────────────────────────────────────────┤
│ Step 4: AUTO-APPLY SAFE UPDATES                     │
│ • Apply MINOR and PATCH automatically               │
│ • Report what was updated                           │
├─────────────────────────────────────────────────────┤
│ Step 5: PROMPT FOR MAJOR UPDATES                    │
│ • AskUserQuestion for each MAJOR update             │
│ • Show current → new version                        │
├─────────────────────────────────────────────────────┤
│ Step 6: APPLY APPROVED MAJORS                       │
│ • Update only approved packages                     │
├─────────────────────────────────────────────────────┤
│ Step 7: FINALIZE                                    │
│ • Run install command                               │
│ • Run security audit                                │
└─────────────────────────────────────────────────────┘

---

## Commands by Language

### Node.js (npm/yarn/pnpm)

# Check prerequisites
scripts/check-tool.sh taze "npm install -g taze"

# Scan for updates
taze

# Apply minor/patch
taze minor --write

# Apply specific majors
taze major --write --include pkg1,pkg2

# Monorepo support
taze -r  # recursive

# Security
npm audit
npm audit fix

### Python

# Check outdated
pip list --outdated

# Update all (careful!)
pip-review --auto

# Update specific
pip install --upgrade package-name

# Security
pip-audit
safety check

### Go

# Check outdated
go list -m -u all

# Update all
go get -u ./...

# Tidy up
go mod tidy

# Security
govulncheck ./...

### Rust

# Check outdated
cargo outdated

# Update within semver
cargo update

# Security
cargo audit

### Ruby

# Check outdated
bundle outdated

# Update all
bundle update

# Update specific
bundle update --conservative gem-name

# Security
bundle audit

### Java (Maven)

# Check outdated
mvn versions:display-dependency-updates

# Update to latest
mvn versions:use-latest-releases

# Security
mvn dependency:tree
mvn dependency-check:check

### .NET

# Check outdated
dotnet list package --outdated

# Update specific
dotnet add package PackageName

# Security
dotnet list package --vulnerable

---

## Diagnosis Mode

When dependencies are broken, run diagnosis:

### Common Issues & Fixes

| Issue | Symptoms | Fix |
|-------|----------|-----|
| **Version Conflict** | "Cannot resolve dependency tree" | Clean install, use overrides/resolutions |
| **Peer Dependency** | "Peer dependency not satisfied" | Install required peer version |
| **Security Vuln** | npm audit shows issues | npm audit fix or manual update |
| **Unused Deps** | Bloated bundle | Run depcheck (Node) or equivalent |
| **Duplicate Deps** | Multiple versions installed | Run npm dedupe or equivalent |

### Emergency Fixes

# Node.js - Nuclear reset
rm -rf node_modules package-lock.json
npm cache clean --force
npm install

# Python - Clean virtualenv
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Go - Reset modules
rm go.sum
go mod tidy

---

## Security Audit

Run security checks for any project:

# Node.js
npm audit
npm audit --json | jq '.metadata.vulnerabilities'

# Python
pip-audit
safety check

# Go
govulncheck ./...

# Rust
cargo audit

# Ruby
bundle audit

# .NET
dotnet list package --vulnerable

### Severity Response

| Severity | Action |
|----------|--------|
| **Critical** | Fix immediately |
| **High** | Fix within 24h |
| **Moderate** | Fix within 1 week |
| **Low** | Fix in next release |

---

## Anti-Patterns

| Avoid | Why | Instead |
|-------|-----|---------|
| Update fixed versions | Intentionally pinned | Skip them |
| Auto-apply MAJOR | Breaking changes | Prompt user |
| Batch MAJOR prompts | Loses context | Prompt individually |
| Skip lock file | Irreproducible builds | Always commit lock files |
| Ignore security alerts | Vulnerabilities | Address by severity |

---

## Verification Checklist

After updates:

- [ ] Updates scanned without errors
- [ ] MINOR/PATCH auto-applied
- [ ] MAJOR updates prompted individually
- [ ] Fixed versions untouched
- [ ] Lock file updated
- [ ] Install command ran
- [ ] Security audit passed (or issues noted)

---

<details>
<summary>Deep Dive: Project Detection</summary>

The skill auto-detects project type by scanning for package files:

| File Found | Language | Package Manager |
|------------|----------|-----------------|
| package.json | Node.js | npm/yarn/pnpm |
| requirements.txt | Python | pip |
| pyproject.toml | Python | pip/poetry |
| Pipfile | Python | pipenv |
| go.mod | Go | go modules |
| Cargo.toml | Rust | cargo |
| Gemfile | Ruby | bundler |
| pom.xml | Java | Maven |
| build.gradle | Java/Kotlin | Gradle |
| *.csproj | .NET | dotnet |

**Detection order matters for monorepos:**
1. Check current directory first
2. Then check for workspace/monorepo patterns
3. Offer to run recursively if applicable

</details>

<details>
<summary>Deep Dive: Node.js with taze</summary>

### Prerequisites

# Install taze globally (recommended)
npm install -g taze

# Or use npx
npx taze

### Smart Update Flow

# 1. Scan all updates
taze

# 2. Apply safe updates (minor + patch)
taze minor --write

# 3. For each major, prompt user:
#    "Update @types/node from ^20.0.0 to ^22.0.0?"
#    If yes, add to approved list

# 4. Apply approved majors
taze major --write --include approved-pkg1,approved-pkg2

# 5. Install
npm install  # or pnpm install / yarn

### Auto-Approve List

Some packages have frequent major bumps but are backward-compatible:

| Package | Reason |
|---------|--------|
| lucide-react | Icon library, majors are additive |
| @types/* | Type definitions, usually safe |

</details>

<details>
<summary>Deep Dive: Version Strategies</summary>

### Semantic Versioning

MAJOR.MINOR.PATCH (e.g., 2.3.1)

MAJOR: Breaking changes - requires code changes
MINOR: New features - backward compatible
PATCH: Bug fixes - backward compatible

### Range Specifiers

| Specifier | Meaning | Example |
|-----------|---------|---------|
| ^1.2.3 | Minor + Patch OK | >=1.2.3 <2.0.0 |
| ~1.2.3 | Patch only | >=1.2.3 <1.3.0 |
| 1.2.3 | Exact (fixed) | Only 1.2.3 |
| >=1.2.3 | At least | Any >=1.2.3 |
| * | Any | Latest (dangerous) |

### Recommended Strategy

{
  "dependencies": {
    "critical-lib": "1.2.3",      // Exact for critical
    "stable-lib": "~1.2.3",       // Patch only for stable
    "modern-lib": "^1.2.3"        // Minor OK for active
  }
}

</details>

<details>
<summary>Deep Dive: Conflict Resolution</summary>

### Node.js Conflicts

**Diagnosis:**

npm ls package-name      # See dependency tree
npm explain package-name # Why installed
yarn why package-name    # Yarn equivalent

**Resolution with overrides:**

// package.json
{
  "overrides": {
    "lodash": "^4.18.0"
  }
}

**Resolution with resolutions (Yarn):**

{
  "resolutions": {
    "lodash": "^4.18.0"
  }
}

### Python Conflicts

**Diagnosis:**

pip check
pipdeptree -p package-name

**Resolution:**

# Use virtual environment
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Or use constraints
pip install -c constraints.txt -r requirements.txt

</details>

---

## Script Reference

| Script | Purpose |
|--------|---------|
| scripts/check-tool.sh | Verify tool is installed |
| scripts/run-taze.sh | Run taze with proper flags |

---

## Related Tools

| Tool | Language | Purpose |
|------|----------|---------|
| [taze](https://github.com/antfu-collective/taze) | Node.js | Smart dependency updates |
| [npm-check-updates](https://github.com/raineorshine/npm-check-updates) | Node.js | Alternative to taze |
| [pip-review](https://github.com/jgonggrijp/pip-review) | Python | Interactive pip updates |
| [cargo-edit](https://github.com/killercup/cargo-edit) | Rust | Cargo dependency management |
| [bundler-audit](https://github.com/rubysec/bundler-audit) | Ruby | Security auditing |

By Softaworks

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

Click "Download" above
In your project, create the directory: .agent/skills/dependency-updater/
Save the file as SKILL.md
The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

Claude Code: ~/.claude/skills/softaworks/agent-toolkit/dependency-updater/SKILL.md
Cursor: ~/.cursor/skills/softaworks/agent-toolkit/dependency-updater/SKILL.md
Antigravity: ~/.gemini/antigravity/skills/softaworks/agent-toolkit/dependency-updater/SKILL.md

🚀 Install with CLI:
npx skills add softaworks/agent-toolkit

Read the Master Guide: Mastering Agent Skills →

Recommended Rules

View more rules →

Recommended Workflows

View more workflows →

Setup Vercel Cron Jobs

VercelCronAutomation

--- description: Create and test scheduled tasks in Next.js --- 1. **Create Cron Config**: - Add `crons` to `vercel.json`. ```json { "c...

Check SSL Certificates

SecurityDevOpsSSL

--- description: Verify SSL certificate validity and expiration --- 1. **Check Expiry**: - Use openssl to check a domain. Replace `google.com` wit...

Setup Semantic Versioning

VersioningReleasesGit

--- description: Automate version bumps and changelog generation --- 1. **Install semantic-release**: - Automate versioning based on commit messag...

Recommended MCP Servers

View more MCP servers →

DevOps AI Toolkit

Community

AI-powered development productivity platform that enhances software development workflows through intelligent automation and AI-driven assistance.

MCP-OpenStack-Ops

Community

Professional OpenStack operations automation via MCP server. Specialized tools for cluster monitoring, instance management, volume control & network analysis. FastMCP + OpenStack SDK + Bearer auth. Claude Desktop ready. Perfect for DevOps & cloud automation.

AltTester®

Official

Use AltTester® capabilities to connect and test your Unity or Unreal game. Write game test automation faster and smarter, using [AltTester](https://alttester.com) and the AltTester® MCP server.

Take It Further

Maximize your productivity with these powerful resources

📋

Define Your Standards

Set up coding standards to ensure this workflow produces consistent, high-quality results.

Browse Rules Library

📖

Master Workflows

Learn how to create custom workflows, use Turbo Mode, and build your automation library.

Complete Guide