HelpBlogCommunity🍌 PromptsNEWRulesWorkflowsAgent SkillsMCPsAdvertise
ENEnglishESEspaΓ±olZHδΈ­ζ–‡JAζ—₯本θͺžDEDeutschPTPortuguΓͺsRUРусский
Back to DevOps & CI/CD

dependency-upgrade

dependenciesupgradesversioningnpmyarnsecuritymaintenancedevops
⭐ 36.8kπŸ“„ MITπŸ•’ 2026-06-16Source β†—

Install this skill

npx skills add wshobson/agents

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The dependency-upgrade skill manages the lifecycle of third-party libraries within Node.js ecosystems. It provides a structured approach to identifying outdated packages, evaluating compatibility, and executing phased migrations. Instead of updating all modules at once, which often introduces hidden regressions, this skill implements systematic verification steps. It handles version discrepancies through dependency tree auditing, utilizes codemods to automate syntax transitions for major breaking changes, and enforces validation through test suites. By centering operations on semantic versioning rules and compatibility matrices, the agent ensures that security patches and feature updates remain stable within complex codebases. It is intended for maintenance workflows where dependency bloat or outdated runtimes pose technical debt or security risks, ensuring that infrastructure remains aligned with modern framework requirements.

When to Use This Skill

  • β€’Migrating a legacy React application to a newer major version
  • β€’Auditing project dependencies for known security vulnerabilities
  • β€’Resolving transitive dependency conflicts within large package trees
  • β€’Standardizing testing libraries across a modular architecture

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • β€œUpdate all my npm dependencies while checking for breaking changes
  • β€œAnalyze why my project has duplicate React versions
  • β€œCreate an upgrade path for my TypeScript project to version 5
  • β€œApply codemods to fix deprecated lifecycle methods in my codebase
  • β€œCheck if my current library versions are compatible with React 18

Pro Tips

  • πŸ’‘Always start major upgrades in a dedicated branch and integrate continuous integration (CI) tests early to catch regressions.
  • πŸ’‘Leverage community resources and migration guides provided by the library maintainers, as they often contain critical steps and common pitfalls.
  • πŸ’‘Consider using tools like Dependabot or Renovate for automated minor/patch updates, reserving this skill for strategic major version shifts.

What this skill does

  • β€’Identifies stale packages using audit and outdated commands
  • β€’Maps package versions against compatibility matrices
  • β€’Automates source code refactoring via specialized codemods
  • β€’Generates structured migration roadmaps to minimize downtime
  • β€’Validates version alignment through integration and visual snapshot testing

When not to use it

  • βœ•Minor patches that do not require verification or dependency locking
  • βœ•Rapid prototyping where dependency stability is secondary to speed
  • βœ•Projects using package managers other than npm or yarn without adapter support

Example workflow

  1. Run dependency audit to list outdated and vulnerable packages
  2. Compare current versions against known compatibility requirements
  3. Define an upgrade sequence in a migration plan document
  4. Execute one dependency update at a time followed by a test suite run
  5. Apply automated codemods to resolve breaking API changes
  6. Validate stability using integration and visual regression tests

Prerequisites

  • –Access to the project's source code
  • –Existing test coverage (unit or integration)
  • –Clean git working directory for easy rollback

Pitfalls & limitations

  • !Batch-updating dependencies often causes difficult-to-trace runtime errors
  • !Codemods may fail on complex or non-standard file structures
  • !Ignoring peer dependency warnings during manual installations

FAQ

Should I update all dependencies at once using a wildcard?
No. Incremental updates allow you to pinpoint the specific package causing a failure, which is impossible if multiple major versions are upgraded simultaneously.
How do I know if a version update is a breaking change?
Consult the SemVer rules; any change to the Major version indicates a breaking change. You should also check the package's CHANGELOG.md or migration guide.
What is the role of a codemod in this process?
A codemod is a script that programmatically refactors your source code to match new API requirements, reducing manual effort for repetitive migrations like renaming lifecycle methods.
What happens if a test fails after an upgrade?
Revert the change immediately using your version control system, inspect the error logs, and determine if the issue is a genuine incompatibility or a code migration error.

How it compares

Unlike generic update commands, this skill enforces a strict dependency-by-dependency verification loop that integrates directly with your project's testing suite to ensure functional parity.

Source & trust

⭐ 37k starsπŸ“„ MITπŸ•’ Updated 2026-06-16
πŸ“„ Full skill instructions β€” original source: wshobson/agents
# Dependency Upgrade

Master major dependency version upgrades, compatibility analysis, staged upgrade strategies, and comprehensive testing approaches.

## When to Use This Skill

- Upgrading major framework versions
- Updating security-vulnerable dependencies
- Modernizing legacy dependencies
- Resolving dependency conflicts
- Planning incremental upgrade paths
- Testing compatibility matrices
- Automating dependency updates

## Semantic Versioning Review

MAJOR.MINOR.PATCH (e.g., 2.3.1)

MAJOR: Breaking changes
MINOR: New features, backward compatible
PATCH: Bug fixes, backward compatible

^2.3.1 = >=2.3.1 <3.0.0 (minor updates)
~2.3.1 = >=2.3.1 <2.4.0 (patch updates)
2.3.1 = exact version


## Dependency Analysis

### Audit Dependencies

# npm
npm outdated
npm audit
npm audit fix

# yarn
yarn outdated
yarn audit

# Check for major updates
npx npm-check-updates
npx npm-check-updates -u  # Update package.json


### Analyze Dependency Tree

# See why a package is installed
npm ls package-name
yarn why package-name

# Find duplicate packages
npm dedupe
yarn dedupe

# Visualize dependencies
npx madge --image graph.png src/


## Compatibility Matrix

// compatibility-matrix.js
const compatibilityMatrix = {
  react: {
    "16.x": {
      "react-dom": "^16.0.0",
      "react-router-dom": "^5.0.0",
      "@testing-library/react": "^11.0.0",
    },
    "17.x": {
      "react-dom": "^17.0.0",
      "react-router-dom": "^5.0.0 || ^6.0.0",
      "@testing-library/react": "^12.0.0",
    },
    "18.x": {
      "react-dom": "^18.0.0",
      "react-router-dom": "^6.0.0",
      "@testing-library/react": "^13.0.0",
    },
  },
};

function checkCompatibility(packages) {
  // Validate package versions against matrix
}


## Staged Upgrade Strategy

### Phase 1: Planning

# 1. Identify current versions
npm list --depth=0

# 2. Check for breaking changes
# Read CHANGELOG.md and MIGRATION.md

# 3. Create upgrade plan
echo "Upgrade order:
1. TypeScript
2. React
3. React Router
4. Testing libraries
5. Build tools" > UPGRADE_PLAN.md


### Phase 2: Incremental Updates

# Don't upgrade everything at once!

# Step 1: Update TypeScript
npm install typescript@latest

# Test
npm run test
npm run build

# Step 2: Update React (one major version at a time)
npm install react@17 react-dom@17

# Test again
npm run test

# Step 3: Continue with other packages
npm install react-router-dom@6

# And so on...


### Phase 3: Validation

// tests/compatibility.test.js
describe("Dependency Compatibility", () => {
  it("should have compatible React versions", () => {
    const reactVersion = require("react/package.json").version;
    const reactDomVersion = require("react-dom/package.json").version;

    expect(reactVersion).toBe(reactDomVersion);
  });

  it("should not have peer dependency warnings", () => {
    // Run npm ls and check for warnings
  });
});


## Breaking Change Handling

### Identifying Breaking Changes

# Use changelog parsers
npx changelog-parser react 16.0.0 17.0.0

# Or manually check
curl https://raw.githubusercontent.com/facebook/react/main/CHANGELOG.md


### Codemod for Automated Fixes

# React upgrade codemods
npx react-codeshift <transform> <path>

# Example: Update lifecycle methods
npx react-codeshift \
  --parser tsx \
  --transform react-codeshift/transforms/rename-unsafe-lifecycles.js \
  src/


### Custom Migration Script

// migration-script.js
const fs = require("fs");
const glob = require("glob");

glob("src/**/*.tsx", (err, files) => {
  files.forEach((file) => {
    let content = fs.readFileSync(file, "utf8");

    // Replace old API with new API
    content = content.replace(
      /componentWillMount/g,
      "UNSAFE_componentWillMount",
    );

    // Update imports
    content = content.replace(
      /import { Component } from 'react'/g,
      "import React, { Component } from 'react'",
    );

    fs.writeFileSync(file, content);
  });
});


## Testing Strategy

### Unit Tests

// Ensure tests pass before and after upgrade
npm run test

// Update test utilities if needed
npm install @testing-library/react@latest


### Integration Tests

// tests/integration/app.test.js
describe("App Integration", () => {
  it("should render without crashing", () => {
    render(<App />);
  });

  it("should handle navigation", () => {
    const { getByText } = render(<App />);
    fireEvent.click(getByText("Navigate"));
    expect(screen.getByText("New Page")).toBeInTheDocument();
  });
});


### Visual Regression Tests

// visual-regression.test.js
describe("Visual Regression", () => {
  it("should match snapshot", () => {
    const { container } = render(<App />);
    expect(container.firstChild).toMatchSnapshot();
  });
});


### E2E Tests

// cypress/e2e/app.cy.js
describe("E2E Tests", () => {
  it("should complete user flow", () => {
    cy.visit("/");
    cy.get('[data-testid="login"]').click();
    cy.get('input[name="email"]').type("[email protected]");
    cy.get('button[type="submit"]').click();
    cy.url().should("include", "/dashboard");
  });
});


## Automated Dependency Updates

### Renovate Configuration

// renovate.json
{
  "extends": ["config:base"],
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["major-update"]
    }
  ],
  "schedule": ["before 3am on Monday"],
  "timezone": "America/New_York"
}


### Dependabot Configuration

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "team-leads"
    commit-message:
      prefix: "chore"
      include: "scope"


## Rollback Plan

// rollback.sh
#!/bin/bash

# Save current state
git stash
git checkout -b upgrade-branch

# Attempt upgrade
npm install package@latest

# Run tests
if npm run test; then
  echo "Upgrade successful"
  git add package.json package-lock.json
  git commit -m "chore: upgrade package"
else
  echo "Upgrade failed, rolling back"
  git checkout main
  git branch -D upgrade-branch
  npm install  # Restore from package-lock.json
fi


## Common Upgrade Patterns

### Lock File Management

# npm
npm install --package-lock-only  # Update lock file only
npm ci  # Clean install from lock file

# yarn
yarn install --frozen-lockfile  # CI mode
yarn upgrade-interactive  # Interactive upgrades


### Peer Dependency Resolution

# npm 7+: strict peer dependencies
npm install --legacy-peer-deps  # Ignore peer deps

# npm 8+: override peer dependencies
npm install --force


### Workspace Upgrades

# Update all workspace packages
npm install --workspaces

# Update specific workspace
npm install package@latest --workspace=packages/app


## Resources

- **references/semver.md**: Semantic versioning guide
- **references/compatibility-matrix.md**: Common compatibility issues
- **references/staged-upgrades.md**: Incremental upgrade strategies
- **references/testing-strategy.md**: Comprehensive testing approaches
- **assets/upgrade-checklist.md**: Step-by-step checklist
- **assets/compatibility-matrix.csv**: Version compatibility table
- **scripts/audit-dependencies.sh**: Dependency audit script

## Best Practices

1. **Read Changelogs**: Understand what changed
2. **Upgrade Incrementally**: One major version at a time
3. **Test Thoroughly**: Unit, integration, E2E tests
4. **Check Peer Dependencies**: Resolve conflicts early
5. **Use Lock Files**: Ensure reproducible installs
6. **Automate Updates**: Use Renovate or Dependabot
7. **Monitor**: Watch for runtime errors post-upgrade
8. **Document**: Keep upgrade notes

## Upgrade Checklist

Pre-Upgrade:

- [ ] Review current dependency versions
- [ ] Read changelogs for breaking changes
- [ ] Create feature branch
- [ ] Backup current state (git tag)
- [ ] Run full test suite (baseline)

During Upgrade:

- [ ] Upgrade one dependency at a time
- [ ] Update peer dependencies
- [ ] Fix TypeScript errors
- [ ] Update tests if needed
- [ ] Run test suite after each upgrade
- [ ] Check bundle size impact

Post-Upgrade:

- [ ] Full regression testing
- [ ] Performance testing
- [ ] Update documentation
- [ ] Deploy to staging
- [ ] Monitor for errors
- [ ] Deploy to production


## Common Pitfalls

- Upgrading all dependencies at once
- Not testing after each upgrade
- Ignoring peer dependency warnings
- Forgetting to update lock file
- Not reading breaking change notes
- Skipping major versions
- Not having rollback plan

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/dependency-upgrade/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/wshobson/agents/dependency-upgrade/SKILL.md
  • Cursor: ~/.cursor/skills/wshobson/agents/dependency-upgrade/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/wshobson/agents/dependency-upgrade/SKILL.md

πŸš€ Install with CLI:
npx skills add wshobson/agents

Read the Master Guide: Mastering Agent Skills β†’

Recommended Rules

View more rules β†’

Security & Compliance in DevOps

DevSecOpsSecurityCompliance
You are an expert in DevSecOps, security automation, and compliance. Key Principles: - Shift security left (start early) - Security as Code - Automat...

πŸ”’ Security Audit Agent - Vulnerability Detection

Agentic AISecurityVulnerability
You are an expert security audit agent specialized in identifying vulnerabilities and security risks. Apply systematic reasoning following OWASP guide...

πŸš€ DevOps & CI/CD Agent - Pipeline Expert

Agentic AIDevOpsCI/CD
You are an expert DevOps and CI/CD agent specialized in designing and implementing robust deployment pipelines and infrastructure. Apply systematic re...

Recommended Workflows

View more workflows β†’

Check SSL Certificates

SecurityDevOpsSSL
--- description: Verify SSL certificate validity and expiration --- 1. **Check Expiry**: - Use openssl to check a domain. Replace `google.com` wit...

Update All Dependencies

npmMaintenanceUpdates
--- description: Interactively check and update outdated packages --- 1. **Check for Updates**: - Use `npm-check-updates` to see what's new. //...

Nuke & Reinstall

npmTroubleshootingDependencies
--- description: The nuclear option for when dependencies are completely broken --- 1. **Remove node_modules**: - Delete the existing `node_module...

Recommended MCP Servers

View more MCP servers β†’
BoostSecurity

BoostSecurity

Official

Powered by [BoostSecurity](https://boostsecurity.io/), the MCP guardrails coding agents against introducing dependencies with vulnerabilities, malware or typosquatting.

N

NPM Plus

Community

AI-powered JavaScript package management with security scanning, bundle analysis, and intelligent dependency management for MCP-compatible editors.

v

vulnicheck

Community

Real-time Python package vulnerability scanner that checks dependencies against OSV and NVD databases, providing comprehensive security analysis with CVE details, lock file support, and actionable upgrade recommendations.

Take It Further

Maximize your productivity with these powerful resources

πŸ“‹

Define Your Standards

Set up coding standards to ensure this workflow produces consistent, high-quality results.

Browse Rules Library
πŸ“–

Master Workflows

Learn how to create custom workflows, use Turbo Mode, and build your automation library.

Complete Guide

How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid devops & ci/cd issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under DevOps & CI/CD and is published by W. Shobson, maintained in wshobson/agents.

← Browse All Agent Skills
Sponsored AI assistant. Recommendations may be paid.