dependency-update

# Dependency Update Skill

Safe and systematic dependency updates with vulnerability management, license checking, and rollback planning.

## When to Use
| Trigger | Priority | Description |
|---|---|---|
| Security Vulnerability | Critical | Known CVE in dependency |
| Monthly Maintenance | High | Regular update cycle |
| Major Version | Medium | New major version available |
| Pre-Release | High | Before production deployments |
| Breaking Bug | Critical | Bug in current dependency |
## Update Strategy

### Update Types
| Type | Risk | Frequency | Testing |
|---|---|---|---|
| Patch (x.x.1) | Low | Weekly/Auto | Basic |
| Minor (x.1.0) | Low-Medium | Monthly | Standard |
| Major (1.0.0) | High | Quarterly | Comprehensive |
### Semantic Versioning

```text
MAJOR.MINOR.PATCH
  │     │     │
  │     │     └── Bug fixes (backward compatible)
  │     └──────── New features (backward compatible)
  └────────────── Breaking changes
```
## Prerequisites
Before starting:
- All tests passing
- Clean git working directory
- Recent backup/checkpoint
- Time for testing and potential rollback
- Access to changelogs/release notes
## Update Process

```text
Phase 1: Audit Dependencies
        ↓
Phase 2: Check Vulnerabilities
        ↓
Phase 3: Check License Compatibility
        ↓
Phase 4: Plan Updates
        ↓
Phase 5: Execute Updates
        ↓
Phase 6: Test & Validate
        ↓
Phase 7: Document & Deploy
```
### Phase 1: Audit Dependencies

List outdated dependencies using ecosystem-specific tools:

```sh
# Node.js
npm outdated
# Python
pip list --outdated
# Go
go list -u -m all
# Rust
cargo outdated
# Ruby
bundle outdated
```

Create an update inventory, prioritizing direct dependencies over transitive ones.
### Phase 2: Check Vulnerabilities

Run security audits:

```sh
# Node.js
npm audit
# Python
pip-audit          # or: safety check
# Go
govulncheck ./...
# Rust
cargo audit
# Ruby
bundle audit check
```

Prioritize by severity: Critical (hours) → High (days) → Moderate (weeks) → Low (monthly).
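The triage rule above (response window by severity, direct dependencies ahead of transitive ones as in Phase 1) applied to an `npm audit --json` report, as an added example that is not part of the original skill. It assumes only the `severity`, `isDirect`, `range` and `fixAvailable` fields of npm's JSON report; the report embedded below is constructed with made-up package names.

```python
"""Triage an `npm audit --json` report into the response windows above."""
import json

# Response window per severity, as stated in Phase 2.
WINDOW = {"critical": "hours", "high": "days", "moderate": "weeks", "low": "monthly"}
ORDER = ["critical", "high", "moderate", "low"]

# Constructed sample using the subset of fields this script reads from npm's
# JSON report; package names and versions are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "example-left-pad": {"severity": "high", "isDirect": True,
                             "range": "<1.3.0", "fixAvailable": True},
        "example-deep-dep": {"severity": "critical", "isDirect": False,
                             "range": "<2.0.1",
                             "fixAvailable": {"name": "example-parent", "version": "5.0.0",
                                              "isSemVerMajor": True}},
        "example-tiny-util": {"severity": "low", "isDirect": True,
                              "range": "*", "fixAvailable": False},
    }
})


def fix_kind(fix):
    """fixAvailable is true, false, or an object describing a (possibly major) parent bump."""
    if not fix:
        return "none"
    if isinstance(fix, dict) and fix.get("isSemVerMajor"):
        return "major bump of %s@%s" % (fix.get("name", "?"), fix.get("version", "?"))
    return "available"


def _rank(row):
    # Known severities in page order, unknown ones last; direct before transitive.
    sev = ORDER.index(row["severity"]) if row["severity"] in ORDER else len(ORDER)
    return (sev, not row["direct"], row["package"])


def triage(report_json):
    """Return findings ordered by severity, then direct before transitive, then name."""
    data = json.loads(report_json)
    rows = []
    for name, vuln in data.get("vulnerabilities", {}).items():
        sev = str(vuln.get("severity", "low")).lower()
        rows.append({"package": name, "severity": sev, "window": WINDOW.get(sev, "monthly"),
                     "direct": bool(vuln.get("isDirect")), "range": vuln.get("range", "?"),
                     "fix": fix_kind(vuln.get("fixAvailable", False))})
    return sorted(rows, key=_rank)


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print("%-8s within %-7s %-18s %-10s %-7s fix: %s" % (r["severity"], r["window"],
              r["package"], "direct" if r["direct"] else "transitive", r["range"], r["fix"]))
```

Pipe a real report in with `npm audit --json | python triage.py` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`; a major-bump fix on a transitive dependency is the case that belongs in the "Individual" group of Phase 4.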
### Phase 3: Check License Compatibility

Check licenses before adding dependencies:

```sh
# Node.js
npx license-checker --summary
# Python
pip-licenses
```

Avoid: GPL-3.0, AGPL-3.0, SSPL, Unlicensed (require legal review). Safe: MIT, Apache-2.0, BSD, ISC.
### Phase 4: Plan Updates

Priority: Security → Patches → Minor → Major

Update strategies:
- Individual: Major updates, risky dependencies
- Batched: Patches and minor updates together
- All at once: Only for fresh projects with comprehensive tests
Create an update plan grouping by priority and risk level.

### Phase 5: Execute Updates

Create a branch: `git checkout -b chore/dependency-updates-YYYY-MM`

Update commands by ecosystem:

```sh
# Individual: npm install pkg@ver | pip install pkg==ver | go get pkg@ver
# Batch:      npm update | pip install -U pkg1 pkg2 | go get -u ./... | cargo update
```

Verify that lock files were updated. Commit with descriptive messages following conventional commits.
### Phase 6: Test & Validate

Run comprehensive validation:

```sh
# Tests: npm test | pytest | go test ./... | cargo test
# Types: npm run typecheck | mypy . | cargo check
# Lint:  npm run lint | ruff check . | golangci-lint run | cargo clippy
# Build: npm run build | go build ./... | cargo build --release
```

For major updates, verify critical paths manually.

### Phase 7: Document & Deploy
Create PR documenting:
- Security fixes with CVE numbers
- Package updates table
- Breaking changes addressed
- Testing checklist completed
- Rollback plan
Deploy: Dev → Staging → Production (with validation at each stage).
## Rollback Procedures

### If Tests Fail

```sh
# Reset to before updates
git checkout package.json package-lock.json
npm install
```

### If Production Issues

```sh
# Revert the commit
git revert <update-commit-hash>
npm install
# Deploy revert
```

### Pin Problematic Dependency

Pin the working version in `package.json` (JSON allows no comments, so the notes are given here): the `dependencies` entry pins the direct dependency, and the `resolutions` entry forces the same version onto transitive occurrences. `resolutions` is honoured by Yarn; npm expresses the same intent with an `overrides` field.

```json
{
  "dependencies": {
    "problematic-package": "1.2.3"
  },
  "resolutions": {
    "problematic-package": "1.2.3"
  }
}
```
## Quick Reference

### Commands by Language

| Task | Node.js | Python | Go | Rust |
|---|---|---|---|---|
| List outdated | `npm outdated` | `pip list --outdated` | `go list -u -m all` | `cargo outdated` |
| Security audit | `npm audit` | `pip-audit` | `govulncheck ./...` | `cargo audit` |
| Update all | `npm update` | `pip install -U` | `go get -u ./...` | `cargo update` |
| Update one | `npm install pkg@ver` | `pip install pkg==ver` | `go get pkg@ver` | `cargo update -p pkg` |
## Checklist

### Pre-Update
- Tests passing
- Clean git state
- Outdated list generated
- Vulnerabilities checked
- Licenses checked
- Update plan created
### During Update
- Branch created
- Updates applied
- Lock files updated
- Commits atomic and descriptive
### Post-Update
- All tests pass
- Type checks pass
- Lint passes
- Build succeeds
- Manual testing done
- PR created
- Rollback plan ready
## Related Workflows
- security-audit.md - Includes vulnerability scanning
- code-review.md - Review updated code
- troubleshooting.md - If updates cause issues
## Extended Resources
For detailed per-ecosystem commands, verbose examples, and automation configuration, see:
- references/process.md - Comprehensive ecosystem-specific processes