dependency-upgrade
Audited by Socket on Mar 3, 2026
1 alert found:
Malware
This skill is documentation and helper scripts for performing major dependency upgrades. Its capabilities align with the stated purpose: auditing, planning, staged upgrades, codemods, testing, and rollback. There are no direct indicators of intentional malicious behavior (no credential exfiltration, no reverse shells, no obfuscated payloads). The primary security concerns are supply-chain and accidental-destructive risks: running remote codemods via npx with transform URLs, unpinned installs such as npm install <package>@latest, and migration scripts that replace files wholesale without checking their contents. These are legitimate techniques, but they carry moderate supply-chain risk if used without safeguards: pin remote transforms to specific commits or tags, review the transform code before executing it, pin dependency versions, and run transforms in isolated environments or CI with backups. Overall malware probability is very low, but the supply-chain risk is non-negligible and warrants cautious operational controls.
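As an added example (not part of the Socket report or of the dependency-upgrade skill itself), the following POSIX shell helpers apply the safeguards listed above: they refuse a remote transform URL that is not pinned to a full commit SHA (stricter than the report's "commits/tags", since a tag can be moved after review), refuse an npm install spec that is not an exact version, verify a downloaded transform against a SHA-256 digest recorded when the code was reviewed, and run jscodeshift in dry-run mode before any file is written. The function names, the JSCODESHIFT_VERSION variable and the sample inputs are assumptions of this example; the jscodeshift flags -t and --dry, npx package@version invocation and npm install --save-exact are real.

```shell
#!/bin/sh
# Added example (not from the Socket report or the dependency-upgrade skill):
# guard rails for running a remote codemod and installing a pinned upgrade.
# Assumptions: function names, JSCODESHIFT_VERSION and sample inputs are ours.

# A remote transform is "pinned" only if its URL embeds a full 40-hex commit SHA
# (e.g. raw.githubusercontent.com/<org>/<repo>/<sha>/transform.js).
# Branch names such as main and tags are rejected: both can be rewritten later.
transform_url_is_pinned() {
  printf '%s' "$1" | grep -Eq '/[0-9a-f]{40}/'
}

# An npm install spec is "pinned" only if it ends in an exact semver version:
# pkg@1.2.3 or @scope/pkg@1.2.3-rc.1. No version, @latest, ^ and ~ all fail.
install_spec_is_pinned() {
  spec=$1
  case "$spec" in
    @*/*@*) version=${spec##*@} ;;   # scoped package with a version
    @*)     return 1 ;;              # scoped package, no version given
    *@*)    version=${spec##*@} ;;   # unscoped package with a version
    *)      return 1 ;;              # bare package name
  esac
  printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# SHA-256 of a file, portable across sha256sum (coreutils) and shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# True when the file's digest equals the digest recorded at review time.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Fetch a pinned transform, check its digest, and run it through a pinned
# jscodeshift in dry-run mode (no files written) over the given paths.
# Needs network and npm; the offline checks below do not exercise it.
run_pinned_transform() {
  url=$1; expected=$2; shift 2
  transform_url_is_pinned "$url" \
    || { echo "refusing unpinned transform: $url" >&2; return 1; }
  tmpdir=$(mktemp -d) || return 1
  curl -fsSL "$url" -o "$tmpdir/transform.js" || { rm -rf "$tmpdir"; return 1; }
  verify_sha256 "$tmpdir/transform.js" "$expected" \
    || { echo "digest mismatch for $url" >&2; rm -rf "$tmpdir"; return 1; }
  # JSCODESHIFT_VERSION is an assumed variable; set it to the version you reviewed.
  npx "jscodeshift@${JSCODESHIFT_VERSION:?set JSCODESHIFT_VERSION}" \
    -t "$tmpdir/transform.js" --dry "$@"
  status=$?
  rm -rf "$tmpdir"
  return $status
}

# Install an upgrade only from an exact version spec, and save it exactly so
# package.json does not get a ^ range written back.
safe_npm_install() {
  install_spec_is_pinned "$1" || { echo "refusing unpinned spec: $1" >&2; return 1; }
  npm install --save-exact "$1"
}
```

Usage: source the file, export JSCODESHIFT_VERSION, then call run_pinned_transform with the SHA-pinned raw URL, the digest you recorded after reading the transform, and the source paths; drop --dry only after the dry run's proposed changes have been reviewed, and take a backup or run in CI before the real pass.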