dependency-upgrade
Installation
SKILL.md
Invocation points:
/gsd start dep-upgradeworkflow is running- Ad-hoc "bump the deps" request
- Security advisory response (CVE in a direct dep)
- Framework major-version update (React 18 → 19, Node LTS bump)
- Monthly hygiene pass
<core_principle>
BATCH BY RISK, NOT BY LAZINESS. npm update is a shortcut that blends safe and risky changes into one commit. When something breaks, you can't tell which dep caused it. Always separate: patches and dev-deps first, minors next, majors individually.
VERIFY BETWEEN BATCHES. Run the test suite after every batch. Don't stack five batches and hope. If a batch breaks something, you need to know which one.