composer-dependencies
Installation
SKILL.md
Composer Dependencies Update
Dependency updates are maintenance, not features. Do them regularly in small batches rather than rarely in large ones. Every update follows the same cycle: audit, update, verify, commit.
Core Principles
| Principle | Meaning |
|---|---|
| Changelog first | Before any major dependency update, search the web for the package's changelog/UPGRADE file or ask the user to provide it - never guess what changed |
| Security first | Run composer audit before and after every update - vulnerabilities take priority over everything |
| Small batches | Update one package or one logical group at a time - never update everything at once |
| Lock file is truth | Always commit composer.lock - production uses composer install, never composer update |
| Verify before merging | Every update must pass the full test suite and static analysis before merging |
| Caret by default | Use ^ constraints for most dependencies - it balances stability with receiving fixes |