deps-upgrade
Installation
SKILL.md
Dependencies are inherited code. Upgrades are inherited risk. Patch in batch, minor in batch with a smoke test, major one-at-a-time with a CHANGELOG read.
When to Apply / NOT
Apply: CVE remediation; major upstream release; compatibility forcing function; quarterly hygiene cadence; pre-release lockfile audit; deprecation warnings accumulating.
NOT apply: active feature branch with high churn; pre-release freeze window; mid-incident; API-break-driven refactor.
Anti-patterns
- Big-bang upgrade: bumping every dep at once.
- Skipping the lockfile: floating ranges create non-reproducible builds.
- Ignoring the CHANGELOG: major bumps without reading upstream notes.
- Suppressing deprecations:
--warning-as-error=offdefers cost. - Bypassing audit signals:
npm audit fix --forcewithout reading. - No smoke test on minor: minor versions can introduce behavior shifts.
- Forgetting transitives: surface deps look fine; transitive CVE remains.
- Mixing concerns in one commit: upgrade + refactor + feature — atomize per
<git>policy.