composer-upgrade
Composer Upgrade
Upgrade Workflow
Follow this sequence when upgrading a PHP project:
- Check for security issues → `composer audit` — fixes here are highest priority
- Identify what's outdated → `composer outdated --format=json`
- Prioritize — packages with CVEs AND outdated go first; see references/audit.md
- Diagnose blockers → `composer why-not vendor/package version` — note any sub-packages blocking the update
- Trace dependencies → `composer why vendor/package`
- Update packages → `composer update vendor/package` — if blocked, include identified blockers: `composer update vendor/package blocker/one blocker/two`
- Test
- Harden constraints → `composer bump` (applications only)
- Re-audit → `composer audit` to confirm all advisories are resolved
See references/commands.md for full flag reference, including global flags for non-interactive use (--no-interaction --no-progress --no-ansi).
See references/upgrade-workflow.md for detailed strategies, including merge conflict resolution.
See references/audit.md for security audit details, severity tiers, and how to build a prioritized package list.
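The prioritization step in the workflow above ("packages with CVEs AND outdated go first"), as an added example that is not part of the original skill or its repository: it merges the JSON from `composer audit --format=json` and `composer outdated --format=json` into one ordered list. The package names, sample data and the ordering of ranks 2 and 3 are assumptions, and the JSON shapes should be confirmed against your Composer version.

```python
import json

# Constructed sample outputs (not from a real project). The shapes are assumed
# to match `composer audit --format=json` and `composer outdated --format=json`.
AUDIT_JSON = """{"advisories": {"acme/http-client": [
  {"advisoryId": "EXAMPLE-1", "cve": "CVE-PLACEHOLDER-1", "title": "Constructed advisory A"},
  {"advisoryId": "EXAMPLE-2", "cve": null, "title": "Constructed advisory B"}],
 "acme/yaml": [{"advisoryId": "EXAMPLE-3", "cve": "CVE-PLACEHOLDER-2", "title": "Constructed advisory C"}]}}"""
OUTDATED_JSON = """{"installed": [
  {"name": "acme/http-client", "version": "1.2.0", "latest": "1.4.3", "latest-status": "semver-safe-update"},
  {"name": "acme/logger", "version": "2.0.0", "latest": "3.1.0", "latest-status": "update-possible"},
  {"name": "acme/cache", "version": "1.0.0", "latest": "1.0.5", "latest-status": "semver-safe-update"}]}"""


def advisories_by_package(audit):
    """Map package name -> list of advisories."""
    raw = audit.get("advisories") or {}
    if isinstance(raw, list):  # PHP serialises an empty map as []
        return {}
    # A per-package list with gaps in its keys is serialised as an object.
    return {pkg: list(a.values()) if isinstance(a, dict) else list(a)
            for pkg, a in raw.items()}


def prioritize(audit_text, outdated_text):
    """Return (rank, package, advisory_count, installed, latest), most urgent first.

    Rank 1: advisory AND outdated (the page's rule). Ranks 2 (advisory only)
    and 3 (outdated only) are this example's assumption.
    """
    advisories = advisories_by_package(json.loads(audit_text))
    outdated = {p["name"]: p for p in json.loads(outdated_text).get("installed", [])
                if p.get("latest-status") != "up-to-date"}
    rows = []
    for name in set(advisories) | set(outdated):
        count = len(advisories.get(name, []))
        info = outdated.get(name, {})
        rank = 1 if count and info else 2 if count else 3
        rows.append((rank, name, count, info.get("version"), info.get("latest")))
    # Within a rank: more advisories first, then by name for stable output.
    return sorted(rows, key=lambda r: (r[0], -r[2], r[1]))


if __name__ == "__main__":
    for rank, name, count, cur, latest in prioritize(AUDIT_JSON, OUTDATED_JSON):
        print(f"rank {rank}  {name:18} advisories={count}  {cur} -> {latest}")
```

A rank 2 row (advisory present, no newer release listed) is the case where `composer why-not` and the blocker steps of the workflow are most likely to be needed.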