
Dependency Updater
Auto-detect your stack and safely bump outdated packages while flagging major upgrades and security issues.
Overview
Dependency Updater is an agent skill most often used in Operate (also Ship) that auto-detects your package ecosystem and applies semver-safe dependency updates plus vulnerability audits.
Install
npx skills add https://github.com/softaworks/agent-toolkit --skill dependency-updater
What is this skill?
- Auto-detects project type via package.json, go.mod, Cargo.toml, and similar manifests
- Applies safe minor and patch updates automatically; prompts per major version
- Skips intentionally pinned or fixed dependency versions
- Runs security audits and diagnoses install or conflict failures
- Trigger table: update deps, check outdated, fix conflicts, audit vulnerabilities
Adoption & trust: 3.7k installs on skills.sh; 2k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your packages are stale or conflicted across ecosystems and you do not have time to manually chase minors, majors, and security advisories.
Who is it for?
Solo maintainers juggling Node, Go, Rust, or other manifests who want one conversational update pass with guardrails.
Skip if: your repo already mandates Renovate, or a corporate change board requires a ticket ID and a scheduled window for every bump.
When should I use this skill?
Update dependencies, check outdated packages, fix dependency problems, audit for vulnerabilities, or diagnose why dependencies will not install.
What do I get? / Deliverables
You get updated lockfiles or manifests where safe, explicit prompts for risky major bumps, and audit or diagnostic guidance for failing installs.
- Updated dependency manifests and lockfiles where applicable
- Security audit summary and major-upgrade prompts
- Diagnostics for conflict or install failures
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Operate/iterate is the canonical shelf for ongoing dependency hygiene after launch, though the same flows run pre-release in ship and security passes. Iterate covers recurring maintenance—outdated deps, audits, and conflict fixes—not greenfield feature work.
Where it fits
Refresh SDK versions after wiring a third-party API so examples match current docs.
Run a vulnerability audit and patch minors before tagging a release.
Monthly pass to bump patches and review prompted major upgrades.
Diagnose why CI install fails after a transitive dependency shift.
How it compares
Agent-guided semver maintenance skill, not an MCP registry browser or a one-off chat guess at latest versions.
Common Questions / FAQ
Who is dependency-updater for?
Indie developers and small teams who own the whole repo and need periodic, safer dependency refreshes without becoming a full-time release engineer.
When should I use dependency-updater?
Use while shipping (pre-release security and lockfile hygiene) and while operating (routine iterate passes, conflict recovery, and vulnerability checks).
Is dependency-updater safe to install?
Review the Security Audits panel on this Prism page; dependency changes can alter supply-chain risk—confirm manifests, diffs, and test results before merging.
SKILL.md - Dependency Updater
# Dependency Updater

Smart dependency management for any programming language with automatic detection and safe updates.

## Purpose

The Dependency Updater skill provides intelligent, language-agnostic dependency management that:

- **Auto-detects your project type** by scanning for package files (package.json, go.mod, Cargo.toml, etc.)
- **Applies safe updates automatically** (minor and patch versions)
- **Prompts for major updates individually** to prevent breaking changes
- **Respects intentionally pinned versions** by skipping fixed dependencies
- **Runs security audits** to identify vulnerabilities
- **Diagnoses and fixes** common dependency issues

This skill eliminates the manual work of checking for outdated packages across different ecosystems while maintaining safety through semantic versioning awareness.

## When to Use

Use this skill when you want to:

| Scenario | Trigger Phrases |
|----------|-----------------|
| Update dependencies | "update dependencies", "update deps", "update my packages" |
| Check for outdated packages | "check for outdated packages", "what packages need updating" |
| Fix dependency problems | "fix my dependency problems", "resolve dependency conflicts" |
| Security audit | "audit dependencies for vulnerabilities", "check for security issues" |
| Diagnose issues | "diagnose dependency issues", "why won't my dependencies install" |

**Quick Start:**

```
update my dependencies
```

The skill will auto-detect your project type and handle everything.
## Supported Languages

| Language | Package File | Update Tool | Audit Tool |
|----------|--------------|-------------|------------|
| Node.js | package.json | `taze` | `npm audit` |
| Python | requirements.txt, pyproject.toml, Pipfile | `pip-review` | `safety`, `pip-audit` |
| Go | go.mod | `go get -u` | `govulncheck` |
| Rust | Cargo.toml | `cargo update` | `cargo audit` |
| Ruby | Gemfile | `bundle update` | `bundle audit` |
| Java | pom.xml, build.gradle | `mvn versions:*` | `mvn dependency-check:check` |
| .NET | *.csproj | `dotnet outdated` | `dotnet list package --vulnerable` |

## How It Works

The skill follows a systematic 7-step workflow:

```
1. DETECT PROJECT TYPE
   Scan for package files and identify the package manager
2. CHECK PREREQUISITES
   Verify required tools are installed, suggest installation if missing
3. SCAN FOR UPDATES
   Run language-specific outdated checks and categorize updates
4. AUTO-APPLY SAFE UPDATES
   Automatically apply MINOR and PATCH updates
5. PROMPT FOR MAJOR UPDATES
   Ask user about each MAJOR update individually (breaking changes)
6. APPLY APPROVED MAJORS
   Update only the packages the user approved
7. FINALIZE
   Run install command and security audit
```

### Update Classification

| Update Type | Version Change | Action |
|-------------|----------------|--------|
| **Fixed** | No `^` or `~` prefix | Skip (intentionally pinned) |
| **PATCH** | `1.2.3` to `1.2.4` | Auto-apply |
| **MINOR** | `1.2.3` to `1.3.0` | Auto-apply |
| **MAJOR** | `1.2.3` to `2.0.0` | Prompt user individually |

## Key Features

### Language-Agnostic Detection

The skill automatically identifies your project by scanning for common package files:

- `package.json` - Node.js (npm/yarn/pnpm)
- `requirements.txt` / `pyproject.toml` / `Pipfile` - Python
- `go.mod` - Go
- `Cargo.toml` - Rust
- `Gemfile` - Ruby
- `pom.xml` / `build.gradle` - Java/Kotlin
- `*.csproj` - .NET

### Safe-by-Default Updates

- Minor and patch updates are applied automatically (backward compatible)
- Major updates require explicit approval (may contain breaking changes)
- Fixed/pinned versions are never modified

### Security Auditing

Built-in security vulnerability scanning for each ecosystem:

- Identifies vulnerabilities by severity (Critical, High, Moderate, Low)
- Recommends appropriate response times based on severity
- Integrates with ecosystem-specific audit tools

### Dependency Diagnosis

Troubleshoots common issues:

- Version conflicts
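The detection step and the update-classification rules above are the parts of this workflow a reviewer should be able to reason about before letting an agent touch a lockfile. The following JavaScript is an added example written for this page, not code from the agent-toolkit repository: `detectEcosystems()` is step 1 driven by the Supported Languages table, and `classifyUpdate()` / `planUpdates()` are steps 3 to 5 using the Update Classification table. It goes one step beyond that table by treating a minor bump on a `0.x` package as MAJOR, since semver promises nothing below 1.0.0 and npm's `^0.4.1` range already excludes `0.5.0`; that caveat is this example's addition, not the skill's documented behaviour. The file list, the manifest excerpt, the `zero-x-widget` package and all version numbers are constructed sample data, not real registry or repository output.

```javascript
'use strict';
// Added example, not the Dependency Updater skill's own code. It reduces the
// SKILL.md workflow to pure functions over constructed sample input.

// Manifest -> tool mapping, copied from the page's Supported Languages table.
const ECOSYSTEMS = [
  { name: 'Node.js', manifests: ['package.json'], update: 'taze', audit: 'npm audit' },
  { name: 'Python', manifests: ['requirements.txt', 'pyproject.toml', 'Pipfile'], update: 'pip-review', audit: 'pip-audit' },
  { name: 'Go', manifests: ['go.mod'], update: 'go get -u', audit: 'govulncheck' },
  { name: 'Rust', manifests: ['Cargo.toml'], update: 'cargo update', audit: 'cargo audit' },
  { name: 'Ruby', manifests: ['Gemfile'], update: 'bundle update', audit: 'bundle audit' },
  { name: 'Java', manifests: ['pom.xml', 'build.gradle'], update: 'mvn versions:*', audit: 'mvn dependency-check:check' },
  { name: '.NET', manifests: ['*.csproj'], update: 'dotnet outdated', audit: 'dotnet list package --vulnerable' },
];

// Step 1 (DETECT PROJECT TYPE). `files` is the list of names at the repo root;
// the caller is assumed to have listed them already. A repo may carry more than
// one manifest, so every matching ecosystem is returned.
function detectEcosystems(files) {
  const matches = (pattern, file) =>
    pattern.startsWith('*') ? file.endsWith(pattern.slice(1)) : file === pattern;
  return ECOSYSTEMS.filter(e => e.manifests.some(m => files.some(f => matches(m, f))));
}

// Parse "MAJOR.MINOR.PATCH"; pre-release and build metadata are ignored here.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

const compareSemver = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;

// Steps 3-5: classify one manifest entry against the latest published version.
// Returns Fixed / CURRENT / PATCH / MINOR / MAJOR per the Update Classification
// table, plus this example's own caveat: a minor bump on a 0.x package is
// reported as MAJOR because semver makes no compatibility promise below 1.0.0.
function classifyUpdate(range, latest) {
  if (!/^[\^~]/.test(range)) return 'Fixed';      // intentionally pinned: never touched
  const current = parseSemver(range.slice(1));
  const next = parseSemver(latest);
  if (compareSemver(next, current) <= 0) return 'CURRENT';
  if (next.major !== current.major) return 'MAJOR';
  if (next.minor !== current.minor) return current.major === 0 ? 'MAJOR' : 'MINOR';
  return 'PATCH';
}

// Build the plan: auto-applied entries get their range rewritten (prefix kept),
// MAJOR entries are queued for individual prompting, Fixed entries are listed so
// the user can see what was deliberately left alone.
function planUpdates(dependencies, latestVersions) {
  const plan = { auto: {}, prompt: {}, skipped: [] };
  for (const [name, range] of Object.entries(dependencies)) {
    const latest = latestVersions[name];
    if (!latest) continue;                          // not in the outdated report
    const kind = classifyUpdate(range, latest);
    if (kind === 'PATCH' || kind === 'MINOR') plan.auto[name] = range[0] + latest;
    else if (kind === 'MAJOR') plan.prompt[name] = { from: range, to: latest };
    else if (kind === 'Fixed') plan.skipped.push(name);
  }
  return plan;
}

// Constructed sample input: repo root listing, a package.json excerpt and an
// "outdated"-style report. Versions and the zero-x-widget package are invented.
const SAMPLE_FILES = ['package.json', 'package-lock.json', 'README.md', 'app.csproj'];
const SAMPLE_DEPS = {
  express: '^4.18.2',         // minor available -> auto-applied
  lodash: '4.17.20',          // pinned on purpose -> skipped even though 4.17.21 exists
  'left-pad': '~1.3.0',       // already current
  'zero-x-widget': '^0.4.1',  // hypothetical 0.x package: 0.5.0 is treated as MAJOR
  typescript: '^4.9.5',       // real major -> prompt
};
const SAMPLE_LATEST = {
  express: '4.19.2', lodash: '4.17.21', 'left-pad': '1.3.0', 'zero-x-widget': '0.5.0', typescript: '5.4.5',
};

for (const eco of detectEcosystems(SAMPLE_FILES)) {
  console.log(`detected ${eco.name}: update with "${eco.update}", audit with "${eco.audit}"`);
}
console.log(JSON.stringify(planUpdates(SAMPLE_DEPS, SAMPLE_LATEST), null, 2));
```

Run it with `node` and compare the printed plan against the classification table: `express` is the only auto-applied bump, `lodash` stays pinned even though a patch exists, and both `typescript` and the 0.x package end up in the prompt queue. Before merging whatever the agent produces, diff the manifest and lockfile against this kind of expected plan; a lockfile change the plan does not explain is the thing to investigate.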