
Dependency Upgrade
Plan and execute major npm/yarn dependency upgrades with semver-aware analysis, staged rollout, and regression testing so solo builders avoid surprise breakages in production.
Overview
dependency-upgrade is an agent skill most often used in Operate (also Ship, Build) that guides major dependency version upgrades with compatibility analysis, staged rollout, and comprehensive testing for solo builders ma
Install
npx skills add https://github.com/wshobson/agents --skill dependency-upgrade
What is this skill?
- Semantic versioning cheat sheet (MAJOR.MINOR.PATCH) with caret, tilde, and pinned range semantics
- Audit and inventory workflow: npm/yarn outdated, audit, audit fix, and npm-check-updates for major bumps
- Dependency tree forensics via npm ls, yarn why, dedupe, and madge graph visualization
- Compatibility matrix mindset for framework majors, breaking API changes, and staged rollout planning
- Triggers cover security-vulnerable deps, legacy modernization, conflict resolution, and automation of updates
- Documents MAJOR.MINOR.PATCH semantic versioning with caret, tilde, and exact pin range rules
- Includes npm outdated, audit, audit fix, and npx npm-check-updates upgrade inventory commands
- Covers npm ls, yarn why, dedupe, and madge dependency graph visualization workflows
Adoption & trust: 7.1k installs on skills.sh; 36.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need to move a framework or library to a new major version but do not know what will break, what order to upgrade in, or how to test the blast radius before users hit production errors.
Who is it for?
Solo builders shipping Node or JavaScript apps who face npm audit noise, npm-check-updates major bumps, or legacy packages and want agent-guided analysis before touching package-lock or yarn.lock.
Skip if: Greenfield projects with no existing lockfile discipline, or teams that only need a one-line patch bump with zero regression testing when the skill’s staged testing workflow would be overhead.
When should I use this skill?
Manage major dependency version upgrades with compatibility analysis, staged rollout, and comprehensive testing when upgrading framework versions, updating major dependencies, managing breaking changes in libraries, secu
What do I get? / Deliverables
You get a semver-grounded upgrade plan with audited dependency inventory, conflict clarity, staged rollout steps, and a testing matrix so merges land with fewer surprises and safer rollback options.
- Dependency audit summary (outdated, audit, and major-update candidates)
- Compatibility and staged rollout plan with ordered upgrade steps
- Testing checklist covering breaking-change areas before merge
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Dependency upgrades are recurring production work—security patches, framework majors, and conflict resolution—best shelved under Operate where iteration and keeping stacks current is the default job. Iterate is the canonical subphase for modernizing dependencies, resolving conflicts, and incremental upgrade paths without treating every bump as a one-off greenfield build task.
Where it fits
Modernize a legacy Express or React major before adding features so new APIs align with the upgraded framework docs.
Run a compatibility matrix and regression plan after npm-check-updates rewrites package.json ahead of a release candidate.
Clear recurring npm audit criticals on a live SaaS without downtime by sequencing patch versus major upgrades.
Dedupe transitive duplicates found via madge before container image size or CI install time becomes a bottleneck.
How it compares
Use instead of ad-hoc “bump everything and fix CI” chat sessions when you need compatibility matrices and rollout structure, not a generic linter or single-package renovate bot config alone.
Common Questions / FAQ
Who is dependency-upgrade for?
It is for solo and indie developers maintaining SaaS, APIs, or CLIs who manage npm or yarn lockfiles and must handle major upgrades, security advisories, or dependency conflicts without a dedicated platform team.
When should I use dependency-upgrade?
Use it during Operate when iterating on production stacks, during Ship when pre-release testing must cover breaking changes, and during Build when modernizing frameworks or resolving conflicts before feature work continues.
Is dependency-upgrade safe to install?
Review the Security Audits panel on this Prism page for the ingested skills.sh signal; the skill instructs agents to run shell package managers and may modify lockfiles, so run upgrades on a branch and verify audits locally before merging.
SKILL.md - Dependency Upgrade
# Dependency Upgrade

Master major dependency version upgrades, compatibility analysis, staged upgrade strategies, and comprehensive testing approaches.

## When to Use This Skill

- Upgrading major framework versions
- Updating security-vulnerable dependencies
- Modernizing legacy dependencies
- Resolving dependency conflicts
- Planning incremental upgrade paths
- Testing compatibility matrices
- Automating dependency updates

## Semantic Versioning Review

```
MAJOR.MINOR.PATCH (e.g., 2.3.1)

MAJOR: Breaking changes
MINOR: New features, backward compatible
PATCH: Bug fixes, backward compatible

^2.3.1 = >=2.3.1 <3.0.0 (minor updates)
~2.3.1 = >=2.3.1 <2.4.0 (patch updates)
2.3.1  = exact version
```

## Dependency Analysis

### Audit Dependencies

```bash
# npm
npm outdated
npm audit
npm audit fix

# yarn
yarn outdated
yarn audit

# Check for major updates
npx npm-check-updates
npx npm-check-updates -u  # Update package.json
```

### Analyze Dependency Tree

```bash
# See why a package is installed
npm ls package-name
yarn why package-name

# Find duplicate packages
npm dedupe
yarn dedupe

# Visualize dependencies
npx madge --image graph.png src/
```

## Compatibility Matrix

```javascript
// compatibility-matrix.js
const semver = require("semver"); // npm install --save-dev semver

const compatibilityMatrix = {
  react: {
    "16.x": {
      "react-dom": "^16.0.0",
      "react-router-dom": "^5.0.0",
      "@testing-library/react": "^11.0.0",
    },
    "17.x": {
      "react-dom": "^17.0.0",
      "react-router-dom": "^5.0.0 || ^6.0.0",
      "@testing-library/react": "^12.0.0",
    },
    "18.x": {
      "react-dom": "^18.0.0",
      "react-router-dom": "^6.0.0",
      "@testing-library/react": "^13.0.0",
    },
  },
};

// packages: { name: installedVersion }. Picks the matrix row for the installed
// React major and returns one message per companion package that is missing or
// outside its expected range; an empty array means the set is compatible.
function checkCompatibility(packages) {
  const row = compatibilityMatrix.react[`${semver.major(packages.react)}.x`];
  if (!row) throw new Error(`No compatibility data for react ${packages.react}`);
  return Object.entries(row)
    .filter(([name, range]) => !packages[name] || !semver.satisfies(packages[name], range))
    .map(([name, range]) => `${name}: expected ${range}, found ${packages[name] || "missing"}`);
}

module.exports = { compatibilityMatrix, checkCompatibility };
```

## Staged Upgrade Strategy

### Phase 1: Planning

```bash
# 1. Identify current versions
npm list --depth=0

# 2. Check for breaking changes
# Read CHANGELOG.md and MIGRATION.md

# 3. Create upgrade plan
echo "Upgrade order:
1. TypeScript
2. React
3. React Router
4. Testing libraries
5. Build tools" > UPGRADE_PLAN.md
```

### Phase 2: Incremental Updates

```bash
# Don't upgrade everything at once!

# Step 1: Update TypeScript
npm install typescript@latest
# Test
npm run test
npm run build

# Step 2: Update React (one major version at a time)
npm install react@17 react-dom@17
# Test again
npm run test

# Step 3: Continue with other packages
npm install react-router-dom@6
# And so on...
```

### Phase 3: Validation

```javascript
// tests/compatibility.test.js
const { spawnSync } = require("child_process");

describe("Dependency Compatibility", () => {
  it("should have compatible React versions", () => {
    const reactVersion = require("react/package.json").version;
    const reactDomVersion = require("react-dom/package.json").version;
    expect(reactVersion).toBe(reactDomVersion);
  });

  it("should not have peer dependency warnings", () => {
    // npm ls exits non-zero when the tree has problems, so use spawnSync
    // and read the "problems" array from its JSON output rather than
    // letting execSync throw.
    const result = spawnSync("npm", ["ls", "--depth=0", "--json"], { encoding: "utf8" });
    const tree = JSON.parse(result.stdout);
    expect(tree.problems || []).toEqual([]);
  });
});
```

## Breaking Change Handling

### Identifying Breaking Changes

```bash
# Check the changelog directly
curl https://raw.githubusercontent.com/facebook/react/master/CHANGELOG.md
```

### Codemod for Automated Fixes

```bash
# Run jscodeshift with transform URL
npx jscodeshift -t <transform-url> <path>

# Example: Rename unsafe lifecycle methods
npx jscodeshift -t https://raw.githubusercontent.com/reactjs/react-codemod/master/transforms/rename-unsafe-lifecycles.js src/

# For TypeScript files
npx jscodeshift -t https://raw.githubusercontent.com/reactjs/react-codemod/master/transforms/rename-unsafe-lifecycles.js --parser=tsx src/

# Dry run to preview changes
npx jscodeshift -t https://raw.githubusercontent.com/reactjs/react-codemod/master/transforms/rename-unsafe-l
```
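The range rules from the Semantic Versioning Review and the React compatibility matrix above, combined in an added example that is not part of the skill's SKILL.md: a dependency-free checker (no `semver` package needed) that implements caret, tilde, exact and `||` ranges and runs them over a constructed set of installed versions.

```javascript
// Added example (not part of the skill): a dependency-free checker that applies the
// cheat-sheet range rules (^ minor, ~ patch, exact, "||" alternatives) to the matrix.
const matrix = {
  "16.x": { "react-dom": "^16.0.0", "react-router-dom": "^5.0.0", "@testing-library/react": "^11.0.0" },
  "17.x": { "react-dom": "^17.0.0", "react-router-dom": "^5.0.0 || ^6.0.0", "@testing-library/react": "^12.0.0" },
  "18.x": { "react-dom": "^18.0.0", "react-router-dom": "^6.0.0", "@testing-library/react": "^13.0.0" },
};

// Parse MAJOR.MINOR.PATCH into numbers; pre-release/build suffixes are ignored.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// One comparator set: ^2.3.1 => >=2.3.1 <3.0.0, ~2.3.1 => >=2.3.1 <2.4.0, 2.3.1 => exact.
// (Real semver narrows ^0.x further; the matrix above has no 0.x ranges, so that is omitted.)
function satisfiesOne(version, range) {
  const v = parse(version);
  const op = range[0];
  if (op !== "^" && op !== "~") return cmp(v, parse(range)) === 0;
  const lo = parse(range.slice(1));
  const hi = op === "^" ? [lo[0] + 1, 0, 0] : [lo[0], lo[1] + 1, 0];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// "||" joins alternatives: the version may match any one of them.
function satisfies(version, range) {
  return range.split("||").some((r) => satisfiesOne(version, r.trim()));
}

// installed: { name: version }. Returns one message per companion package that is
// missing or outside its expected range for the installed React major; [] = compatible.
function checkCompatibility(installed) {
  const row = matrix[`${parse(installed.react)[0]}.x`];
  if (!row) return [`react ${installed.react}: no matrix row`];
  return Object.entries(row)
    .filter(([name, range]) => !installed[name] || !satisfies(installed[name], range))
    .map(([name, range]) => `${name}: expected ${range}, found ${installed[name] || "missing"}`);
}

// Constructed sample: React 17 app whose router is still on the v5 line (allowed by the
// "^5.0.0 || ^6.0.0" range) but whose testing library lags one major behind.
const installed = { react: "17.0.2", "react-dom": "17.0.2", "react-router-dom": "5.3.4", "@testing-library/react": "11.2.7" };
console.log(checkCompatibility(installed)); // -> ["@testing-library/react: expected ^12.0.0, found 11.2.7"]
```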