SKILL.md
Dependency Updater
Smart dependency management for any language with automatic detection and safe updates.
Quick Start
update my dependenciesThe skill auto-detects your project type and handles the rest.
Triggers
Trigger
Example
Update dependencies
"update dependencies", "update deps"
Check outdated
"check for outdated packages"
Fix dependency issues
"fix my dependency problems"
Security audit
"audit dependencies for vulnerabilities"
Diagnose deps
"diagnose dependency issues"
Supported Languages
Language
Package File
Update Tool
Audit Tool
Node.js
package.json
taze
npm audit
Python
requirements.txt, pyproject.toml
pip-review
safety, pip-audit
Go
go.mod
go get -u
govulncheck
Rust
Cargo.toml
cargo update
cargo audit
Ruby
Gemfile
bundle update
bundle audit
Java
pom.xml, build.gradle
mvn versions:*
mvn dependency:*
.NET
*.csproj
dotnet outdated
dotnet list package --vulnerable
Quick Reference
Update Type
Version Change
Action
Fixed
No ^ or ~
Skip (intentionally pinned)
PATCH
x.y.z → x.y.Z
Auto-apply
MINOR
x.y.z → x.Y.0
Auto-apply
MAJOR
x.y.z → X.0.0
Prompt user individually
Workflow
User Request
│
▼
┌─────────────────────────────────────────────────────┐
│ Step 1: DETECT PROJECT TYPE │
│ • Scan for package files (package.json, go.mod...) │
│ • Identify package manager │
├─────────────────────────────────────────────────────┤
│ Step 2: CHECK PREREQUISITES │
│ • Verify required tools are installed │
│ • Suggest installation if missing │
├─────────────────────────────────────────────────────┤
│ Step 3: SCAN FOR UPDATES │
│ • Run language-specific outdated check │
│ • Categorize: MAJOR / MINOR / PATCH / Fixed │
├─────────────────────────────────────────────────────┤
│ Step 4: AUTO-APPLY SAFE UPDATES │
│ • Apply MINOR and PATCH automatically │
│ • Report what was updated │
├─────────────────────────────────────────────────────┤
│ Step 5: PROMPT FOR MAJOR UPDATES │
│ • AskUserQuestion for each MAJOR update │
│ • Show current → new version │
├─────────────────────────────────────────────────────┤
│ Step 6: APPLY APPROVED MAJORS │
│ • Update only approved packages │
├─────────────────────────────────────────────────────┤
│ Step 7: FINALIZE │
│ • Run install command │
│ • Run security audit │
└─────────────────────────────────────────────────────┘Commands by Language
Node.js (npm/yarn/pnpm)
# Check prerequisites
scripts/check-tool.sh taze "npm install -g taze"
# Scan for updates
taze
# Apply minor/patch
taze minor --write
# Apply specific majors
taze major --write --include pkg1,pkg2
# Monorepo support
taze -r # recursive
# Security
npm audit
npm audit fixPython
# Check outdated
pip list --outdated
# Update all (careful!)
pip-review --auto
# Update specific
pip install --upgrade package-name
# Security
pip-audit
safety checkGo
# Check outdated
go list -m -u all
# Update all
go get -u ./...
# Tidy up
go mod tidy
# Security
govulncheck ./...Rust
# Check outdated
cargo outdated
# Update within semver
cargo update
# Security
cargo auditRuby
# Check outdated
bundle outdated
# Update all
bundle update
# Update specific
bundle update --conservative gem-name
# Security
bundle auditJava (Maven)
# Check outdated
mvn versions:display-dependency-updates
# Update to latest
mvn versions:use-latest-releases
# Security
mvn dependency:tree
mvn dependency-check:check.NET
# Check outdated
dotnet list package --outdated
# Update specific
dotnet add package PackageName
# Security
dotnet list package --vulnerableDiagnosis Mode
When dependencies are broken, run diagnosis:
Common Issues & Fixes
Issue
Symptoms
Fix
Version Conflict
"Cannot resolve dependency tree"
Clean install, use overrides/resolutions
Peer Dependency
"Peer dependency not satisfied"
Install required peer version
Security Vuln
npm audit shows issues
npm audit fix or manual update
Unused Deps
Bloated bundle
Run depcheck (Node) or equivalent
Duplicate Deps
Multiple versions installed
Run npm dedupe or equivalent
Emergency Fixes
# Node.js - Nuclear reset
rm -rf node_modules package-lock.json
npm cache clean --force
npm install
# Python - Clean virtualenv
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Go - Reset modules
rm go.sum
go mod tidySecurity Audit
Run security checks for any project:
# Node.js
npm audit
npm audit --json | jq '.metadata.vulnerabilities'
# Python
pip-audit
safety check
# Go
govulncheck ./...
# Rust
cargo audit
# Ruby
bundle audit
# .NET
dotnet list package --vulnerableSeverity Response
Severity
Action
Critical
Fix immediately
High
Fix within 24h
Moderate
Fix within 1 week
Low
Fix in next release
Anti-Patterns
Avoid
Why
Instead
Update fixed versions
Intentionally pinned
Skip them
Auto-apply MAJOR
Breaking changes
Prompt user
Batch MAJOR prompts
Loses context
Prompt individually
Skip lock file
Irreproducible builds
Always commit lock files
Ignore security alerts
Vulnerabilities
Address by severity
Verification Checklist
After updates:
- Updates scanned without errors
- MINOR/PATCH auto-applied
- MAJOR updates prompted individually
- Fixed versions untouched
- Lock file updated
- Install command ran
- Security audit passed (or issues noted)
The skill auto-detects project type by scanning for package files:
File Found
Language
Package Manager
package.json
Node.js
npm/yarn/pnpm
requirements.txt
Python
pip
pyproject.toml
Python
pip/poetry
Pipfile
Python
pipenv
go.mod
Go
go modules
Cargo.toml
Rust
cargo
Gemfile
Ruby
bundler
pom.xml
Java
Maven
build.gradle
Java/Kotlin
Gradle
*.csproj
.NET
dotnet
Detection order matters for monorepos:
- Check current directory first
- Then check for workspace/monorepo patterns
- Offer to run recursively if applicable
Prerequisites
# Install taze globally (recommended)
npm install -g taze
# Or use npx
npx tazeSmart Update Flow
# 1. Scan all updates
taze
# 2. Apply safe updates (minor + patch)
taze minor --write
# 3. For each major, prompt user:
# "Update @types/node from ^20.0.0 to ^22.0.0?"
# If yes, add to approved list
# 4. Apply approved majors
taze major --write --include approved-pkg1,approved-pkg2
# 5. Install
npm install # or pnpm install / yarnAuto-Approve List
Some packages have frequent major bumps but are backward-compatible:
Package
Reason
lucide-react
Icon library, majors are additive
@types/*
Type definitions, usually safe
Semantic Versioning
MAJOR.MINOR.PATCH (e.g., 2.3.1)
MAJOR: Breaking changes - requires code changes
MINOR: New features - backward compatible
PATCH: Bug fixes - backward compatibleRange Specifiers
Specifier
Meaning
Example
^1.2.3
Minor + Patch OK
>=1.2.3 <2.0.0
~1.2.3
Patch only
>=1.2.3 <1.3.0
1.2.3
Exact (fixed)
Only 1.2.3
>=1.2.3
At least
Any >=1.2.3
*
Any
Latest (dangerous)
Recommended Strategy
{
"dependencies": {
"critical-lib": "1.2.3", // Exact for critical
"stable-lib": "~1.2.3", // Patch only for stable
"modern-lib": "^1.2.3" // Minor OK for active
}
}Node.js Conflicts
Diagnosis:
npm ls package-name # See dependency tree
npm explain package-name # Why installed
yarn why package-name # Yarn equivalentResolution with overrides:
// package.json
{
"overrides": {
"lodash": "^4.18.0"
}
}Resolution with resolutions (Yarn):
{
"resolutions": {
"lodash": "^4.18.0"
}
}Python Conflicts
Diagnosis:
pip check
pipdeptree -p package-nameResolution:
# Use virtual environment
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Or use constraints
pip install -c constraints.txt -r requirements.txtScript Reference
Script
Purpose
scripts/check-tool.sh
Verify tool is installed
scripts/run-taze.sh
Run taze with proper flags
Related Tools
Tool
Language
Purpose
Node.js
Smart dependency updates
Node.js
Alternative to taze
Python
Interactive pip updates
Rust
Cargo dependency management
Ruby
Security auditing