dependency-updater
✓Verified·Scanned 2/12/2026
Smart dependency management for any language. Auto-detects project type, applies safe updates automatically, prompts for major versions, diagnoses and fixes dependency issues.
Scanned from main at 62b5df5 · Transparency log ↗
$ vett add softaworks/agent-toolkit/dependency-updater
Dependency Updater
Smart dependency management for any programming language with automatic detection and safe updates.
Purpose
The Dependency Updater skill provides intelligent, language-agnostic dependency management that:
- Auto-detects your project type by scanning for package files (package.json, go.mod, Cargo.toml, etc.)
- Applies safe updates automatically (minor and patch versions)
- Prompts for major updates individually to prevent breaking changes
- Respects intentionally pinned versions by skipping fixed dependencies
- Runs security audits to identify vulnerabilities
- Diagnoses and fixes common dependency issues
This skill eliminates the manual work of checking for outdated packages across different ecosystems while maintaining safety through semantic versioning awareness.
When to Use
Use this skill when you want to:
| Scenario | Trigger Phrases |
|---|---|
| Update dependencies | "update dependencies", "update deps", "update my packages" |
| Check for outdated packages | "check for outdated packages", "what packages need updating" |
| Fix dependency problems | "fix my dependency problems", "resolve dependency conflicts" |
| Security audit | "audit dependencies for vulnerabilities", "check for security issues" |
| Diagnose issues | "diagnose dependency issues", "why won't my dependencies install" |
Quick Start:
update my dependencies
The skill will auto-detect your project type and handle everything.
Supported Languages
| Language | Package File | Update Tool | Audit Tool |
|---|---|---|---|
| Node.js | package.json | taze | npm audit |
| Python | requirements.txt, pyproject.toml, Pipfile | pip-review | safety, pip-audit |
| Go | go.mod | go get -u | govulncheck |
| Rust | Cargo.toml | cargo update | cargo audit |
| Ruby | Gemfile | bundle update | bundle audit |
| Java | pom.xml, build.gradle | mvn versions:* | mvn dependency-check:check |
| .NET | *.csproj | dotnet outdated | dotnet list package --vulnerable |
How It Works
The skill follows a systematic 7-step workflow:
1. DETECT PROJECT TYPE
Scan for package files and identify the package manager
2. CHECK PREREQUISITES
Verify required tools are installed, suggest installation if missing
3. SCAN FOR UPDATES
Run language-specific outdated checks and categorize updates
4. AUTO-APPLY SAFE UPDATES
Automatically apply MINOR and PATCH updates
5. PROMPT FOR MAJOR UPDATES
Ask user about each MAJOR update individually (breaking changes)
6. APPLY APPROVED MAJORS
Update only the packages the user approved
7. FINALIZE
Run install command and security audit
Update Classification
| Update Type | Version Change | Action |
|---|---|---|
| Fixed | No ^ or ~ prefix | Skip (intentionally pinned) |
| PATCH | 1.2.3 to 1.2.4 | Auto-apply |
| MINOR | 1.2.3 to 1.3.0 | Auto-apply |
| MAJOR | 1.2.3 to 2.0.0 | Prompt user individually |
Key Features
Language-Agnostic Detection
The skill automatically identifies your project by scanning for common package files:
package.json- Node.js (npm/yarn/pnpm)requirements.txt/pyproject.toml/Pipfile- Pythongo.mod- GoCargo.toml- RustGemfile- Rubypom.xml/build.gradle- Java/Kotlin*.csproj- .NET
Safe-by-Default Updates
- Minor and patch updates are applied automatically (backward compatible)
- Major updates require explicit approval (may contain breaking changes)
- Fixed/pinned versions are never modified
Security Auditing
Built-in security vulnerability scanning for each ecosystem:
- Identifies vulnerabilities by severity (Critical, High, Moderate, Low)
- Recommends appropriate response times based on severity
- Integrates with ecosystem-specific audit tools
Dependency Diagnosis
Troubleshoots common issues:
- Version conflicts
- Peer dependency problems
- Security vulnerabilities
- Unused dependencies
- Duplicate packages
Usage Examples
Basic Update
update my dependencies
The skill will scan your project, apply safe updates, and prompt for major versions.
Security-Focused Audit
audit my dependencies for security issues
Runs security scanners and reports vulnerabilities by severity.
Diagnose Problems
my npm install keeps failing, diagnose the issue
Analyzes dependency tree, identifies conflicts, and suggests fixes.
Node.js Specific
# Check prerequisites
scripts/check-tool.sh taze "npm install -g taze"
# Run taze directly
scripts/run-taze.sh
# Run in monorepo mode
scripts/run-taze.sh -r
Prerequisites
General Requirements
Each language ecosystem requires its standard package manager:
- Node.js: npm, yarn, or pnpm
- Python: pip
- Go: go modules
- Rust: cargo
- Ruby: bundler
- Java: Maven or Gradle
- .NET: dotnet CLI
Recommended Tools
For the best experience, install these optional but recommended tools:
| Language | Tool | Install Command |
|---|---|---|
| Node.js | taze | npm install -g taze |
| Python | pip-review | pip install pip-review |
| Python | pip-audit | pip install pip-audit |
| Go | govulncheck | go install golang.org/x/vuln/cmd/govulncheck@latest |
| Rust | cargo-audit | cargo install cargo-audit |
| Ruby | bundler-audit | gem install bundler-audit |
Output
Update Summary
After running, you will see:
- List of auto-applied minor/patch updates
- Prompts for each major update decision
- Final package count and versions
- Security audit results
Security Audit Results
Vulnerabilities are reported with severity levels:
| Severity | Recommended Response |
|---|---|
| Critical | Fix immediately |
| High | Fix within 24 hours |
| Moderate | Fix within 1 week |
| Low | Fix in next release |
Best Practices
Do
- Commit lock files - Always commit package-lock.json, yarn.lock, go.sum, etc.
- Review major updates - Check changelogs before approving major version bumps
- Run tests after updates - Verify your application still works
- Address security issues promptly - Prioritize by severity level
- Use version ranges appropriately -
^for active libraries,~for stable ones, exact for critical dependencies
Avoid
- Don't auto-approve all majors - Breaking changes require code modifications
- Don't ignore security alerts - Vulnerabilities can be exploited
- Don't update fixed versions - They were pinned for a reason
- Don't skip the lock file - It ensures reproducible builds
Version Range Strategy
{
"dependencies": {
"critical-lib": "1.2.3", // Exact for critical dependencies
"stable-lib": "~1.2.3", // Patch only for stable libraries
"modern-lib": "^1.2.3" // Minor OK for actively maintained
}
}
Emergency Fixes
When dependencies are completely broken:
Node.js - Nuclear Reset
rm -rf node_modules package-lock.json
npm cache clean --force
npm install
Python - Clean Virtual Environment
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Go - Reset Modules
rm go.sum
go mod tidy
Verification Checklist
After running updates, verify:
- Updates scanned without errors
- Minor/patch updates auto-applied
- Major updates prompted individually
- Fixed versions remained untouched
- Lock file updated
- Install command succeeded
- Security audit passed (or issues noted)
- Tests pass
- Application runs correctly
Related Tools
| Tool | Language | Purpose | Link |
|---|---|---|---|
| taze | Node.js | Smart dependency updates | GitHub |
| npm-check-updates | Node.js | Alternative to taze | GitHub |
| pip-review | Python | Interactive pip updates | GitHub |
| cargo-edit | Rust | Cargo dependency management | GitHub |
| bundler-audit | Ruby | Security auditing | GitHub |
License
MIT