npx claudepluginhub boshu2/agentops --plugin agentopsThis skill uses the workspace's default tool permissions.
> Quick Ref: `/deps audit` | `/deps update [--major|--minor|--patch]` | `/deps vuln` | `/deps license`
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Quick Ref:
/deps audit|/deps update [--major|--minor|--patch]|/deps vuln|/deps license
YOU MUST EXECUTE THIS WORKFLOW. Do not just describe it.
| Mode | Command | Purpose |
|---|---|---|
| Audit | /deps audit | Full dependency health check: vulnerabilities, outdated, licenses |
| Update | /deps update [--major|--minor|--patch] | Update dependencies with test verification |
| Vuln | /deps vuln | Focused vulnerability scan and remediation |
| License | /deps license | License compliance audit |
Default (bare /deps): runs audit mode.
Scan the working directory for manifest files. Multiple ecosystems may coexist.
| Manifest | Ecosystem | Lock File |
|---|---|---|
go.mod | Go | go.sum |
package.json | Node | package-lock.json / yarn.lock / pnpm-lock.yaml |
pyproject.toml / requirements.txt | Python | requirements.txt / poetry.lock |
Cargo.toml | Rust | Cargo.lock |
Gemfile | Ruby | Gemfile.lock |
# Detect all ecosystems present
for f in go.mod package.json pyproject.toml requirements.txt Cargo.toml Gemfile; do
[[ -f "$f" ]] && echo "FOUND: $f"
done
If no manifest is found, stop and report: "No supported dependency manifest detected."
Run the ecosystem-appropriate commands. Capture all output for classification.
go list -m -u all # List all modules, flag available updates
govulncheck ./... # Vulnerability scan against Go vuln DB
go mod tidy # Clean up unused deps (dry-run first)
npm audit # Known vulnerabilities
npm outdated # Available updates (current vs wanted vs latest)
npx license-checker-webpack-plugin --out /dev/stdout 2>/dev/null || npx license-checker --json
pip-audit # Vulnerability scan (install: pip install pip-audit)
pip list --outdated # Available updates
pip-licenses 2>/dev/null || echo "pip-licenses not installed"
cargo audit # Vulnerability scan (install: cargo install cargo-audit)
cargo outdated # Available updates (install: cargo install cargo-outdated)
cargo license 2>/dev/null || echo "cargo-license not installed"
bundle audit check # Vulnerability scan (install: gem install bundler-audit)
bundle outdated # Available updates
Sort every finding into exactly one severity tier.
| Severity | Criteria | Action |
|---|---|---|
| Critical | Known CVE with active exploitation, CVSS >= 9.0 | Update immediately, block release |
| High | Security advisory without known exploit, CVSS 7.0-8.9, major version behind with security implications | Update within current session |
| Medium | Minor versions behind, deprecated packages, stale transitive deps | Schedule update, batch if possible |
| Low | Patch-level updates, cosmetic version bumps, informational advisories | Update opportunistically |
Output a summary table:
SEVERITY PACKAGE CURRENT AVAILABLE REASON
Critical example-lib 1.2.3 1.2.8 CVE-2025-XXXXX (RCE)
High some-framework 3.1.0 4.2.0 Security advisory SA-2025-YYY
Medium helper-pkg 2.0.1 2.3.0 3 minor versions behind
Low util-lib 1.0.0 1.0.1 Patch release
Choose strategy based on the update scope requested (or default to the classification).
--patch or Low severity)chore(deps): batch patch updates.--minor or Medium severity)chore(deps): update <pkg> to <version>.--major or High/Critical severity)chore(deps): update <pkg> to <version>
Breaking: <brief description of what changed>
| Flag | Patch | Minor | Major |
|---|---|---|---|
--patch | Yes | No | No |
--minor | Yes | Yes | No |
--major | Yes | Yes | Yes |
| (default) | Yes | Yes | No |
For each dependency to update, follow this loop strictly:
1. Record current state (version, lock file hash)
2. Update the dependency
3. Run tests: `go test ./...` / `npm test` / `pytest` / `cargo test`
4. If PASS:
- Stage changed manifest + lock file
- Commit: chore(deps): update <pkg> from <old> to <new>
5. If FAIL:
- Revert: restore manifest + lock file to pre-update state
- Document the incompatibility in the report
- Continue to next dependency
| Ecosystem | Patch/Minor | Major |
|---|---|---|
| Go | go get <pkg>@latest | go get <pkg>@v<major> |
| Node | npm update <pkg> | npm install <pkg>@latest |
| Python | pip install --upgrade <pkg> | pip install <pkg>~=<version> |
| Rust | cargo update -p <pkg> | Edit Cargo.toml, then cargo update |
| Ruby | bundle update <pkg> | Edit Gemfile, then bundle install |
Write the report to .agents/deps/. Create the directory if needed.
mkdir -p .agents/deps
File name format: YYYY-MM-DD-deps-<mode>.md
# Dependency Report - <mode> - <date>
## Ecosystem: <detected>
## Summary
- Total dependencies: <N>
- Outdated: <N>
- Vulnerable: <N>
- License issues: <N>
## Findings
### Critical
<table or "None">
### High
<table or "None">
### Medium
<table or "None">
### Low
<table or "None">
## Updates Applied
<list of commits or "Audit only - no updates applied">
## Failed Updates
<list with reasons or "None">
## License Compliance
<summary or "Not checked - use /deps license">
| License | Proprietary OK | Copyleft | Distribution Obligations |
|---|---|---|---|
| MIT | Yes | No | Include license text |
| Apache-2.0 | Yes | No | Include license + NOTICE file |
| BSD-2-Clause | Yes | No | Include license text |
| BSD-3-Clause | Yes | No | Include license text, no endorsement |
| ISC | Yes | No | Include license text |
| MPL-2.0 | Yes (file-level) | Weak | Modified MPL files must stay MPL |
| LGPL-2.1 | Conditional | Weak | Dynamic linking OK, static requires disclosure |
| GPL-2.0 | No | Strong | Entire derivative work must be GPL |
| GPL-3.0 | No | Strong | Entire derivative work must be GPL |
| AGPL-3.0 | No | Strong | Network use triggers disclosure |
| SSPL | No | Strong | Service provider must open-source entire stack |
| Unlicense | Yes | No | No obligations |
LICENSE contains GPL/AGPL: project is copyleft, all licenses are compatible.LICENSE contains MIT/Apache/BSD or is proprietary: flag copyleft dependencies.LICENSE file exists: warn that project license is undefined.| Situation | Action |
|---|---|
Tool not installed (govulncheck, pip-audit, etc.) | Report which tool is missing, provide install command, continue with available tools |
| Network unavailable | Use cached vulnerability DB if available, note staleness |
| Test suite does not exist | Warn loudly, skip test verification, note in report |
| Manifest parse error | Report the error, skip that ecosystem |
skills/standards/SKILL.md -- Language-specific conventionsskills/security/SKILL.md -- Broader security scanningskills/vibe/SKILL.md -- Code quality validation