From fortify
Performs dependency upgrade impact assessment, code fixes, and migration across npm, Maven, Gradle, pip, Go modules, Cargo, Bundler, Composer, NuGet, C++, iOS/macOS, and Scala ecosystems. Use for CVE/GHSA remediation, breaking change migration, and compile/test failure resolution.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fortify:fortify-dependency-upgradeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Dependency upgrades often break more than the manifest line. Follow the workflow below completely before reporting migration complete.
Dependency upgrades often break more than the manifest line. Follow the workflow below completely before reporting migration complete.
Analysis workflow: references/dependency-analysis.md
Ecosystem command references:
| Ecosystem | Reference |
|---|---|
| .NET / NuGet | references/dotnet.md |
| Node.js | references/nodejs.md |
| Python / pip/poetry | references/python.md |
| JVM / Maven | references/maven.md |
| JVM / Gradle | references/gradle.md |
| Go | references/go.md |
| Rust / Cargo | references/rust.md |
| Ruby / Bundler | references/ruby.md |
| PHP / Composer | references/php.md |
| C++ / CMake/Conan/vcpkg | references/cpp.md |
| iOS / macOS | references/ios-macos.md |
| Scala / sbt/Mill | references/scala.md |
Complete each step before proceeding. Do not skip steps.
Read: your ecosystem reference from the Resources table above, references/dependency-analysis.md §1-2
reports/{package}-{old}-to-{new}-dependency-analysis.md with §1-2Deliver: Baseline test results (including pre-existing failures reported to user) + affected test scope (or explicit statement that scope is empty) + dependency tree documented STOP: Do not proceed until baseline documented and any pre-existing failures reported to the user. If tests cannot run, document why.
Read: your ecosystem reference from the Resources table above, references/dependency-analysis.md §3
Dependency graph resolution is independent of compilation. Run the dependency tree command even if the build is currently broken.
Deliver: Proposed dependency graph for ALL projects STOP: Do not proceed until graph documented. A broken build does not exempt you from completing this step — do not substitute external research (Step 4) for the dependency graph comparison (Steps 2–3).
Read: your ecosystem reference from the Resources table above, references/dependency-analysis.md §4-5
Deliver: Compatibility matrix with conflicts resolved STOP: Do not proceed with unresolved conflicts.
Before researching breaking changes, fetch and record all relevant data from official external sources into a dedicated report file that every subsequent step will reference.
Collect the following for the target package (official sources only — URLs required):
Fortify SCA integration: If this upgrade was triggered by Fortify SCA / open source findings, use the
fortify-fodorfortify-sscskill (whichever platform applies) before populating the Security Fixes section to query the open source issues for the affected component. Retrieve the complete set of CVE identifiers, affected version ranges, and minimum safe version recommendations from the Fortify issue data. Record that output here under Security Fixes — do not rely solely on external advisory sites when Fortify issue data is available.
Create reports/{package}-{old}-to-{new}-external-research.md using this template:
# External Research Report: {Package} {OldVersion} → {NewVersion}
**Date:** {Current Date}
**Package Manager / Registry:** {PyPI / npm / Maven Central / etc.}
## Sources Consulted
| # | Resource | URL | Accessed |
|---|----------|-----|----------|
| 1 | Official Changelog / Release Notes | {URL} | {Date} |
| 2 | Migration Guide | {URL} | {Date} |
| 3 | GitHub Releases page | {URL} | {Date} |
| 4 | Security advisories | {URL or "None"} | {Date} |
## Breaking Changes & Removals
> Items confirmed to affect this codebase are flagged ⚠️.
| # | Type | Description | Affected Versions | Source (row #) |
|---|------|-------------|-------------------|----------------|
| 1 | API removed | `OldClass.method()` removed | ≥ {NewVersion} | #1 |
| 2 | Import path changed | `from old.path import X` → `from new.path import X` | ≥ {NewVersion} | #2 |
| 3 | Config key renamed | `OLD_SETTING` → `NEW_SETTING` | ≥ {NewVersion} | #1 |
## Deprecations (not yet removed)
| # | Symbol / Feature | Replacement | Deprecated Since | Source |
|---|-----------------|-------------|-----------------|--------|
## Security Fixes
| CVE / Advisory | Severity | Description | Fixed In | Source |
|---------------|----------|-------------|----------|--------|
## Migration Checklist
- [ ] {action item derived from above}
## Raw Notes / Excerpts
> {Paste relevant changelog or migration guide sections verbatim}
All subsequent steps (5–8) must cite this file rather than re-fetching external URLs.
Deliver: reports/{package}-{old}-to-{new}-external-research.md with all external data captured and URL-cited
STOP: Do not proceed to Step 5 without this file. All external research must be recorded here first.
Read: reports/{package}-{old}-to-{new}-external-research.md (Step 4)
Deliver: Breaking change table with source URL for each item
Read: your ecosystem reference from the Resources table above, references/dependency-analysis.md §6, reports/{package}-{old}-to-{new}-external-research.md
reports/{package}-{old}-to-{new}-snapshot.md (include link to external research report)Deliver: Updated code + successful build STOP: If build fails, fix before proceeding.
Read: your ecosystem reference from the Resources table above — use the Run Tests section
Report:
Deliver: Test results ≥ baseline STOP: Migration NOT complete if tests fail/skipped.
Read: references/dependency-analysis.md §7
reports/{package}-{old}-to-{new}.md with:
reports/{package}-{old}-to-{new}-external-research.md (Step 4 research report)Status:
DO NOT report "complete" if tests not run or failed.
Fortify SCA integration: If this upgrade was triggered by Fortify SCA / open source findings, use the
fortify-fodorfortify-sscskill after this step to confirm the open source issues are resolved (e.g., re-scan or re-query the component) and to handle any required audit/closure actions in FoD or SSC.
Create during Step 5, include in reports/{package}-{old}-to-{new}-snapshot.md in Step 6 step 1:
| # | Path | From | To | Old | New | Source |
|---|---|---|---|---|---|---|
| 1 | src/Foo.java:12 | 1.x | 2.0 | OldClass (removed) | NewClass | https://... |
Include in final report:
npx claudepluginhub fortify/skills --plugin fortify-skillsPlans and executes safe, incremental dependency upgrades with risk assessment, migration guides, test strategies, rollback plans, and monitoring.
Plans and executes safe, incremental dependency upgrades with risk assessment, migration guides, and rollback strategies.
Enforces a structured process for updating, migrating, and auditing project dependencies with incremental verification. Handles security vulnerabilities, breaking changes, and major version upgrades.