Enforces a structured process for updating, migrating, and auditing project dependencies with incremental verification. Handles security vulnerabilities, breaking changes, and major version upgrades.
How this skill is triggered — by the user, by Claude, or both
Slash command
/superpowers-optimized:dependency-managementThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Update one thing at a time. Verify after each. Never batch major upgrades.
Update one thing at a time. Verify after each. Never batch major upgrades.
Dependency updates look simple — bump a version number, run install, done. In practice, they're one of the most common sources of hard-to-diagnose breakage: silent API changes, peer dependency conflicts, transitive dependency resolution shifts, and build tool incompatibilities. This skill enforces a structured approach that catches breakage at the smallest possible blast radius.
Before changing any versions, understand what needs updating and why.
List outdated dependencies:
npm outdated or yarn outdatedpip list --outdated or pip-auditgo list -m -u allcargo outdatedCategorize each update by urgency:
Prioritize: Security > Breaking (if blocking other work) > Feature. Don't update everything at once — pick the highest-priority items first.
For each dependency to update (especially major versions):
Read the changelog/migration guide. Look for:
Search the codebase for usage of changed APIs. For each renamed/removed API, run separate searches for:
obj["methodName"])Do not assume a single search caught everything — a function name may appear as a type annotation, a string key, or in a mock, each of which requires a separate pattern.
Check peer dependency compatibility: Will this update conflict with other installed packages? The package manager usually warns, but check proactively for frameworks with tight coupling (React + React DOM, Angular packages, etc.).
Classify the risk level:
One dependency at a time. Verify after each.
Update the dependency:
npm install package@version / pip install package==versionnpm install / pip install -r requirements.txtRun the full test suite. If tests fail:
Run the build. Type errors, import resolution failures, and build tool incompatibilities often surface here, not in tests.
Smoke test at runtime if the dependency affects runtime behavior (not just types/build). Start the app, hit the affected codepath, verify it works.
Stage the changes. When the user asks for a commit, use a message that names the package and version: chore(deps): upgrade lodash 4.17.20 → 4.17.21 (CVE-2021-23337). Do not auto-commit unless explicitly asked.
Repeat for the next dependency.
After all planned updates are applied:
When a CVE or security advisory requires urgent action:
known-issues.md with the CVE, affected dependency, workaround (if any), and date to re-check.Lockfile conflicts are common when dependency updates happen on parallel branches. Never hand-edit a lockfile to resolve conflicts — the resolution process is:
npm install, yarn install, pip install -r requirements.txt) to regenerate the lockfile with the correct resolution.^, ~) are acceptable when the lockfile is committed.typescript + @types/*).systematic-debugging — when an update causes unexpected failurestest-driven-development — when the update requires new tests for changed behaviorerror-recovery — to document recurring dependency issues in known-issues.mdnpx claudepluginhub repozy/superpowers-optimizedScans JS, Python, Go, Rust, Java package files for outdated dependencies, summarizes changelogs, detects breaking changes and vulnerabilities, generates prioritized update reports.
Reviews project dependencies for outdated versions, CVEs, end-of-life status in Node/npm, Python/pip, Rust/Cargo projects, and proposes safe updates with risk evaluation and breaking change checks.
Coordinates safe dependency upgrades across multiple package managers (npm, pip, cargo, maven, gradle), handling lockfiles, version conflicts, vulnerability patches, and migration risk.