Upgrade dependencies with breaking change detection and migration planning. Use when asked to "upgrade dependencies", "update packages", "bump dependencies", "bump <package> to <version>", "update <package> to version <version>", "handle dependabot PR", "handle renovate PR", "check for breaking changes", "upgrade <package> to <version>", "check outdated dependencies", "scan for updates", or when reviewing dependency bot PRs (dependabot, renovate, GitHub Actions), or when addressing security alerts, CVE notices, or vulnerability patches. Also trigger when the user mentions outdated packages, version bumps, or package manager update commands. Boundary: for version bumps within the same library. Use deps-migrate when replacing one library with another.
From vp-deps-shift
npx claudepluginhub vdustr/vp-claude-code-marketplace --plugin vp-deps-shift
This skill uses the workspace's default tool permissions.
references/confidence-index.md
references/context7-integration.md
references/deps-bot-handling.md
references/package-managers.md
references/repo-conventions.md
Upgrade dependencies with breaking change detection, test-first verification, and repo convention compliance.
Upgrade react to v19
Handle the dependabot PR #42
Check for outdated dependencies
Auto-resolve the renovate PR https://github.com/owner/repo/pull/99
Non-linear execution: Phases are numbered for reference, not strict order. If findings in any phase invalidate earlier assumptions, restart from the affected phase.
Three entry paths:
Determine update type:
| Type | Detection | Risk |
|---|---|---|
| Lockfile-only | New version within existing range | Low |
| Range update (minor) | Range change required, minor bump | Medium |
| Range update (major) | Range change required, major bump | High |
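The classification in the table above, as an added example (not the plugin's own code). The function names are hypothetical, and only exact, `^` and `~` ranges are handled, which is an assumption; real manifests can use the full npm range syntax.

```javascript
// Added example. Handles exact, ^ and ~ ranges only (assumption); real
// manifests can use the full npm range syntax.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret or tilde range under npm semver rules.
function upperBound(op, [major, minor, patch]) {
  if (op === "~") return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parseVersion(range.slice(op.length));
  const v = parseVersion(version);
  if (!op) return compare(v, base) === 0;
  return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
}

// Returns the row of the update-type table that applies.
function classifyUpdate(range, target) {
  if (satisfies(range, target)) return { type: "Lockfile-only", risk: "Low" };
  const base = parseVersion(range.replace(/^[\^~]/, ""));
  // Assumption: any range change that keeps the major is the "minor" row.
  // For 0.x packages a minor bump can still be breaking, so review those.
  return parseVersion(target)[0] !== base[0]
    ? { type: "Range update (major)", risk: "High" }
    : { type: "Range update (minor)", risk: "Medium" };
}

// Constructed sample input.
for (const [range, target] of [["^18.2.0", "18.3.1"], ["~18.2.0", "18.3.1"], ["^18.2.0", "19.0.0"]]) {
  console.log(range, "->", target, classifyUpdate(range, target).type);
}
```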
Consult all sources (use subagents for parallel lookup when possible, not a fallback chain):
resolve-library-id + query-docs for migration guides (see context7-integration.md)
gh api repos/{owner}/{repo}/releases
Combine into a breaking changes report: High/Medium/Low impact, affected files (grep for deprecated APIs), migration action for each change.
Conflict resolution: If sources disagree, use the most conservative (highest risk) conclusion and flag the discrepancy in the report.
Check for official/community migration tools before writing custom migrations:
| Source | What to look for | Example |
|---|---|---|
| Migration guide | Codemod CLI commands | npx react-codemod rename-unsafe-lifecycles |
| npm registry | *-codemod packages | @next/codemod, react-codemod |
| Target docs | Compat layer | es-toolkit/compat (lodash compatible) |
| Framework CLI | Auto-migration scripts | npx @angular/cli update |
Decision flow:
Detect packages that must be co-upgraded:
| Pattern | Detection | Example |
|---|---|---|
| @types/ packages | Check devDeps for @types/<pkg> | react → @types/react |
| Scoped @types/ | @scope/pkg → @types/scope__pkg | @babel/core → @types/babel__core |
| Peer dep ecosystem | Parse peerDependencies | react → react-dom |
| Peer dep types | For each peer dep found above, also check for @types/<peer> | react-dom → @types/react-dom |
| Framework integration | Known ecosystem groups | next requires compatible react |
| Workspace refs | workspace:* — skip (local) | — |
Present the related packages to the user and ask whether to include them in the upgrade plan.
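One way to derive the co-upgrade candidates from the detection table above, as an added example (not the plugin's own code). `typesName`, `relatedPackages` and the `peerIndex` input are hypothetical; the sketch covers the @types, scoped @types, peer dependency and workspace rows, not the known ecosystem groups.

```javascript
// Map a package to its DefinitelyTyped name: @scope/pkg -> @types/scope__pkg.
function typesName(pkg) {
  const m = /^@([^/]+)\/(.+)$/.exec(pkg);
  return "@types/" + (m ? `${m[1]}__${m[2]}` : pkg);
}

// manifest:  the project's package.json.
// peerIndex: peerDependencies of installed packages, keyed by package name
//            (assumption: the caller collects these from node_modules).
function relatedPackages(target, manifest, peerIndex) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const found = [];
  const add = (name, reason) => {
    if (!(name in declared) || name === target) return; // not used here
    if (declared[name].startsWith("workspace:")) return; // local ref: skip
    if (!found.some((f) => f.name === name)) found.push({ name, reason });
  };

  add(typesName(target), "types");
  // Packages that declare the target as a peer (react -> react-dom).
  for (const [name, peers] of Object.entries(peerIndex)) {
    if (target in peers) {
      add(name, "peer");
      add(typesName(name), "peer types");
    }
  }
  // The target's own peers (next -> react).
  for (const peer of Object.keys(peerIndex[target] || {})) {
    add(peer, "peer");
    add(typesName(peer), "peer types");
  }
  return found;
}

// Constructed sample input.
const sampleManifest = {
  dependencies: { react: "^18.2.0", "react-dom": "^18.2.0",
                  "@babel/core": "^7.24.0", "ui-kit": "workspace:*" },
  devDependencies: { "@types/react": "^18.2.0", "@types/react-dom": "^18.2.0",
                     "@types/babel__core": "^7.20.0" },
};
const samplePeers = { "react-dom": { react: "^18.2.0" }, "ui-kit": { react: "*" } };
console.log(relatedPackages("react", sampleManifest, samplePeers));
```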
Validate the migration approach before batch execution.
Quick feasibility check: If migration is config-only (e.g., ESLint flat config) or requires extensive project context, skip /tmp and go directly to subagent review.
If /tmp verification is feasible:
/tmp/deps-shift-verify-<package>-<timestamp>/
├── package.json # Minimal deps (target package only)
├── tsconfig.json # Copied from project, paths/aliases adjusted for /tmp
├── original/ # Copy of affected code snippets
├── migrated/ # Proposed migration applied
└── test-runner.sh # Must run tsc --noEmit at minimum, must NOT be just exit 0
Environment setup: Create a minimal package.json, install only the target package version fresh. Copy project's tsconfig.json; remove paths, baseUrl, and references fields that point to project-specific locations — /tmp resolves modules through its own node_modules only. Never mutate the project's actual node_modules.
Fallback: When tests can't be written → subagent 3-pass review loop:
Present structured plan with confidence index:
Always get user confirmation before executing.
--legacy-peer-deps — last resort; warn user this bypasses peer validation and may cause runtime issues
Detect and follow project conventions (see repo-conventions.md):
gh pr checks
| Error | Action |
|---|---|
| Package manager command fails | Check lockfile integrity, suggest rm -rf node_modules && install |
| Changelog/releases API 404 | Fall back to source code diff analysis |
| Codemod crashes partway | Report progress, show which files were transformed, suggest manual completion |
| Context7 MCP tool not found | Suggest installation, continue with changelog + releases + code analysis |
| Monorepo workspace resolution fails | Ask user to specify target package(s) |
| Tests still fail after 3 iterations | Present failure analysis, ask user how to proceed |
| /tmp write fails | Fall back to subagent review |
gh CLI (for bot PRs, releases API), package manager CLI
/plugin marketplace add upstash/context7
deps-migrate only when the primary intent is replacing one library with another.