deps
// Audit outdated dependencies, check for vulnerabilities, and upgrade with test verification
Dependency Audit & Upgrade
Audit outdated dependencies, check for known vulnerabilities, and upgrade with automatic test verification. Rolls back any upgrade that breaks tests.
Arguments
$ARGUMENTS- Optional:audit(check only, no changes),upgrade(apply upgrades), or a specific package name to focus on
Context
- Project type: !
find . -maxdepth 1 \( -name go.mod -o -name Gemfile -o -name package.json -o -name Cargo.toml -o -name pyproject.toml \) 2>/dev/null | head -5 - Lockfiles: !
find . -maxdepth 1 \( -name go.sum -o -name Gemfile.lock -o -name package-lock.json -o -name yarn.lock -o -name pnpm-lock.yaml -o -name Cargo.lock -o -name poetry.lock -o -name uv.lock \) 2>/dev/null | head -5
Instructions
Step 1: Detect package manager
Based on the context above, identify the package manager:
| File | Package Manager | Outdated Command |
|---|---|---|
go.mod | Go modules | go list -m -u all |
Gemfile | Bundler | bundle outdated |
package.json | npm/yarn/pnpm | npm outdated or yarn outdated |
Cargo.toml | Cargo | cargo outdated (if installed) |
pyproject.toml | pip/poetry/uv | pip list --outdated or poetry show --outdated |
IF no recognized package manager is found, report "No supported package manager detected." and stop.
IF multiple are found, process each in order.
Step 2: Audit outdated dependencies
Run the appropriate outdated command. Parse the output into a table:
| Package | Current | Latest | Type |
|---------|---------|--------|------|
| foo | 1.2.3 | 2.0.0 | Major |
| bar | 1.0.0 | 1.1.0 | Minor |
| baz | 1.0.0 | 1.0.1 | Patch |
Classify each as Major, Minor, or Patch based on semver difference.
Step 3: Check for vulnerabilities
Run the appropriate audit command:
| Package Manager | Audit Command |
|---|---|
| Go | govulncheck ./... (if installed, otherwise skip) |
| Bundler | bundle audit check (if installed, otherwise skip) |
| npm | npm audit |
| Cargo | cargo audit (if installed, otherwise skip) |
| pip | pip-audit (if installed, otherwise skip) |
Report any known vulnerabilities with severity level.
Step 4: Report (audit mode)
IF $ARGUMENTS is audit or empty, present the combined report and stop:
## Dependency Report
### Outdated (<N> packages)
<table from Step 2>
### Vulnerabilities (<N> found)
<table of vulnerabilities with severity>
### Recommendation
- <N> critical/high vulnerabilities to fix immediately
- <N> major updates to evaluate
- <N> minor/patch updates safe to apply
Step 5: Upgrade (upgrade mode)
IF $ARGUMENTS is upgrade or a specific package name, proceed with upgrades.
Order of operations:
- Patch updates first — lowest risk
- Minor updates second — moderate risk
- Major updates last — highest risk, one at a time
For each upgrade:
-
Apply the upgrade using the appropriate command:
- Go:
go get <package>@latest - Bundler:
bundle update <gem> - npm:
npm install <package>@latest - Cargo: update version in
Cargo.toml, runcargo update -p <package> - pip:
pip install --upgrade <package>
- Go:
-
Run the test suite (detect framework same as
/testskill):- Go:
go test ./... - Ruby:
bundle exec rspec - Node:
npm test - Rust:
cargo test - Python:
pytest
- Go:
-
IF tests pass: keep the upgrade, move to next package.
-
IF tests fail: revert the change (
git checkout -- <lockfile> <manifest>), report the failure, and move to next package.
Step 6: Summary
## Upgrade Summary
| Package | From | To | Status |
|---------|------|----|--------|
| foo | 1.0.0 | 1.0.1 | Upgraded |
| bar | 1.0.0 | 2.0.0 | Failed (test: <brief reason>) |
| baz | 1.0.0 | 1.1.0 | Skipped (user declined) |
**Tests:** All passing after upgrades.