CodeepCodeep
← back to marketplace

update-dependencies

v1.0.0

Safely bump project dependencies for any detected ecosystem (npm/pnpm/yarn/bun, pip, cargo, go, SwiftPM): update within semver-safe ranges or a single named package, reinstall, then run build and tests to verify nothing broke — reverting or flagging on failure and summarizing what changed plus breaking notes.

by VladoIvankovic · 0 installs · updated 6/16/2026

Install

/skills install VladoIvankovic/update-dependencies

Runs in any Codeep session (TUI, Zed, or VS Code extension). Writes to .codeep/skills/update-dependencies/SKILL.md in your project.

SKILL.md

---
name: update-dependencies
description: Safely bump project dependencies for any detected ecosystem (npm/pnpm/yarn/bun, pip, cargo, go, SwiftPM): update within semver-safe ranges or a single named package, reinstall, then run build and tests to verify nothing broke — reverting or flagging on failure and summarizing what changed plus breaking notes.
allowed-tools: [read_file, write_file, edit_file, list_files, search_code, execute_command]
triggers: ["update dependencies", "bump packages", "upgrade a package", "update lockfile", "are my deps outdated"]
version: 1.0.0
author: Codeep
---

Bump dependencies safely: update within existing semver ranges (or a single named package), reinstall, then prove the project still builds and passes tests. Never push a green-but-untested upgrade.

## Detect the ecosystem
List the repo root with `list_files`. Match lockfiles/manifests (first hit wins; a repo may have several):
- `bun.lockb`/`bun.lock` → bun · `pnpm-lock.yaml` → pnpm · `yarn.lock` → yarn · `package-lock.json`/`package.json` → npm
- `requirements.txt`/`pyproject.toml`/`poetry.lock` → pip/poetry · `Cargo.toml` → cargo · `go.mod` → go · `Package.swift` → SwiftPM

## Preflight
1. Run `git status --short`. If the tree is dirty, stop and ask before proceeding — you need a clean baseline to revert to.
2. `read_file` the manifest to record current versions and respect range operators (`^`, `~`, pinned).

## Update (within safe ranges, or a named package)
Pick the matching command. Default to a safe/minor update; only major-bump when the user names the package.
- npm: outdated → `npm outdated || true`; safe → `npm update`; named → `npm install <pkg>@latest`
- pnpm: `pnpm outdated || true` then `pnpm update` (named: `pnpm update <pkg> --latest`)
- yarn: `yarn upgrade` (named: `yarn upgrade <pkg>@latest`)
- bun: `bun update` (named: `bun update <pkg>`)
- pip: `pip install -U <pkg>` then `pip freeze > requirements.txt` (poetry: `poetry update [<pkg>]`)
- cargo: `cargo update [-p <pkg>]`
- go: `go get -u ./... && go mod tidy` (named: `go get <module>@latest`)
- SwiftPM: `swift package update [<pkg>]`

## Verify (required — do not skip)
Reinstall if needed, then build and test. For this Codeep repo (npm): `npm ci`, `npm run build`, `npm test`. Generic fallbacks: `cargo build && cargo test`, `go build ./... && go test ./...`, `swift build && swift test`, pytest/`python -m pytest`. If no test script exists, at minimum run the build/typecheck and say so in the summary.

## On failure
1. Read the error; identify the offending package (peer-dep conflict, removed API, type break).
2. If the user asked for a broad update, revert with `git checkout -- <manifest> <lockfile>` (or `git stash`) and re-run the verify step to confirm the baseline is green again.
3. If only one package broke, try pinning it to the last working version and re-verify the rest. Do not leave the tree in a broken state.

## Done when
Build and tests pass on the new versions (or you reverted to a green baseline). Then summarize: per-package old→new versions, anything held back, and breaking-change notes scanned from changelogs/release notes. Do not commit or push unless the user explicitly asks.

## Notes
- Keep manifest and lockfile changes together in one logical change.
- Use `read_file`/`edit_file` for manifest tweaks (e.g. pinning); use `execute_command` only for the package-manager and git commands above.
- Flag major version jumps and deprecations explicitly so the user can decide.