陌讯skills聚合平台

npm-updater

📁 verebelyin/skills 📅 4 days ago
4
总安装量
4
周安装量
#49655
全站排名
安装命令
npx skills add https://github.com/verebelyin/skills --skill npm-updater

Agent 安装分布

opencode 4
gemini-cli 4
claude-code 4
github-copilot 4
codex 4
kimi-cli 4

Skill 文档

NPM Updater

Structured workflow for updating all dependencies in a single package.json.

Step 0: Detect Package Manager

Determine package manager from lockfiles and package.json config:

Lockfile package.json field Manager
yarn.lock packageManager: "yarn@" yarn
pnpm-lock.yaml packageManager: "pnpm@" pnpm
bun.lockb or bun.lock — bun
package-lock.json — npm

Use Glob to check for lockfiles in the project root. If ambiguous, ask the user.

Install commands: npm=npm install, yarn=yarn install, pnpm=pnpm install, bun=bun install

Step 1: Discover Verification Commands

Read package.json scripts. Identify which exist:

  • Type check: type-check, typecheck, tsc
  • Lint: lint
  • Build: build
  • Test: test

Store for use in Step 7.

Step 2: Snapshot Current State

Read package.json. Record all devDependencies and dependencies with current version ranges. Group into:

  1. devDependencies (update first)
  2. dependencies (update second)

Step 3: Check Latest Versions

For each dependency, fetch latest version from the npm registry:

WebFetch: https://registry.npmjs.org/{exact-package-name}/latest
Prompt: "Return the version number and the repository URL (from repository.url or homepage)"

SECURITY — Package identity verification:

  • Use the exact package name from package.json. Never guess or autocomplete names.
  • Only use https://registry.npmjs.org/ — no other registries.
  • Extract repository.url from the registry response for GitHub lookups. Never construct GitHub URLs by guessing org/repo names.
  • If package name looks suspicious or metadata is unexpected, alert the user immediately.

Classify each dependency:

  • Patch/minor: e.g., 2.1.0 → 2.3.1
  • Major: e.g., 2.x → 3.x
  • Already latest: skip

Step 4: Batch Minor/Patch Updates

4a: devDependencies (minor/patch)

Update all devDependency version ranges with minor/patch bumps in package.json. Run install. Run verification (Step 7).

If verification fails, bisect: revert and update half at a time to isolate the breaking dep.

4b: dependencies (minor/patch)

Same process for production dependencies.

Step 5: Major Updates — Changelog Analysis

For each major version bump, before updating:

5a: Fetch Changelog

Try these sources in order, using the repository.url obtained in Step 3:

  1. GitHub releases: WebFetch the releases page from the verified repo URL. Prompt: “List breaking changes between v{current} and v{latest}”.

  2. CHANGELOG.md: WebFetch the raw CHANGELOG.md from the verified repo. Prompt: “List breaking changes between v{current} and v{latest}”.

  3. Context7 MCP: resolve-library-id then query-docs with “migration breaking changes version {latest}”.

5b: Assess Impact

For each major bump determine:

  • Breaking API changes that affect this project?
  • Code migration needed?
  • Is this a “big upgrade” needing a migration guide? (→ Step 6)

If breaking changes are trivial (renamed export, dropped old Node support, etc.), update directly. Apply necessary code changes, run verification.

Step 6: Major Updates — Migration Guide (User Approval Required)

Applies when:

  • Package is a framework or core tool (Next.js, React, Prisma, TypeScript, ESLint, Emotion, Tailwind, etc.)
  • Changelog references a migration guide
  • Breaking changes are substantial

6a: Find Migration Guide

  1. Repo docs: Check verified repository.url for migration/upgrade docs.

  2. Official docs: WebSearch for "{package-name} migration guide v{current} to v{latest}".

  3. Context7 MCP: Query "{package-name} migration guide version {latest}".

  4. Codemods/CLI tools: Search for automated migration tools (e.g., npx @next/codemod, npx prisma migrate). Mention these explicitly.

  5. Agent-based migration prompts: Many migration guides now include dedicated prompts or instructions for AI coding agents (e.g., LLM prompts, .cursor rules, agent migration scripts). When a migration guide is found, search within it and the surrounding repo/docs for:

    • Agent-specific migration prompts (often in markdown files, .cursor/, or labeled “AI prompt”, “LLM prompt”, “agent instructions”)
    • Automated agent-driven migration workflows or CLI flags (e.g., --agent, --ai)
    • WebSearch for "{package-name} v{latest} migration AI agent prompt" or "{package-name} v{latest} cursor migration"

    If any agent-based migration prompt or tool is found, always surface it to the user in Step 6b — these are the highest-quality migration paths and should be preferred over manual guide-following.

6b: Present to User for Approval

MANDATORY — before following any migration guide:

AskUserQuestion:
"Found migration guide for {package} v{current} → v{latest}:
{link-to-guide}

Key breaking changes:
- {change 1}
- {change 2}

Approach: {describe how you'll follow the guide, mention codemods if available}

Proceed with this migration?"
Options: ["Yes, follow the guide", "Skip this upgrade", "Let me review first"]

6c: Execute Migration

Only after user approval:

  1. Follow migration guide step by step
  2. Run codemods if available
  3. Update package.json, run install
  4. Run verification (Step 7)

Step 7: Verification

Run discovered commands from Step 1 sequentially, stop on first failure:

  1. {manager} install
  2. Type check (if available): {manager} run {type-check-script}
  3. Lint (if available): {manager} run lint
  4. Build (if available): {manager} run build

On failure:

  • Read error output, attempt fix (type errors, renamed imports, etc.)
  • Re-run verification
  • If stuck after 2 attempts, report failure with error details to user

Step 8: Summary

Present completion table:

| Package        | From    | To      | Type  | Source Changes | Notes           |
|----------------|---------|---------|-------|----------------|-----------------|
| typescript     | 5.3.0   | 5.7.0   | minor | none           | batched         |
| next           | 15.1.0  | 16.0.0  | major | 12 files       | migration guide |
| eslint         | 8.x     | 9.x     | major | 3 files        | flat config     |
| @types/node    | 20.x    | 22.x    | major | none           | types only      |
  • Source Changes: List count of files modified due to the upgrade (excluding package.json/lockfile). If files were changed, briefly list the key files affected.
  • Include skipped packages with reasons.

Security Reminders

  • Never install packages by guessing names. Use exact name from existing package.json.
  • Verify GitHub URLs from npm registry repository.url, not manual construction.
  • Never run {manager} add {pkg}@latest without confirming package name and version from registry first. Prevents typosquatting.
  • If anything looks suspicious, alert the user immediately.
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。