deps
Use when managing dependencies — auditing for vulnerabilities, updating packages safely, or adding new dependencies with rollback on failure. Also use when npm audit reports issues or packages are outdated.
| Model | Source | Category |
|---|---|---|
| sonnet | core | Other |
Context: fork
Full Reference
Safe dependency management with audit, changelog review, test, and automatic rollback on failure.
Mandatory Announcement — FIRST OUTPUT before anything else:
┏━ 🔧 deps ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [one-line description of what you're updating] ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
Commands
Check current dependency health:
npm audit      # Security vulnerabilities
npm outdated   # Available updates
Reports: critical/high vulnerabilities, patch/minor/major updates available, inactive packages.
Update
Plan and execute safe updates:
Step 1: Categorize by risk
| Level | Risk | Action |
|---|---|---|
| Patch (x.x.PATCH) | Low | Auto-apply |
| Minor (x.MINOR.x) | Medium | Review changelog, apply if safe |
| Major (MAJOR.x.x) | High | Requires manual approval |
Step 2: For each update
- Check changelog for breaking changes (use WebSearch)
- Apply the update
- Run full verification:
  npm run check && npm run build && npm test
- If it fails → rollback immediately
Step 3: Report results
▪ [N] updates applied successfully
▪ [N] updates skipped (breaking changes)
▪ [N] updates failed (rolled back)
Add
Safely add a new dependency:
- Audit package — check weekly downloads, last publish date, maintainer count
- Check bundle size — warn if >100KB (frontend bundle impact)
- Install and verify — npm install <package> && npm run check && npm run build
- Rollback if issues — npm uninstall <package> && git checkout package.json package-lock.json
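The Update steps (categorize by risk, apply one package at a time, verify, roll back) and the add-package flow above, worked through as an added POSIX shell example; this is not the deps skill's own code. It assumes an npm project with `check`, `build` and `test` scripts, package-lock.json tracked in git, and, for the weekly-download figure, that the public npm downloads API is reachable. Install size on disk is used as a rough stand-in for bundle size, and the `npm outdated` lines at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not the deps skill's own code. Assumes an npm project with
# "check", "build" and "test" scripts and package-lock.json tracked in git.
# Nothing below touches the network or node_modules unless you call
# apply_level / safe_update / safe_add yourself.

# bump_level CURRENT TARGET -> patch | minor | major | none
# Mirrors the risk table: MAJOR.x.x = major, x.MINOR.x = minor, x.x.PATCH = patch.
bump_level() {
    cur_major=${1%%.*}; cur_rest=${1#*.}; cur_minor=${cur_rest%%.*}
    tgt_major=${2%%.*}; tgt_rest=${2#*.}; tgt_minor=${tgt_rest%%.*}
    if [ "$cur_major" != "$tgt_major" ]; then echo major
    elif [ "$cur_minor" != "$tgt_minor" ]; then echo minor
    elif [ "$1" != "$2" ]; then echo patch
    else echo none
    fi
}

# classify_outdated: reads "package current latest" lines on stdin and prints
# "level package current latest". Real input comes from
#   npm outdated | awk 'NR>1 {print $1, $2, $4}'
# (npm outdated columns: Package Current Wanted Latest ...).
classify_outdated() {
    while read -r pkg cur latest; do
        [ -n "$pkg" ] || continue
        echo "$(bump_level "$cur" "$latest") $pkg $cur $latest"
    done
}

# verify: the full verification chain from the Update step.
verify() { npm run check && npm run build && npm test; }

# rollback: restore manifest and lock file from git, reinstall from the lock.
rollback() { git checkout -- package.json package-lock.json && npm ci; }

# safe_update PACKAGE CURRENT TARGET: one package at a time; major bumps are
# refused unless APPROVE_MAJOR=1 (manual approval); any failure rolls back.
safe_update() {
    pkg=$1; cur=$2; target=$3
    level=$(bump_level "$cur" "$target")
    if [ "$level" = major ] && [ "${APPROVE_MAJOR:-0}" != 1 ]; then
        echo "skipped  $pkg $cur -> $target (major: needs manual approval)"
        return 2
    fi
    if npm install "$pkg@$target" && verify; then
        echo "applied  $pkg $cur -> $target ($level)"
        return 0
    fi
    echo "failed   $pkg $cur -> $target, rolling back"
    rollback
    return 1
}

# apply_level LEVEL: apply every classified update at one risk level
# (run patch, then minor, then major), stopping at the first failure.
# Input: classify_outdated output on stdin.
apply_level() {
    want=$1
    while read -r level pkg cur latest; do
        [ "$level" = "$want" ] || continue
        safe_update "$pkg" "$cur" "$latest" || return $?
    done
}

# safe_add PACKAGE: print the audit facts for review, install, verify,
# warn on size, roll back on failure. Weekly downloads come from the public
# npm downloads API (assumed reachable); install size on disk is only a
# rough proxy for frontend bundle impact.
safe_add() {
    pkg=$1
    echo "last publish: $(npm view "$pkg" time.modified)"
    echo "maintainers:  $(npm view "$pkg" maintainers)"
    echo "weekly downloads: $(curl -fsS "https://api.npmjs.org/downloads/point/last-week/$pkg" \
        | sed 's/.*"downloads":\([0-9]*\).*/\1/')"
    if npm install "$pkg" && verify; then
        kb=$(du -sk "node_modules/$pkg" | cut -f1)
        [ "$kb" -le 100 ] || echo "warning: $pkg is ${kb}KB installed (frontend bundle impact)"
        return 0
    fi
    npm uninstall "$pkg"
    rollback
    return 1
}

# Constructed sample in npm-outdated column order (package current latest):
SAMPLE='lodash 4.17.20 4.17.21
express 4.18.2 4.19.0
typescript 4.9.5 5.3.3'
printf '%s\n' "$SAMPLE" | classify_outdated
```

Typical use follows the one-level-at-a-time rule: `npm outdated | awk 'NR>1 {print $1, $2, $4}' | classify_outdated | apply_level patch`, then the same pipeline with `minor` after the changelog review, and finally `APPROVE_MAJOR=1 ... apply_level major` for each approved major bump. Because `safe_update` stops at the first failure and has already restored package.json, the lock file and node_modules from git, the tree is never left half-updated.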
Quick Reference
| Action | Command |
|---|---|
| Audit health | deps audit |
| Safe update | deps update |
| Add package | deps add <package> |
| Remove package | npm uninstall <package> |
Safety Rules
- Never force-update packages with known breaking changes
- Always run full build + tests after updates
- Keep lock file committed (package-lock.json / yarn.lock / pnpm-lock.yaml)
- Rollback immediately on test/build failure
- Warn if package is >100KB (frontend bundle impact)
- Never update all major versions at once — one at a time
Common Mistakes
| Mistake | Fix |
|---|---|
| Updating all packages at once | Update one risk level at a time: patch → minor → major |
| Skipping changelog review for minor bumps | Minor versions can have subtle behavior changes — always check |
| Not running build after update | Type errors and build failures only surface with full verify |
| Force-resolving audit warnings | Fix the vulnerability, don’t suppress the warning |
| Ignoring peer dependency warnings | Peer dep mismatches cause runtime errors — resolve them |