
deps-upgrade

Dependency-upgrade campaign — outdated scan, batch-by-severity, breaking-change remediation, lockfile audit. Use when CVEs require remediation, when a major upstream version lands, when stack compatibility forces a sweep, or on a scheduled (quarterly) hygiene cadence. CVE-driven bumps consume security audit findings as input.
OutlineDriven/odin-claude-plugin · ★ 27 · AI & Automation · score 82
Install: claude install-skill OutlineDriven/odin-claude-plugin
Dependencies are inherited code. Upgrades are inherited risk. Patch in batch, minor in batch with a smoke test, major one-at-a-time with a CHANGELOG read.

## When to Apply / NOT Apply

Apply: CVE remediation; major upstream release; compatibility forcing function; quarterly hygiene cadence; pre-release lockfile audit; deprecation warnings accumulating.

NOT apply: active feature branch with high churn; pre-release freeze window; mid-incident; API-break-driven refactor.

## Anti-patterns

- **Big-bang upgrade**: bumping every dep at once.
- **Skipping the lockfile**: floating ranges create non-reproducible builds.
- **Ignoring the CHANGELOG**: major bumps without reading upstream notes.
- **Suppressing deprecations**: `--warning-as-error=off` defers cost.
- **Bypassing audit signals**: `npm audit fix --force` without reading.
- **No smoke test on minor**: minor versions can introduce behavior shifts.
- **Forgetting transitives**: surface deps look fine; transitive CVE remains.
- **Mixing concerns in one commit**: upgrade + refactor + feature — atomize per `<git>` policy.

## Workflow (language-neutral)

1. **Inventory** — enumerate manifests + lockfiles across ecosystems. Many canonical names are extensionless (`go.mod`, `Gemfile`, `pom.xml`); filtering by extension alone misses them. `fd` only takes one glob per call, so anchor on canonical filenames via a single regex:

   ```sh
   fd -t f '^(package(-lock)?\.json|pnpm-lock\.yaml|yarn\.lock|Cargo\.(toml|lock)|pyproject\.toml|poet
   ```