phxdeps-update

# Dependency Update (Freshness) Inventory → update → fix breaks → grouped PRs. This is the only MUTATING deps skill: it edits `mix.exs`, `mix.lock`, and source. Security scanning stays in `/phx:deps-audit`; the vet ledger stays in `/phx:deps-vet`. ## Usage ``` /phx:deps-update # inventory + interactive scope pick /phx:deps-update --scope patch # bundle all patch bumps, one PR /phx:deps-update --pkg phoenix_live_view # one package (+ coupled group) /phx:deps-update --dry-run # inventory only, no changes ``` ## Iron Laws 1. **NEVER cross a major version without an explicit `mix.exs` edit** — `mix deps.update` stays within requirements. Edit the constraint first; add `override: true` only when `mix hex.outdated <pkg>` shows a transitive consumer blocking. One major per PR 2. **ALWAYS snapshot the changelog delta BEFORE updating** — capture `deps/<pkg>/CHANGELOG.md`, then delta via `mix hex.package diff`. Never update blind 3. **NEVER claim an update is safe without verification** — run `/phx:verify` (compile --warnings-as-errors + test). "Compiles" ≠ "works" 4. **ALWAYS move coupled packages together** — Phoenix core, Ecto, Ash, Oban, telemetry families update in the SAME step/commit (see `${CLAUDE_SKILL_DIR}/references/coupled-groups.md`) 5. **NEVER commit a partial bump** — `mix.lock` + `mix.exs` edits + (for Phoenix-family) `assets/package-lock.json` in ONE commit 6. **HAND OFF security to `/phx:deps-...