bump-deps
Use for dependency updates: bump npm/pnpm/yarn/bun packages, check outdated, or run taze.
How do I install this agent skill?
npx skills add https://github.com/paulrberg/agent-skills --skill bump-depsIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill facilitates updating Node.js dependencies using the well-known 'taze' CLI. It correctly identifies version types (major, minor, patch), prompts the user for major updates, and supports monorepos and Bun catalogs. The tool uses a local script for dependency scanning but does not perform suspicious network or file system operations beyond its stated purpose.
- Socketpass
No alerts
- Snykwarn
Risk: MEDIUM · 1 issue
- Runlayerwarn
2/2 files flagged
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
Bump Dependencies
Use Taze to build one structured update plan, apply compatible ranged updates, and make major-version decisions as a batch.
Workflow
-
Resolve the skill directory and run the helper from the target repository:
bash <skill-dir>/scripts/run-taze.sh --plan [--include package-a,package-b]The JSON plan classifies every discovered update as
apply,review-major,review, orskip-fixed. The helper detects monorepos, includes locked versions during scans, and mirrors Bun minimum-release-age settings. If the repository uses package-manager age gates or Bun catalogs, read references/conditional-workflows.md for that active branch only. -
If
--dry-runwas requested, present the plan and counts, then stop without changing manifests or lockfiles. -
Select every ranged minor/patch update marked
apply. Never auto-approve a major package by name. Present allreview-majorand unknown updates in one decision batch with current version, target version, package role when discoverable, and relevant migration/release notes. Apply only the majors the user selects. -
If nothing is selected, report the no-op and stop. Otherwise write all selected updates in one command:
bash <skill-dir>/scripts/run-taze.sh --write --include package-a,package-b -
Update matching root Bun catalog entries when present, preserving their existing range prefixes. Then run
niso the repository's package manager updates its lockfile. -
Inspect the manifest and lockfile diff. Run the narrowest package-manager or repository checks that exercise updated dependencies, with extra attention to approved major migrations.
Invariants
- Fixed versions and non-semver protocols remain unchanged unless the user explicitly asks otherwise.
- Package arguments constrain both scan and write phases.
- The same maturity-period policy applies to scan and write.
- Do not infer compatibility from SemVer alone when repository evidence, peer ranges, or release notes indicate otherwise.
Completion requires a reviewed plan, one manifest write for the selected set, a regenerated lockfile, and validation evidence; dry-run completion requires the structured plan and zero writes.
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/paulrberg/agent-skills/bump-deps">View bump-deps on skillZs</a>