{"id":"70780d76-402d-4ed9-ac3c-87e5aeeefea6","shortId":"jWfXZw","kind":"skill","title":"review-dependencies","tagline":"Detect package managers and discover outdated or vulnerable dependencies. Returns structured findings without upgrading. Use when the user asks to \"review dependencies\", \"check for outdated packages\", \"check dependencies\", \"scan dependencies\", or \"dependency review\".","description":"# Review Dependencies\n\nDetect package managers and discover outdated or vulnerable dependencies. Analysis only. Does not upgrade.\n\n## Step 1: Detect Package Managers\n\nIdentify which package managers are in use by searching for config files:\n\n| Config file | Package manager | Lockfile | Ecosystem |\n|---|---|---|---|\n| `package.json` | npm / yarn / pnpm | `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` | Node.js |\n| `Package.swift`, `*.xcodeproj` | Swift Package Manager | `Package.resolved` | Swift |\n| `pyproject.toml`, `requirements.txt`, `setup.py` | pip / poetry / uv | `poetry.lock`, `uv.lock` | Python |\n| `Cargo.toml` | cargo | `Cargo.lock` | Rust |\n| `go.mod` | Go modules | `go.sum` | Go |\n| `Gemfile` | Bundler | `Gemfile.lock` | Ruby |\n| `pom.xml` | Maven | — | Java |\n| `build.gradle`, `build.gradle.kts` | Gradle | `gradle.lockfile` | Java/Kotlin |\n\nSwift dependencies can live in `Package.swift` or be configured directly in the Xcode project file (`.xcodeproj`/`.xcworkspace`). For Xcode-managed dependencies, inspect the project's package references.\n\nDetection steps:\n\n1. Search for config files in the project root and subdirectories (exclude vendored directories)\n2. If a lockfile exists, use the corresponding package manager variant (e.g., `yarn.lock` → yarn, `pnpm-lock.yaml` → pnpm)\n3. If **multiple instances of the same package manager** found (e.g., monorepo with several `package.json` files): use `AskUserQuestion` to let the user choose which to review (multiSelect allowed)\n4. 
If **multiple package managers** found: use `AskUserQuestion` to let the user choose which to review\n5. If **none** found: inform user and stop\n\n## Step 2: Discovery\n\nRun the appropriate discovery command to find available updates:\n\n| Package manager | Discovery command | Notes |\n|---|---|---|\n| npm | `ncu --format group` | Requires `npm-check-updates`. Suggest `npm install -g npm-check-updates` if missing. |\n| yarn | `ncu --format group` or `yarn upgrade-interactive` | |\n| pnpm | `ncu --format group` or `pnpm outdated` | |\n| Swift PM | Check resolved versions in `Package.resolved` against latest releases via WebSearch | No built-in outdated command. Read `Package.swift` or inspect the Xcode project to identify dependencies and their current version constraints. |\n| pip | `pip list --outdated` | |\n| poetry | `poetry show --outdated` | |\n| uv | `uv pip list --outdated` | |\n| cargo | `cargo outdated` | Requires `cargo-outdated`. Fall back to comparing `Cargo.toml` versions via WebSearch. |\n| Go modules | `go list -m -u all` | |\n| Bundler | `bundle outdated` | |\n| Maven | `mvn versions:display-dependency-updates` | |\n| Gradle | `gradle dependencyUpdates` | Requires `com.github.ben-manes.versions` plugin. |\n\nCategorize updates:\n- **Major** (breaking changes) — requires migration research\n- **Minor** (new features, backward compatible)\n- **Patch** (bug fixes)\n\n## Step 3: Report Findings\n\nIf the discovery tool is not installed, suggest the installation command (see Step 2 notes column). If no tool exists for the ecosystem, fall back to manual version checking via WebSearch.\n\nIf no updates are available, report that dependencies are up to date.\n\n## Output Format\n\nReturn findings as a numbered list. 
For each finding:\n\n```\n### [P<N>] <title (imperative, <=80 chars)>\n\n**Package:** `<name>` <current> -> <latest>\n**Manager:** <npm/pip/cargo/etc.>\n\n<one paragraph: why this matters, known vulnerabilities if any, major version gap>\n```\n\nAfter all findings, add:\n\n```\n## Overall Verdict\n\n**Dependencies:** <up to date | updates available>\n\n<summary with counts: N major, N minor, N patch>\n```\n\n## Priority Levels\n\n- **P0** — Known security vulnerability (CVE) in the current version\n- **P1** — Multiple major versions behind (e.g., React 17 → 19)\n- **P2** — One major version behind or significantly outdated minor versions\n- **P3** — Minor or patch updates available","tags":["review","dependencies","turbo","tobihagemann","agent-skills","claude-code","claude-skills","developer-tools","skills"],"capabilities":["skill","source-tobihagemann","skill-review-dependencies","topic-agent-skills","topic-claude-code","topic-claude-skills","topic-developer-tools","topic-skills"],"categories":["turbo"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/tobihagemann/turbo/review-dependencies","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add tobihagemann/turbo","source_repo":"https://github.com/tobihagemann/turbo","install_from":"skills.sh"}},"qualityScore":"0.590","qualityRationale":"deterministic score 0.59 from registry signals: · indexed on github topic:agent-skills · 280 github stars · SKILL.md body (3,900 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:54:11.783Z","embedding":null,"createdAt":"2026-04-18T22:04:03.090Z","updatedAt":"2026-04-22T00:54:11.783Z","lastSeenAt":"2026-04-22T00:54:11.783Z","prices":[{"id":"02c52507-596a-4d5f-86da-3acc7513d52e","listingId":"70780d76-402d-4ed9-ac3c-87e5aeeefea6","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"tobihagemann","category":"turbo","install_from":"skills.sh"},"createdAt":"2026-04-18T22:04:03.090Z"}],"sources":[{"listingId":"70780d76-402d-4ed9-ac3c-87e5aeeefea6","source":"github","sourceId":"tobihagemann/turbo/review-dependencies","sourceUrl":"https://github.com/tobihagemann/turbo/tree/main/skills/review-dependencies","isPrimary":false,"firstSeenAt":"2026-04-18T22:04:03.090Z","lastSeenAt":"2026-04-22T00:54:11.783Z"}],"details":{"listingId":"70780d76-402d-4ed9-ac3c-87e5aeeefea6","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"tobihagemann","slug":"review-dependencies","github":{"repo":"tobihagemann/turbo","stars":280,"topics":["agent-skills","claude-code","claude-skills","developer-tools","skills"],"license":"mit","html_url":"https://github.com/tobihagemann/turbo","pushed_at":"2026-04-21T12:22:12Z","description":"A composable dev process for Claude Code, packaged as modular skills.","skill_md_sha":"db392851eeb9c8b6771e72f866ad2cec28b971da","skill_md_path":"skills/review-dependencies/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/tobihagemann/turbo/tree/main/skills/review-dependencies"},"layout":"multi","source":"github","category":"turbo","frontmatter":{"name":"review-dependencies","description":"Detect package managers and discover outdated or vulnerable dependencies. Returns structured findings without upgrading. 
Use when the user asks to \"review dependencies\", \"check for outdated packages\", \"check dependencies\", \"scan dependencies\", or \"dependency review\"."},"skills_sh_url":"https://skills.sh/tobihagemann/turbo/review-dependencies"},"updatedAt":"2026-04-22T00:54:11.783Z"}}