Skill quality: 0.59

review-dependencies

Detect package managers and discover outdated or vulnerable dependencies. Returns structured findings without upgrading. Use when the user asks to "review dependencies", "check for outdated packages", "check dependencies", "scan dependencies", or "dependency review".

Price: free
Protocol: skill
Verified: no

What it does

Review Dependencies

Detect package managers and discover outdated or vulnerable dependencies. Analysis only. Does not upgrade.

Step 1: Detect Package Managers

Identify which package managers are in use by searching for config files:

| Config file | Package manager | Lockfile | Ecosystem |
|---|---|---|---|
| package.json | npm / yarn / pnpm | package-lock.json / yarn.lock / pnpm-lock.yaml | Node.js |
| Package.swift, *.xcodeproj | Swift Package Manager | Package.resolved | Swift |
| pyproject.toml, requirements.txt, setup.py | pip / poetry / uv | poetry.lock, uv.lock | Python |
| Cargo.toml | cargo | Cargo.lock | Rust |
| go.mod | Go modules | go.sum | Go |
| Gemfile | Bundler | Gemfile.lock | Ruby |
| pom.xml | Maven | | Java |
| build.gradle, build.gradle.kts | Gradle | gradle.lockfile | Java/Kotlin |

Swift dependencies can live in Package.swift or be configured directly in the Xcode project file (.xcodeproj/.xcworkspace). For Xcode-managed dependencies, inspect the project's package references.

Detection steps:

  1. Search for config files in the project root and subdirectories (exclude vendored directories)
  2. If a lockfile exists, use the corresponding package manager variant (e.g., yarn.lock → yarn, pnpm-lock.yaml → pnpm)
  3. If multiple instances of the same package manager are found (e.g., a monorepo with several package.json files): use AskUserQuestion to let the user choose which to review (multiSelect allowed)
  4. If multiple package managers are found: use AskUserQuestion to let the user choose which to review
  5. If none are found: inform the user and stop

Step 2: Discovery

Run the appropriate discovery command to find available updates:

| Package manager | Discovery command | Notes |
|---|---|---|
| npm | `ncu --format group` | Requires npm-check-updates. Suggest `npm install -g npm-check-updates` if missing. |
| yarn | `ncu --format group` or `yarn upgrade-interactive` | |
| pnpm | `ncu --format group` or `pnpm outdated` | |
| Swift PM | Check resolved versions in Package.resolved against latest releases via WebSearch | No built-in outdated command. Read Package.swift or inspect the Xcode project to identify dependencies and their current version constraints. |
| pip | `pip list --outdated` | |
| poetry | `poetry show --outdated` | |
| uv | `uv pip list --outdated` | |
| cargo | `cargo outdated` | Requires cargo-outdated. Fall back to comparing Cargo.toml versions via WebSearch. |
| Go modules | `go list -m -u all` | |
| Bundler | `bundle outdated` | |
| Maven | `mvn versions:display-dependency-updates` | |
| Gradle | `gradle dependencyUpdates` | Requires com.github.ben-manes.versions plugin. |

Categorize updates:

  • Major (breaking changes) — requires migration research
  • Minor (new features, backward compatible)
  • Patch (bug fixes)

Step 3: Report Findings

If the discovery tool is not installed, suggest the installation command (see Step 2 notes column). If no tool exists for the ecosystem, fall back to manual version checking via WebSearch.

If no updates are available, report that dependencies are up to date.

Output Format

Return findings as a numbered list. For each finding:

### [P<N>] <title (imperative, <=80 chars)>

**Package:** `<name>` <current> -> <latest>
**Manager:** <npm/pip/cargo/etc.>

<one paragraph: why this matters, known vulnerabilities if any, major version gap>

After all findings, add:

## Overall Verdict

**Dependencies:** <up to date | updates available>

<summary with counts: N major, N minor, N patch>

Priority Levels

  • P0 — Known security vulnerability (CVE) in the current version
  • P1 — Multiple major versions behind (e.g., React 17 → 19)
  • P2 — One major version behind or significantly outdated minor versions
  • P3 — Minor or patch updates available
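
The Step 2 categories and the priority levels above can be combined into one triage function. The following is an added example, not part of the skill itself: the Finding type, the has_cve flag, the MINOR_GAP_P2 threshold, and the reading of "multiple major versions" as a gap of two or more are assumptions, and the sample data is constructed.

```python
import re
from typing import NamedTuple, Optional
MINOR_GAP_P2 = 10  # assumption: the skill does not define "significantly outdated"

class Finding(NamedTuple):
    name: str
    current: str
    latest: str
    has_cve: bool = False  # known CVE in the current version, supplied by the caller

def parse(version: str) -> tuple:
    """Return (major, minor, patch); tolerates 'v2.1', '1', '1.2.3-rc1'."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def categorize(current: str, latest: str) -> Optional[str]:
    """Step 2 category (major/minor/patch), or None if latest is not newer."""
    cur, new = parse(current), parse(latest)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "patch"

def priority(f: Finding) -> Optional[str]:
    """Map a finding to P0..P3 following the Priority Levels list."""
    if f.has_cve:
        return "P0"  # a CVE outranks any version gap
    kind = categorize(f.current, f.latest)
    if kind is None:
        return None
    cur, new = parse(f.current), parse(f.latest)
    if kind == "major":
        return "P1" if new[0] - cur[0] >= 2 else "P2"
    big_minor = kind == "minor" and new[1] - cur[1] >= MINOR_GAP_P2
    return "P2" if big_minor else "P3"

def report(findings) -> list:
    """Finding headers, most urgent first; up-to-date packages are dropped."""
    rated = sorted((priority(f), f) for f in findings if priority(f))
    return [f"[{p}] {f.name} {f.current} -> {f.latest}" for p, f in rated]

# Constructed sample input; names and versions are illustrative only.
SAMPLE = [Finding(*row) for row in [
    ("react", "17.0.2", "19.0.0"), ("libfoo", "1.4.0", "1.4.2", True),
    ("bar", "v2.1.0", "3.0.0"), ("baz", "1.2.0", "1.15.1"),
    ("qux", "0.9.1", "0.9.3"), ("same", "1.0.0", "1.0.0")]]
```

Pre-release suffixes are ignored by parse, so a package pinned to a release candidate is compared by its numeric components only.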

Capabilities

skill, source-tobihagemann, skill-review-dependencies, topic-agent-skills, topic-claude-code, topic-claude-skills, topic-developer-tools, topic-skills

Quality

0.59 / 1.00

Deterministic score 0.59 from registry signals: indexed on github topic:agent-skills · 280 github stars · SKILL.md body (3,900 chars)

Provenance

Indexed from: github
Enriched: 2026-04-22 00:54:11Z · deterministic:skill-github:v1 · v1
First seen: 2026-04-18
Last seen: 2026-04-22