NPM Updater
Structured workflow for updating all dependencies in a single package.json.
Step 0: Detect Package Manager
Determine package manager from lockfiles and package.json config:
| Lockfile | package.json field | Manager |
|---|---|---|
yarn.lock | packageManager: "yarn@" | yarn |
pnpm-lock.yaml | packageManager: "pnpm@" | pnpm |
bun.lockb or bun.lock | — | bun |
package-lock.json | — | npm |
Use Glob to check for lockfiles in the project root. If ambiguous, ask the user.
Install commands: npm=npm install, yarn=yarn install, pnpm=pnpm install, bun=bun install
Step 1: Discover Verification Commands
Read package.json scripts. Identify which exist:
- Type check:
type-check,typecheck,tsc - Lint:
lint - Build:
build - Test:
test
Store for use in Step 7.
Step 2: Snapshot Current State
Read package.json. Record all devDependencies and dependencies with current version ranges. Group into:
devDependencies(update first)dependencies(update second)
Step 3: Check Latest Versions
For each dependency, fetch latest version from the npm registry:
WebFetch: https://registry.npmjs.org/{exact-package-name}/latest
Prompt: "Return the version number and the repository URL (from repository.url or homepage)"
SECURITY — Package identity verification:
- Use the exact package name from
package.json. Never guess or autocomplete names. - Only use
https://registry.npmjs.org/— no other registries. - Extract
repository.urlfrom the registry response for GitHub lookups. Never construct GitHub URLs by guessing org/repo names. - If package name looks suspicious or metadata is unexpected, alert the user immediately.
Classify each dependency:
- Patch/minor: e.g.,
2.1.0→2.3.1 - Major: e.g.,
2.x→3.x - Already latest: skip
Step 4: Batch Minor/Patch Updates
4a: devDependencies (minor/patch)
Update all devDependency version ranges with minor/patch bumps in package.json. Run install. Run verification (Step 7).
If verification fails, bisect: revert and update half at a time to isolate the breaking dep.
4b: dependencies (minor/patch)
Same process for production dependencies.
Step 5: Major Updates — Changelog Analysis
For each major version bump, before updating:
5a: Fetch Changelog
Try these sources in order, using the repository.url obtained in Step 3:
-
GitHub releases:
WebFetchthe releases page from the verified repo URL. Prompt: "List breaking changes between v{current} and v{latest}". -
CHANGELOG.md:
WebFetchthe raw CHANGELOG.md from the verified repo. Prompt: "List breaking changes between v{current} and v{latest}". -
Context7 MCP:
resolve-library-idthenquery-docswith "migration breaking changes version {latest}".
5b: Assess Impact
For each major bump determine:
- Breaking API changes that affect this project?
- Code migration needed?
- Is this a "big upgrade" needing a migration guide? (→ Step 6)
If breaking changes are trivial (renamed export, dropped old Node support, etc.), update directly. Apply necessary code changes, run verification.
Step 6: Major Updates — Migration Guide (User Approval Required)
Applies when:
- Package is a framework or core tool (Next.js, React, Prisma, TypeScript, ESLint, Emotion, Tailwind, etc.)
- Changelog references a migration guide
- Breaking changes are substantial
6a: Find Migration Guide
-
Repo docs: Check verified
repository.urlfor migration/upgrade docs. -
Official docs:
WebSearchfor"{package-name} migration guide v{current} to v{latest}". -
Context7 MCP: Query
"{package-name} migration guide version {latest}". -
Codemods/CLI tools: Search for automated migration tools (e.g.,
npx @next/codemod,npx prisma migrate). Mention these explicitly. -
Agent-based migration prompts: Many migration guides now include dedicated prompts or instructions for AI coding agents (e.g., LLM prompts,
.cursorrules, agent migration scripts). When a migration guide is found, search within it and the surrounding repo/docs for:- Agent-specific migration prompts (often in markdown files,
.cursor/, or labeled "AI prompt", "LLM prompt", "agent instructions") - Automated agent-driven migration workflows or CLI flags (e.g.,
--agent,--ai) WebSearchfor"{package-name} v{latest} migration AI agent prompt"or"{package-name} v{latest} cursor migration"
If any agent-based migration prompt or tool is found, always surface it to the user in Step 6b — these are the highest-quality migration paths and should be preferred over manual guide-following.
- Agent-specific migration prompts (often in markdown files,
6b: Present to User for Approval
MANDATORY — before following any migration guide:
AskUserQuestion:
"Found migration guide for {package} v{current} → v{latest}:
{link-to-guide}
Key breaking changes:
- {change 1}
- {change 2}
Approach: {describe how you'll follow the guide, mention codemods if available}
Proceed with this migration?"
Options: ["Yes, follow the guide", "Skip this upgrade", "Let me review first"]
6c: Execute Migration
Only after user approval:
- Follow migration guide step by step
- Run codemods if available
- Update
package.json, run install - Run verification (Step 7)
Step 7: Verification
Run discovered commands from Step 1 sequentially, stop on first failure:
{manager} install- Type check (if available):
{manager} run {type-check-script} - Lint (if available):
{manager} run lint - Build (if available):
{manager} run build
On failure:
- Read error output, attempt fix (type errors, renamed imports, etc.)
- Re-run verification
- If stuck after 2 attempts, report failure with error details to user
Step 8: Summary
Present completion table:
| Package | From | To | Type | Source Changes | Notes |
|----------------|---------|---------|-------|----------------|-----------------|
| typescript | 5.3.0 | 5.7.0 | minor | none | batched |
| next | 15.1.0 | 16.0.0 | major | 12 files | migration guide |
| eslint | 8.x | 9.x | major | 3 files | flat config |
| @types/node | 20.x | 22.x | major | none | types only |
- Source Changes: List count of files modified due to the upgrade (excluding package.json/lockfile). If files were changed, briefly list the key files affected.
- Include skipped packages with reasons.
Security Reminders
- Never install packages by guessing names. Use exact name from existing
package.json. - Verify GitHub URLs from npm registry
repository.url, not manual construction. - Never run
{manager} add {pkg}@latestwithout confirming package name and version from registry first. Prevents typosquatting. - If anything looks suspicious, alert the user immediately.