ReddRadar
Agent skill
review-dependencies
Detect package managers and discover outdated or vulnerable dependencies. Returns structured findings without upgrading. Use when the user asks to "review dependencies", "check for outdated packages", "check dependencies", "scan dependencies", or "dependency review".
Install this agent skill to your Project
npx add-skill https://github.com/tobihagemann/turbo/tree/main/skills/review-dependencies
SKILL.md
Review Dependencies
Detect package managers and discover outdated or vulnerable dependencies. Analysis only. Does not upgrade.
Step 1: Detect Package Managers
Identify which package managers are in use by searching for config files:
| Config file | Package manager | Lockfile | Ecosystem |
|---|---|---|---|
package.json |
npm / yarn / pnpm | package-lock.json / yarn.lock / pnpm-lock.yaml |
Node.js |
Package.swift, *.xcodeproj |
Swift Package Manager | Package.resolved |
Swift |
pyproject.toml, requirements.txt, setup.py |
pip / poetry / uv | poetry.lock, uv.lock |
Python |
Cargo.toml |
cargo | Cargo.lock |
Rust |
go.mod |
Go modules | go.sum |
Go |
Gemfile |
Bundler | Gemfile.lock |
Ruby |
pom.xml |
Maven | — | Java |
build.gradle, build.gradle.kts |
Gradle | gradle.lockfile |
Java/Kotlin |
Swift dependencies can live in Package.swift or be configured directly in the Xcode project file (.xcodeproj/.xcworkspace). For Xcode-managed dependencies, inspect the project's package references.
Detection steps:
- Search for config files in the project root and subdirectories (exclude vendored directories)
- If a lockfile exists, use the corresponding package manager variant (e.g.,
yarn.lock→ yarn,pnpm-lock.yaml→ pnpm) - If multiple instances of the same package manager found (e.g., monorepo with several
package.jsonfiles): useAskUserQuestionto let the user choose which to review (multiSelect allowed) - If multiple package managers found: use
AskUserQuestionto let the user choose which to review - If none found: inform user and stop
Step 2: Discovery
Run the appropriate discovery command to find available updates:
| Package manager | Discovery command | Notes |
|---|---|---|
| npm | ncu --format group |
Requires npm-check-updates. Suggest npm install -g npm-check-updates if missing. |
| yarn | ncu --format group or yarn upgrade-interactive |
|
| pnpm | ncu --format group or pnpm outdated |
|
| Swift PM | Check resolved versions in Package.resolved against latest releases via WebSearch |
No built-in outdated command. Read Package.swift or inspect the Xcode project to identify dependencies and their current version constraints. |
| pip | pip list --outdated |
|
| poetry | poetry show --outdated |
|
| uv | uv pip list --outdated |
|
| cargo | cargo outdated |
Requires cargo-outdated. Fall back to comparing Cargo.toml versions via WebSearch. |
| Go modules | go list -m -u all |
|
| Bundler | bundle outdated |
|
| Maven | mvn versions:display-dependency-updates |
|
| Gradle | gradle dependencyUpdates |
Requires com.github.ben-manes.versions plugin. |
Categorize updates:
- Major (breaking changes) — requires migration research
- Minor (new features, backward compatible)
- Patch (bug fixes)
Step 3: Report Findings
If the discovery tool is not installed, suggest the installation command (see Step 2 notes column). If no tool exists for the ecosystem, fall back to manual version checking via WebSearch.
If no updates are available, report that dependencies are up to date.
Output Format
Return findings as a numbered list. For each finding:
### [P<N>] <title (imperative, <=80 chars)>
**Package:** `<name>` <current> -> <latest>
**Manager:** <npm/pip/cargo/etc.>
<one paragraph: why this matters, known vulnerabilities if any, major version gap>
After all findings, add:
## Overall Verdict
**Dependencies:** <up to date | updates available>
<summary with counts: N major, N minor, N patch>
Priority Levels
- P0 — Known security vulnerability (CVE) in the current version
- P1 — Multiple major versions behind (e.g., React 17 → 19)
- P2 — One major version behind or significantly outdated minor versions
- P3 — Minor or patch updates available
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
tobihagemann/turbo
review-api-usage
Check API, library, and framework usage in code against official documentation and installed skill knowledge. Flags deprecated APIs, incorrect method signatures, wrong parameter types, version-incompatible patterns, and best-practice violations. Use when the user asks to "review API usage", "check API usage", "verify against docs", "check library usage", "validate API calls", "check against documentation", or "check for deprecated APIs".
tobihagemann/turbo
resolve-pr-comments
Evaluate, fix, answer, and reply to GitHub pull request review comments. Handles both change requests (fix or skip) and reviewer questions (explain using reasoning recalled from past Claude Code transcripts). Use when the user asks to "resolve PR comments", "fix review comments", "address PR feedback", "handle review comments", "address review feedback", "respond to PR comments", "answer review questions", or "address code review".
tobihagemann/turbo
consult-codex
Multi-turn consultation with Codex CLI for second opinions, brainstorming, or collaborative problem-solving. Use when the user asks to "consult codex", "ask codex", "get codex's opinion", "brainstorm with codex", "discuss with codex", or "chat with codex".
tobihagemann/turbo
review-tooling
Detect what dev tooling infrastructure a project has and flag gaps across linters, formatters, pre-commit hooks, test runners, and CI/CD pipelines. Returns structured findings without applying changes. Use when the user asks to "review tooling", "check project tooling", "what tooling is missing", "review dev infrastructure", or "tooling audit".
tobihagemann/turbo
create-changelog
Create a CHANGELOG.md following keepachangelog.com conventions with version history backfilled from GitHub releases or git tags. Use when the user asks to "create a changelog", "add a changelog", "initialize changelog", "start a changelog", "set up changelog", "generate changelog", or "backfill changelog".
tobihagemann/turbo
update-changelog
Update the Unreleased section of CHANGELOG.md based on current changes. No-op if CHANGELOG.md does not exist. Use when the user asks to "update changelog", "add to changelog", "update the changelog", "changelog entry", "add changelog entry", or "log this change".
Didn't find tool you were looking for?