Add experimental /update-deps Claude Code skill

[stevejalim]

Summary

• Adds a new Claude Code skill (/update-deps) that provides a structured, collaborative workflow for auditing and updating dependencies across Python (uv pip-compile), npm, and pre-commit ecosystems
• Includes cross-file version sync checking (ruff, eslint, prettier, stylelint, etc. across package.json, .pre-commit-config.yaml, and requirements/dev.in)
• Tracks denied updates in a persistent denied.md log so future runs can surface previously-rejected bumps with their reasons
• Updates .gitignore to track .claude/skills/ while keeping other .claude/ contents ignored

Details

This is an experimental skill — it won't affect any existing workflows or CI. The skill walks through 8 phases: audit → sync check → changelog research → check denied list → per-dependency approval → execute updates → verify → summary.

Pre-seeded denied.md with known pinned constraints, which we can relax manually:

• sass at 1.91.0 (Go all-in on CSS custom properties for themes, remove Sass variables mozilla/protocol#982)
• pytest at 7.4.4 (TypeError when upgrading to selenium 4.10 pytest-dev/pytest-selenium#315)
• selenium at 4.9.1 (TypeError when upgrading to selenium 4.10 pytest-dev/pytest-selenium#315)

Test plan

• Verify /update-deps loads in Claude Code's / autocomplete
• Run /update-deps sync-check to confirm the sync-check workflow works
• Run /update-deps all to exercise the full audit flow
• Confirm .claude/skills/ files are tracked by git but .claude/settings.local.json etc. are not

[Copilot]

Pull request overview

This PR adds an experimental Claude Code skill (/update-deps) that provides a structured workflow for auditing and updating dependencies across Python (uv/pip-compile), npm, and pre-commit ecosystems. The skill includes cross-file version synchronization checking, changelog research, a persistent denied-updates log, and an 8-phase interactive workflow from audit through summary.

Changes:

• Adds Claude Code skill files in .claude/skills/update-deps/ directory with workflow documentation and initial denied updates list
• Updates .gitignore to track .claude/skills/ while keeping other .claude/ contents ignored

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
.gitignore	Modified to track .claude/skills/ directory while keeping other .claude/ contents ignored
.claude/skills/update-deps/denied.md	Adds table of previously denied dependency updates with reasons and dates
.claude/skills/update-deps/SKILL.md	Comprehensive 8-phase workflow documentation for the update-deps skill including audit, sync checking, changelog research, approval, execution, verification, and summary phases

[Copilot]

The SKILL.md file mentions that postcss appears in both package.json and .pre-commit-config.yaml and should be synced. However, there's currently a version mismatch in the repository: package.json has postcss@^8.4.47 while .pre-commit-config.yaml has postcss@8.4.38 in both stylelint hook entries (lines 95 and 106). This existing mismatch should be noted in the Known Constraints section or fixed before this skill is used, as it will be flagged by the sync check.

[Copilot]

Similar to the postcss issue, there's currently a version mismatch for stylelint: package.json has stylelint@^16.26.1 while .pre-commit-config.yaml has stylelint@16.10.0 in both hook entries (lines 92 and 103). This existing mismatch should be noted in the Known Constraints section or fixed before this skill is used, as it will be flagged by the sync check phase.

[maureenlholland]

sync-check does indeed flag same issues copilot has flagged re: stylelint and postcss versions across package.json and pre-commit-config.yaml

  Issues Found

  1. stylelint — package.json is ahead of .pre-commit-config.yaml
  - package.json: ^16.26.1
  - .pre-commit-config.yaml: 16.10.0 (in both stylelint hook entries)
  - Both pre-commit hook entries need to be updated to 16.26.1

  2. postcss — package.json is ahead of .pre-commit-config.yaml
  - package.json: ^8.4.47
  - .pre-commit-config.yaml: 8.4.38 (in both stylelint hook entries)
  - Both pre-commit hook entries need to be updated to 8.4.47

  These two are sync-only updates (no package version is changing, just aligning the pre-commit pins to match what's
  already in package.json). Would you like me to apply these fixes?

[maureenlholland]

Output from update-deps all => not sure why the dry run flag wasn't available

⏺ Bash(pre-commit autoupdate --dry-run 2>&1)
  ⎿  Error: Exit code 2                                                                                                  
     usage: pre-commit [-h] [-V]                                                                                         
                       {autoupdate,clean,gc,hazmat,init-templatedir,install,install-hooks,migrate-config,run,sample-confi
     g,try-repo,uninstall,validate-config,validate-manifest,help,hook-impl}                                              
                       ...                                                                                               
     pre-commit: error: unrecognized arguments: --dry-run
                                                                                                                         
     usage: pre-commit [-h] [-V]
                       {autoupdate,clean,gc,hazmat,init-templatedir,install,install-hooks,migrate-config,run,sample-confi
     g,try-repo,uninstall,validate-config,validate-manifest,help,hook-impl}
                       ...
     pre-commit: error: unrecognized arguments: --dry-run

⏺ pre-commit autoupdate --dry-run isn't supported in this version. Falling back to manual tag checks.

[maureenlholland]

requested change is to resolve sync issues between package.json and pre-commit

not sure if the --dry-run issue is repeatable on your side, if so, that probably needs another look too

otherwise, this appears to be working as advertised and could help us stay more on top of dependency updates