From claude-resources
Bumps every @takazudo/* npm dependency to the newest version on its tracked channel (next, latest, or stable), preserving operator style and skipping workspace/file/link specs.
How this skill is triggered — by the user, by Claude, or both
Slash command
/claude-resources:dev-bump-zudo-deps [package-name... | all (default)] [--dry-run][package-name... | all (default)] [--dry-run]The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Discover every `@takazudo/*` dependency that resolves to the npm registry across **all**
@takazudo/* deps to latestDiscover every @takazudo/* dependency that resolves to the npm registry across all
package.json files in the project, bump each to the newest version on the channel it already
tracks, install, and verify the project still builds.
The fragile part — finding the deps, classifying each spec's channel, and computing the target
with correct prerelease semver — is done deterministically by scripts/resolve-bumps.mjs, so
it never depends on the model recomputing version math by hand.
The dep's current spec decides the channel, and only deps pinned to a concrete version get rewritten — specs that float are reported but left alone, because rewriting them would silently turn a deliberate choice into a hard pin:
| Current spec | Resolved to | Action |
|---|---|---|
0.1.0-next.58 (a -next.* prerelease pin) | newest release on the next line | ✏ bump |
^1.2.0-beta.3 (any other prerelease line) | newest release on that line | ✏ bump |
1.2.3 / ^1.2.3 / ~1.2.3 (stable semver) | newest stable (dist-tags.latest) | ✏ bump |
next / latest / beta (a dist-tag string) | reported (what the tag points at now) | tag |
* / x / empty (floating) | — | skip |
workspace: / file: / link: / git / url | — | skip |
Write-back preserves what was there: an exact pin stays exact, ^/~ operators are kept, and a
prerelease-pinned dep stays on its own line. A dep declared via a dist-tag string (next,
latest, …) is intentionally not rewritten — it already floats to that tag on install, so the
script just reports what the tag currently resolves to (with a stale-tag/graduation note) and
leaves the pinning decision to you. Non-registry specs (workspace:*, file:, link:,
portal:, catalog:, npm: aliases, git/url) are left untouched — bumping a workspace:* dep
would break the monorepo.
next dist-tag can be staleFor prerelease lines, the npm next dist-tag sometimes points at an older version than what's
actually published (or than latest). "Newest next" means the highest published -next.*
version, not whatever the next tag literally says. The script already resolves this by scanning
the full version list and flags two cases in its report:
next dist-tag < newest published next version (script uses the newest).latest is higher than the newest next (the line may have moved to stable);
this is a human call, so surface it instead of silently switching channels.From the project root (running without --write is a dry-run):
node "$HOME/.claude/skills/dev-bump-zudo-deps/scripts/resolve-bumps.mjs"
It prints one row per @takazudo/* dep — bump / up-to-date / tag / skip / error — with
current → target and any stale-tag/graduation notes, plus a Scanned N package.json line. Pass
exact package names to limit scope (… resolve-bumps.mjs @takazudo/zfb @takazudo/zfb-runtime);
--json adds a machine-readable plan.
up-to-date (or only tag/skip rows remain), report "already on latest" and stop.error row can mean the package is genuinely unpublished or a registry/auth/offline
issue — if every lookup errored the script says so; confirm npm view @takazudo/<pkg> works from
this shell before concluding a package is missing.tag/skip rows are deliberately not rewritten — surface them so the user can pin or update
those manually if they want.Scanned N count against the project.Read the table before writing and act on any flagged note — a graduation warning means asking the user whether to follow the line to stable rather than silently staying on the prerelease channel.
node "$HOME/.claude/skills/dev-bump-zudo-deps/scripts/resolve-bumps.mjs" --write
--write does a minimal in-place string edit per dep (it preserves each file's formatting). The
same package appearing in several package.json files is moved to the same target everywhere;
the script warns (⚠ … multiple targets) if anything would diverge.
First-party families often pin each other. Before installing, confirm a bumped package's peers are satisfied by the other targets — bump coupled packages together so the install resolves:
npm view <bumped-pkg>@<target> peerDependencies
If a peer requires a version the plan didn't reach (common with exact-pinned prerelease lines
where ^x-next.40 does NOT satisfy next.41), re-run Step 1/2 including that peer so the whole
family lands on a mutually compatible set.
Use the project's package manager (check packageManager in package.json / the lockfile —
pnpm-lock.yaml → pnpm, package-lock.json → npm, yarn.lock → yarn). Prefer a project-provided
safe-install script if one exists (e.g. pnpm install:safe).
pnpm install # or: npm install / yarn install
Independent nested workspaces install separately. After --write, the script prints the
distinct directories it edited — install in each one that has its own lockfile (a nested workspace
with an independent lockfile is not covered by the root install), and commit every changed
lockfile:
pnpm install # root workspace
cd doc && pnpm install # any printed dir that has its own lockfile
Run the project's checks and build to prove the bump didn't break anything. Use whatever the project defines:
pnpm typecheck && pnpm build # or: pnpm check, pnpm test, per the project's scripts
For a monorepo, build each workspace the bump touched, not just the root. Read the output — a green typecheck/build is the bar. If a build breaks, the new version likely changed an API or a peer; report the failure with the offending package rather than forcing the bump through.
Summarize for the user:
pkg old → new (note next-channel vs stable)workspace:/non-registry)Leave committing to the user / /commits unless they asked otherwise.
The bump is the moment first-party problems show up — a stale/misleading dist-tag, a removed or
broken export, a regression in the new version, or a consumer-side fix that should have shipped as
a package change. File these on the source repo so they get fixed at the root instead of
worked around forever, via the /dev-upstream-report skill:
Skill tool: skill="dev-upstream-report" args="<concise description + evidence>"
Privacy guardrail — this skill runs in arbitrary repos, some of them private client work. When writing an upstream report (or any external artifact), describe the problem in terms of the public package (name + version + a minimal repro), and:
Takazudo/* or
zudolab/* (e.g. Takazudo/zudo-front-builder, zudolab/zudo-doc). If the upstream is not one
of those, do not assume a repo.npx claudepluginhub takazudo/claude-resources --plugin claude-resourcesUpdate Node.js dependencies using taze CLI with smart categorization: auto-apply MINOR/PATCH updates, prompt for MAJOR updates, skip fixed versions. Supports dry-run and monorepos.
Audits and updates Node.js dependencies using native package-manager commands (npm, pnpm, yarn, bun). Applies patches silently, asks before minor, confirms each major, and cross-checks changelogs and security advisories.
Upgrades JavaScript/TypeScript dependencies with safety rails and monorepo support. Use to review, filter, and perform version bumps using taze CLI.