Automated dependency management for Python and Node.js projects. Detects outdated packages, assesses update risk, batches compatible updates, and generates automated update specs.
The Dependency Update Agent helps you maintain project dependencies safely and efficiently:
- Detects outdated dependencies for Python (pip/uv) and Node.js (npm) projects
- CVE vulnerability detection via pip-audit and npm audit
- Risk assessment for each update (breaking changes vs patch updates)
- Intelligent batching of compatible updates to minimize breakage
- Report generation in JSON and Markdown formats
- Spec generation for automated dependency updates via Auto Code
- Routine maintenance: Keep dependencies up-to-date with security patches
- Security audits: Identify and fix vulnerable dependencies
- Pre-release checks: Ensure no known vulnerabilities before deployment
- Automated updates: Generate specs for hands-off dependency updates
- Risk assessment: Understand which updates are safe vs risky
The agent requires the following tools to be installed:
For Python projects:
- `pip` (Python package manager), usually included with Python
- `pip-audit` for security vulnerability scanning: `pip install pip-audit`
- `uv` (optional, faster alternative to pip): `pip install uv`

For Node.js projects:
- `npm` (Node Package Manager), included with Node.js
Auto Code setup:
- Python 3.12+
- Auto Code backend configured (see CLI-USAGE.md)
The Dependency Update Agent is included with Auto Code. No additional installation required.
To verify it's working:

```bash
cd apps/backend
python runners/dependency_update_runner.py --help
```

Scan the current project for outdated dependencies:

```bash
cd apps/backend
python runners/dependency_update_runner.py --project .
```

This will:
- Scan for outdated Python and Node.js packages
- Check for security vulnerabilities (CVEs)
- Classify updates by risk level
- Generate update batches
- Create a markdown report at `.auto-claude/dependency-reports/dependency_report.md`
Test the scanner without generating reports:

```bash
python runners/dependency_update_runner.py --project . --dry-run
```

Focus only on vulnerable dependencies:

```bash
python runners/dependency_update_runner.py --project . --security-only
```

Scan only Python dependencies:

```bash
python runners/dependency_update_runner.py --project . --ecosystems python
```

Scan only Node.js dependencies:

```bash
python runners/dependency_update_runner.py --project . --ecosystems node
```

Get machine-readable JSON output:

```bash
python runners/dependency_update_runner.py --project . --format json
```

Generate both JSON and Markdown reports:

```bash
python runners/dependency_update_runner.py --project . --format both
```

The markdown report (`.auto-claude/dependency-reports/dependency_report.md`) includes:
- Summary: Total updates, security updates, ecosystems scanned
- Security Vulnerabilities: Grouped by severity (critical, high, medium, low)
- Update Batches: Recommended batched updates with risk levels
- All Available Updates: Detailed table with clickable package links
Example:

```markdown
# Dependency Update Report
**Generated**: 2026-02-12 16:00:00 UTC
**Project**: `/my-project`

## Summary
- **Total Updates Available**: 27
- **Security Updates**: 3
- **Update Batches**: 3
- **Ecosystems Scanned**: python, node

## 🔒 Security Vulnerabilities
Found **3** package(s) with security vulnerabilities:

### 🚨 Critical
- **requests** (python)
  - Current: `2.25.0` → Latest: `2.32.0`
  - CVEs: CVE-2024-12345

### 🟢 Low
- **axios** (node)
  - Current: `0.21.0` → Latest: `1.7.0`
  - CVEs: CVE-2023-45678

## 📦 Recommended Update Batches
### Batch 1: `security-patch-1`
- **Risk Level**: 🟢 Low
- **Priority**: 20
- **Ecosystem**: python
- **Packages**: 3
- **Notes**: Security patch updates, apply immediately
```

The JSON report (`.auto-claude/dependency-reports/dependency_report.json`) includes structured data for automation:
```json
{
  "updates_available": [
    {
      "name": "requests",
      "current_version": "2.25.0",
      "latest_version": "2.32.0",
      "update_type": "minor",
      "ecosystem": "python",
      "is_security": true,
      "cve_ids": ["CVE-2024-12345"],
      "severity": "critical",
      "changelog_url": "https://pypi.org/project/requests/"
    }
  ],
  "batches": [
    {
      "batch_id": "security-patch-1",
      "update_type": "patch",
      "ecosystem": "python",
      "packages": ["requests", "urllib3", "certifi"],
      "risk_level": "low",
      "is_security_batch": true,
      "priority": 20,
      "notes": "Security patch updates, apply immediately"
    }
  ]
}
```

The agent classifies updates into three risk levels:
**Patch updates** (Low risk)
- Version change: `1.2.3` → `1.2.4`
- Typical impact: Bug fixes, security patches
- Breaking changes: Rare
- Recommended action: Update immediately, especially if security-related

Example: `requests: 2.32.0 → 2.32.3 (patch) - Low risk`

**Minor updates** (Medium risk)
- Version change: `1.2.3` → `1.3.0`
- Typical impact: New features, deprecations
- Breaking changes: Possible but uncommon
- Recommended action: Review changelog, test before deploying

Example: `django: 4.2.0 → 4.3.0 (minor) - Medium risk`

**Major updates** (High risk)
- Version change: `1.2.3` → `2.0.0`
- Typical impact: API changes, breaking changes
- Breaking changes: Likely
- Recommended action: Careful testing, update code as needed

Example: `protobuf: 3.20.0 → 4.25.0 (major) - High risk`
The agent groups compatible updates together to minimize risk:
**Security batches**: Highest priority, always applied first
- Contains security patches only
- Risk level: Low
- Priority: 20
- Example: `security-patch-python-1`

**Patch batches**: Low risk, safe to apply together
- Contains non-security patch updates
- Risk level: Low
- Priority: 15
- Example: `patch-python-2`

**Minor batches**: Medium risk, grouped by ecosystem
- Contains minor version updates
- Risk level: Medium
- Priority: 10
- Example: `minor-python-3`

**Major batches**: High risk, one package per batch
- Each major version gets its own batch
- Risk level: High
- Priority: 5
- Example: `major-python-protobuf-4`
Apply batches in this order for the smoothest updates:
1. Security batches: fix critical vulnerabilities first
2. Patch batches: low-risk bug fixes
3. Minor batches: test new features
4. Major batches: careful testing and code updates
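As an added example (not the agent's own implementation), here is the SemVer risk classification and the batching rules from this section carried out in Python over constructed sample data. The batch-id scheme follows the examples above; treating a security-flagged major bump as its own major batch (rather than folding it into the security batch) is my reading of "one package per batch", not documented behaviour.

```python
"""Added illustration of the README's risk and batching rules; not Auto Code's own code.
Package names, versions and security flags below are constructed samples."""
from dataclasses import dataclass
import re

# Batch priorities and risk levels as documented above; higher priority is applied first.
PRIORITY = {"security": 20, "patch": 15, "minor": 10, "major": 5}
RISK = {"security": "low", "patch": "low", "minor": "medium", "major": "high"}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


@dataclass
class Update:
    name: str
    current_version: str
    latest_version: str
    ecosystem: str
    is_security: bool = False


@dataclass
class Batch:
    batch_id: str
    update_type: str
    ecosystem: str
    packages: list
    risk_level: str
    is_security_batch: bool
    priority: int


def parse_version(text: str) -> tuple:
    """Parse the leading MAJOR.MINOR.PATCH of a version; suffixes such as '-rc1' are ignored."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(current: str, latest: str) -> str:
    """Return 'patch', 'minor' or 'major' for the jump current -> latest, or 'none' if not newer."""
    cur, new = parse_version(current), parse_version(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def build_batches(updates: list) -> list:
    """Group updates: security fixes together (highest priority), then patch and
    minor updates per ecosystem, and one batch per major bump. Ordered by priority."""
    grouped = {}
    for upd in updates:
        kind = classify(upd.current_version, upd.latest_version)
        if kind == "none":
            continue  # already current, nothing to batch
        if kind == "major":
            key = ("major", upd.ecosystem, upd.name)  # one package per major batch (assumption: even if security-flagged)
        elif upd.is_security:
            key = ("security", upd.ecosystem, None)
        else:
            key = (kind, upd.ecosystem, None)
        grouped.setdefault(key, []).append(upd)

    ordered = sorted(grouped.items(), key=lambda kv: (-PRIORITY[kv[0][0]], kv[0][1], kv[0][2] or ""))
    batches = []
    for index, ((label, eco, pkg), members) in enumerate(ordered, start=1):
        if label == "security":
            batch_id = f"security-patch-{eco}-{index}"
        elif label == "major":
            batch_id = f"major-{eco}-{pkg}-{index}"
        else:
            batch_id = f"{label}-{eco}-{index}"
        batches.append(Batch(
            batch_id=batch_id,
            update_type="patch" if label == "security" else label,
            ecosystem=eco,
            packages=[m.name for m in members],
            risk_level=RISK[label],
            is_security_batch=(label == "security"),
            priority=PRIORITY[label],
        ))
    return batches


# Constructed sample input modelled on the report above.
SAMPLE_UPDATES = [
    Update("requests", "2.25.0", "2.32.0", "python", is_security=True),
    Update("urllib3", "1.26.5", "1.26.18", "python", is_security=True),
    Update("certifi", "2024.2.1", "2024.2.2", "python"),
    Update("django", "4.2.0", "4.3.0", "python"),
    Update("protobuf", "3.20.0", "4.25.0", "python"),
    Update("axios", "0.21.0", "1.7.0", "node", is_security=True),
]

if __name__ == "__main__":
    for b in build_batches(SAMPLE_UPDATES):
        print(f"{b.batch_id:28} {b.risk_level:6} priority={b.priority:2} {b.packages}")
```

Running it prints one line per batch in application order: the Python security batch first, then the patch and minor batches, then one major batch each for `axios` and `protobuf`.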
The agent can generate Auto Code specs for automated dependency updates:
Create a spec for all available updates:
```bash
python runners/dependency_update_runner.py --project . --generate-spec
```

This will:
- Run dependency scan
- Generate update batches
- Create an Auto Code spec at `.auto-claude/specs/XXX-dependency-updates/`
- Provide instructions to start the automated update

Create a spec for only security updates:

```bash
python runners/dependency_update_runner.py --project . --generate-spec --security-only
```

Create a spec for a specific batch:

```bash
python runners/dependency_update_runner.py --project . --generate-spec --batch patch-python-2
```

After generating a spec, run it with:

```bash
python run.py --spec XXX-dependency-updates
```

The Auto Code agent will:
- Update the specified dependencies
- Run the test suite to verify no regressions
- Rollback if tests fail
- Document changes in the spec
```text
--project PATH          Project directory to scan (default: current directory)
--output PATH           Output directory for reports
                        (default: project/.auto-claude/dependency-reports)
--ecosystems python,node
                        Comma-separated list of ecosystems to scan
                        (default: all ecosystems)
--security-only         Only report dependencies with security vulnerabilities
--skip-dev              Skip development dependencies
--format json|markdown|both
                        Output format for reports (default: markdown)
--dry-run               Run scan without saving reports
--generate-spec         Generate spec file for automated dependency updates
--batch ID              Generate spec for specific batch ID
--model haiku|sonnet|opus
                        Model to use for AI analysis (default: sonnet)
--thinking-level none|low|medium|high|ultrathink
                        Thinking level for extended reasoning (default: medium)
```
Check for security vulnerabilities weekly:

```bash
cd apps/backend
python runners/dependency_update_runner.py \
  --project /path/to/project \
  --security-only \
  --format markdown
```

Review the report and address critical vulnerabilities immediately.

Before releasing, ensure no known vulnerabilities:

```bash
python runners/dependency_update_runner.py \
  --project . \
  --format both \
  --dry-run
```

Generate spec for low-risk patch updates:

```bash
python runners/dependency_update_runner.py \
  --project . \
  --generate-spec
```

Then review and run the spec:

```bash
python run.py --spec XXX-dependency-updates
```

Generate markdown report to plan major upgrades:

```bash
python runners/dependency_update_runner.py \
  --project . \
  --format markdown
```

Review the major version batches and plan migration strategy.

Add to CI/CD pipeline to fail on critical vulnerabilities:

```bash
# Exit with error if critical vulnerabilities found
python runners/dependency_update_runner.py \
  --project . \
  --security-only \
  --format json \
  --dry-run
# Parse JSON for critical severity
# Exit 1 if any critical CVEs found
```

Scan dependencies regularly (at least monthly):

```bash
# Add to cron or scheduled task
python runners/dependency_update_runner.py --project . --format markdown
```

Always address security updates first:

```bash
# Check security updates daily
python runners/dependency_update_runner.py --project . --security-only
```

For non-security updates:
- Generate spec: `--generate-spec`
- Review the spec changes
- Run in isolated worktree (Auto Code default)
- Test thoroughly
- Merge after verification
Let the agent batch compatible updates:
- Apply patch batches together (low risk)
- Test minor batches before merging
- Update major versions one at a time
After updating dependencies:
- Update documentation if APIs changed
- Add migration notes for major versions
- Communicate breaking changes to team
After automated updates:
- Run full test suite
- Check for deprecation warnings
- Monitor production for issues
- Have rollback plan ready
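The CI/CD gate sketched in the best practices above ("parse JSON for critical severity, exit 1 if any critical CVEs found") as an added, working example; it is not part of the Auto Code project. It reads the `dependency_report.json` layout shown earlier, embedded here as a constructed sample so it runs offline. The severity threshold argument and the decision to treat an unknown or missing severity on a security update as blocking are my choices.

```python
"""Added example, not part of Auto Code: fail a CI step when the JSON dependency
report contains a security update at or above a severity threshold.
Assumed pipeline usage (report path taken from the README layout):

    python ci_gate.py .auto-claude/dependency-reports/dependency_report.json critical
"""
import json
import sys

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample in the shape of dependency_report.json; batches omitted.
SAMPLE_REPORT = """{
  "updates_available": [
    {"name": "requests", "current_version": "2.25.0", "latest_version": "2.32.0",
     "update_type": "minor", "ecosystem": "python", "is_security": true,
     "cve_ids": ["CVE-2024-12345"], "severity": "critical",
     "changelog_url": "https://pypi.org/project/requests/"},
    {"name": "axios", "current_version": "0.21.0", "latest_version": "1.7.0",
     "update_type": "major", "ecosystem": "node", "is_security": true,
     "cve_ids": ["CVE-2023-45678"], "severity": "low",
     "changelog_url": "https://www.npmjs.com/package/axios"},
    {"name": "certifi", "current_version": "2024.2.1", "latest_version": "2024.2.2",
     "update_type": "patch", "ecosystem": "python", "is_security": false,
     "cve_ids": [], "severity": null,
     "changelog_url": "https://pypi.org/project/certifi/"}
  ],
  "batches": []
}"""


def severity_rank(label) -> int:
    """Position of a severity label in SEVERITY_ORDER. An unknown or missing label
    ranks above 'critical' so a parsing surprise blocks the build rather than passing."""
    label = (label or "").lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER)


def blocking_findings(report_text: str, threshold: str = "critical") -> list:
    """Return 'ecosystem/name' for every security update at or above the threshold,
    in report order, printing one BLOCK line per finding to stderr."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"threshold must be one of {SEVERITY_ORDER}")
    report = json.loads(report_text)
    minimum = SEVERITY_ORDER.index(threshold)
    hits = []
    for upd in report.get("updates_available", []):
        if not upd.get("is_security"):
            continue  # outdated but no known CVE: not a gate failure
        if severity_rank(upd.get("severity")) >= minimum:
            hits.append(f"{upd['ecosystem']}/{upd['name']}")
            print(f"BLOCK {upd['ecosystem']}/{upd['name']} "
                  f"{upd['current_version']} -> {upd['latest_version']} "
                  f"severity={upd.get('severity')} cves={','.join(upd.get('cve_ids', []))}",
                  file=sys.stderr)
    return hits


def gate(report_text: str, threshold: str = "critical") -> int:
    """Exit code for the CI step: 1 when any finding blocks, else 0."""
    return 1 if blocking_findings(report_text, threshold) else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT  # demo run on the constructed sample
    level = sys.argv[2] if len(sys.argv) > 2 else "critical"
    sys.exit(gate(text, level))
```

With the sample report the script exits 1 because of the critical `requests` finding; lowering the threshold to `low` also reports `axios`, while the non-security `certifi` update never blocks.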
Problem: Python package manager not installed or not in PATH.
Solution:
- Ensure Python is installed: `python --version`
- Reinstall Python with the "Add to PATH" option
- Or use the full path: `C:\Python312\Scripts\pip.exe`

Problem: Security scanner not installed.
Solution:

```bash
pip install pip-audit
```

Problem: Node.js not installed or not in PATH.
Solution:
- Install Node.js from https://nodejs.org/
- Restart terminal after installation
- Verify: `npm --version`
Problem: Cannot install packages due to permissions.
Solution:
```bash
# Use user install
pip install --user pip-audit
# Or use virtual environment
python -m venv .venv
source .venv/bin/activate   # Linux/macOS
.venv\Scripts\activate      # Windows
```

Problem: Cannot fetch package information.
Solution:
- Check internet connection
- Configure proxy if behind corporate firewall
- Use a mirror: `pip install --index-url https://pypi.org/simple`
Problem: All dependencies are up-to-date.
Solution: This is expected! All dependencies are current.
Problem: Package manager output format changed.
Solution:
- Update the package manager: `pip install --upgrade pip`
- Report the issue at https://github.com/OBenner/Auto-Coding/issues
The Dependency Update Agent integrates seamlessly with Auto Code's spec-based workflow:
```bash
python runners/dependency_update_runner.py --project . --format both
```

Open `.auto-claude/dependency-reports/dependency_report.md` and review:
- Security vulnerabilities (address first)
- Update batches and risk levels
- Packages requiring code changes
For automated updates:

```bash
python runners/dependency_update_runner.py \
  --project . \
  --generate-spec \
  --security-only
python run.py --spec XXX-dependency-updates
```

The agent will:
- Create isolated worktree (safe from main branch)
- Update dependencies
- Run tests
- Rollback on failure
- Wait for your review
After successful update:

```bash
# Review changes in worktree
cd .worktrees/auto-code/XXX-dependency-updates
git diff
# Merge to main if satisfied
cd apps/backend
python run.py --spec XXX-dependency-updates --merge
# Or discard if issues found
python run.py --spec XXX-dependency-updates --discard
```

| Manual Updates | Dependency Update Agent |
|---|---|
| `pip list --outdated` (Python only) | Scans both Python and Node.js |
| No CVE detection | Automatic security vulnerability scanning |
| No risk assessment | Semver-based risk classification |
| Update one-by-one | Intelligent batching of compatible updates |
| Manual changelog research | Clickable links to package repositories |
| Manual testing | Automated spec generation with test verification |
| No rollback plan | Auto Code worktree isolation (safe rollback) |
A: No. The agent only scans and reports. To automate updates, use --generate-spec to create an Auto Code spec, then run the spec. This keeps you in control.
A:
- Security scans: Weekly or daily for critical projects
- Full scans: Monthly or before each release
- CI/CD: On every pull request or build
A: The agent uses pip list --outdated and npm outdated, which report the latest versions. If a version isn't showing:
- Check if it's a pre-release: `pip list --outdated --pre`
- Verify the package exists: `pip show package-name`
A: The agent detects:
- Python: `requirements.txt`, `pyproject.toml`, `setup.py`
- Node.js: `package.json`
If none found, the scan will skip that ecosystem.
A: Based on Semantic Versioning (SemVer):
- Patch (1.2.3 → 1.2.4): Low risk (bug fixes)
- Minor (1.2.3 → 1.3.0): Medium risk (new features)
- Major (1.2.3 → 2.0.0): High risk (breaking changes)
A: Not currently. Batches are auto-generated based on risk levels and security status. Feature request welcome!
A: Auto Code will:
- Stop the update process
- Keep the worktree isolated (your main branch is safe)
- Report the failure
- You can review and retry or discard
A: Yes! Scan each subproject separately:
```bash
python runners/dependency_update_runner.py --project packages/frontend
python runners/dependency_update_runner.py --project packages/backend
```

- CLI-USAGE.md - General Auto Code CLI usage
- SPEC-CREATION-PIPELINE.md - How spec creation works
- TROUBLESHOOTING.md - Common issues and solutions
For issues, feature requests, or questions:
- GitHub: https://github.com/OBenner/Auto-Coding/issues
- Documentation: https://github.com/OBenner/Auto-Coding
- Initial release
- Python (pip/uv) and Node.js (npm) support
- CVE vulnerability detection
- Risk assessment and batching
- JSON and Markdown reports
- Spec generation for automated updates