论文审查
- 作者仓库星标 95
- 许可证 MIT
- 作者更新于 实时读取
- 作者仓库 mui-file-input
- 领域
- 工程开发
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 94 / 100 · 已通过审计
- 作者 / 版本 / 许可
- @viclafouch · MIT
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- macOS · Linux · Windows
- 底层运行要求
- Node.js · Bun
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: update-deps
description: Audit all outdated dependencies with detailed research on changelogs, breaking changes, bug fixe…
category: 工程开发
runtime: Node.js / Bun
---
# update-deps 输出预览
## PART A: 任务判断
- 适用问题:代码实现、重构、调试或代码审查。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Pre-loaded data / Arguments / Step 1 — Parse and categorize”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于代码实现、重构、调试或代码审查,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Pre-loaded data / Arguments / Step 1 — Parse and categorize”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文出现了 `/update-deps` 这类斜杠命令;如果你的 Agent 支持命令触发,优先用命令开场,再补充目标和边界。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件。
先用一个小任务确认它会围绕“Pre-loaded data / Arguments / Step 1 — Parse and categorize”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: update-deps
description: Audit all outdated dependencies with detailed research on changelogs, breaking changes, bug fixe…
category: 工程开发
source: viclafouch/mui-file-input
---
# update-deps
## 什么时候使用
- 用于审阅代码、文档或方案并给出可执行反馈 适合处理工程开发场景下的代码实现、调试、重构、测试或代码审查,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步骤;通常…
- 面向代码实现、重构、调试或代码审查,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Pre-loaded data / Arguments / Step 1 — Parse and categorize」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "update-deps" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Pre-loaded data / Arguments / Step 1 — Parse and categorize
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> Node.js / Bun | 读取文件、写入/修改文件 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Dependency Update Audit
Pre-loaded data
!PM="npm"; if [ -f bun.lockb ] || [ -f bun.lock ]; then PM="bun"; elif [ -f pnpm-lock.yaml ]; then PM="pnpm"; elif [ -f yarn.lock ]; then PM="yarn"; fi; echo "=== PACKAGE_MANAGER ==="; echo "$PM"; echo "=== DATE ==="; date +%Y-%m-%d; echo "=== OUTDATED ==="; if [ "$PM" = "pnpm" ]; then pnpm outdated --json 2>/dev/null || true; elif [ "$PM" = "bun" ]; then bun outdated 2>/dev/null || true; elif [ "$PM" = "yarn" ]; then yarn outdated --json 2>/dev/null || true; else npm outdated --json 2>/dev/null || true; fi; echo "=== AUDIT ==="; if [ "$PM" = "pnpm" ]; then pnpm audit --json 2>/dev/null || true; elif [ "$PM" = "npm" ]; then npm audit --json 2>/dev/null || true; elif [ "$PM" = "yarn" ]; then yarn audit --json 2>/dev/null || true; fi; echo "=== OVERRIDES ==="; node -e "const p=require('./package.json'); console.log(JSON.stringify({overrides:p.overrides,pnpmOverrides:p.pnpm?.overrides,resolutions:p.resolutions}||{}))" 2>/dev/null || echo "{}"; echo "=== DEV_DEPS ==="; node -e "console.log(JSON.stringify(Object.keys(require('./package.json').devDependencies||{})))" 2>/dev/null || echo "[]"; echo "=== PINNED ==="; node -e "const p=require('./package.json'); const all={...p.dependencies,...p.devDependencies}; const pinned=Object.entries(all).filter(([,v])=>!v.startsWith('^')&&!v.startsWith('~')&&!v.startsWith('>')).map(([k,v])=>k+': '+v); console.log(JSON.stringify(pinned))" 2>/dev/null || echo "[]"; echo "=== ENGINES ==="; node -e "const p=require('./package.json'); console.log(JSON.stringify({node:p.engines?.node,typescript:p.devDependencies?.typescript,packageManager:p.packageManager}))" 2>/dev/null || echo "{}"; echo "=== NODE_VERSION ==="; node --version 2>/dev/null || echo "unknown"
Arguments
If arguments were passed (e.g., /update-deps react, /update-deps major):
- If the argument is
major,minor, orpatch— filter to only that update type - Otherwise, treat it as a package name filter — only audit packages whose name contains the argument
- If no arguments, audit all outdated packages
Arguments: $ARGUMENTS
Step 1 — Parse and categorize
From the pre-loaded data above, build a list of every outdated package with:
- Package name
- Current version → Wanted version (within semver range) → Latest version
- In-range: yes if
wanted > current(updatable without changingpackage.json), no if requires range bump dependencyordevDependency(use DEV_DEPS list)- Update type: major, minor, or patch (compare current → latest)
- Deprecated: check
isDeprecatedfield in pnpm JSON output. Flag prominently. - Pinned: check PINNED list. Note if the package has no
^/~prefix (intentionally locked). - Has override: check OVERRIDES data. Flag if the package appears in overrides/resolutions.
- Security advisory: cross-reference with AUDIT data. Flag packages with known CVEs.
- Engine constraints: note the project's Node.js version (from ENGINES + NODE_VERSION) and TypeScript version. Agents must check if new package versions require a newer Node.js or TypeScript.
Apply argument filters if provided. If no packages are outdated (after filtering), inform the user and stop.
Note on bun: bun outdated outputs a human-readable table, not JSON. Parse accordingly.
Note on Yarn Berry: Yarn v2+ may not support yarn outdated. If the command failed, run yarn npm info <pkg> per package or fall back to npm outdated --json.
Scale guard: If there are more than 40 outdated packages after filtering, inform the user of the count and suggest narrowing scope (e.g., /update-deps major or /update-deps react). Proceed only with user confirmation, or automatically limit to major + minor updates only (skip patches).
Step 2 — Research + impact analysis (single pass, parallel agents)
Launch parallel Agent calls. Each agent researches the changelog AND checks codebase impact in one pass.
Grouping strategy (target: max 10-12 agents total):
- One agent per package for major updates with breaking changes expected
- Group by ecosystem for minor updates: all
@tanstack/*together, all@radix-ui/*together, all@sentry/*together, alleslint-related together, etc. One agent per group. - One single agent for all
@types/*packages (these are routine, lightweight treatment) - One single agent for all patch-only updates (lightweight: just check for security fixes and notable bugs)
Agent prompt template
Each agent MUST receive and follow these instructions:
Part A — Research (for each package assigned):
Find changelog info by trying these sources in order — stop as soon as you get meaningful results:
- npm registry metadata: run
npm view [package-name] repository.url homepagevia Bash to get the repo URL and homepage - GitHub Releases page: if repo is on GitHub,
WebFetchonhttps://github.com/[org]/[repo]/releases— this is where most projects document breaking changes and migration guides - CHANGELOG.md in repo:
WebFetchonhttps://raw.githubusercontent.com/[org]/[repo]/main/CHANGELOG.md(trymasterbranch too ifmain404s). Many libraries (Radix, Prisma, TanStack, etc.) maintain aCHANGELOG.mdinstead of or alongside GitHub Releases. Important: CHANGELOGs can be very large — only extract entries between the current and latest version, skip everything older - Migration guide: for major updates,
WebFetchonhttps://github.com/[org]/[repo]/blob/main/MIGRATION.mdorUPGRADING.md— some libraries ship dedicated migration docs - context7 MCP: for major updates only, use
resolve-library-idthenquery-docsto get up-to-date docs. Skip for minor/patch. - WebSearch as fallback: search
"[package-name] v[latest] changelog","[package-name] v[latest] breaking changes","[package-name] v[latest] migration guide"
If none of these sources yield meaningful info, say so honestly — do not fabricate.
Part B — Codebase impact (for each package assigned):
Grepfor imports:from ['"][package-name]andrequire\(['"][package-name]- Count files and list key usage locations
- For each breaking change found: check if the deprecated/removed API is used in the codebase
- For each notable new feature: note if it could replace existing patterns
- For each deprecation: search for the deprecated API name in
src/ - Check peer dependency compatibility with current
package.json
Return format (already in final plan markdown — no reformatting needed):
### [package-name] (`current` → `latest`) — dependency/devDependency
**Update type**: major/minor/patch | **In-range**: yes/no | **Pinned**: yes/no
#### Changes
- **Bug fixes**: [version]: [concrete description of what was fixed]
- **New features**: [version]: [what the feature does, not just its name]
- **Breaking changes**: [description + migration steps]
- **Deprecations**: [what was deprecated + replacement]
- **Security**: [CVE if any, severity]
- **Peer deps**: [new or changed requirements]
- **License**: [only if changed between versions — e.g., MIT → GPL. Skip if unchanged]
- **Engine requirements**: [if minimum Node.js or TypeScript version changed, compare with project's versions from ENGINES data]
- **Notable**: [perf improvements, bundle size changes, other]
#### Impact on project
- **Files using this package**: X files (`src/...`, ...)
- **Bug fixes relevant to us**: yes/no — [details]
- **New features we could use**: yes/no — [details]
- **Deprecations affecting us**: yes/no — [files using deprecated API]
- **Breaking changes requiring migration**: yes/no — [files to modify]
- **Peer dependency conflicts**: yes/no — [details]
- **Override conflicts**: yes/no — [if package is in overrides, note whether override still needed]
#### Recommendation
🟢 Update now / 🟡 Update with migration / 🔴 Blocked (reason) / ⚪ Skip (reason)
#### Migration steps (if 🟡 or 🔴)
1. ...
For patch-only packages and @types/*, use a lighter format:
| Package | Current | Latest | In-range | Security | Notable |
|---------|---------|--------|----------|----------|---------|
| name | x.y.z | x.y.w | yes/no | none/CVE | brief |
Step 3 — Create the plan file
After ALL agents complete, write plan-update-deps-DATE.md (one single write, using today's date from pre-loaded data). Place it in whichever plan directory the project uses (check for .claude/plans/, docs/, or project root — prefer an existing directory; create .claude/plans/ as default if none exists).
Structure:
# Dependency Update Audit — [DATE]
## Summary
- **Package manager**: [detected PM]
- **X** packages outdated (Y major, Z minor, W patch)
- **Dependencies**: [count] | **Dev dependencies**: [count]
- **Security advisories**: [count] packages with known CVEs
- **Deprecated packages**: [count]
---
## Major updates
[Agent output for each major package, using the template above]
---
## Minor updates
[Agent output for each minor package/group, using the template above]
---
## Patch updates
[Lightweight table from agent output]
---
## Action plan
### 🟢 Safe to update now
- [package]: [one-line reason]
### 🟡 Update with migration needed
- [package]: [what needs to change]
### 🔴 Blocked
- [package]: [blocking reason — peer deps, breaking change too invasive, etc.]
### ⚪ Skip (no benefit / too risky)
- [package]: [reason]
Rules
- This is an audit only. NEVER run install, update, add, or any command that modifies
package.json, lockfiles, or source code. Nonpm install,pnpm update,yarn add,bun add, etc. - If changelog/release info is unavailable, say so honestly — do not fabricate
- For packages with dozens of patch releases, focus on the most impactful changes (security, major bugs), not every single patch
- The plan file is temporary — the user will delete it after applying updates manually
- Linting is NOT needed (no code changes)
- Do NOT update any existing plan files — this audit is standalone
- Use the detected package manager consistently — never switch to a different one
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核