Weekly scan for outdated npm or pip packages. Fetches changelogs for each. Summarizes breaking changes with Gemini. Opens one PR per risk group.
npx "@opendirectory.dev/skills" install dependency-update-bot --target claudeWatch this quick video to see how it's done:
install-skill-on-claude-compress.mp4
- Copy the URL of this specific skill folder from your browser's address bar.
- Go to download-directory.github.io.
- Paste the URL and click Enter to download.
- Open your Claude desktop app.
- Go to the sidebar on the left side and click on the Customize section.
- Click on the Skills tab, then click on the + (plus) icon button to create a new skill.
- Choose the option to Upload a skill, and drag and drop the
.zipfile (or you can extract it and drop the folder, both work).
Note: For some skills (like
position-me), theSKILL.mdfile might be located inside a subfolder. Always make sure you are uploading the specific folder that contains theSKILL.mdfile!
- Runs
npm outdated --jsonorpip list --outdatedto find outdated packages - Classifies each update as patch (low risk), minor (medium risk), or major (high risk) using semver
- Fetches changelogs from GitHub Releases, CHANGELOG.md, or npm/PyPI registry as fallback
- Uses Gemini to summarize what changed between old and new versions, flagging breaking changes
- Creates a branch per risk group, updates the package file, and opens a PR with the changelog summary
- Opens one PR per major update (since each major bump needs individual review)
| Requirement | Purpose | How to Set Up |
|---|---|---|
| Gemini API key | Changelog summarization | aistudio.google.com, Get API key |
| GitHub CLI authenticated | PR creation | gh auth login |
| GitHub token (optional) | Higher rate limit for changelog fetching | github.com/settings/tokens, read-only scope |
cp .env.example .envFill in:
GEMINI_API_KEY(required)GITHUB_TOKEN(optional, increases GitHub API rate limit from 60 to 5,000 requests/hour)
Scan npm dependencies:
"Check for outdated packages"
"Update my dependencies and open PRs"
"Run the dependency update bot"
Scan pip dependencies:
"Check my Python packages for updates"
"Scan requirements.txt for outdated dependencies"
Specific risk level only:
"Only open PRs for patch updates today"
"Show me which packages have major version updates"
Each PR includes:
- Risk level label (patch / minor / major)
- For each package: version bump, changelog summary (3-5 bullets), breaking changes flagged with BREAKING prefix
- How to verify section
One PR per risk group for patch and minor updates. One PR per package for major updates (since each breaking change needs individual review).
| Level | Version Change | Example | Action |
|---|---|---|---|
| Patch | Z in X.Y.Z | 4.17.19 to 4.17.21 | Safe to merge after CI passes |
| Minor | Y in X.Y.Z | 4.17.x to 4.18.x | Review changelog before merging |
| Major | X in X.Y.Z | 4.x.x to 5.x.x | Read changelog carefully, test thoroughly |
If a patch or minor update's changelog contains BREAKING CHANGE keywords, the bot escalates it to major automatically.
The bot tries these sources in order for each package:
- GitHub Releases API (best)
- Raw CHANGELOG.md from the repo
- npm registry README (fallback)
- PyPI project description (last resort)
If no changelog is found, the PR still includes the version bump with a note to review manually.
dependency-update-bot/
├── SKILL.md
├── README.md
├── .env.example
├── evals/
│ └── evals.json
└── references/
└── changelog-patterns.md
MIT