// Investigate, adopt, and verify dependency updates. Captures what changed, understands why, cross-references against the codebase, and runs final checks. Supports two entry modes: run the full flow end-to-end, or review updates you already applied.
Exercise git tools, resources, and prompts against a live HTTP server via MCP JSON-RPC over curl. Starts the server, surfaces the catalog, runs real and adversarial inputs, and produces a tight report with concrete findings and numbered follow-up options. Use after adding or modifying definitions, or when the user asks to test, try out, or verify the MCP surface.
Finalize documentation and project metadata for a ship-ready release. Use after implementation is complete, tests pass, and devcheck is clean. Safe to run at any stage — each step checks current state and only acts on what still needs work.
Ship a release end-to-end across every registry this project targets (npm, MCP Registry). Runs the final verification gate, pushes commits and tags, then publishes to each applicable destination. Assumes git wrapup (version bumps, changelog, commit, annotated tag) is already complete — this skill is the post-wrapup publish workflow. Halts and alerts the user on the first failure.
File a bug or feature request against this repository (cyanheads/git-mcp-server) using the `gh` CLI. Use for tool logic bugs, git provider misbehavior, transport issues, auth/config problems, or new feature proposals.
| name | maintenance |
| description | Investigate, adopt, and verify dependency updates. Captures what changed, understands why, cross-references against the codebase, and runs final checks. Supports two entry modes: run the full flow end-to-end, or review updates you already applied. |
| metadata | {"author":"cyanheads","version":"1.0","type":"workflow"} |
bun update --latest yourself and wanting to review the impact (Mode B — typical)| Mode | Starting Point | First Step |
|---|---|---|
| A — Full flow | Lockfile is current; want to update | Step 1 |
| B — Post-update review | User already ran bun update --latest + bun run rebuild + bun test | Skip to Step 3 with the update output or git diff bun.lock |
Both modes converge at Step 3 and end at Step 6.
bun outdated
Note: bun update --latest crosses semver majors; bun update alone respects ranges. Use --latest unless a package is intentionally pinned.
bun update --latest
Capture the ↑ package old → new lines from stdout — these feed Step 3. Alternatively, git diff bun.lock surfaces version deltas after the fact.
For each updated package, fetch the release notes or CHANGELOG entries between old and new versions, then cross-reference changes against actual imports in src/. Output per package: what changed, impact on this project, action items.
Focus on packages this server directly depends on:
| Package | Impact Check |
|---|---|
@modelcontextprotocol/sdk | Protocol version bumps, breaking handler signatures, new capabilities |
hono / @hono/node-server / @hono/mcp | HTTP transport API changes, middleware signatures |
@opentelemetry/* | Instrumentation contract changes, exporter config |
tsyringe / reflect-metadata | DI container behavior, decorator semantics |
jose | JWT/JWKS verification API |
pino / pino-pretty | Logger API, transport config |
zod | Schema API (e.g., v3 → v4 refinement changes, .describe() behavior) |
typescript | New strict checks, lib changes affecting existing types |
vitest / @vitest/coverage-v8 | Test runner behavior, coverage provider changes |
eslint / typescript-eslint | New rules flagging existing code |
| Cross-spawn / execa | Child-process spawning semantics used by CliGitProvider |
Use WebFetch or Bash + curl (for full content) against the package's GitHub releases or CHANGELOG. Skim tag-to-tag diffs rather than scrolling the full file.
Apply findings from Step 3:
src/mcp-server/, src/services/, src/utils/, src/storage/, src/container/).env.example, src/config/index.ts Zod schema, and README.md if user-facingKeep diffs focused. Don't sweep refactors beyond the update's scope.
Common spots to re-check:
src/services/git/providers/cli/ if child-process libraries changedsrc/mcp-server/transports/http/ if Hono / MCP SDK changedsrc/utils/telemetry/ if OpenTelemetry SDK changedsrc/mcp-server/transports/auth/ if jose changedbun run rebuild
bun run devcheck
bun test
rebuild (clean + build) catches API surface and type-alignment issues that devcheck alone may miss — module resolution, path aliases, post-build processing. devcheck runs lint, format, typecheck, and security audit.
In Mode B, the user already ran rebuild + test before invoking this skill, but run them again here — Step 4 made code changes that need verification.
Fix anything that fails. Re-run until clean.
Present a concise numbered summary to the user:
bun update --latest) — Mode A, or already done by user — Mode Bbun run rebuild succeedsbun run devcheck passes (lint + format + typecheck + audit)bun test passes