// Bump or upgrade declared dependency versions in this pnpm workspace (root and packages/* package.json), with supply-chain checks before and after install. Use when the user asks to upgrade, bump, or refresh npm dependencies in manifests—not only the lockfile.
Check license compatibility, data privacy compliance, and AI ethics. Use when adding dependencies, handling user data, or reviewing regulatory requirements.
Deploy the application or manage infrastructure. Handles Docker builds, CI/CD, and deployment workflows.
Design a UI component with specifications for layout, states, interactions, and accessibility. Use when creating new Vue.js components or redesigning existing ones.
Implement a feature or fix a bug following the project's TypeScript patterns and conventions. Use when code changes are needed.
Create a structured implementation plan for a feature, refactoring, or multi-step task. Use as the first step in the pipeline before /orchestrate. Produces a plan that the orchestrator can turn into a delegation plan.
Review code changes for quality, security, and adherence to project conventions. Use after making code changes or when reviewing a pull request.
| name | bump-dependencies |
| description | Bump or upgrade declared dependency versions in this pnpm workspace (root and packages/* package.json), with supply-chain checks before and after install. Use when the user asks to upgrade, bump, or refresh npm dependencies in manifests—not only the lockfile. |
| argument-hint | [scope: 'all' | 'root' | 'common' | 'agents' | 'backend' | 'frontend' | or specific package names / intent] |
| allowed-tools | Bash(pnpm *), Bash(npx *), Bash(osv-scanner *) |
Apply the following scope and intent:
$ARGUMENTS
npm-check-updates inside a package directory; then return to the root for pnpm install.package.json, run pnpm install at the root so pnpm-lock.yaml stays consistent.| Directory | pnpm --filter name | Manifest |
|---|---|---|
packages/common | @llmops-demo/common | packages/common/package.json |
packages/agents | @llmops-demo-ts/agents | packages/agents/package.json |
packages/backend | @llmops-demo-ts/backend | packages/backend/package.json |
packages/frontend | @llmops-demo-ts/frontend | packages/frontend/package.json |
| (root) | — | package.json |
pnpm up -r -L may not change package.jsonCaret ranges (^x.y.z) often already allow the latest compatible release. pnpm can update the lockfile without rewriting package.json. To raise declared versions in a manifest, use targeted pnpm add, npm-check-updates, or manual edits plus root pnpm install.
@llmops-demo/commonpnpm --filter @llmops-demo/common add @langchain/core@latest @google/genai@latest
pnpm --filter @llmops-demo/common add -D jest@latest
cd packages/common && npx npm-check-updates -u
cd ../.. && pnpm install
cd packages/common && npx npm-check-updates -u -f '/@langchain/'
cd ../.. && pnpm install
@llmops-demo-ts/agentspnpm --filter @llmops-demo-ts/agents add @langchain/core@latest @langchain/langgraph@latest
pnpm --filter @llmops-demo-ts/agents add -D typescript@latest
cd packages/agents && npx npm-check-updates -u
cd ../.. && pnpm install
cd packages/agents && npx npm-check-updates -u -f '/@langchain/'
cd ../.. && pnpm install
LangGraph / SDK release notes: langgraphjs releases.
@llmops-demo-ts/backendtsoa and @tsoa/runtime are pinned to 7.0.0-alpha.0. Treat upgrades as explicit (read release notes, run backend build).
pnpm --filter @llmops-demo-ts/backend add express@latest @langchain/core@latest
pnpm --filter @llmops-demo-ts/backend add -D typescript@latest
cd packages/backend && npx npm-check-updates -u
cd ../.. && pnpm install
@llmops-demo-ts/frontendpnpm --filter @llmops-demo-ts/frontend add vue@latest pinia@latest
pnpm --filter @llmops-demo-ts/frontend add -D vite@latest
cd packages/frontend && npx npm-check-updates -u
cd ../.. && pnpm install
package.jsonnpx npm-check-updates -u
pnpm install
Or for specific devDependencies: pnpm add -D <package>@latest at the repo root, then pnpm install.
Manual edit: change version strings in the relevant package.json, then pnpm install at the root. Always review the diff before committing (especially the lockfile and new package names).
Run these before pnpm add, pnpm install, or bulk ncu when they will pull new registry versions. They reduce typosquatting, unexpected packages, and “install first, think later” risk; they do not guarantee absence of compromise.
pnpm audit (and pnpm run audit:osv if available) on the branch before changing manifests, so you know pre-existing vs new findings after the bump.@langchain/*, @google/*) when that matches the ecosystem; question unsolicited substitutes with similar names.pnpm view <name> version repository homepage — confirm the repository URL matches the project you expect.git: / tarball / non-registry URLs unless explicitly approved for this repo; stick to the default npm registry.ncu -u, “bump all”): Treat as higher risk—scan the planned version list; skip or manually review anything that introduces a new dependency name or a suspicious major jump.npx helpers: Prefer pinned invocations (npx npm-check-updates@<version> -u) if you want less drift from a moving global tool; understand npx may download a package.Then run the execution commands above for the chosen scope. After pnpm install, run the post-change gate below.
@langchain/*: Declared in common, agents, and backend. When upgrading LangChain, bump those packages together when possible so the lockfile stays consistent.workspace:*: Do not replace internal workspace dependencies with registry versions.tsoa / @tsoa/runtime: Pinned to 7.0.0-alpha.0. Treat upgrades as explicit—read upstream release notes and run the backend build; do not blind bulk-bump without review.pnpm audit and pnpm run audit:osv (or osv-scanner scan -r .); compare to the pre-change baseline.git diff pnpm-lock.yaml for unexpected new package names or version jumps (typosquats, dependency confusion, surprising transitives). Use pnpm why <name> if something looks wrong.pnpm.overrides when interpreting audit results; document any new override rationale if you add one.pnpm run audit:supply-chain runs pnpm audit; pnpm run audit:osv runs OSV Scanner when installed. If osv-scanner is missing, install it from OSV Scanner for pnpm audit:osv.From the repo root:
pnpm install
pnpm build
pnpm test
pnpm audit:supply-chain
pnpm audit:osv
If osv-scanner is not installed, run pnpm audit and install the scanner for pnpm audit:osv.
If frontend e2e tests fail for missing browsers (after a Playwright upgrade or fresh machine):
pnpm run install:playwright
Playwright is only installed under @llmops-demo-ts/frontend. Do not run pnpm exec playwright from the repo root. To open the last HTML report from the root:
pnpm run playwright:report
Ongoing version PRs: .github/dependabot.yml. Enable Dependabot security updates in the GitHub repo settings where applicable. Review CI, lockfile diffs, and supply-chain checks before merging those PRs.