| name | dependency-updates |
| description | Safe dependency update workflow for gnwebsite fullstack Django/Vue project. Use when updating packages, upgrading dependencies, fixing vulnerabilities, or when user asks to update dependencies. Covers backend Python (pyproject.toml), frontend npm packages, vulnerability audits, testing requirements, and rollback procedures. Ensures updates maintain compatibility and don't break existing functionality. |
Dependency Updates
Comprehensive guide for safely updating backend and frontend dependencies in gnwebsite project while maintaining stability and security.
When to Use This Skill
- User asks to "update dependencies" or "upgrade packages"
- Monthly/quarterly dependency maintenance
- Security vulnerability alerts
- When fixing known CVEs or vulnerabilities
- Before major feature releases
- When you hear: "Are our dependencies up to date?"
Core Principles
- Security First: Update packages with known vulnerabilities immediately
- Test-Driven: Never update without running full test suite
- Incremental: Update one category at a time (backend → frontend → devDeps)
- Documented: Track what changed and why in CODEBASE_CHANGELOG.md
- Reversible: Always commit before updates for easy rollback
Pre-Update Checklist
Before starting any dependency updates:
Backend Dependency Updates (Python)
Step 1: Audit Current Dependencies
docker-compose exec backend pip install pip-audit
docker-compose exec backend pip-audit
docker-compose exec backend pip list --outdated
Step 2: Update pyproject.toml
Source of truth: backend/pyproject.toml
[project]
dependencies = [
"Django>=5.1.0",
"djangorestframework>=3.15.2",
]
[project.optional-dependencies]
dev = [
"pytest>=8.0.0",
]
Update strategy:
- Patch updates (5.1.0 → 5.1.1): Generally safe, update automatically
- Minor updates (5.1.0 → 5.2.0): Review changelog, test thoroughly
- Major updates (5.1.0 → 6.0.0): May require code changes, plan separately
Step 3: Regenerate requirements.txt
cd backend && ./update-requirements.sh
docker-compose exec backend pip-compile pyproject.toml -o requirements.txt --resolver=backtracking --strip-extras
What this does:
- Resolves all transitive dependencies
- Locks exact versions for reproducible builds
- Generates requirements.txt from pyproject.toml
Step 4: Rebuild Backend Container
docker-compose build backend
docker-compose up -d backend
Step 5: Run Backend Tests
MANDATORY - DO NOT SKIP
docker-compose exec backend pytest jewelry_portfolio/ -x
If tests fail:
- Read error messages carefully
- Check changelogs for breaking changes
- Update code to match new API
- Re-run tests until all pass
- If unfixable, rollback:
git checkout backend/pyproject.toml backend/requirements.txt
Step 6: Test Django Admin & API Manually
docker-compose up backend
Step 7: Regenerate OpenAPI Schema
Required if Django/DRF updated:
docker-compose exec backend python manage.py spectacular --file openapi_schema.json
git diff backend/openapi_schema.json
If schema changed → proceed to frontend TypeScript client regeneration
Frontend Dependency Updates (npm)
Step 1: Audit Current Dependencies
cd frontend && npm audit
npm audit --json > audit-report.json
npm outdated
Step 2: Update package.json
Two approaches:
A. Interactive Update (Recommended for major updates)
npm install -g npm-check-updates
ncu
ncu -u
git diff package.json
B. Targeted Update (For specific packages)
npm install vue@latest
npm install typescript@~5.9.3
npm install -D vite@latest
Step 3: Install Updated Dependencies
npm install
npm install --legacy-peer-deps
Step 4: Run Frontend Tests
MANDATORY - DO NOT SKIP
npm run type-check
npm run test:run
npm run build
If tests fail:
- Check for TypeScript errors first:
npm run type-check
- Read error messages for breaking API changes
- Update components/composables to match new APIs
- Check migration guides in package changelogs
- If unfixable, rollback:
git checkout frontend/package.json frontend/package-lock.json && npm install
Step 5: Regenerate TypeScript API Client (If Backend Updated)
Required if openapi_schema.json changed:
cd frontend
npx @openapitools/openapi-generator-cli generate \
-i ../backend/openapi_schema.json \
-g typescript-fetch \
-o src/api/generated
npm run type-check
Step 6: Test Frontend Manually
npm run dev
Vulnerability-Specific Updates
For critical security updates, use expedited workflow:
Backend Vulnerabilities
docker-compose exec backend pip-audit
cd backend && ./update-requirements.sh
docker-compose build backend
docker-compose exec backend pytest jewelry_portfolio/ -x
git add backend/pyproject.toml backend/requirements.txt
git commit -m "security: update Pillow to fix CVE-XXXX-YYYY"
Frontend Vulnerabilities
npm audit
npm audit fix
npm install vulnerable-package@latest
npm run type-check && npm run test:run
git add package.json package-lock.json
git commit -m "security: update axios to fix CVE-XXXX-YYYY"
Testing Matrix
After ANY dependency update, run ALL relevant tests:
| Changed | Commands | Required |
|---|
| Backend dependencies | docker-compose exec backend pytest jewelry_portfolio/ -x | ✅ MANDATORY |
| Django/DRF | Regenerate OpenAPI schema → TypeScript client | ✅ If major update |
| Frontend dependencies | cd frontend && npm run type-check | ✅ MANDATORY |
| Frontend logic packages | cd frontend && npm run test:run | ✅ MANDATORY |
| Vue/TypeScript | cd frontend && npm run build | ✅ MANDATORY |
| Any dependency | Manual smoke testing in browser | ✅ MANDATORY |
Update Categories & Priority
High Priority (Update Immediately)
- Security vulnerabilities: Any CVE with severity ≥ 7.0
- Critical bug fixes: Data loss, auth bypass, XSS, CSRF
- Zero-day exploits: Update same day if possible
Medium Priority (Update Monthly/Quarterly)
- Minor version updates: New features, performance improvements
- Patch updates: Bug fixes without breaking changes
- DevDependencies: Testing tools, build tools
Low Priority (Update Before Major Releases)
- Major version updates: Breaking changes, require code migration
- Experimental features: Alpha/beta packages
- Optional dependencies: Nice-to-have features
Common Pitfalls & Solutions
❌ Pitfall 1: Updating Everything at Once
Problem: Can't identify which update broke tests
Solution:
git commit -m "deps: update backend security packages"
git commit -m "deps: update backend dev tools"
git commit -m "deps: update frontend runtime packages"
git commit -m "deps: update frontend dev tools"
❌ Pitfall 2: Skipping Tests
Problem: Broken code reaches production
Solution: ALWAYS run full test suite:
docker-compose exec backend pytest jewelry_portfolio/ -x
cd frontend && npm run type-check && npm run test:run && npm run build
❌ Pitfall 3: Not Reading Changelogs
Problem: Breaking changes surprise you in production
Solution: For major updates, read migration guides:
❌ Pitfall 4: Forgetting Docker Rebuild
Problem: Old packages still in container, tests pass locally but fail in CI
Solution:
docker-compose build backend
docker-compose up -d backend
❌ Pitfall 5: Using Exact Versions
Problem: Can't get security patches without manual updates
Solution:
Django==5.1.0
Django>=5.1.0
Django>=5.1.0,<6.0.0
Rollback Procedure
If updates break critical functionality:
Quick Rollback (Last Commit)
git reset --hard HEAD~1
docker-compose build backend
cd frontend && npm install
docker-compose exec backend pytest jewelry_portfolio/ -x
cd frontend && npm run test:run
Selective Rollback (Specific Files)
git checkout HEAD~1 -- backend/pyproject.toml backend/requirements.txt
cd backend && ./update-requirements.sh
docker-compose build backend
git checkout HEAD~1 -- frontend/package.json frontend/package-lock.json
cd frontend && npm install
Post-Update Checklist
After successful updates:
Commit Message Format
git commit -m "security: update Django to 5.1.4 (CVE-2024-XXXXX)"
git commit -m "deps: update backend dependencies (Django 5.1.4, DRF 3.15.3)"
git commit -m "deps: update frontend dependencies (Vue 3.5.26, Vite 7.3.0)"
git commit -m "deps!: update Vue to 3.5.0 (breaking: new Composition API)"
Documentation Requirements
Update CODEBASE_CHANGELOG.md after significant updates:
## Session: Dependency Updates - Backend Security (Jan 17, 2026)
**Goal**: Update Django and Pillow to fix security vulnerabilities
**Changes**:
- [backend/pyproject.toml](backend/pyproject.toml): Django 5.1.0 → 5.1.4 (CVE-2024-XXXXX)
- [backend/pyproject.toml](backend/pyproject.toml): Pillow 10.4.0 → 10.5.0 (CVE-2024-YYYYY)
- [backend/requirements.txt](backend/requirements.txt): Regenerated with pip-compile
**Validation**:
- ✅ Backend tests: 156 passed
- ✅ Manual admin panel check: OK
- ✅ API endpoints: OK
**Key Learning**: Django 5.1.4 changes cookie handling - required updating JWT settings
Monthly Maintenance Workflow
Recommended schedule: First Monday of each month
git checkout -b chore/dependency-updates-$(date +%Y-%m)
docker-compose exec backend pip-audit
cd backend && ./update-requirements.sh
docker-compose build backend
docker-compose exec backend pytest jewelry_portfolio/ -x
git commit -m "deps: update backend dependencies"
cd frontend
npm audit
npm outdated
ncu -u
npm install
npm run type-check && npm run test:run && npm run build
git commit -m "deps: update frontend dependencies"
git commit -m "docs: update changelog for dependency updates"
git push origin chore/dependency-updates-$(date +%Y-%m)
Integration with Other Skills
Related Files
Quick Reference Commands
cd backend && ./update-requirements.sh
docker-compose build backend
docker-compose exec backend pytest jewelry_portfolio/ -x
cd frontend
npm audit
npm outdated
ncu -u && npm install
npm run type-check && npm run test:run && npm run build
docker-compose exec backend python manage.py spectacular --file openapi_schema.json
cd frontend && npx @openapitools/openapi-generator-cli generate \
-i ../backend/openapi_schema.json \
-g typescript-fetch \
-o src/api/generated