一键在 Manus 中运行任何 Skill

cnw-templates-dep-audit

星标1

分支0

更新时间2026年6月23日 19:01

Daily dependency-staleness audit for the CNW (Create Nx Workspace) template repos under ~/projects/cnw-templates/. Detects out-of-date deps (nx, @nx/*, AND third-party), applies safe upgrades within known compatibility constraints, verifies each repo (build/test/lint/typecheck/e2e), and opens one PR per repo that has updates. Use when "audit template deps", "check template dependencies", "update template deps", "template dep audit", or for a scheduled/daily run. Distinct from `cnw-update-templates` (which only nx-migrates the 4 base templates at the old flat paths).

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

jaysoo

jaysoo/dot-ai-config

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

SKILL.md

readonly

name

cnw-templates-dep-audit

description

CNW Templates — Daily Dependency Audit

Check every CNW template repo for stale dependencies and open update PRs. Built to run unattended on a daily schedule, but safe to run by hand.

Scope

Template repos live at ~/projects/cnw-templates/<name>-template. Push target is nrwl/<name>-template main.

Live on GitHub (PRs allowed)	Not yet on GitHub (audit + report only, NO push)
angular, astro-starlight, empty, express-api, nestjs, nextjs, react, react-mfe, remotion, tanstack-ai, tanstack-start, typescript	expo, fullstack, nuxt

Re-derive the live set at runtime (don't trust this table): a repo is live if GET https://api.github.com/repos/nrwl/<name>-template/commits/main returns a sha.

Prerequisites

A GitHub PAT with repo scope for the nrwl org. Read it from the environment ($GH_TOKEN) or 1Password (op read ...) — never hardcode, never commit. Log any op/remote-git call via the op-request-reason skill.
Clean working tree per repo before starting (git -C <repo> status --porcelain empty). If dirty, skip that repo and report — do not stash/discard.
Each repo currently builds green on main (this routine only proposes upgrades).

🚫 Hard constraints — do NOT "upgrade" these (they break the templates)

These were learned the hard way (2026-06-23). The audit must respect them or it will reintroduce broken state:

Node: CI node-version stays 24. Never 20 (EOL) or downgrade.
Astro (astro-starlight): do NOT bump astro to 7+. @astrojs/starlight latest still peers astro: ^6 — verify npm view @astrojs/starlight peerDependencies allows the target astro major BEFORE bumping astro. If Starlight still caps at 6, hold.
TypeScript: only these run on ~6.0.3 — astro-starlight, react-mfe, remotion, tanstack-ai, tanstack-start. Keep ~5.9.2 on express-api, nextjs, fullstack, nuxt, expo (playwright import.meta.dirname breaks under TS6), nestjs (moduleResolution: node10 → TS5107), typescript-template (baseUrl → TS5101). Do not bump TS major on a 5.9 repo unless its blocker is independently fixed.
tanstack-ai @tanstack/ai ecosystem: capped by @tanstack/ai-react-ui (latest 0.8.9 anchors @tanstack/ai to the 0.32 line). Do NOT bump @tanstack/ai, @tanstack/ai-anthropic, @tanstack/ai-react ahead of what ai-react-ui resolves — bumping ai-anthropic to a version that peers @tanstack/ai@^0.34 makes npm DROP ai-anthropic and breaks the chat. Only advance the whole set once ai-react-ui ships a release whose peers allow it. Verify the INSTALLED version (node_modules), not the declared range — peers can silently anchor a lower version while npm ci passes.
@types/node: ^24 for server/isomorphic repos only; don't add to browser-only SPAs.

When the latest of a constrained dep is newer than the cap, log it as "held (reason)" in the report rather than upgrading.

Process

1. Per repo, detect what's stale

cd ~/projects/cnw-templates/<repo>
npm outdated --json   # current vs wanted vs latest for every dep
npm view nx version   # latest nx (compare to installed)

Split findings into:

Nx set (nx, @nx/*, nx-cloud) — upgrade together via nx migrate.
Third-party — upgrade individually to latest unless a hard constraint applies.

2. Apply Nx upgrades (if behind)

CI=true npx nx migrate <latest-or-target>
CI=true npm install
[ -f migrations.json ] && CI=true npx nx migrate --run-migrations && rm -f migrations.json

3. Apply third-party upgrades (constraint-aware)

For each stale third-party dep NOT on the hard-constraint list, bump its range to the new latest in the relevant package.json, then npm install to refresh the lockfile. Bump peers together (e.g. a vite-plugin with its vite). For constrained deps, skip + log.

4. Verify (must pass before any PR)

NX_NO_CLOUD=true NX_DAEMON=false npx nx run-many -t build test lint typecheck --skip-nx-cache
# run e2e where the repo defines it
CI=true npx nx run-many -t e2e
npx prettier --write <changed package.json/lockfiles>   # keep nx format:check green

If verification fails, revert that repo's changes (git checkout .) and report the failure — never open a red PR. (Note: angular's build can't be verified in the sandbox; flag it for manual verification instead of pushing blind.)

5. Open one PR per repo with real, verified updates

Only if there are updates AND verification passed:

cd ~/projects/cnw-templates/<repo>
git checkout -b deps/update-<YYYY-MM-DD>
git add -A && git commit -m "chore(deps): update dependencies (<YYYY-MM-DD>)"
# log via op-request-reason, then:
git push -u origin deps/update-<YYYY-MM-DD>
# create PR via GitHub API (gh is BANNED):
curl -s -X POST -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/nrwl/<repo>/pulls" \
  -d '{"title":"chore(deps): update dependencies","head":"deps/update-<YYYY-MM-DD>","base":"main","body":"<the per-repo outdated table + what was upgraded vs held>"}'

PR body must list: deps upgraded (old → new), deps held (with the constraint reason), and the verification result. For repos NOT live on GitHub, skip steps 5; just include them in the report as "audited, not pushed (repo not created)".

6. Report

One summary covering all repos: per repo → upgraded / held / no-change / PR link / skipped. Surface anything held so the owner knows an upstream is blocking (e.g. "astro 7 held — Starlight still peers ^6").

Scheduling it daily

This file IS the routine; trigger it once a day. Either:

Claude Code cron (preferred): /cron a daily job whose prompt is "run the cnw-templates-dep-audit skill". Provide $GH_TOKEN in the cron environment.
OS scheduler: a launchd/cron entry that runs claude -p "run the cnw-templates-dep-audit skill" headless with GH_TOKEN exported.

Keep it idempotent: if a deps/update-<date> branch/PR already exists for today, update it instead of opening a duplicate.

Notes / gotchas

Inline node -e / bash -c with ! mangles in fish — write scripts to a file and run them.
npm ci passing does NOT prove the declared versions resolved — a peer can anchor a lower version silently. Always check node_modules/<pkg>/package.json for the real version.
The 4 base templates' simpler nx-only update path also lives in cnw-update-templates (older skill, flat ~/projects/<x> paths — superseded by this for the dep-audit use case).

同仓库更多 Skills

同仓库

cnw-update-templates

jaysoo/dot-ai-config

Update all CNW (Create Nx Workspace) template repos to a target Nx version using nx migrate. Handles angular-template, react-template, typescript-template, and empty-template. Runs migrations, commits changes, but does NOT push without user confirmation. Use when "update templates", "cnw templates", "template update", "migrate templates", or specifying a version like "update templates to 22.7.0".

2026-06-231

pre-pr-review

jaysoo/dot-ai-config

Adversarial multi-dimension review of a branch's uncommitted/committed diff before opening or updating a PR. Fans out review dimensions (correctness, design conformance, copy/voice, hygiene/tests), adversarially verifies each finding, and drafts a terse PR description. Use for a pre-PR review, "review my branch before I open the PR", adversarial PR review, or a conformance gate before push. For deep maintainability/abstraction audits use thermo-nuclear-code-quality-review instead (complementary, not a substitute).

2026-06-181

nx-docs-iterate

jaysoo/dot-ai-config

Validate-and-ship loop for nx astro-docs changes. Runs prettier, vale, the STYLE_GUIDE structural pass, an anchor sweep, then amends the squashed commit and force-pushes with 1Password op-request logging. Use after every docs edit round in the nx repo. Triggers on "docs iterate", "amend and push the docs", "ship the docs change", "docs validate and push".

2026-06-171

readme-demo-injector

jaysoo/dot-ai-config

Save a live third-party page (GitHub repo page, npmx/npm package page, docs site) as a local static copy and inject an element into it (badge, banner, widget) for demos without shipping to prod. Use when user wants to "demo X on the GitHub README", "inject the badge into a real page", "make this page work locally", "mock up how it looks on npmjs/github", or "download and serve this page with my change". Output is a directory servable with `npx serve`.

2026-06-171

nx-deprecate-config-helper

jaysoo/dot-ai-config

Warn-only deprecation of a first-party Nx bundler config helper (composePlugins/withNx/withWeb/withReact and friends) for removal in the next major. Use when asked to "deprecate <helper>", for a "config helpers deprecated" milestone NXC ticket, or any of the @nx/{vite,webpack,rspack,next,expo,rollup}/react config-composition helpers. Triggers on "deprecate config helper", "deprecate withNx/withWeb/withReact/composePlugins", "warn-only deprecate <helper>".

2026-06-091

nx-scorecard

jaysoo/dot-ai-config

Compute Nx CLI scorecard metrics for a month: GitHub issues/PRs (nrwl/nx), Linear high-priority misc issues, and npm download counts with YoY growth. Outputs a Notion-ready markdown table. Use when user says "scorecard", "nx scorecard", "cli scorecard", "monthly scorecard", or asks for the Nx CLI team's monthly issue/PR/download metrics.

2026-06-091

name

cnw-templates-dep-audit

description

CNW Templates — Daily Dependency Audit

Check every CNW template repo for stale dependencies and open update PRs. Built to run unattended on a daily schedule, but safe to run by hand.

Scope

Template repos live at ~/projects/cnw-templates/<name>-template. Push target is nrwl/<name>-template main.

Live on GitHub (PRs allowed)	Not yet on GitHub (audit + report only, NO push)
angular, astro-starlight, empty, express-api, nestjs, nextjs, react, react-mfe, remotion, tanstack-ai, tanstack-start, typescript	expo, fullstack, nuxt

Re-derive the live set at runtime (don't trust this table): a repo is live if GET https://api.github.com/repos/nrwl/<name>-template/commits/main returns a sha.

Prerequisites

A GitHub PAT with repo scope for the nrwl org. Read it from the environment ($GH_TOKEN) or 1Password (op read ...) — never hardcode, never commit. Log any op/remote-git call via the op-request-reason skill.
Clean working tree per repo before starting (git -C <repo> status --porcelain empty). If dirty, skip that repo and report — do not stash/discard.
Each repo currently builds green on main (this routine only proposes upgrades).

🚫 Hard constraints — do NOT "upgrade" these (they break the templates)

These were learned the hard way (2026-06-23). The audit must respect them or it will reintroduce broken state:

Node: CI node-version stays 24. Never 20 (EOL) or downgrade.
Astro (astro-starlight): do NOT bump astro to 7+. @astrojs/starlight latest still peers astro: ^6 — verify npm view @astrojs/starlight peerDependencies allows the target astro major BEFORE bumping astro. If Starlight still caps at 6, hold.
TypeScript: only these run on ~6.0.3 — astro-starlight, react-mfe, remotion, tanstack-ai, tanstack-start. Keep ~5.9.2 on express-api, nextjs, fullstack, nuxt, expo (playwright import.meta.dirname breaks under TS6), nestjs (moduleResolution: node10 → TS5107), typescript-template (baseUrl → TS5101). Do not bump TS major on a 5.9 repo unless its blocker is independently fixed.
tanstack-ai @tanstack/ai ecosystem: capped by @tanstack/ai-react-ui (latest 0.8.9 anchors @tanstack/ai to the 0.32 line). Do NOT bump @tanstack/ai, @tanstack/ai-anthropic, @tanstack/ai-react ahead of what ai-react-ui resolves — bumping ai-anthropic to a version that peers @tanstack/ai@^0.34 makes npm DROP ai-anthropic and breaks the chat. Only advance the whole set once ai-react-ui ships a release whose peers allow it. Verify the INSTALLED version (node_modules), not the declared range — peers can silently anchor a lower version while npm ci passes.
@types/node: ^24 for server/isomorphic repos only; don't add to browser-only SPAs.

When the latest of a constrained dep is newer than the cap, log it as "held (reason)" in the report rather than upgrading.

Process

1. Per repo, detect what's stale

cd ~/projects/cnw-templates/<repo>
npm outdated --json   # current vs wanted vs latest for every dep
npm view nx version   # latest nx (compare to installed)

Split findings into:

Nx set (nx, @nx/*, nx-cloud) — upgrade together via nx migrate.
Third-party — upgrade individually to latest unless a hard constraint applies.

2. Apply Nx upgrades (if behind)

CI=true npx nx migrate <latest-or-target>
CI=true npm install
[ -f migrations.json ] && CI=true npx nx migrate --run-migrations && rm -f migrations.json

3. Apply third-party upgrades (constraint-aware)

4. Verify (must pass before any PR)

NX_NO_CLOUD=true NX_DAEMON=false npx nx run-many -t build test lint typecheck --skip-nx-cache
# run e2e where the repo defines it
CI=true npx nx run-many -t e2e
npx prettier --write <changed package.json/lockfiles>   # keep nx format:check green

5. Open one PR per repo with real, verified updates

Only if there are updates AND verification passed:

cd ~/projects/cnw-templates/<repo>
git checkout -b deps/update-<YYYY-MM-DD>
git add -A && git commit -m "chore(deps): update dependencies (<YYYY-MM-DD>)"
# log via op-request-reason, then:
git push -u origin deps/update-<YYYY-MM-DD>
# create PR via GitHub API (gh is BANNED):
curl -s -X POST -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/nrwl/<repo>/pulls" \
  -d '{"title":"chore(deps): update dependencies","head":"deps/update-<YYYY-MM-DD>","base":"main","body":"<the per-repo outdated table + what was upgraded vs held>"}'

6. Report

Scheduling it daily

This file IS the routine; trigger it once a day. Either:

Claude Code cron (preferred): /cron a daily job whose prompt is "run the cnw-templates-dep-audit skill". Provide $GH_TOKEN in the cron environment.
OS scheduler: a launchd/cron entry that runs claude -p "run the cnw-templates-dep-audit skill" headless with GH_TOKEN exported.

Keep it idempotent: if a deps/update-<date> branch/PR already exists for today, update it instead of opening a duplicate.

Notes / gotchas

Inline node -e / bash -c with ! mangles in fish — write scripts to a file and run them.
npm ci passing does NOT prove the declared versions resolved — a peer can anchor a lower version silently. Always check node_modules/<pkg>/package.json for the real version.
The 4 base templates' simpler nx-only update path also lives in cnw-update-templates (older skill, flat ~/projects/<x> paths — superseded by this for the dep-audit use case).