
1k-pkg-upgrade-review skill

/.claude/skills/1k-pkg-upgrade-review

This skill analyzes npm package upgrades by diffing source, tracing usages, and generating a compatibility report to inform safe dependency changes.

npx playbooks add skill onekeyhq/app-monorepo --skill 1k-pkg-upgrade-review

SKILL.md
---
name: 1k-pkg-upgrade-review
description: Reviews package version upgrades — diffs source between versions, traces call sites, and generates compatibility reports.
disable-model-invocation: true
allowed-tools: Read, Grep, Glob, Bash, WebFetch, Write
---

# Package Upgrade Review

Evaluates npm/yarn package version upgrades by performing source-level diff analysis, tracing all call sites, and producing a structured compatibility report.

**Output language**: Chinese (matching team conventions).

## Quick Reference

| Topic | Guide | Description |
|-------|-------|-------------|
| Review workflow | [review-workflow.md](references/rules/review-workflow.md) | Step-by-step review process |
| Report template | [report-template.md](references/rules/report-template.md) | Output format and risk guidelines |
| Example report | [example-report.md](references/example-report.md) | Real case: @isaacs/brace-expansion 5.0.0 -> 5.0.1 |

## When to Use

- Dependabot / Renovate PRs that bump dependency versions
- Manual `yarn upgrade` or `npm update` changes
- Any PR that modifies `yarn.lock` or `package-lock.json`
- When the team needs to understand what actually changed inside a package before merging

## Workflow Overview

1. **Identify** the package name and version range (old -> new)
2. **Download** both versions from npm registry and extract
3. **Diff** source code between versions (focus on JS/TS, not metadata)
4. **Classify** changes: API signature, return value, new exports, removed exports, behavior changes
5. **Search** project source code for direct imports/usage
6. **Search** `node_modules` for indirect usage via intermediate packages
7. **Trace** each call site to verify argument usage and compatibility
8. **Assess** compatibility risks: signature, return type, return content, side effects
9. **Generate** structured report to `node_modules/.cache/pkg-upgrade/`
10. **Post** the full report as a PR comment via `gh pr comment`

## Key Commands

```bash
# Download and extract both versions for diffing (tar needs the target dirs to exist;
# -f makes curl fail on HTTP errors instead of piping an error page into tar)
mkdir -p /tmp/pkg-diff/old /tmp/pkg-diff/new && cd /tmp/pkg-diff
curl -sSfL "$(npm view PKG@OLD_VER dist.tarball)" | tar xz -C old
curl -sSfL "$(npm view PKG@NEW_VER dist.tarball)" | tar xz -C new

# Compare file lists
diff -rq old/package new/package

# Diff main source
diff old/package/dist/commonjs/index.js new/package/dist/commonjs/index.js

# Search project code for direct usage
grep -r "PACKAGE_NAME" --include="*.ts" --include="*.tsx" --include="*.js" -l . \
  --exclude-dir=.git --exclude-dir=node_modules

# Search node_modules for indirect usage (ESM `from` and CommonJS `require()` forms)
grep -rnE "(from|require\()['\"]PACKAGE_NAME['\"]" node_modules/ --include="*.js" --include="*.mjs" --include="*.cjs" \
  | grep -v "node_modules/.cache"

# Check package metadata
npm view PKG@NEW_VER deprecated
npm view PKG@NEW_VER dist.integrity
```

## Report Output

- **Local file**: `node_modules/.cache/pkg-upgrade/<package-name>-<old>-to-<new>.md`
- **PR comment**: The full report MUST also be posted as a comment on the PR via `gh pr comment`

## Related Skills

- `/pr-review` - Security-focused PR review (supply-chain risk)
- `/1k-code-review-pr` - Build reliability and runtime quality review

Overview

This skill reviews npm/yarn package version upgrades by diffing source between two releases, tracing call sites across the codebase, and producing a structured compatibility report. It helps teams decide whether a dependency bump is safe to merge by surfacing API changes, behavioral differences, and usage impacts. The output is saved locally and posted as a PR comment for traceability.

How this skill works

The tool downloads both package versions from the registry, extracts their sources, and performs file- and content-level diffs with emphasis on JS/TS artifacts. It classifies changes (signature, return value, exports, behavior), then searches the project and node_modules to locate direct and indirect call sites. Each call site is traced to verify argument shapes and expected return usage before a risk assessment is generated and saved as a structured report.

When to use it

  • Dependabot/Renovate PRs that bump dependency versions
  • Manual yarn upgrade or npm update changes
  • Any pull request that modifies yarn.lock or package-lock.json
  • Before merging a dependency bump when the team wants to understand internal changes
  • When you need an automated compatibility check for transitive updates

Best practices

  • Run the review on CI for every deps-related PR and fail on high-risk findings
  • Focus diffs on source files (dist, lib, esm) rather than metadata
  • Trace both direct imports and indirect usage in node_modules to catch transitive impacts
  • Classify changes by type (API signature, return content, side effects) and document examples
  • Store reports in a cache directory and post the full report as a PR comment for reviewer visibility

Example use cases

  • Assessing a minor patch version bump to confirm no breaking API changes
  • Reviewing a library upgrade that modifies returned object shapes used across the app
  • Validating a transitive dependency update introduced by another package
  • Triaging Dependabot PRs at scale by automatically generating compatibility risk summaries
  • Checking a new major version before adopting it in a mobile wallet app

FAQ

What files are compared during the review?

The review focuses on runtime source artifacts (dist, lib, esm) and other JS/TS code, while ignoring metadata-only changes unless they affect integrity or deprecation.

How are indirect usages detected?

The tool greps node_modules for imports of the package and traces through intermediate packages to find call sites that use the changed APIs.