Streamlining Dependency Management and Updates with Claude Code

Challenges of Dependency Management

Modern JavaScript/TypeScript projects depend on hundreds of packages. With Claude Code, you can update dependencies safely and efficiently.

Assessing the Current State

Ask Claude Code to analyze your project’s dependencies.

Analyze the project's dependencies.
- List of outdated packages
- Packages with security vulnerabilities
- Unused dependencies
- Duplicate dependencies

Auto-Update Script

import { execSync } from "child_process";
import { readFileSync, writeFileSync } from "fs";

interface OutdatedPackage {
  current: string;
  wanted: string;
  latest: string;
  location: string;
}

function checkOutdated(): Record<string, OutdatedPackage> {
  try {
    const output = execSync("npm outdated --json", {
      encoding: "utf-8",
    });
    return JSON.parse(output);
  } catch (e: any) {
    // `npm outdated` exits with code 1 when outdated packages are found
    return JSON.parse(e.stdout || "{}");
  }
}

function categorizeUpdates(
  packages: Record<string, OutdatedPackage>
) {
  const patch: string[] = [];
  const minor: string[] = [];
  const major: string[] = [];

  for (const [name, info] of Object.entries(packages)) {
    const [curMajor, curMinor] = info.current.split(".").map(Number);
    const [latMajor, latMinor] = info.latest.split(".").map(Number);

    if (latMajor > curMajor) {
      major.push(name);
    } else if (latMinor > curMinor) {
      minor.push(name);
    } else {
      patch.push(name);
    }
  }

  return { patch, minor, major };
}

Safe Update Flow

async function safeUpdate(packageName: string) {
  console.log(`Updating ${packageName}...`);

  // 1. Back up the current lock file
  execSync("cp package-lock.json package-lock.json.bak");

  try {
    // 2. Update the package
    execSync(`npm install ${packageName}@latest`);

    // 3. Type check
    execSync("npx tsc --noEmit");

    // 4. Run tests
    execSync("npm test");

    // 5. Verify the build
    execSync("npm run build");

    console.log(`${packageName} updated successfully`);
    // Delete the backup
    execSync("rm package-lock.json.bak");
  } catch (error) {
    console.error(`Update failed for ${packageName}, rolling back`);
    execSync("cp package-lock.json.bak package-lock.json");
    execSync("npm install");
    throw error;
  }
}

Finding Unused Dependencies

import depcheck from "depcheck";

async function findUnusedDeps(projectPath: string) {
  const options = {
    ignoreDirs: ["node_modules", "dist", "build"],
    ignorePatterns: ["*.test.*", "*.spec.*"],
  };

  const result = await depcheck(projectPath, options);

  console.log("Unused dependencies:");
  result.dependencies.forEach((dep) => console.log(`  - ${dep}`));

  console.log("\nUnused devDependencies:");
  result.devDependencies.forEach((dep) => console.log(`  - ${dep}`));

  console.log("\nMissing dependencies:");
  for (const [dep, files] of Object.entries(result.missing)) {
    console.log(`  - ${dep} (used in: ${files.join(", ")})`);
  }

  return result;
}

Generating Renovate/Dependabot Configurations

Ask Claude Code to generate a CI configuration for automatic updates.

// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["every weekend"],
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["minor"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["breaking-change"],
      "automerge": false
    },
    {
      "matchPackageNames": ["typescript", "eslint"],
      "groupName": "tooling"
    }
  ]
}

Automating Security Audits

function securityAudit() {
  try {
    const output = execSync("npm audit --json", {
      encoding: "utf-8",
    });
    const audit = JSON.parse(output);

    const critical = audit.metadata.vulnerabilities.critical;
    const high = audit.metadata.vulnerabilities.high;

    if (critical > 0 || high > 0) {
      console.error(
        `Critical: ${critical}, High: ${high} vulnerabilities found`
      );
      // Try to auto-fix
      execSync("npm audit fix");
    }

    return audit;
  } catch (e) {
    console.error("Audit failed:", e);
    throw e;
  }
}

Useful Prompts for Claude Code

Here’s an example prompt for asking Claude Code to handle dependency management. For automation configuration, see the hooks guide, and for efficient workflows, see 10 productivity tips that 3x your output.

Clean up the dependencies.
- Use `npm outdated` to check for outdated packages
- Batch update patch and minor versions and run tests
- Update majors one at a time and verify behavior
- Remove any unused dependencies
- Fix vulnerabilities reported by `npm audit`

For dependency management best practices, see the official npm documentation. For Claude Code details, check the official documentation.

Summary

Dependency management is unglamorous, but it’s an important task that directly affects security and maintainability. With Claude Code, you can update with a clear understanding of the impact and move forward safely.