Audit, plan, and refresh dependency upgrades for the Logseq repository by scanning every non-gitignored package.json, deps.edn, bb.edn and nbb.edn manifest, checking latest upstream versions, cross-root consistency, lockfile resolution, deprecation, staleness, and OSV vulnerabilities, then generating a batch-ordered upgrade plan and compact JSON artifact.
Use this skill when the task is to audit dependencies, build an upgrade plan, or refresh dependency-upgrade facts for this repository.
node .agents/skills/logseq-dependency-upgrade/scripts/audit_logseq_dependencies.mjs \
--output-json <json-output-path> \
--output-md <markdown-output-path> \
[--stale-months <months>] \
[--max-update-interval <months>] \
[--include-prerelease]
- --stale-months: number of months since last publish to flag a package as stale (default: 36).
- --max-update-interval: maximum number of months between the current version's publish date and the latest version's publish date. If the interval is within this threshold, the package is NOT considered outdated and is excluded from upgrade batches (default: 6).
- --include-prerelease: boolean flag (no value). When present, the Risk column annotates any newer upstream pre-release version (SNAPSHOT / RC / alpha / beta / nightly / canary etc.). The regardless of this flag. When absent (default), pre-release versions are neither fetched nor shown.

Read the generated Markdown report — it is the primary planning document, structured for batch-wise execution.
To execute an upgrade batch:
CAUTION: Verify dependency usage before updating; remove unused packages instead of upgrading. For any dependency crossing a major version boundary, perform a rigorous review for breaking changes.
- package.json (dependencies + devDependencies).
- deps.edn and nbb.edn (:deps + :aliases extra-deps / replace-deps; covers clj-kondo, test deps, etc.).
- bb.edn (:deps + :pods).
- local/root deps (e.g. logseq/db, logseq/common) are excluded.

Target versions preserve the original specifier prefix. If current is ^1.0.0 and latest is 1.5.0, target is ^1.5.0. If current is 1.0.0 (fixed), target is 1.5.0.
For npm packages with a range specifier (e.g. ^), the script checks yarn.lock to see if the resolved version already matches latest. These packages are flagged as already resolved — they need only a lockfile refresh, not a manifest change, and carry zero upgrade risk.
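The rules above (prefix-preserving targets, the yarn.lock "already resolved" check, and the --max-update-interval / --stale-months thresholds) as a small added example; this is not the skill's own audit script, and the function names, metadata shape and sample dates are assumptions:

```javascript
// Added example, not code from the Logseq skill. Metadata shape and dates are constructed.
const MONTH_MS = 30.44 * 24 * 60 * 60 * 1000;

// Keep the original specifier prefix (^, ~, >=, or none) and swap in the new version.
function targetSpecifier(currentSpec, latestVersion) {
  const m = /^([^\d]*)(\d.*)$/.exec(currentSpec.trim());
  if (!m) throw new Error(`unsupported specifier: ${currentSpec}`);
  return `${m[1]}${latestVersion}`;
}

function monthsBetween(a, b) {
  return Math.abs(new Date(b) - new Date(a)) / MONTH_MS;
}

// Classify one npm dependency the way the report does.
// meta = { current, currentPublished, latest, latestPublished, resolved, deprecated, vulns }
// resolved = version pinned in yarn.lock (undefined if not present).
function classify(name, meta, opts = {}) {
  const { staleMonths = 36, maxUpdateInterval = 6, now = '2025-01-01' } = opts;
  const currentVersion = meta.current.replace(/^[^\d]*/, '');
  // Range specifier already resolves to latest: lockfile refresh only, zero upgrade risk.
  const alreadyResolved = meta.resolved !== undefined && meta.resolved === meta.latest;
  // Within the update interval means NOT outdated, so it is left out of batches.
  const interval = monthsBetween(meta.currentPublished, meta.latestPublished);
  const outdated = currentVersion !== meta.latest && interval > maxUpdateInterval;
  const stale = monthsBetween(meta.latestPublished, now) > staleMonths;
  const majorBoundary = currentVersion.split('.')[0] !== meta.latest.split('.')[0];
  const risk = [];
  if (meta.deprecated) risk.push('deprecated');       // from upstream package metadata
  if (meta.vulns && meta.vulns.length) risk.push('vulnerable'); // from OSV batch query
  if (majorBoundary) risk.push('major'); // needs rigorous breaking-change review
  return {
    name,
    target: targetSpecifier(meta.current, meta.latest),
    alreadyResolved,
    inBatch: outdated && !alreadyResolved,
    stale,
    risk,
  };
}
```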
The script writes:
- batches[] array for machine consumption.
- deprecated comes from upstream package metadata.
- vulnerabilities come from OSV batch queries.
- stale / low-maintenance is based on upstream publish dates.