Upgrade outdated npm dependencies in the pnpm monorepo (recursive update, latest, targeted packages). Use when the user asks to upgrade dependencies, bump packages, refresh lockfile, pnpm update, outdated packages, latest versions, or dependency refresh—not monorepo release versions.
Activate when the user says or implies:
@aws-sdk/client-s3 across workspaces)

| Topic | Use instead |
|---|---|
| Bumping "version" in workspace package.json files (parser / @dbt-tools/* release semver) | version-bump |
| Editing workspace:* links | Leave as-is unless adding/removing packages |

Dependencies live in dependencies / devDependencies / optionalDependencies. Release package semver is the "version" field—different workflow.

| Approach | Feasibility | Risk | Fit for agents | Score |
|---|---|---|---|---|
| Tiered: outdated → range update → targeted @latest → full --latest with consent | High | Controlled | Matches monorepo + CI | 92 |
| Only pnpm -r update --latest | High | High breaks | Poor default | 45 |
| npm-check-updates as primary | Medium | Medium | Second toolchain; pnpm is canonical here | 48 |
| Manual edit every package.json | Low | High drift | Error-prone | 35 |
| Upgrade without lint/test/knip | High | Unknown | Violates repo gates | unacceptable |

Default path: inventory → conservative → targeted → aggressive only with explicit user OK.
1. `pnpm outdated -r`. Optional: `pnpm outdated -r --long` if the installed pnpm supports it and the output helps triage.
2. `pnpm -r update`: refreshes the lockfile within existing semver ranges in each package.json.
3. `pnpm -r update <pkg>@latest` (e.g. `pnpm -r update @aws-sdk/client-s3@latest`) so every workspace that declares `<pkg>` moves to latest and package.json ranges update as pnpm applies. For a single workspace only: `pnpm --filter <workspace-name> add <pkg>@latest` (dev: `pnpm --filter <ws> add -D <pkg>@latest`).
4. `pnpm -r update --latest`: may jump majors across the tree. State the risk; do not run without confirmation.

After any meaningful dependency or lockfile change:
- `pnpm lint:report`
- `pnpm coverage:report`
- `pnpm knip`

All three must exit 0. If SDKs, bundlers, TypeScript, or ESLint majors moved, also run `pnpm build` and, for web, `pnpm --filter @dbt-tools/web build` (or full root build script). See AGENTS.md quality gates.
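
The tiered path and the three gates above, written as a shell wrapper that refuses the `--latest` tier without explicit consent. This is an added example, not part of the repository; the function names and the `CONFIRM_LATEST` and `RUNNER` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tiered pnpm upgrade wrapper. upgrade_cmd, run_gates, upgrade,
# CONFIRM_LATEST and RUNNER are hypothetical names, not repository code.

# Print the pnpm command for a tier; refuse the aggressive tier without consent.
upgrade_cmd() {
  tier=${1:-}
  pkg=${2:-}
  case $tier in
    inventory)    echo "pnpm outdated -r" ;;
    conservative) echo "pnpm -r update" ;;
    targeted)
      [ -n "$pkg" ] || { echo "targeted tier needs a package name" >&2; return 2; }
      echo "pnpm -r update ${pkg}@latest" ;;
    aggressive)
      [ "${CONFIRM_LATEST:-}" = "yes" ] || {
        echo "refusing --latest: may jump majors; set CONFIRM_LATEST=yes" >&2
        return 3
      }
      echo "pnpm -r update --latest" ;;
    *) echo "unknown tier: $tier" >&2; return 2 ;;
  esac
}

# Run the three quality gates in order; stop at the first non-zero exit.
# RUNNER is empty for a real run; RUNNER=echo prints the commands instead.
run_gates() {
  for gate in lint:report coverage:report knip; do
    ${RUNNER:-} pnpm "$gate" || { echo "gate failed: pnpm $gate" >&2; return 1; }
  done
}

# Run one tier, then the gates for every tier that can change the lockfile.
upgrade() {
  cmd=$(upgrade_cmd "$@") || return $?
  # Unquoted on purpose: $cmd is split into the pnpm argument list.
  ${RUNNER:-} $cmd || return 1
  [ "$1" = "inventory" ] || run_gates
}

# Act only when called with a tier, e.g.: sh upgrade.sh targeted @aws-sdk/client-s3
if [ $# -gt 0 ]; then upgrade "$@"; fi
```

Run it with `RUNNER=echo` first to see which commands a tier would execute before letting it touch the lockfile.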
Full command notes, examples, and edge cases: references/pnpm-upgrade-workflow.md.