zhongwei/gh-shavakan-claude-marketplace-commands
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-shavakan-claude-marketpl…/shavakan/cleanup-deps.md
Zhongwei Li 1c24761eb8 Initial commit
2025-11-30 08:56:23 +08:00

175 lines
4.7 KiB
Markdown
Raw Permalink Blame History

---
description: Clean dependencies - remove unused, fix security issues, update outdated, deduplicate
---
# Clean Up Dependencies
Remove unused packages, fix security vulnerabilities, update outdated packages, eliminate duplicate versions.
## Prerequisites
**Safety requirements:**
1. Git repository with clean working tree
2. All tests passing before cleanup
3. Backup branch created automatically
4. Test validation after each dependency change
**Run prerequisite check:**
```bash
PLUGIN_ROOT="$HOME/.claude/plugins/marketplaces/shavakan"
if [[ ! "$PLUGIN_ROOT" =~ ^"$HOME"/.* ]]; then
echo "ERROR: Invalid plugin root path"
exit 1
fi
PREREQ_SCRIPT="$PLUGIN_ROOT/commands/cleanup/scripts/check-prerequisites.sh"
if [[ ! -f "$PREREQ_SCRIPT" ]]; then
echo "ERROR: Prerequisites script not found"
exit 1
fi
PREREQ_OUTPUT=$(mktemp)
if "$PREREQ_SCRIPT" > "$PREREQ_OUTPUT" 2>&1; then
source "$PREREQ_OUTPUT"
rm "$PREREQ_OUTPUT"
else
cat "$PREREQ_OUTPUT"
rm "$PREREQ_OUTPUT"
exit 1
fi
```
This exports: `TEST_CMD`, `BACKUP_BRANCH`, `LOG_FILE`
---
## Additional Instructions
$ARGUMENTS
---
## Objective
Clean up project dependencies across four categories:
**Unused dependencies** - Installed but never imported, dev deps not used in build/test
**Security vulnerabilities** - Packages with known CVEs (critical/high priority)
**Outdated dependencies** - Packages with newer stable versions, major updates available
**Duplicates** - Same package at multiple versions, conflicting peer dependencies
---
## Execution
### Phase 1: Detect Package Manager & Scan
Identify package manager (npm/pnpm/yarn/pip/cargo/go) from lockfiles.
Scan dependencies for all four categories. Present findings grouped by category with counts and severity:
- Critical vulnerabilities (fix immediately)
- Unused packages (safe to remove)
- Outdated packages (by semver level: major/minor/patch)
- Duplicates (version conflicts)
**Gate**: User must see full audit before proceeding.
### Phase 2: Prioritize with User
Present findings with risk assessment:
- **Critical**: Security vulnerabilities (URGENT - fix immediately)
- **Safe**: Unused dependencies (safe to remove after verification)
- **Low risk**: Minor/patch updates (backwards compatible)
- **Medium risk**: Major version updates (review breaking changes)
- **Needs review**: Duplicate resolution (check compatibility)
Offer update strategies:
```
Choose cleanup strategy:
□ Conservative - Patch only, critical security fixes
□ Moderate - Minor + patch, all security fixes
□ Aggressive - All major updates (extensive testing required)
□ Custom - Select specific categories
□ Cancel
```
**Gate**: Get user approval on which categories and strategy level.
### Phase 3: Execute Cleanup
For each approved category:
**Security vulnerabilities:**
- Update to patched version
- Check release notes for breaking changes
- Update code if API changed
- Test thoroughly
**Unused dependencies:**
- Verify not imported anywhere (check for dynamic requires)
- Remove from package manifest
- Clean lockfile
- Test immediately
**Outdated packages:**
- Check CHANGELOG for breaking changes
- Update one package at a time (or related packages together)
- Update code for API changes
- Test after each update
**Duplicates:**
- Choose version to keep (usually newer)
- Use resolutions/overrides if needed
- Rebuild lockfile
- Test compatibility
**Critical safety constraint**: One change at a time. Test after each. Commit on success, rollback on failure.
**Gate**: Tests must pass before moving to next category.
### Phase 4: Report Results
Summarize: vulnerabilities fixed (by severity), unused removed, packages updated (major/minor/patch), duplicates resolved, overall security/maintenance improvement.
Delete the backup branch after successful completion:
```bash
git branch -D "$BACKUP_BRANCH"
```
---
## Safety Constraints
**CRITICAL:**
- Security fixes first - prioritize over cosmetic improvements
- One package change at a time - test between each
- Read release notes before major updates
- Commit granularly
- Don't blindly auto-fix - some fixes introduce breaking changes
- Keep lockfiles - commit package-lock.json, yarn.lock, etc.
- Check peer dependencies after updates
**If tests fail**: Rollback, check if jumping too many versions, try intermediate version, review release notes for breaking changes.
---
## After Cleanup
**Review with code-reviewer agent before pushing:**
Use `shavakan-agents:code-reviewer` to verify changes don't introduce issues.
---
## Related Commands
- `/shavakan-commands:cleanup` - Full repository audit
- `/shavakan-commands:cleanup-dead-code` - Remove unused code
- `/shavakan-commands:cleanup-architecture` - Refactor structure
Reference in New Issue View Git Blame Copy Permalink