
Agentic Orchestration Part 2: Automating Dependency Updates

In Part 1, we established our local ~/.claude architecture and the concept of chaining agents via structured Handoff Documents. Now, let’s put this into practice with our first concrete workflow: /orchestrate dependency-updates <repo>.

The dependency-updates Pipeline

When managing package updates across multiple repositories, dealing with hundreds of minor and patch bumps is exhausting. To automate this, we define the following workflow in our ~/.claude/commands/orchestrate.md file:

planner -> security-upgrader -> pr-creator

Let’s break down exactly what each agent does in this chain.

1. The Planner Agent

The planner (which we run on the opus model) is the brain of the operation. Rather than just running pnpm outdated, which tells you what is stale but not what is vulnerable, our planner is instructed to actively cross-reference three separate vulnerability sources via terminal commands (REPO holds the owner/name of the repository being planned):

# Source 1: Local pnpm audit. It exits non-zero whenever it finds something,
# so don't let that abort a script that runs under set -e.
pnpm audit --json > audit-report.json || true

# Source 2: GitHub Dependabot alerts, open ones only, following every page of results.
gh api --paginate "/repos/${REPO}/dependabot/alerts?state=open"

# Source 3: GitHub Advisory Database, reviewed npm advisories only.
# gh api switches to POST as soon as a field is supplied, which this endpoint
# rejects; force GET so the fields are sent as query parameters instead.
gh api --method GET --paginate "/advisories" -f type=reviewed -f ecosystem=npm

It merges and deduplicates these reports, keying on the GHSA ID (the one identifier all three sources share; CVE IDs are not assigned to every advisory, so they make a poor key), ensuring that even if a package isn't caught by the local audit but exists in the GitHub Advisory Database, it gets flagged.

Crucially, it groups logical dependencies together and separates them by version jump, using the first patched version from the advisory (not whatever is newest on the registry) as the target. It creates two buckets: Minor/Patch updates go to the security-upgrader, and Major updates go to the major-upgrader, which this pipeline does not run (that is Part 3). It then annotates the plan with the CVE and GHSA IDs:

## HANDOFF: planner -> security-upgrader
### Minor/Patch Upgrades
- flatted 3.2.0 -> 3.4.0 (HIGH, CVE-2024-XXXX, GHSA-xxxx-yyyy)
- semver 7.0.0 -> 7.6.3 (MODERATE, GHSA-aaaa-bbbb)
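The merge-and-bucket step above, written out as a script. This is an added example, not the blog's or the planner prompt's own code; the three feeds are constructed and trimmed to the fields used, with placeholder IDs in the same style as the handoff. In a real run they would be the parsed output of `pnpm audit --json`, `gh api /repos/<owner>/<repo>/dependabot/alerts` and `gh api /advisories`, and INSTALLED would come from `pnpm ls --json`. It goes slightly beyond the text by also dropping advisories for packages that are not installed or are already on a patched release.

```javascript
// Added example (not the blog's own code): the planner's merge-and-bucket step.
// Feeds are constructed samples shaped like pnpm audit, Dependabot alerts and
// the GitHub Advisory Database; INSTALLED stands in for `pnpm ls --json`.
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Dependabot and the Advisory DB say "medium" where npm/pnpm audit say "moderate".
const normSev = (s) => { const t = String(s || 'low').toLowerCase(); return t === 'medium' ? 'moderate' : t; };
// First x.y.z in a version or range string (">=3.4.0" -> "3.4.0"); null if there is none.
const firstVersion = (s) => (String(s ?? '').match(/\d+\.\d+\.\d+/) || [null])[0];
const parseVer = (v) => firstVersion(v).split('.').map(Number);
const cmpVer = (a, b) => { const [pa, pb] = [parseVer(a), parseVer(b)]; return (pa[0] - pb[0]) || (pa[1] - pb[1]) || (pa[2] - pb[2]); };

// Each feed is normalised to { name, ghsa, cve, severity, fixed, source }.
function fromPnpmAudit(report) {
  return Object.values(report.advisories || {}).map((a) => ({
    name: a.module_name, ghsa: a.github_advisory_id, cve: (a.cves || [])[0] || null,
    severity: normSev(a.severity), fixed: firstVersion(a.patched_versions), source: 'pnpm-audit',
  }));
}
function fromDependabot(alerts) {
  return alerts.filter((al) => al.state === 'open').map((al) => ({
    name: al.security_vulnerability.package.name, ghsa: al.security_advisory.ghsa_id,
    cve: al.security_advisory.cve_id, severity: normSev(al.security_advisory.severity),
    fixed: firstVersion(al.security_vulnerability.first_patched_version?.identifier), source: 'dependabot',
  }));
}
function fromAdvisoryDb(advisories) {
  return advisories.flatMap((adv) => (adv.vulnerabilities || [])
    .filter((v) => v.package.ecosystem === 'npm')
    .map((v) => ({ name: v.package.name, ghsa: adv.ghsa_id, cve: adv.cve_id, severity: normSev(adv.severity),
      fixed: firstVersion(v.first_patched_version), source: 'advisory-db' })));
}

// Merge on the GHSA id (the one identifier all three feeds share). Keep the worst
// severity and highest fixed version seen, and remember which feeds reported it.
function mergeFindings(findings) {
  const byId = new Map();
  for (const f of findings) {
    if (!f.fixed) continue;                                  // no patched release yet: nothing to plan
    const key = f.ghsa || f.cve || `${f.name}@${f.fixed}`;
    const prev = byId.get(key);
    if (!prev) { byId.set(key, { ...f, sources: [f.source] }); continue; }
    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[prev.severity]) prev.severity = f.severity;
    if (cmpVer(f.fixed, prev.fixed) > 0) prev.fixed = f.fixed;
    prev.cve = prev.cve || f.cve;
    if (!prev.sources.includes(f.source)) prev.sources.push(f.source);
  }
  return [...byId.values()];
}

// One entry per installed package: target = highest fixed version across its
// advisories; bucket = Major when the major number changes, else Minor/Patch.
function buildPlan(merged, installed) {
  const byPkg = new Map();
  for (const f of merged) {
    if (!(f.name in installed)) continue;                    // advisory for something we don't ship
    if (cmpVer(f.fixed, installed[f.name]) <= 0) continue;   // already on a patched release
    const e = byPkg.get(f.name) || { name: f.name, from: installed[f.name], to: f.fixed, severity: f.severity, ids: [] };
    if (cmpVer(f.fixed, e.to) > 0) e.to = f.fixed;
    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[e.severity]) e.severity = f.severity;
    for (const id of [f.cve, f.ghsa]) if (id && !e.ids.includes(id)) e.ids.push(id);
    byPkg.set(f.name, e);
  }
  const worstFirst = (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name);
  const all = [...byPkg.values()].sort(worstFirst);
  const isMajor = (e) => parseVer(e.to)[0] !== parseVer(e.from)[0];
  return { minorPatch: all.filter((e) => !isMajor(e)), major: all.filter(isMajor) };
}

function renderHandoff(plan) {
  const line = (e) => `- ${e.name} ${e.from} -> ${e.to} (${e.severity.toUpperCase()}, ${e.ids.join(', ')})`;
  return ['## HANDOFF: planner -> security-upgrader', '### Minor/Patch Upgrades', ...plan.minorPatch.map(line), '',
    '## HANDOFF: planner -> major-upgrader', '### Major Upgrades', ...plan.major.map(line)].join('\n');
}

// Constructed sample feeds, shaped like the three sources (placeholder ids in the blog's own style).
const alert = (state, ghsa, cve, severity, name, fixed) => ({ state, security_advisory: { ghsa_id: ghsa, cve_id: cve, severity },
  security_vulnerability: { package: { ecosystem: 'npm', name }, first_patched_version: fixed && { identifier: fixed } } });
const advisory = (ghsa, cve, severity, name, fixed) => ({ ghsa_id: ghsa, cve_id: cve, severity,
  vulnerabilities: [{ package: { ecosystem: 'npm', name }, first_patched_version: fixed }] });
const INSTALLED = { flatted: '3.2.0', semver: '7.0.0', 'legacy-parser': '1.4.0' };
const PNPM_AUDIT = { advisories: { 1001: { module_name: 'flatted', severity: 'high', github_advisory_id: 'GHSA-xxxx-yyyy',
  cves: ['CVE-2024-XXXX'], patched_versions: '>=3.4.0' } } };
const DEPENDABOT = [
  alert('open', 'GHSA-xxxx-yyyy', 'CVE-2024-XXXX', 'high', 'flatted', '3.4.0'),      // duplicate of the audit finding
  alert('open', 'GHSA-aaaa-bbbb', null, 'medium', 'semver', '7.6.3'),
  alert('dismissed', 'GHSA-cccc-dddd', null, 'low', 'semver', '7.5.2'),             // not open: ignored
];
const ADVISORY_DB = [
  advisory('GHSA-aaaa-bbbb', null, 'medium', 'semver', '7.6.3'),                    // duplicate of the Dependabot alert
  advisory('GHSA-pppp-qqqq', 'CVE-2024-YYYY', 'critical', 'legacy-parser', '2.0.1'), // only this feed knows it
  advisory('GHSA-rrrr-ssss', null, 'high', 'not-installed', '1.0.1'),               // not in our tree: dropped
];

function planFromFeeds(audit, alerts, advisories, installed) {
  return buildPlan(mergeFindings([...fromPnpmAudit(audit), ...fromDependabot(alerts), ...fromAdvisoryDb(advisories)]), installed);
}

console.log(renderHandoff(planFromFeeds(PNPM_AUDIT, DEPENDABOT, ADVISORY_DB, INSTALLED)));
```

Two things to keep in mind when adapting this: the major/minor decision compares major numbers only, so for a 0.x package (where semver treats a minor bump as breaking) you may want to route it to the Major bucket as well; and the severities are ranked with the worst first so that the security-upgrader fixes the most urgent bumps before it runs out of budget.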

2. The Security Upgrader Agent

The security-upgrader receives the handoff and executes the plan. For each group of packages, it performs the upgrades sequentially:

  1. Runs pnpm add package@<target version>, pinning to the version the planner chose. Using @latest here would undo the planner's bucketing: a Minor/Patch item could silently pull in a major release.
  2. Executes the full validation gate: test -> format -> lint -> build.
  3. If all four pass, it moves to the next package group.

Running the full validation suite after every package bump does not guarantee stability (the gate is only as good as the test suite behind it), but it localises failures: when a bump breaks the gate, the agent knows exactly which package caused it, can revert that single change, and carries on with the rest of the plan instead of handing the pr-creator a broken tree.

3. The PR Creator Agent

Once the security-upgrader has bumped all targeted dependencies, it hands the final state (which packages were upgraded, to which versions, and the gate results) to the pr-creator.

The pr-creator agent opens a GitHub Pull Request (gh pr create). It reads the repository's PULL_REQUEST_TEMPLATE.md to format the description, listing all updated packages with their advisory IDs and confirming that the full validation gate (test, format, lint, build) passed.

The Beauty of the Chain

By separating concerns into planner, security-upgrader, and pr-creator, each agent has a single, highly focused prompt. The planner never runs a build, the security-upgrader never touches the GitHub API, and the pr-creator never has to resolve a pnpm conflict.

In Part 3, we will tackle the much harder challenge: /orchestrate major-upgrade <repo>, where the agent must actually rewrite application code to survive breaking changes.

Keep pushing forward and savor every step of your coding journey.