chore: add dependency maintenance skill

Author: alainncls

.agents/skills/linea-dependency-maintenance/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: linea-dependency-maintenance
+description: Safely plan and execute JavaScript/TypeScript dependency maintenance across npm and pnpm repositories, including npm lockfiles, pnpm workspaces, catalogs, overrides, release-age policies, audits, CI validation, Dependabot boundaries, PRs, and GitHub tracking issues. Use whenever the user asks to update, bump, refresh, audit, clean, modernize, or review dependencies, reduce vulnerabilities, clean overrides, or prepare dependency PRs/issues.
+metadata:
+  short-description: Safe npm/pnpm dependency maintenance
+---
+
+# Dependency Maintenance
+
+Use this workflow to maximize safe dependency progress without changing the repository's package-manager contract or hiding remaining risk.
+
+## Preflight
+
+1. Read repo instructions first: `AGENTS.md`, `CLAUDE.md`, package-specific instructions, and `CONTRIBUTING.md`.
+2. Detect the package-manager contract from lockfiles, `packageManager`, CI, deploy config, and package-manager guard scripts:
+   - npm repo: use npm, preserve `package-lock.json`, and validate with `npm ci`.
+   - pnpm repo: use pnpm, preserve `pnpm-lock.yaml`, `pnpm-workspace.yaml`, catalogs, and overrides.
+   - Do not introduce a different lockfile, workspace file, package-manager metadata, or install command.
+3. Check branch and worktree state with `git status --short --branch`. If unrelated changes are present, use an isolated worktree or avoid touching those files.
+4. Read `.nvmrc`, `.node-version`, `engines`, `.npmrc`, CI workflows, deploy config, and `dependabot.yml`.
+5. Capture the baseline: outdated report, audit report, lockfile state, and relevant validation commands.
+
+## Policy
+
+- Treat release-age and cooldown rules as hard gates. Compute exact cutoff timestamps before selecting versions.
+- In pnpm repos, `minimumReleaseAge` is a maturity window in minutes; respect `minimumReleaseAgeExclude` exactly.
+- Treat npm/pnpm dependency updates as owned by this skill. Do not re-enable Dependabot npm/pnpm package-ecosystem jobs unless the user explicitly asks; GitHub Actions, Docker, and other non-JavaScript ecosystems may remain under Dependabot.
+- Preserve version style: exact pins, ranges, `catalog:` references, `workspace:` references, and repo-specific package placement.
+- Default PR scope is eligible patch and minor updates. Major upgrades, risky transitive fixes, and broad migrations get tracking issues unless the user explicitly approves doing them now.
+- Prefer official migration guides, changelogs, package registry metadata, and advisory pages for decisions that affect risk.
+
+## Inventory
+
+Build an inventory from direct dependencies, dev dependencies, peer dependencies, optional dependencies, catalogs, overrides, lockfiles, and audit output.
+
+Use native commands first:
+
+```bash
+npm outdated --json || true
+npm audit --json || true
+npm explain <package>
+npm ls <package>
+
+pnpm outdated -r --format json || true
+pnpm audit --json || true
+pnpm why <package> -r
+```
+
+When registry-age gates matter, use the bundled helper as a reproducible first pass:
+
+```bash
+node <skill-dir>/scripts/eligible-updates.mjs --manager auto --days 3
+```
+
+Replace `<skill-dir>` with the directory containing this `SKILL.md`. Adjust `--days` or `--minutes` to match the repo policy.
+
+## Triage
+
+Classify every candidate before changing files:
+
+- Safe now: patch/minor, older than cutoff, peer-compatible, and locally validatable.
+- Blocked non-major: too fresh, peer-conflicting, runtime-breaking, upstream-pinned, or requiring nontrivial code/config migration.
+- Major migration: semver-major or framework/toolchain migration that needs a dedicated issue.
+- Audit-only blocked: no patched version, incompatible transitive major, bundled dependency, or upstream package must move first.
+- Removable: unused dependency that should be deleted instead of bumped.
+
+Group tightly coupled packages together when separate bumps are likely to create peer, type, or runtime friction.
+
+## Apply
+
+- Update catalogs before workspace manifests when dependencies are shared through `catalog:`.
+- In npm repos, update `package.json` and regenerate `package-lock.json` with npm. Prefer lockfile-only install when appropriate, then validate with clean install.
+- In pnpm repos, regenerate `pnpm-lock.yaml` with normal pnpm install flow. Do not bypass `minimumReleaseAge`.
+- Preserve package-manager script safety settings such as `engine-strict`, `ignore-scripts`, LavaMoat allow-scripts, and `only-allow`.
+- Keep code/config changes minimal and only when required by the dependency update.
+- If a supposedly safe update breaks validation, revert just that candidate and document why it moved to blocked work.
+
+## Overrides
+
+Treat overrides as temporary exceptions:
+
+- Remove stale overrides after direct bumps when they no longer affect resolution or audit posture.
+- Keep or add only targeted overrides that are compatible with the dependent package and materially improve security or toolchain behavior.
+- Avoid broad overrides for transitive major jumps unless upstream compatibility is proven.
+- Document every kept override with package path, advisory or compatibility reason, current resolution, target resolution, and remaining risk.
+
+## Validation
+
+Run the narrowest meaningful checks first, then broaden by blast radius:
+
+- install or clean install
+- audit after changes
+- lint, typecheck, build, and tests
+- repo-specific checks such as Docusaurus prebuild/build, Turbo filters, Prisma generate, Playwright/Storybook browsers, Docker builds, Foundry/forge, subgraph codegen/tests, or generated-doc checks
+
+If a command cannot run, report why. If CI fails, inspect the actual logs and classify the failure as introduced by the update, exposed baseline debt, or external/non-actionable.
+
+## Tracking
+
+Open one draft PR for safe updates unless the user asks otherwise. Include:
+
+- updated packages and grouped stacks
+- release-age cutoff and skipped versions with publish timestamps
+- audit before/after summary
+- overrides removed, kept, added, or narrowed
+- blocked non-major updates and remaining advisories
+- major or blocked migration issue links
+- validation commands and caveats
+
+Open English `chore(deps): ...` issues for deferred major upgrades or blocked migration streams. Each issue should include official docs, current and target versions, expected code areas, migration plan, validation, rollout risk, and rollback notes.
+
+## Stop And Ask
+
+Pause before contract deployments, public API breakage, package-manager migration, broad refactors, invalid override trees, or CI failures that suggest a cross-cutting regression.
+
+## Additional Resources
+
+- For npm/package-lock repositories, read `references/npm.md`.
+- For pnpm workspace/catalog/override repositories, read `references/pnpm.md`.
+- For reproducible release-age inventory, run `scripts/eligible-updates.mjs`.

.agents/skills/linea-dependency-maintenance/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Dependency Maintenance"
+  short_description: "Safe npm/pnpm upgrades, audits, PRs"
+  default_prompt: "Use this skill to refresh eligible dependencies safely, respect repo package-manager policy, document blocked work, and prepare a validated dependency PR."

.agents/skills/linea-dependency-maintenance/evals/evals.json

@@ -0,0 +1,29 @@
+{
+  "skill_name": "linea-dependency-maintenance",
+  "evals": [
+    {
+      "id": 1,
+      "prompt": "In an npm Docusaurus/Vercel repo with package-lock.json, refresh eligible non-major dependencies, keep npm as the package manager, avoid pnpm files, document skipped majors, and prepare a PR summary with validation.",
+      "expected_output": "Uses npm only, preserves package-lock.json, checks registry publish dates, avoids npm audit fix --force, validates lint/typecheck/build/audit, and documents blocked updates.",
+      "files": []
+    },
+    {
+      "id": 2,
+      "prompt": "In a pnpm monorepo with pnpm-workspace catalogs, minimumReleaseAge: 4320, and many pnpm overrides, bump safe patch/minor dependencies, clean stale overrides, and create issues for majors.",
+      "expected_output": "Updates catalog entries where appropriate, respects the 3-day maturity window and exclusions, regenerates pnpm-lock.yaml, minimizes overrides, validates affected workspaces, and tracks majors separately.",
+      "files": []
+    },
+    {
+      "id": 3,
+      "prompt": "An audit report shows vulnerable transitive packages where the only patched version is a major that upstream tools may not support. Decide what to update now and what to track.",
+      "expected_output": "Avoids forcing incompatible major overrides, records dependency paths and advisories, applies only compatible direct or targeted transitive fixes, and opens follow-up issues for blocked items.",
+      "files": []
+    },
+    {
+      "id": 4,
+      "prompt": "A dependency PR fails CI after a safe update. Inspect logs, identify whether it is introduced or baseline debt, apply the smallest safe fix, and update the PR summary.",
+      "expected_output": "Uses CI logs rather than guessing, reproduces narrowly when possible, classifies the failure, narrows or reverts the problematic update if needed, and keeps the PR description aligned with the actual update set.",
+      "files": []
+    }
+  ]
+}

.agents/skills/linea-dependency-maintenance/references/npm.md

@@ -0,0 +1,59 @@
+# npm Dependency Maintenance
+
+Use these notes only for npm repositories with `package-lock.json`, npm CI, or npm-based hosting/deploy detection.
+
+## Rules
+
+- Keep npm as the only package manager unless the user explicitly asks for a migration.
+- Do not commit `pnpm-lock.yaml`, `pnpm-workspace.yaml`, `yarn.lock`, or `packageManager` changes to an npm repo just to inspect dependencies.
+- Preserve existing version specifier style. Exact pins stay exact; intentional ranges stay ranges.
+- Do not rely on `npm audit fix --force` for dependency-refresh PRs because it can apply semver-major changes or obscure why the tree changed.
+
+## Baseline
+
+```bash
+node --version
+npm --version
+npm outdated --json || true
+npm audit --json > /tmp/npm-audit-before.json || true
+```
+
+Inspect `engines.node`, `.nvmrc`, Vercel/Docusaurus config, GitHub Actions, and existing `overrides`.
+
+## Update Flow
+
+1. Select eligible patch/minor direct dependencies using registry publish times.
+2. Inspect peer-sensitive updates before editing:
+   ```bash
+   npm view <package>@<target> peerDependencies --json
+   npm view <package>@<target> peerDependenciesMeta --json
+   ```
+3. Update `package.json` and regenerate the lockfile:
+   ```bash
+   npm install --package-lock-only
+   ```
+4. Validate the resulting tree:
+   ```bash
+   npm ls --all --depth=0
+   npm ci
+   ```
+
+## Overrides
+
+- Use package-manager-native `overrides` in `package.json`.
+- Confirm paths with `npm explain <package>` or `npm ls <package>`.
+- Prefer parent-scoped overrides when a broad override creates invalid peer/range errors.
+- If the tree becomes invalid, remove the override and document the advisory as blocked.
+
+## Common Validation
+
+Documentation and Docusaurus repos usually need:
+
+```bash
+npm run lint
+npm run typecheck
+npm run build
+npm audit --json > /tmp/npm-audit-after.json || true
+```
+
+If build/prebuild scripts mutate generated docs, images, or metadata unrelated to dependency maintenance, restore those unrelated files before staging.

.agents/skills/linea-dependency-maintenance/references/pnpm.md

@@ -0,0 +1,65 @@
+# pnpm Dependency Maintenance
+
+Use these notes for pnpm repositories with `pnpm-lock.yaml`, `pnpm-workspace.yaml`, catalogs, overrides, or pnpm-specific CI.
+
+## Rules
+
+- Keep pnpm as the only package manager. Respect `packageManager`, `.npmrc`, `engines`, `engine-strict`, and `only-allow` guards.
+- `minimumReleaseAge` is a maturity window in minutes. For example, `4320` means 3 days.
+- Respect `minimumReleaseAgeExclude`; do not manually block an excluded package solely because it is inside the maturity window.
+- Preserve `catalog:` and `workspace:` dependency references. Update the catalog entry rather than each manifest when a catalog owns the version.
+
+## Baseline
+
+```bash
+node --version
+pnpm --version
+pnpm install --frozen-lockfile
+pnpm outdated -r --format json || true
+pnpm audit --json || true
+```
+
+Inspect `pnpm-workspace.yaml`, package manifests, `pnpm.overrides`, `minimumReleaseAge`, `minimumReleaseAgeExclude`, `onlyBuiltDependencies`, `patchedDependencies`, LavaMoat/allow-scripts settings, and workspace-specific CI.
+
+## Update Flow
+
+1. Build a workspace-wide inventory of direct dependencies, catalog entries, and overrides.
+2. Select the highest eligible same-major version older than the maturity cutoff, unless the package is explicitly excluded.
+3. Update shared catalog entries first.
+4. Run normal pnpm install to regenerate the lockfile:
+   ```bash
+   pnpm install
+   ```
+5. Re-run outdated and audit reports.
+
+## Overrides
+
+- Test whether an override is stale by checking whether removing it changes resolution or audit output in a temporary copy/worktree.
+- Prefer targeted selectors such as `parent>child` when a global override changes unrelated tooling.
+- Do not force transitive major versions through overrides for Hardhat, Jest/Istanbul, Graph/Matchstick, Playwright, or framework stacks unless compatibility is proven.
+- Confirm override effects:
+  ```bash
+  pnpm why <package> -r
+  pnpm audit --json || true
+  ```
+
+## Common Validation
+
+Choose checks by affected workspace:
+
+```bash
+pnpm run lint
+pnpm run prettier
+pnpm run build
+pnpm run test
+```
+
+For monorepos, prefer filtered checks where they match CI:
+
+```bash
+pnpm run --filter=<workspace> lint
+pnpm run --filter=<workspace> build
+pnpm run --filter=<workspace> test
+```
+
+Also check domain-specific tasks when touched: Turbo pipelines, Prisma generate, Playwright browser installs, Storybook visual tests, Foundry/forge, subgraph codegen/tests, Docker builds, and generated artifacts.