up-to-date
npx machina-cli add skill LeonMelamud/claude-code-security-review/up-to-date --openclawUp To Date
Rule
Before writing ANY code that touches an external package or API, fetch the real documentation first. Never rely on training data — it is stale by definition.
When This Triggers
- Installing a package (
npm install,pip install,brew install) - Importing or using any third-party library
- Calling any external API (REST, GraphQL, SDK methods)
- Modifying existing integration code
- Debugging API calls that silently fail
Mandatory Steps
1. Check Version
# What's installed?
cat node_modules/<pkg>/package.json | grep '"version"'
# or: pip show <pkg> | grep Version
# What's latest?
npm info <pkg> version
# or: pip index versions <pkg>
Update if more than 1 major version behind.
2. Fetch Real Docs (pick one or more)
Context7 (preferred for popular libraries):
resolve-library-id → query-docs with specific endpoint/method question
Browser (fetch_webpage):
Fetch the official API reference page for the specific endpoint or method being used
DeepWiki (if available):
Fetch from deepwiki.com for GitHub-based packages
Do NOT skip this step. Do NOT write integration code from memory.
3. Compare Code vs Docs
Check for mismatches:
- Parameters code sends vs parameters docs accept
- Endpoint paths code hits vs current paths
- Response shape code expects vs current shape
- Required vs optional fields
- Removed or renamed parameters
4. After Changes
- Remove deprecated env vars and parameters
- Update all call sites
- Build to verify types
- Test live and verify the actual downstream effect — don't just check the HTTP status code. Confirm the resource appears where expected (dashboard, database, UI). A 200 with a valid-looking response body can still mean nothing happened.
Why This Matters
Real incident: Resend deprecated Audiences and replaced them with Segments. contacts.create() without a segments parameter still returned 200 and a valid contact object — but the contact was a global orphan invisible in the dashboard. First fix removed audienceId (training data said it was gone). Second fix added segments: [{ id }] after fetching real docs. The 200 OK trap delayed discovery twice.
Anti-Patterns
| Pattern | Risk |
|---|---|
| Writing API code from memory | Parameters may not exist anymore |
catch (e) { return { success: true } } | Hides failures completely |
if (CONFIG) { callAPI() } with no else-log | Silent skip when config is missing |
| Passing extra params API won't reject | Silently ignored, feature broken |
| Trusting 200 + valid response body = success | Resource may exist but be orphaned/invisible |
| Verifying only the API response, not the dashboard/DB | Missed side effects go undetected |
Bundled Resources
scripts/check_versions.py
Automated version checker for npm and pip packages. Run it to quickly identify outdated dependencies:
# Check a single npm package
python3 scripts/check_versions.py npm resend
# Check all package.json dependencies
python3 scripts/check_versions.py npm --all
# Check a pip package
python3 scripts/check_versions.py pip requests
references/doc-urls.md
Quick-reference table of official API documentation and changelog URLs for 30+ popular packages (email, payments, AI, databases, auth, cloud, analytics, frameworks). Consult this before searching — the correct URL may already be listed.
Related Skills
- dependency-management — use alongside when resolving version conflicts or managing lockfiles
- third-party-integration — use alongside when implementing the actual integration patterns after verifying docs
- api-versioning-strategy — use when designing your own API's versioning, not checking upstream
Source
git clone https://github.com/LeonMelamud/claude-code-security-review/blob/main/.github/skills/up-to-date/SKILL.mdView on GitHub Overview
Before touching any external package or API, this skill fetches real documentation and checks installed versus latest versions. It matters because relying on outdated training data or memory can lead to silent failures and broken integrations.
How This Skill Works
The process starts by checking what's installed (node_modules or pip) and what the latest version is. It then fetches official docs using one or more methods (Context7 for popular libraries, Browser fetch_webpage to pull the API reference, or DeepWiki if available). Finally, it compares code versus docs for parameter names, endpoints, and required fields, updates call sites and environment vars, runs builds/tests, and verifies downstream effects beyond a 200 response.
When to Use It
- Installing a package (npm install, pip install, brew install)
- Importing or using any third-party library
- Calling any external API (REST, GraphQL, SDK methods)
- Modifying existing integration code
- Debugging API calls that silently fail
Quick Start
- Step 1: Check installed vs latest versions (npm/pip) for target packages
- Step 2: Fetch real docs using Context7, Browser fetch_webpage, or DeepWiki
- Step 3: Compare code vs docs, update call sites, run build/tests, and verify downstream effects
Best Practices
- Always fetch real docs before touching code that uses external packages
- Compare your code against official docs for parameters and endpoints
- Check installed vs latest versions and update if more than 1 major version behind
- Update all call sites and environment/config options after changes
- Test live to confirm downstream effects beyond HTTP status codes (dashboard/DB/UI)
Example Use Cases
- Upgrading a REST client where API parameters changed; code no longer matches docs and requests fail until updated
- A 200 response that causes no dashboard update; after fetching docs, a required field is missing and is added to the call
- Integrating a new npm package; verify docs via Browser fetch_webpage to confirm endpoint usage before coding
- A pip package with a known major version behind; use the version check to trigger an upgrade and doc verification
- Running the bundled scripts/check_versions.py to identify outdated dependencies and fix them with current docs in hand
