Automating Dependency Upgrades and Migrations with AI Agents
Turn dependency upgrades and code migrations into a focused agent run — with prompts, safety patterns, and a workflow your team can repeat.
Dependency upgrades and framework migrations are the quiet tax on every codebase. A major library release, a deprecated API, a runtime version bump — each arrives as a ticket that lingers in the backlog while security advisories pile up. Engineers know the work matters; they rarely have a spare sprint to do it properly.
Stripe’s engineering team documented how large-scale migrations can consume months of effort across multiple teams. Industry surveys consistently put maintenance at 30–50% of development capacity, and dependency churn is the largest slice of that pie. The bottleneck is rarely the version bump itself — it is the mechanical work of finding every call site, applying the right replacement, and proving nothing broke.
AI agents change the economics. Instead of reading changelogs line by line and patching imports file by file, you delegate the repetitive loop to an agent that plans the migration, applies changes across the tree, runs tests, and hands you a reviewable summary. That is AI dependency upgrade automation in practice: not magic, but a repeatable maintenance automation workflow that technical leads can standardise across services.
Why manual upgrades stall
Most upgrade tickets follow the same arc. Someone reads the release notes, greps for deprecated symbols, opens a dozen files, fixes the obvious cases, runs tests, discovers edge cases, fixes those, and eventually merges a PR that took three times longer than estimated. Multiply that across a monorepo and the work never finishes — it just moves between teams.
| Stage | What humans do | Where time disappears |
|---|---|---|
| Discovery | Read changelogs, migration guides, GitHub issues | Cross-referencing breaking changes against your actual usage |
| Analysis | Search for imports, deprecated APIs, config keys | Missed dynamic imports, generated code, test fixtures |
| Execution | Edit files one pattern at a time | Context switching between migration patterns |
| Verification | Run tests, interpret failures, iterate | Flaky tests blamed on the upgrade; unclear root cause |
| Review | Manual diff, risk assessment | Large diffs skipped; subtle regressions slip through |
A code migration AI agent does not eliminate human judgement. It compresses the mechanical stages so your review time focuses on behaviour, not boilerplate.
What agents bring to the table
The shift is from ad hoc fixes to an orchestrated pass. The agent reads official documentation, maps breaking changes to your repository, categorises call sites by migration pattern, and applies transformations in a single branch.
| Layer | Manual approach | Agentic approach |
|---|---|---|
| Discovery | Tab-hop between docs and IDE | Agent summarises breaking changes that affect this codebase |
| Analysis | Line-by-line grep and mental model | Agent lists every affected file grouped by pattern |
| Execution | One file, one pattern, repeat | Agent applies all patterns in one pass against an approved plan |
| Verification | You run tests and debug | Agent runs the suite, interprets failures, iterates within scope |
| Review | Raw diff only | Structured summary with risk annotations per change type |
Teams that schedule weekly upgrade sessions — even thirty minutes — often stay current on dependencies year-round instead of scrambling after a CVE. The win is cadence, not just speed.
Writing the upgrade prompt
The prompt is the contract. A vague “upgrade Express” invites guesswork; a scoped brief gives the agent permission to plan, execute, and verify without wandering into unrelated refactors.
```
Upgrade this Node.js project from Express 4 to Express 5.

Steps:
1. Read the official Express 5 migration guide and list breaking changes that affect our codebase
2. Find every file that imports Express or calls Express APIs
3. Apply migrations: replace implicit `res.send(body)` with explicit status calls; update error-handler `app.use` signatures; replace `req.param()` with `req.params` or `req.query`
4. Bump the dependency in package.json
5. Run the full test suite and fix failures caused by this migration only
6. Output a summary grouped by migration pattern, with file paths

Constraints:
- Do not change non-Express code or alter route behaviour
- Preserve existing error-handling middleware structure where possible
- Keep all TypeScript annotations intact
```
This structure separates planning (steps 1–2) from execution (3–4) from verification (5). Pin version numbers and, where helpful, link to the official migration guide so the agent grounds changes in published semantics rather than training-data guesses.
Agentic refactoring in action: Express 4 to 5
Framework upgrades reward pattern recognition. Express 5 removes several convenience shortcuts that worked in version 4. The `res.send(body)` change is among the most common.
```js
// Express 4 — before
app.get("/users/:id", (req, res) => {
  const user = findUser(req.params.id);
  if (!user) return res.send("User not found");
  res.json(user);
});

// Express 5 — after
app.get("/users/:id", (req, res) => {
  const user = findUser(req.params.id);
  if (!user) return res.status(404).send("User not found");
  res.json(user);
});
```
One route handler is a five-minute fix. Forty handlers across twelve files is a weekend. An agent applies the same transformation everywhere, flags handlers that omit status codes, and surfaces ambiguous patterns for your review. Value compounds when several breaking changes land together — error-handler signatures, removed `req.param()`, async error propagation — because the agent tracks patterns you would otherwise apply sequentially.
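To make the "grouped by pattern" output concrete, the sketch below builds a per-pattern list of call sites (file and line) for two of the patterns named above, so a reviewer can approve the plan before anything is edited. It is an added example, not code from the original article or from Express; the pattern ids, the `buildPlan` helper and the sample sources are assumptions made for illustration.

```javascript
// Added example: list call sites per migration pattern before any edit is applied.
// Pattern ids and the sample sources below are constructed for illustration.
const PATTERNS = [
  // req.param(name) is removed in Express 5; each caller must pick req.params or req.query.
  { id: "req.param()", re: /\breq\.param\s*\(/ },
  // res.send(...) called directly on res: the handlers the text says to flag for a missing status.
  { id: "send without explicit status", re: /\bres\.send\s*\(/ },
];

// sources: { "path/file.js": "contents" }  ->  { patternId: [{ file, line, text }] }
function buildPlan(sources) {
  const plan = Object.fromEntries(PATTERNS.map((p) => [p.id, []]));
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((raw, i) => {
      // Crude comment stripping: also truncates at "//" inside string literals.
      const code = raw.replace(/\/\/.*$/, "");
      for (const p of PATTERNS) {
        if (p.re.test(code)) plan[p.id].push({ file, line: i + 1, text: raw.trim() });
      }
    });
  }
  return plan;
}

// Constructed sample input; in a real run the contents would be read from the repository.
const SAMPLE = {
  "routes/users.js": [
    'app.get("/users/:id", (req, res) => {',
    '  const user = findUser(req.param("id"));',
    '  if (!user) return res.send("User not found");',
    "  res.json(user);",
    "});",
  ].join("\n"),
  "routes/health.js": [
    '// legacy: res.send("ok")',
    'app.get("/health", (req, res) => res.status(200).send("ok"));',
  ].join("\n"),
};

console.log(JSON.stringify(buildPlan(SAMPLE), null, 2));
```

A line-based regex misses dynamic access and multi-line chains, so treat the output as the starting file list for review rather than proof of full coverage.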
The same playbook works beyond HTTP frameworks: React class-to-hooks migrations, Jest to Vitest config moves, Python 2-to-3-style import rewrites, or updating Playwright selectors after a major release.
Safety: plan, verify, merge
Agentic refactoring without guardrails is just fast breakage. Pair every automated migration with artefacts you can audit before merge.
| Practice | What it prevents | How to implement |
|---|---|---|
| Plan before edit | Wrong assumptions applied at scale | Require a file list and per-pattern plan before any changes |
| Scoped test runs | Unrelated regressions blamed on the upgrade | Name the test command in the prompt; agent fixes only migration failures |
| Diff review | Subtle logic bugs tests miss | Inspect the PR; treat the agent summary as a checklist, not a substitute |
| Pinned context | Stale or hallucinated API guidance | Include target versions and official doc URLs in the prompt |
| Clean rollback | Broken main branch | Upgrade on a dedicated branch; never mix dependency bumps with feature work |
A practical loop: branch, run the upgrade prompt, read the structured summary, scan the diff, run tests once more locally, merge. What used to block a day often fits a single review session.
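The "plan before edit" and "clean rollback" rows can be enforced mechanically before the human diff review. The check below is an added example, not part of the original article: it compares the branch's changed files and `package.json` against the approved plan and reports anything outside it, including new dependencies and changed install-time scripts. The `checkScope` helper, the plan shape and all sample values are assumptions made for illustration.

```javascript
// Added example: report where an agent's upgrade branch strays outside the approved plan.
// Inputs are plain data so the check can run in CI; all sample values are constructed.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// plan: { target, files }; changedFiles: e.g. the output of `git diff --name-only`.
function checkScope(plan, changedFiles, pkgBefore, pkgAfter) {
  const violations = [];
  // The lockfile is allowed wholesale here; its transitive changes need their own review.
  const allowed = new Set([...plan.files, "package.json", "package-lock.json"]);
  for (const f of changedFiles) {
    if (!allowed.has(f)) violations.push(`file outside plan: ${f}`);
  }
  for (const field of DEP_FIELDS) {
    const before = pkgBefore[field] || {};
    const after = pkgAfter[field] || {};
    for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
      if (before[name] === after[name] || name === plan.target) continue;
      const what = !(name in before) ? "added" : !(name in after) ? "removed" : "changed";
      violations.push(`${field}: ${name} ${what} (${before[name]} -> ${after[name]})`);
    }
  }
  // Lifecycle scripts run code at install time, so any change to them needs human sign-off.
  for (const hook of INSTALL_HOOKS) {
    const b = (pkgBefore.scripts || {})[hook];
    const a = (pkgAfter.scripts || {})[hook];
    if (a !== b) violations.push(`scripts.${hook} changed`);
  }
  return violations;
}

// Constructed sample: the plan covers two files and the express bump only.
const PLAN = { target: "express", files: ["routes/users.js", "middleware/errors.js"] };
const BEFORE = { dependencies: { express: "^4.18.2", lodash: "^4.17.21" } };
const AFTER = {
  dependencies: { express: "^5.0.0", lodash: "^4.17.21", "left-pad": "^1.3.0" },
  scripts: { postinstall: "node setup.js" },
};
const CHANGED = ["package.json", "routes/users.js", "lib/auth.js"];

console.log(checkScope(PLAN, CHANGED, BEFORE, AFTER));
```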
Agents versus codemods and bots
Not every tool fits every job. Understanding the trade-offs keeps you from over- or under-automating.
| Approach | Best for | Limitation |
|---|---|---|
| Dependabot / Renovate | Patch and minor bumps, security PRs | Cannot rewrite call sites for breaking API changes |
| Codemods (jscodeshift, etc.) | Deterministic AST transforms at scale | Requires writing and maintaining transform scripts |
| AI agent | Multi-pattern migrations, semantic replacements | Needs prompts, review, and clear verification steps |
| Manual edit | Single-file or trivial version pins | Does not scale across services |
Use bots for routine version pins. Use codemods when you have already solved the transform once and need to replay it across thousands of files — Stripe’s post describes investing heavily in migration infrastructure for that reason. Use agents when the migration is messy: several breaking patterns, framework-specific idioms, and test failures that need interpretation. The three approaches complement each other; many teams let Renovate open the PR and an agent handle the code changes when CI fails.
When not to delegate
Patch bumps, dev-dependency updates, and transitive pins that resolve a warning rarely need an agent. Save code migration AI agent runs for work that touches behaviour or spans many files:
- Major versions with documented breaking changes
- Deprecated APIs requiring semantic replacement, not a simple rename
- Runtime or framework upgrades (Node LTS, React major, Python version)
- Security patches that alter core infrastructure or auth flows
Everything else still belongs to `npm install` and a quick smoke test.
Making maintenance invisible
The generalisable pattern is simple: define scope in the prompt, let the agent plan and execute within constraints, verify through tests and human review, merge, repeat on a schedule. Over a quarter, reclaimed hours compound into real feature capacity.
For a full framework on embedding these workflows in team practice — from single-service upgrades to monorepo automation — see Agentic Coding Pro, which covers the PLAN methodology and production patterns for agent-driven development.
The tooling is mature enough to use today. The remaining question is whether dependency upgrades stay a recurring fire drill or become background maintenance your team barely notices.