From 79a53f856e2d2b3e231d6e5001c244d2f03f8a27 Mon Sep 17 00:00:00 2001 From: Tobi Lutke Date: Sun, 5 Apr 2026 18:17:13 -0400 Subject: [PATCH] docs(release): add dependency pinning policy and update check step Release process now checks for sqlite-vec, node-llama-cpp, and better-sqlite3 updates before cutting a release. All deps must be pinned to exact versions. --- skills/release/SKILL.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/skills/release/SKILL.md b/skills/release/SKILL.md index c4b2d82..442db34 100644 --- a/skills/release/SKILL.md +++ b/skills/release/SKILL.md @@ -46,8 +46,21 @@ When the user triggers `/release `: ``` The agent will be notified when CI completes and should report the result. +7. **Check dependency updates** — before cutting the release, check for + updates to `sqlite-vec` (and platform packages), `node-llama-cpp`, + and `better-sqlite3`. Run `pnpm outdated` and report any available + updates for these packages. If updates exist, bump them (pinned, no + `^` ranges) and re-run tests before proceeding. + If any step fails, stop and explain. Never force-push or skip validation. +## Dependency Policy + +All dependencies must be pinned to exact versions (no `^` or `~` ranges). +The lockfile ensures reproducible installs. When adding or updating any +dependency, always use the exact version string (e.g. `"3.18.1"` not +`"^3.18.1"`). + ## Changelog Standard The changelog lives in `CHANGELOG.md` and follows [Keep a Changelog](https://keepachangelog.com/) conventions.
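Review bot: Step 7 in the `@@ -46,8 +46,21 @@` hunk says the check runs "before cutting the release", but it is numbered last, after the text "The agent will be notified when CI completes and should report the result." An agent following the list in order would therefore run `pnpm outdated` only after CI has been triggered. Move the step ahead of the release steps it is meant to gate, or reword it. The same step tells the agent to bump `sqlite-vec`, `node-llama-cpp` and `better-sqlite3` as soon as updates exist, with only a test re-run as the gate. For native packages, consider changing "bump them" to "report them and wait for the user to approve each bump", so a newly published version is reviewed before it enters a release. In the new "Dependency Policy" section, "The lockfile ensures reproducible installs" holds only when installs honor the lockfile, and this patch touches `skills/release/SKILL.md` alone, so nothing enforces the exact-version rule. Consider naming the enforcement in the policy text, for example `save-exact=true` in `.npmrc`, `pnpm install --frozen-lockfile` in CI, and a check that rejects `^` or `~` ranges in `package.json`.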