Why major dependency bumps feel scary (and how we think about them)
When a bot opens “bump react to 19,” the easy part is merging the version number. The hard part is knowing what that bump breaks in your repo and fixing it before your users see it.
What semver promises (and what it doesn’t)
Semver is a contract between a library and its consumers: a major bump signals incompatible API changes, a minor bump adds functionality in a backwards-compatible way, and a patch bump is a backwards-compatible fix (and for 0.y.z versions the spec makes no compatibility promise at all). It does not guarantee that your app still passes its tests, that your types still line up, or that transitive dependencies behave, since a lockfile can move a dependency you never listed. That is why majors feel risky even when the library author did everything right.
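To make the contract concrete, here is a small JavaScript example (added for this post, not Upshift code) that compares resolved versions before and after a bump and classifies each change by semver severity. It compares lockfile-style resolved versions rather than package.json ranges, so transitive moves show up too, and it applies the 0.y.z rule, under which a minor bump is treated as breaking. The package names and versions in the sample maps are constructed for illustration.

```javascript
'use strict';

// Matches "1.2.3", "v1.2.3", "1.2.3-rc.1" and "1.2.3+build.5"; build metadata is ignored.
const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(s) {
  const m = SEMVER_RE.exec(String(s).trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns 'none' | 'patch' | 'minor' | 'major' | 'prerelease'.
function bumpKind(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  if (a.major !== b.major) return 'major';
  // 0.y.z: semver promises nothing, so treat a minor change as breaking.
  if (a.major === 0 && a.minor !== b.minor) return 'major';
  if (a.minor !== b.minor) return 'minor';
  if (a.patch !== b.patch) return 'patch';
  if (a.prerelease !== b.prerelease) return 'prerelease';
  return 'none';
}

// `before` and `after` map package name -> resolved version (as a lockfile records
// them, not the ranges in package.json), so transitive bumps are visible as well.
function classifyBumps(before, after) {
  const out = [];
  for (const name of Object.keys(after)) {
    if (!(name in before)) {
      out.push({ name, kind: 'added', from: null, to: after[name] });
      continue;
    }
    const kind = bumpKind(before[name], after[name]);
    if (kind !== 'none') out.push({ name, kind, from: before[name], to: after[name] });
  }
  for (const name of Object.keys(before)) {
    if (!(name in after)) out.push({ name, kind: 'removed', from: before[name], to: null });
  }
  // Breaking changes first so a reviewer sees the risky entries at the top.
  const order = { major: 0, removed: 1, added: 2, minor: 3, prerelease: 4, patch: 5 };
  return out.sort((x, y) => order[x.kind] - order[y.kind] || x.name.localeCompare(y.name));
}

// Only the entries that deserve a full test run and a close read of the changelog.
function riskyBumps(before, after) {
  return classifyBumps(before, after).filter((b) => b.kind === 'major');
}

// Constructed sample: resolved versions around a "bump react to 19" PR.
// `scheduler` is a transitive dep of react-dom; it is 0.x, so its minor bump counts as major.
const SAMPLE_BEFORE = { react: '18.3.1', 'react-dom': '18.3.1', scheduler: '0.23.2', lodash: '4.17.20' };
const SAMPLE_AFTER = { react: '19.0.0', 'react-dom': '19.0.0', scheduler: '0.25.0', lodash: '4.17.21' };

function report(before, after) {
  return classifyBumps(before, after).map((b) => `${b.kind.padEnd(10)} ${b.name}: ${b.from} -> ${b.to}`);
}

for (const line of report(SAMPLE_BEFORE, SAMPLE_AFTER)) console.log(line);
```

Running it lists react, react-dom and scheduler as major and lodash as a patch. The scheduler line is the one a plain "did the major number change?" check would miss, and it is exactly the kind of transitive move that the semver contract does not cover for you.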
Where Upshift sits
Dependabot and Renovate answer “what’s newer?” Upshift is the after-the-bump layer: upshift explain (with optional --ai) gives a plain-language risk summary, upshift fix proposes code changes (always review them), and upshift upgrade runs your test command and rolls back automatically if it fails.
We publish an honest boundary of what our CI regression suite guarantees vs what’s model-dependent—see Capabilities.
A pattern that works
1. upshift explain <pkg> --risk (free), or --ai when you want more depth.
2. upshift fix <pkg> --dry-run to preview the diffs before anything is written.
3. upshift upgrade <pkg> (or a batch) so your tests run and rollback is automatic.
This is the first post in our “why it broke” series—framework-specific deep dives coming next. Tell us which upgrade hurt you: GitHub Issues (use Beta feedback if you hit a bug).