Dependency Manager

Purpose

When to Use

• Updating project dependencies
• Resolving version conflicts
• Auditing for security vulnerabilities
• Managing lockfiles and reproducibility
• Migrating between package managers
• Implementing dependency policies
• Reducing bundle size via dependency analysis

Quick Start

• Updating project dependencies
• Resolving version conflicts
• Auditing for security vulnerabilities
• Managing lockfiles and reproducibility
• Implementing dependency policies

• Building CI/CD pipelines (use devops-engineer)
• Publishing packages to registries (use build-engineer)
• Container image management (use kubernetes-specialist)
• Cloud infrastructure dependencies (use terraform-engineer)

Decision Framework

Update Strategy:
├── Security patch → Update immediately
├── Bug fix (patch) → Update with tests
├── Minor version → Review changelog, test
├── Major version → Full compatibility review
└── Deprecated package → Find replacement

Ecosystem Tools:
├── Node.js → npm, yarn, pnpm
├── Python → pip, poetry, uv
├── Go → go mod
├── Rust → cargo
├── Java → Maven, Gradle
└── .NET → NuGet

Core Workflows

1. Dependency Audit

1. Run package audit tool
2. Review vulnerability reports
3. Prioritize by severity (CVSS)
4. Check for available patches
5. Update or find alternatives
6. Verify fixes don't break app
7. Document remediation

2. Major Version Upgrade

1. Read changelog and migration guide
2. Check for breaking changes
3. Update in isolated branch
4. Run full test suite
5. Fix breaking changes
6. Review for deprecated APIs
7. Deploy to staging first

3. Lockfile Management

1. Ensure lockfile is committed
2. Use CI to verify lockfile matches
3. Regenerate on conflict resolution
4. Audit lockfile for tampering
5. Update lockfile atomically

Best Practices

• Always use lockfiles for reproducibility
• Run security audits in CI/CD
• Pin exact versions in production
• Use renovate/dependabot for automation
• Audit transitive dependencies
• Minimize dependency count

Anti-Patterns