dependency-manager
Dependency Manager
Purpose
Provides expertise in package management, version resolution, and software supply chain security. Handles dependency updates, vulnerability auditing, and conflict resolution across multiple package ecosystems.
When to Use
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Migrating between package managers
- Implementing dependency policies
- Reducing bundle size via dependency analysis
Quick Start
Invoke this skill when:
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Implementing dependency policies
Do NOT invoke when:
- Building CI/CD pipelines (use devops-engineer)
- Publishing packages to registries (use build-engineer)
- Container image management (use kubernetes-specialist)
- Cloud infrastructure dependencies (use terraform-engineer)
Decision Framework
Update Strategy:
├── Security patch → Update immediately
├── Bug fix (patch) → Update with tests
├── Minor version → Review changelog, test
├── Major version → Full compatibility review
└── Deprecated package → Find replacement
Ecosystem Tools:
├── Node.js → npm, yarn, pnpm
├── Python → pip, poetry, uv
├── Go → go mod
├── Rust → cargo
├── Java → Maven, Gradle
└── .NET → NuGet

Core Workflows
1. Dependency Audit
- Run package audit tool
- Review vulnerability reports
- Prioritize by severity (CVSS)
- Check for available patches
- Update or find alternatives
- Verify fixes don't break app
- Document remediation
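The audit workflow above (prioritize by CVSS, check for available patches, decide the update action) combined with the Update Strategy tree from the Decision Framework, written out as a small triage script. This is an added example, not the skill's own code or any audit tool's output format: the `Advisory` record, the package names, scores and versions are all constructed for illustration, and the CVSS rating bands are the standard v3.x qualitative thresholds.

```python
"""Dependency-audit triage, added here as an example (not the original skill's code).
Ranks constructed advisories by CVSS score, checks whether a fixed version exists,
and maps each one onto the page's update-strategy tree."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    package: str
    installed: str            # version currently in the lockfile
    cvss: float               # CVSS base score, 0.0 - 10.0
    fixed_in: Optional[str]   # lowest version carrying the fix; None if no patch exists
    deprecated: bool = False  # package is marked deprecated upstream


def parse_version(v: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release and build tags are stripped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    return tuple(int(p) for p in parts)


def bump_type(current: str, target: str) -> str:
    """Classify the upgrade from current to target as patch, minor, major, or none."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        return "none"
    if tgt[0] != cur[0]:
        return "major"
    if tgt[1] != cur[1]:
        return "minor"
    return "patch"


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def recommend(adv: Advisory) -> str:
    """Apply the update-strategy decision tree to one advisory."""
    if adv.deprecated:
        return "find replacement"
    if adv.fixed_in is None:
        return "no fix available: mitigate or find alternative"
    kind = bump_type(adv.installed, adv.fixed_in)
    return {
        "none": "already fixed",                 # installed version is at or past the fix
        "patch": "update immediately",           # security patch
        "minor": "review changelog, test",
        "major": "full compatibility review",
    }[kind]


def triage(advisories):
    """Order advisories by severity (highest CVSS first, then name) with an action each."""
    ranked = sorted(advisories, key=lambda a: (-a.cvss, a.package))
    return [
        {"package": a.package, "severity": severity(a.cvss), "action": recommend(a)}
        for a in ranked
    ]


# Constructed sample advisories: hypothetical package names, versions and scores.
SAMPLE = [
    Advisory("example-parser", "1.2.0", 5.3, "1.2.1"),
    Advisory("example-http", "4.17.15", 9.1, "4.17.21"),
    Advisory("example-legacy", "2.88.0", 7.5, None, deprecated=True),
    Advisory("example-web", "3.21.2", 7.5, "4.18.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"{row['severity']:<8} {row['package']:<16} {row['action']}")
```

The ordering key puts the highest CVSS first and breaks ties by name so the output is stable between runs, which matters when the list is diffed in CI to detect new findings. The deprecation check comes before the fix lookup on purpose: a fixed version of a deprecated package is still a dead end, so the tree's "find replacement" branch wins.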
2. Major Version Upgrade
- Read changelog and migration guide
- Check for breaking changes
- Update in isolated branch
- Run full test suite
- Fix breaking changes
- Review for deprecated APIs
- Deploy to staging first
3. Lockfile Management
- Ensure lockfile is committed
- Use CI to verify lockfile matches
- Regenerate on conflict resolution
- Audit lockfile for tampering
- Update lockfile atomically
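The "verify lockfile matches" and "audit lockfile for tampering" steps, as an added example that is not part of the original skill: a CI-style check over an npm `package-lock.json` in the lockfileVersion 3 layout (`packages` keyed by `node_modules/...` paths, each with `version`, `resolved` and `integrity`). It confirms every dependency declared in `package.json` is present at a version inside its range, and that every locked package carries a sha512 integrity hash and resolves over HTTPS from an approved registry host. The manifest and lockfile contents are constructed; `ALLOWED_HOSTS` is an assumed organisational allow-list; the range matcher supports only exact, `~` and `^` specs to keep the example short. It does not re-download tarballs to recompute digests, so a swapped tarball with a matching forged `integrity` value is out of scope here and is what `npm ci` verifies at install time.

```python
"""Lockfile consistency and provenance check, added as an example (not the skill's code).
Covers the Lockfile Management steps: declared deps must be locked at a satisfying
version, and every locked package must have a sha512 digest from an approved registry."""
import json
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}  # assumption: the organisation's approved registries


def parse(v: str) -> tuple:
    """'MAJOR.MINOR.PATCH' -> (major, minor, patch); pre-release tags are ignored."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def satisfies(version: str, spec: str) -> bool:
    """Minimal semver range check for exact, '~' and '^' specs (an assumption of scope)."""
    v = parse(version)
    if spec.startswith("^"):
        base = parse(spec[1:])
        # ^1.2.3 => >=1.2.3 <2.0.0; ^0.2.3 => >=0.2.3 <0.3.0; ^0.0.3 => >=0.0.3 <0.0.4
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= v < upper
    if spec.startswith("~"):
        base = parse(spec[1:])  # ~1.2.3 => >=1.2.3 <1.3.0
        return base <= v < (base[0], base[1] + 1, 0)
    return v == parse(spec)


def check_lockfile(manifest: dict, lock: dict) -> list:
    """Return a list of human-readable findings; an empty list means the lock passes."""
    findings = []
    if lock.get("lockfileVersion") != 3:
        findings.append("unsupported lockfileVersion (expected 3)")
    packages = lock.get("packages", {})

    # 1. Does the lockfile match package.json?
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for name, spec in declared.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append(f"{name}: declared in package.json but missing from lockfile")
        elif not satisfies(entry["version"], spec):
            findings.append(f"{name}: locked {entry['version']} does not satisfy {spec}")

    # 2. Does every locked package (transitive ones included) look untampered?
    for path, entry in packages.items():
        if path == "":
            continue  # the root project entry has no tarball
        name = path.rsplit("node_modules/", 1)[-1]
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}: missing or weak integrity hash")
        resolved = entry.get("resolved", "")
        url = urlparse(resolved)
        if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
            findings.append(f"{name}: resolved from unexpected location {resolved!r}")
    return findings


# Constructed sample inputs (hypothetical packages; digests are placeholders).
FAKE_SHA512 = "sha512-" + "A" * 86 + "=="
MANIFEST = {
    "name": "demo-app",
    "dependencies": {"example-http": "^4.17.0", "example-cli": "2.0.0"},
    "devDependencies": {"example-parser": "~1.2.0"},
}
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": MANIFEST["dependencies"]},
        "node_modules/example-http": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/example-http/-/example-http-4.17.21.tgz",
            "integrity": FAKE_SHA512,
        },
        "node_modules/example-parser": {
            "version": "1.3.0",  # drifted outside the ~1.2.0 range in package.json
            "resolved": "https://registry.npmjs.org/example-parser/-/example-parser-1.3.0.tgz",
            "integrity": FAKE_SHA512,
        },
        "node_modules/example-cli": {
            "version": "2.0.0",
            "resolved": "http://mirror.example.internal/example-cli-2.0.0.tgz",  # plain HTTP, unapproved host
            "integrity": "sha1-" + "B" * 27 + "=",  # legacy digest, not sha512
        },
        "node_modules/example-http/node_modules/example-extra": {  # nested transitive dep
            "version": "0.4.2",
            "resolved": "https://registry.npmjs.org/example-extra/-/example-extra-0.4.2.tgz",
            "integrity": FAKE_SHA512,
        },
    },
}

if __name__ == "__main__":
    # In CI you would load the real files: json.load(open("package.json")) etc.
    problems = check_lockfile(MANIFEST, LOCKFILE)
    print(json.dumps(problems, indent=2))
    raise SystemExit(1 if problems else 0)
```

Run as a CI step, a non-empty findings list fails the build, which is the "use CI to verify lockfile matches" step made concrete. The host and scheme check is the part that catches a lockfile edited to pull a package from somewhere other than the approved registry; the integrity check catches entries that were stripped of their digest so that `npm ci` would have nothing to verify.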
Best Practices
- Always use lockfiles for reproducibility
- Run security audits in CI/CD
- Pin exact versions in production
- Use renovate/dependabot for automation
- Audit transitive dependencies
- Minimize dependency count
Anti-Patterns
| Anti-Pattern | Problem | Correct Approach |
|---|---|---|
| No lockfile | Non-reproducible builds | Commit lockfiles |
| Ignoring audits | Security vulnerabilities | Address all high/critical |
| Auto-merge updates | Breaking changes in prod | Test before merge |
| Too many deps | Large attack surface | Audit and minimize |
| Outdated deps | Missing security patches | Regular update cadence |