live-dependency-resolver

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

When this skill is activated, always start your first response with the 🧢 emoji.

激活此技能后，你的第一个回复必须以🧢表情符号开头。

Live Dependency Resolver

实时依赖解析器

LLMs have knowledge cutoff dates that are months old. When helping users install coding dependencies, this causes hallucinated version numbers, suggestions for deprecated packages, and incorrect install commands. This skill teaches agents to always verify packages against live registries before suggesting any installation - using CLI commands first for speed and simplicity, with web API fallback when CLI tools are unavailable.

大语言模型（LLMs）存在知识截止日期，通常是几个月前的内容。在帮助用户安装代码依赖时，这会导致生成错误的版本号、建议已废弃的包，以及提供不正确的安装命令。此技能指导Agent在建议任何安装操作前，始终对照实时注册表验证包信息——优先使用CLI命令以保证速度和简便性，当CLI工具不可用时，再使用Web API作为备选方案。

When to use this skill

何时使用此技能

Trigger this skill when the user:

Asks to install, add, or update any package or dependency
Wants to check the latest version of a package
Needs to scaffold a project with third-party dependencies
Asks you to generate code that imports a third-party package

Requests a

package.json

requirements.txt

Cargo.toml

Gemfile

, or

go.mod

Asks to compare package versions or check compatibility
Mentions any package by name in a context where version matters

Do NOT trigger this skill for:

OS-level packages (apt, brew, yum) - different registries and tools
Private/internal registry packages - requires authentication, out of scope
Post-install usage questions where the package is already installed and version is irrelevant

当用户有以下需求时，触发此技能：

请求安装、添加或更新任何包或依赖
想要检查某个包的最新版本
需要搭建包含第三方依赖的项目
请求你生成导入第三方包的代码

索要

package.json

、

requirements.txt

、

Cargo.toml

、

Gemfile

或

go.mod

文件

请求比较包版本或检查兼容性
在版本相关的语境中提及任何包的名称

请勿在以下场景触发此技能：

操作系统级别的包（apt、brew、yum）——使用不同的注册表和工具
私有/内部注册表的包——需要身份验证，超出本技能范围
包已安装且版本无关的安装后使用问题

Key principles

核心原则

Never trust your training data for versions - Your knowledge cutoff means every version number you "know" is potentially wrong. Always verify against the live registry before suggesting any version, even for well-known packages like React or Django.
CLI first, API fallback - Use CLI tools (
```
npm view
```
,
```
pip index versions
```
,
```
cargo search
```
,
```
gem search
```
,
```
go list -m
```
) as the primary lookup method. They're faster, work offline against local caches, and produce simpler output. Fall back to web APIs only when the CLI tool is unavailable or fails.
Verify package existence before recommending - Before suggesting an unknown or less-popular package, confirm it actually exists in the registry. A nonexistent package name in an install command wastes the user's time and erodes trust.
Show your work - When providing version information, include the command you ran and the raw output. This lets the user verify the result and learn the lookup method for future use.
Respect major version boundaries - Major version bumps often contain breaking changes. When a user's existing code targets v4.x, don't blindly suggest upgrading to v5.x. Flag major version differences and let the user decide.

永远不要相信训练数据中的版本信息——你的知识截止日期意味着你"知道"的每个版本号都可能已过时。在建议任何版本前，始终对照实时注册表进行验证，即使是React或Django这类知名包也不例外。
优先使用CLI，备选使用API——使用CLI工具（
```
npm view
```
、
```
pip index versions
```
、
```
cargo search
```
、
```
gem search
```
、
```
go list -m
```
）作为主要查询方式。它们速度更快，可离线使用本地缓存，且输出更简洁。仅当CLI工具不可用或失败时，才使用Web API作为备选。
推荐前先验证包是否存在——在建议未知或不太流行的包前，确认它确实存在于注册表中。安装命令中的错误包名会浪费用户时间，还会降低信任度。
展示操作过程——提供版本信息时，附上你执行的命令和原始输出。这能让用户验证结果，并学习未来可使用的查询方法。
尊重主版本边界——主版本升级通常包含破坏性变更。当用户现有代码以v4.x为目标版本时，不要盲目建议升级到v5.x。需标注主版本差异，由用户自行决定是否升级。

Core concepts

核心概念

Quick reference table

速查表

Ecosystem	CLI: check latest version	Web API fallback
npm	`npm view <pkg> version`	`curl https://registry.npmjs.org/<pkg>/latest`
pip	`pip index versions <pkg>`	`curl https://pypi.org/pypi/<pkg>/json`
Go	`go list -m <mod>@latest`	`curl https://proxy.golang.org/<mod>/@latest`
cargo	`cargo search <crate> --limit 1`	`curl -H "User-Agent: skill" https://crates.io/api/v1/crates/<name>`
gem	`gem search ^<name>$ --remote`	`curl https://rubygems.org/api/v1/gems/<name>.json`

生态系统	CLI：检查最新版本	Web API备选方案
npm	`npm view <pkg> version`	`curl https://registry.npmjs.org/<pkg>/latest`
pip	`pip index versions <pkg>`	`curl https://pypi.org/pypi/<pkg>/json`
Go	`go list -m <mod>@latest`	`curl https://proxy.golang.org/<mod>/@latest`
cargo	`cargo search <crate> --limit 1`	`curl -H "User-Agent: skill" https://crates.io/api/v1/crates/<name>`
gem	`gem search ^<name>$ --remote`	`curl https://rubygems.org/api/v1/gems/<name>.json`

Decision tree

决策树

User mentions a package -> identify the ecosystem
Run the CLI command for that ecosystem
If CLI fails (tool not installed, network error) -> try the web API
If both fail -> tell the user you cannot verify and suggest they check manually
Never silently fall back to training data

用户提及某个包 → 确定其所属生态系统
运行该生态系统对应的CLI命令
如果CLI失败（工具未安装、网络错误）→ 尝试Web API
如果两者都失败 → 告知用户无法验证，建议手动检查
永远不要静默回退到训练数据

Major version handling

主版本处理

When a user's project already pins to a major version (e.g.

"react": "^17.0.0"

), check whether the latest version is in the same major line. If it's a new major version, explicitly flag this: "The latest React is 19.x, but your project uses 17.x. Upgrading across major versions may require migration steps."

当用户项目已固定主版本时（例如

"react": "^17.0.0"

），检查最新版本是否属于同一主版本系列。如果是新的主版本，需明确标注："React的最新版本是19.x，但你的项目使用的是17.x。跨主版本升级可能需要迁移步骤。"

Common tasks

常见任务

Check latest npm package version

检查npm包的最新版本

bash

undefined

bash

undefined

CLI (preferred)

CLI（优先选择）

npm view express version

Returns: 4.21.2

返回：4.21.2

With more detail (all published versions)

查看更多详情（所有已发布版本）

npm view express versions --json

Web API fallback

Web API备选方案

curl -s https://registry.npmjs.org/express/latest | jq '.version'


> **Gotcha:** For scoped packages like `@babel/core`, the CLI works directly (`npm view @babel/core version`), but the API URL needs encoding: `https://registry.npmjs.org/@babel%2fcore/latest`.

curl -s https://registry.npmjs.org/express/latest | jq '.version'


> **注意事项：** 对于`@babel/core`这类作用域包，CLI可直接使用（`npm view @babel/core version`），但API URL需要编码：`https://registry.npmjs.org/@babel%2fcore/latest`。

Check latest Python package version

检查Python包的最新版本

bash

undefined

bash

undefined

CLI (preferred - requires pip 21.2+)

CLI（优先选择 - 需要pip 21.2+版本）

pip index versions numpy

Output includes: LATEST: 2.2.3

输出包含：LATEST: 2.2.3

Web API fallback

Web API备选方案

curl -s https://pypi.org/pypi/numpy/json | jq '.info.version'


> **Gotcha:** `pip index versions` requires pip 21.2+. On older pip versions, this command doesn't exist. Fall back to the PyPI JSON API. Also, always use `python -m pip` instead of bare `pip` to ensure you're targeting the correct Python installation, especially in virtual environments.

curl -s https://pypi.org/pypi/numpy/json | jq '.info.version'


> **注意事项：** `pip index versions`命令需要pip 21.2及以上版本。在旧版pip中，该命令不存在，需回退到PyPI JSON API。此外，始终使用`python -m pip`而非直接使用`pip`，以确保针对正确的Python安装，尤其是在虚拟环境中。

Check latest Go module version

检查Go模块的最新版本

bash

undefined

bash

undefined

CLI (preferred - must be in a Go module directory)

CLI（优先选择 - 必须在Go模块目录中执行）

go list -m golang.org/x/sync@latest

Returns: golang.org/x/sync v0.12.0

返回：golang.org/x/sync v0.12.0

Web API fallback

Web API备选方案

curl -s https://proxy.golang.org/golang.org/x/sync/@latest | jq '.Version'


> **Gotcha:** Go module paths are case-sensitive. `github.com/User/Repo` and `github.com/user/repo` are different modules. The Go proxy uses case-encoding where uppercase letters become `!` + lowercase (e.g. `!user/!repo`).

curl -s https://proxy.golang.org/golang.org/x/sync/@latest | jq '.Version'


> **注意事项：** Go模块路径区分大小写。`github.com/User/Repo`和`github.com/user/repo`是不同的模块。Go代理使用大小写编码，大写字母会转为`!`+小写字母（例如`!user/!repo`）。

Add a Rust crate dependency

添加Rust crate依赖

bash

undefined

bash

undefined

CLI: search for latest version

CLI：搜索最新版本

cargo search serde --limit 1

Output: serde = "1.0.219" # A generic serialization/deserialization framework

输出：serde = "1.0.219" # 通用序列化/反序列化框架

CLI: add to project (cargo-edit required for older Rust, built-in since Rust 1.62)

CLI：添加到项目（旧版Rust需要cargo-edit，Rust 1.62及以上版本内置该功能）

cargo add serde --features derive

Web API fallback

Web API备选方案

curl -s -H "User-Agent: live-dep-resolver"
https://crates.io/api/v1/crates/serde | jq '.crate.max_version'


> **Gotcha:** `cargo search` output includes a description after the version. Parse carefully - extract just the version string within quotes. Also, crates.io API **requires** a `User-Agent` header or returns 403.

curl -s -H "User-Agent: live-dep-resolver"
https://crates.io/api/v1/crates/serde | jq '.crate.max_version'


> **注意事项：** `cargo search`的输出在版本后包含描述信息。需仔细解析——仅提取引号内的版本字符串。此外，crates.io API **必须**携带`User-Agent`请求头，否则会返回403错误。

Check latest Ruby gem version

检查Ruby gem的最新版本

bash

undefined

bash

undefined

CLI (preferred)

CLI（优先选择）

gem search ^rails$ --remote

Output: rails (8.0.2)

输出：rails (8.0.2)

Web API fallback

Web API备选方案

curl -s https://rubygems.org/api/v1/gems/rails.json | jq '.version'


> **Gotcha:** `gem search` without regex anchors (`^...$`) matches partial names. `gem search rail` returns dozens of gems. Always use `^name$` for exact matches.

curl -s https://rubygems.org/api/v1/gems/rails.json | jq '.version'


> **注意事项：** 不带正则锚点（`^...$`）的`gem search`会匹配部分名称。`gem search rail`会返回数十个gem。始终使用`^name$`进行精确匹配。

Scoped npm packages and version ranges

作用域npm包和版本范围

bash

undefined

bash

undefined

Check a scoped package

检查作用域包

npm view @types/react version

Check a specific version range's latest match

检查特定版本范围的最新匹配版本

npm view react@^18 version

Returns the latest 18.x version

返回最新的18.x版本

Check peer dependencies (important for plugin ecosystems)

检查 peer 依赖（对插件生态系统很重要）

npm view eslint-plugin-react peerDependencies --json

undefined

npm view eslint-plugin-react peerDependencies --json

undefined

Python version compatibility check

Python版本兼容性检查

bash

undefined

bash

undefined

Check which Python versions a package supports

检查包支持的Python版本

curl -s https://pypi.org/pypi/django/json | jq '.info.requires_python'

Returns: ">=3.10"

返回：">=3.10"

List all available versions to find one compatible with Python 3.9

列出所有可用版本，找到兼容Python 3.9的版本

pip index versions django

Then check the classifiers for the specific version:

然后检查特定版本的分类器：

curl -s https://pypi.org/pypi/django/4.2.20/json | jq '.info.requires_python'

---

curl -s https://pypi.org/pypi/django/4.2.20/json | jq '.info.requires_python'

---

Anti-patterns

反模式

Mistake	Why it's wrong	What to do instead
Hardcoding a version from memory	Your training data is months old; the version may be outdated or wrong	Run the CLI lookup command and use the live result
Suggesting `npm install pkg@latest` without checking	`@latest` resolves at install time, but the user may need to know the version for lockfiles, CI, or compatibility	Look up the version first, then suggest `pkg@x.y.z` explicitly
Using `pip install pkg` without verifying it exists	Typosquatting is real - `python-dateutil` vs `dateutil` can install malicious packages	Verify the exact package name against the registry first
Ignoring major version boundaries	Blindly suggesting the latest version can break existing projects	Check the user's current pinned version and flag major bumps
Skipping the lookup because "everyone knows React"	Even popular packages have breaking version changes; React 18 vs 19 matters	Always verify, regardless of package popularity
Falling back to training data silently when CLI fails	The user trusts your output; stale data without disclosure breaks that trust	If both CLI and API fail, explicitly say you cannot verify the version

错误行为	错误原因	正确做法
从记忆中硬编码版本	你的训练数据已过时数月，版本可能已更新或错误	运行CLI查询命令，使用实时结果
未检查就建议 `npm install pkg@latest`	`@latest` 会在安装时解析，但用户可能需要知道版本号用于锁文件、CI或兼容性检查	先查询版本，再明确建议 `pkg@x.y.z`
未验证存在性就建议 `pip install pkg`	存在打字 squatting 攻击—— `python-dateutil` 和 `dateutil` 可能安装恶意包	先对照注册表验证包的准确名称
忽略主版本边界	盲目建议最新版本可能破坏现有项目	检查用户当前固定的版本，标注主版本升级风险
因为"大家都知道React"而跳过查询	即使是流行包也会有破坏性版本变更；React 18和19差异很大	无论包的流行度如何，始终进行验证
CLI失败时静默回退到训练数据	用户信任你的输出；未披露的过时数据会破坏信任	如果CLI和API都失败，明确告知用户无法验证版本

References

参考资料

For detailed registry-specific commands, API endpoints, and edge cases, load the relevant reference file only when the current task requires that ecosystem:

```
references/npm-registry.md
```
- npm CLI commands, registry API, scoped packages, peer deps, lockfiles
```
references/python-registry.md
```
- pip commands, PyPI API, pip vs pip3, virtual envs, PEP 440 specifiers
```
references/go-modules.md
```
- go list commands, Go proxy API, go get vs go install, major version suffixes
```
references/rust-crates.md
```
- cargo commands, crates.io API (User-Agent required), feature flags, version reqs
```
references/ruby-gems.md
```
- gem commands, RubyGems API, bundler vs gem install, version constraints

Only load a references file if the current task requires it - they are long and will consume context.

如需了解特定注册表的详细命令、API端点和边缘情况，仅在当前任务需要时加载相关参考文件：

```
references/npm-registry.md
```
- npm CLI命令、注册表API、作用域包、peer依赖、锁文件
```
references/python-registry.md
```
- pip命令、PyPI API、pip与pip3、虚拟环境、PEP 440版本规范
```
references/go-modules.md
```
- go list命令、Go代理API、go get与go install、主版本后缀
```
references/rust-crates.md
```
- cargo命令、crates.io API（需要User-Agent）、功能标志、版本要求
```
references/ruby-gems.md
```
- gem命令、RubyGems API、bundler与gem install、版本约束

仅在当前任务需要时加载参考文件——这些文件内容较长，会占用上下文空间。