Dependency Management

Workflows

  • Audit: Scan the whole dependency tree, transitive packages included, for known vulnerabilities
  • Update: Keep dependencies reasonably current so that taking a security fix is a small, routine change
  • Lock: Record the exact resolved versions (and their hashes) so every build installs the same code
  • Minimize: Remove unused dependencies; every package you keep is code you ship, patch and trust

Security Scanning

bash
# Node.js: checks the installed tree and lockfile against the npm advisory database
npm audit
pnpm audit

# Python: pip-audit queries PyPI's advisory data; Safety uses its own database
# (newer Safety releases replace `check` with `scan`)
pip-audit
safety check

# Go: reports only vulnerabilities in functions your code can actually reach,
# so it produces far fewer false positives than a plain version match
govulncheck ./...

# Rust: checks Cargo.lock against the RustSec advisory database
cargo audit

Run these in CI against the committed lockfile, not only on developer machines. All four tools exit non-zero when they find something, so the pipeline fails by default; decide up front which severity blocks a merge and how long an accepted finding may stay unfixed.
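The scanners above only report; the decision of what blocks a merge is yours. The following added example (not code from the page or from npm) turns `npm audit --json` output into a CI gate with a severity floor and time-boxed exceptions. It assumes the npm 7+ report shape: a top-level `vulnerabilities` map keyed by package name, each entry carrying `severity`, `isDirect`, `fixAvailable` and a `via` list whose dict items hold the advisory `source` id (string items in `via` mean the package inherits a vulnerability from the named dependency, which is itself listed). The embedded report is constructed for illustration; its package names, advisory ids and URLs are made up.

```python
"""Gate a CI job on `npm audit --json` output with a severity floor and
time-boxed exceptions. Added example; assumes the npm 7+ report shape."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report; package names, ids and URLs are made up.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "padder": {
            "name": "padder", "severity": "high", "isDirect": True,
            "via": [{"source": 1001, "title": "Prototype pollution",
                     "url": "https://example.invalid/advisories/1001", "severity": "high"}],
            "range": "<2.0.0", "fixAvailable": True,
        },
        "tiny-parser": {
            "name": "tiny-parser", "severity": "moderate", "isDirect": False,
            "via": [{"source": 1002, "title": "ReDoS in parse()",
                     "url": "https://example.invalid/advisories/1002", "severity": "moderate"}],
            "range": "*", "fixAvailable": False,
        },
        "widget-kit": {
            "name": "widget-kit", "severity": "high", "isDirect": True,
            "via": ["padder"],  # inherited: the real advisory is on padder above
            "range": ">=1.0.0", "fixAvailable": True,
        },
    },
})


def flatten_findings(report_json):
    """One record per (package, advisory). Inherited string entries are skipped
    because the root package carries the advisory and is gated on directly."""
    report = json.loads(report_json)
    findings = []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            findings.append({
                "package": pkg,
                "advisory": str(via.get("source")),
                "severity": entry.get("severity", "info"),
                "direct": bool(entry.get("isDirect")),
                "fix_available": bool(entry.get("fixAvailable")),
            })
    return findings


def evaluate(report_json, min_severity="high", exceptions=None, today=None):
    """Return (passed, blocking, waived).

    exceptions maps advisory id -> expiry (ISO date). A finding is waived only
    until that date, so an accepted risk cannot silently become permanent.
    today is an ISO date string; it defaults to the wall clock.
    """
    today = date.fromisoformat(today) if today else date.today()
    exceptions = exceptions or {}
    threshold = SEVERITY_RANK[min_severity]
    blocking, waived = [], []
    for f in flatten_findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the agreed floor: reported by npm, but not merge-blocking
        expiry = exceptions.get(f["advisory"])
        if expiry and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return (not blocking, blocking, waived)


if __name__ == "__main__":
    # Usage: npm audit --json | python audit_gate.py -    (no argument: run on the sample)
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    passed, blocking, waived = evaluate(raw, exceptions={"1001": "2099-01-01"})
    for f in blocking:
        print(f"BLOCK {f['severity']:>8}  {f['package']}  advisory {f['advisory']}  fix available: {f['fix_available']}")
    for f in waived:
        print(f"WAIVE {f['severity']:>8}  {f['package']}  advisory {f['advisory']}")
    sys.exit(0 if passed else 1)
```

`npm audit --audit-level=high` gives you the severity floor on its own; what it cannot express is an exception list with expiry dates, which is the part that keeps "we'll fix it next sprint" from becoming permanent. The same structure works for the other scanners once you adapt `flatten_findings` to their JSON.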

Version Management

Semantic Versioning

  • Major (the first number, as in 1.0.0 → 2.0.0): Breaking changes
  • Minor (the second number, as in 1.0.0 → 1.1.0): New features, backward compatible
  • Patch (the third number, as in 1.0.0 → 1.0.1): Bug fixes, backward compatible

Two caveats. Versions below 1.0.0 (0.y.z) promise nothing under the semver spec, so package managers treat the second number as the breaking one for them. And a version number is a claim made by the publisher, not something a tool verifies, which is why updates still need tests and a look at the changelog.

Version Constraints

json
// package.json
{
  "dependencies": {
    "exact": "1.2.3",         // Exactly 1.2.3
    "patch": "~1.2.3",        // >=1.2.3 <1.3.0 (patch updates only)
    "minor": "^1.2.3",        // >=1.2.3 <2.0.0 (minor and patch updates)
    "range": ">=1.2.3 <2.0.0" // Explicit range (here the same as ^1.2.3)
  }
}

The caret never changes the left-most non-zero component, so for pre-1.0 packages it is narrower than "minor updates": ^0.2.3 allows >=0.2.3 <0.3.0, and ^0.0.3 allows only 0.0.3 itself. npm install writes caret ranges by default, so the manifest alone never pins anything; the lockfile does.
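To make the constraint rules concrete, here is an added example (not from the page, and not the semver library npm uses) that implements the four constraint forms shown above plus the pre-1.0 caret rule, and resolves the highest published version each one allows, which is what an unlocked install would pick. It deliberately leaves out prerelease tags, build metadata, `x` wildcards and `||`, all of which real semver supports; the list of "published" versions is constructed.

```python
"""Minimal npm-style constraint matcher for exact, ~, ^ and comparator ranges.
Added example; ignores prereleases, build metadata, wildcards and ||."""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)$")
_COMPARATORS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); tuples compare the way semver orders versions."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(x) for x in m.groups())


def _tilde_upper(v):
    # ~1.2.3 allows patch-level changes only: >=1.2.3 <1.3.0
    return (v[0], v[1] + 1, 0)


def _caret_upper(v):
    # ^ allows changes that leave the left-most non-zero component alone:
    # ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
    major, minor, patch = v
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def constraint_to_predicate(constraint):
    """Turn one package.json constraint string into a predicate on version tuples."""
    c = constraint.strip()
    if c.startswith("~"):
        lo, hi = parse_version(c[1:]), _tilde_upper(parse_version(c[1:]))
        return lambda v: lo <= v < hi
    if c.startswith("^"):
        lo, hi = parse_version(c[1:]), _caret_upper(parse_version(c[1:]))
        return lambda v: lo <= v < hi
    # Exact version, or a space-separated conjunction of comparators
    bounds = []
    for part in c.split():
        m = _COMPARATOR_RE.match(part)
        if not m:
            raise ValueError(f"unsupported constraint syntax: {constraint!r}")
        bounds.append((_COMPARATORS[m.group(1) or "="], parse_version(m.group(2))))
    return lambda v: all(cmp(v, bound) for cmp, bound in bounds)


def satisfies(version, constraint):
    return constraint_to_predicate(constraint)(parse_version(version))


def highest_allowed(published, constraint):
    """What an unlocked `npm install` resolves to: the highest in-range version,
    or None when nothing published satisfies the constraint."""
    ok = [parse_version(p) for p in published if satisfies(p, constraint)]
    return ".".join(map(str, max(ok))) if ok else None


if __name__ == "__main__":
    # Constructed registry contents for the demo
    published = ["0.2.3", "0.2.9", "0.3.0", "1.2.3", "1.2.9", "1.3.0", "1.9.9", "2.0.0"]
    for spec in ("1.2.3", "~1.2.3", "^1.2.3", ">=1.2.3 <2.0.0", "^0.2.3", "^0.0.3"):
        print(f"{spec:>16} -> {highest_allowed(published, spec)}")
```

The `^0.2.3` and `^0.0.3` cases are the ones that surprise people: a dependency that looks "allowed to float" is in practice nearly pinned, and a library at 0.x that you expected to stay on patch updates may jump to a new minor the moment the caret says so.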

Lockfiles

Always commit lockfiles for reproducible builds:
  • package-lock.json or pnpm-lock.yaml (Node.js)
  • poetry.lock or uv.lock (Python)
  • go.sum (Go; commit it together with go.mod, which holds the selected versions while go.sum holds their checksums)
  • Cargo.lock (Rust)

A lockfile records the exact resolved version and a content hash for every package in the tree, so a later build cannot silently pick up a newer or substituted package. Install from it in CI with the package manager's strict mode (npm ci, pnpm install --frozen-lockfile, uv sync --locked, cargo build --locked) so that a lockfile out of step with the manifest fails the build instead of being regenerated on the fly. Keep exactly one lockfile per manifest: two package managers writing two lockfiles for the same package.json will drift apart.
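The common failures here are not exotic: a lockfile that was never generated, two lockfiles for one manifest, or a lockfile that is silently excluded by .gitignore. The following added example (not code from the page) is a small pre-commit or CI check for those three cases in a repository root. The manifest-to-lockfile table covers only the ecosystems listed above; the .gitignore reader is deliberately minimal (top-level basenames, no globs or negations); and the strict install commands in the table are the usual "install only from the lockfile" invocations, to be verified against the tool versions you run. The fixture it creates for the demo is constructed.

```python
"""Check that every manifest in a repo root has exactly one committed lockfile.
Added example; minimal .gitignore handling, ecosystems from the list above."""
import sys
import tempfile
from pathlib import Path

# manifest -> (acceptable lockfiles, any one of them; strict install command)
LOCKFILE_RULES = {
    "package.json": (("package-lock.json", "pnpm-lock.yaml"),
                     "npm ci / pnpm install --frozen-lockfile"),
    "pyproject.toml": (("poetry.lock", "uv.lock"), "poetry install / uv sync --locked"),
    "go.mod": (("go.sum",), "go mod verify"),
    "Cargo.toml": (("Cargo.lock",), "cargo build --locked"),
}


def gitignored_names(root):
    """Plain basenames ignored at the top level of root/.gitignore (no globs)."""
    gi = Path(root) / ".gitignore"
    if not gi.is_file():
        return set()
    names = set()
    for line in gi.read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.lstrip("/").rstrip("/"))
    return names


def check_lockfiles(root):
    """Return (manifest, problem) tuples; an empty list means the tree is clean."""
    root = Path(root)
    ignored = gitignored_names(root)
    problems = []
    for manifest, (lockfiles, strict_cmd) in LOCKFILE_RULES.items():
        if not (root / manifest).is_file():
            continue
        present = [lf for lf in lockfiles if (root / lf).is_file()]
        if not present:
            problems.append((manifest, f"no lockfile ({' or '.join(lockfiles)}); "
                                       f"generate and commit one, then install with: {strict_cmd}"))
            continue
        if len(present) > 1:
            problems.append((manifest, f"multiple lockfiles {present}: two package managers "
                                       f"will drift apart, keep exactly one"))
        for lf in present:
            if lf in ignored:
                problems.append((manifest, f"{lf} is listed in .gitignore and will never be committed"))
    return problems


def make_demo_tree(base):
    """Constructed fixture: one clean ecosystem (Go) and three broken ones."""
    root = Path(base)
    for name in ("package.json", "package-lock.json", "pnpm-lock.yaml",  # two lockfiles
                 "pyproject.toml",                                        # no lockfile
                 "go.mod", "go.sum",                                      # clean
                 "Cargo.toml", "Cargo.lock"):                             # lockfile ignored
        (root / name).write_text("")
    (root / ".gitignore").write_text("# build output\ntarget/\nCargo.lock\n")
    return root


def demo_problems():
    """Run the check on the constructed fixture in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_lockfiles(make_demo_tree(tmp))


if __name__ == "__main__":
    # Usage: python check_lockfiles.py [repo-root]    (no argument: run on the fixture)
    problems = check_lockfiles(sys.argv[1]) if sys.argv[1:] else demo_problems()
    for manifest, problem in problems:
        print(f"{manifest}: {problem}")
    sys.exit(1 if problems else 0)
```

The Cargo.lock case is worth calling out: older Rust guidance said to gitignore it for library crates, which leaves CI resolving fresh versions on every run; for anything you build and ship, commit it.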

Best Practices

  1. Pin Versions in Production: Deploy from the lockfile (or exact versions), never from a floating range resolved at build time
  2. Update Regularly: Don't let dependencies get too stale; small, frequent updates are easier to review and to roll back than a yearly jump
  3. Review Changelogs: Check for breaking changes before a major update, and for new transitive dependencies in any update
  4. Test After Updates: Run the full test suite after every dependency change, including lockfile-only changes
  5. Minimize Dependencies: Each dependency is a liability you have to audit, patch and trust with your build

Removing Unused Dependencies

bash
# Node.js: lists dependencies declared in package.json that no source file imports
npx depcheck

# Python: removes a package together with the dependencies nothing else needs
pip-autoremove

# Go: drops requirements no import uses and adds any that are missing,
# rewriting go.mod and go.sum
go mod tidy

Treat the output as a list of candidates, not a verdict: a package loaded only by a plugin mechanism, a CLI invoked from scripts, or a build-time tool will show up as "unused". Remove, rebuild, and run the test suite before committing.