dependency-management

Original🇺🇸 English
Translated

Manage project dependencies effectively. Use when adding, updating, or auditing dependencies. Covers version management, security scanning, and lockfiles.

2installs
Sourcenguyenhuuca/assessment
Added on

NPX Install

npx skill4agent add nguyenhuuca/assessment dependency-management

Tags

Translated version includes tags in frontmatter
dependency-managementsecurity-scanningversion-controllockfile-managementdependency-auditing

SKILL.md Content

View Translation Comparison →

Dependency Management

Workflows

  • Audit: Check for known vulnerabilities
  • Update: Keep dependencies reasonably current
  • Lock: Ensure reproducible builds
  • Minimize: Remove unused dependencies

Security Scanning

bash
# Node.js
npm audit
pnpm audit

# Python
pip-audit
safety check

# Go
govulncheck ./...

# Rust
cargo audit

Version Management

Semantic Versioning

  • Major (1.0.0): Breaking changes
  • Minor (0.1.0): New features, backward compatible
  • Patch (0.0.1): Bug fixes, backward compatible

Version Constraints

json
// package.json
{
  "dependencies": {
    "exact": "1.2.3",        // Exactly 1.2.3
    "patch": "~1.2.3",       // 1.2.x (patch updates)
    "minor": "^1.2.3",       // 1.x.x (minor updates)
    "range": ">=1.2.3 <2.0.0" // Range
  }
}

Lockfiles

Always commit lockfiles for reproducible builds:
  • package-lock.json
    or 
    pnpm-lock.yaml
    (Node.js)
  • poetry.lock
    or 
    uv.lock
    (Python)
  • go.sum
    (Go)
  • Cargo.lock
    (Rust)

Best Practices

  1. Pin Versions in Production: Use exact versions or lockfiles
  2. Update Regularly: Don't let dependencies get too stale
  3. Review Changelogs: Check breaking changes before major updates
  4. Test After Updates: Run full test suite after dependency changes
  5. Minimize Dependencies: Each dependency is a liability

Removing Unused Dependencies

bash
# Node.js
npx depcheck

# Python
pip-autoremove

# Go
go mod tidy