AgentSkillsCN

dependency-management

Enforces exact-version dependency installation across all package managers, ensuring reproducible builds, supply-chain security and stability. Use when installing packages, updating dependencies, working with package.json/requirements.txt/go.mod/Cargo.toml/pom.xml/build.gradle/composer.json/Gemfile/.csproj files, reviewing dependency configurations, or configuring CI/CD pipelines.

SKILL.md
---
name: dependency-management
description: |
  Enforces fixed version dependency installation across all package managers. Ensures reproducible builds, supply chain security, and stability.
  Use when: installing packages, updating dependencies, working with package.json/requirements.txt/go.mod/Cargo.toml/pom.xml/build.gradle/composer.json/Gemfile/.csproj, reviewing dependency configurations, configuring CI/CD pipelines
---

Dependency Management

Basic Principles

Always Use Exact Versions

  • Use exact versions only: package@1.2.3
  • Forbid ^1.2.3, ~1.2.3, latest, *, and any other range; a range lets a fresh install resolve to a release nobody reviewed
  • Know what "exact" means in each tool: a bare 1.2.3 is exact for npm and pip, but Cargo reads it as the caret range ^1.2.3, Maven and Gradle treat it as a preference that conflict resolution may override, and NuGet treats it as a minimum
  • Exception: peerDependencies of a published library, which must stay ranges so that consumers can satisfy them with their own pinned copy

Lock Files Are Mandatory

  • Always commit the lock file to version control
  • Never edit it by hand; change the manifest and regenerate it with the package manager
  • CI/CD must install in frozen/locked mode, so a missing or stale lock file fails the build instead of being silently rewritten

Security Audit First

  • Check for known vulnerabilities before adding a package, using the ecosystem's own tool (npm audit, pip-audit, cargo audit, govulncheck, composer audit, bundler-audit, dotnet list package --vulnerable)
  • Automate audits on a schedule, not only at install time: a version pinned today can acquire an advisory tomorrow
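The rules above are easy to state and easy to break in a pull request, so the practical complement is a CI gate that fails when any manifest drifts from an exact pin. The script below is an added example written for this page, not part of the skill or of any package manager; it checks package.json (peerDependencies exempt, as the exception above allows), package-lock.json integrity hashes, requirements.txt and Cargo.toml, and the SAMPLE_* manifests inside it are constructed inputs rather than files from a real project. Cargo is included because it is the common trap: a bare "1.2.3" there is the caret range ^1.2.3, so the checker requires the leading =.

```python
"""pin_check.py: CI gate for the exact-version and lock-file rules above.

Added example, not part of the original skill. Scans package.json,
package-lock.json, requirements.txt and Cargo.toml and reports every
dependency that is not an exact pin. SAMPLE_* inputs are constructed.
"""
import json
import re
import sys
from pathlib import Path

# Exact semver: MAJOR.MINOR.PATCH, optional pre-release/build tag, no range operator.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
NPM_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")  # peerDependencies exempt
CARGO_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+(?:\[[^\]]*\])?)\s*(.*)$")  # name[extras] <specifier...>


def check_package_json(text):
    """(section, name, spec) for every npm dependency whose spec is not an exact version."""
    data = json.loads(text)
    return [(section, name, spec) for section in NPM_SECTIONS
            for name, spec in data.get(section, {}).items() if not EXACT_SEMVER.match(spec)]


def check_package_lock(text):
    """Entries of a v2/v3 package-lock.json without an integrity hash (typical of hand edits)."""
    data = json.loads(text)
    return [("package-lock.json", path, "missing integrity")
            for path, entry in data.get("packages", {}).items()
            if path and not entry.get("link") and "integrity" not in entry]


def check_requirements(text):
    """requirements.txt lines that are not `name==X.Y.Z`; option lines (-r, --hash, -e) are skipped."""
    violations = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = REQ_LINE.match(line)
        name, spec = match.groups() if match else (line, "")
        pin = spec.split()[0] if spec else ""       # first token: "==2.31.0", ">=1.26" or ""
        if not pin.startswith("==") or "*" in pin:  # `==4.*` is still a range
            violations.append(("requirements.txt", name, spec))
    return violations


def check_cargo_toml(text):
    """Cargo deps whose version is not `=X.Y.Z` (a bare "1.2.3" means ^1.2.3). Deliberately
    line-based; path/git/workspace entries and [dependencies.<name>] sub-tables are not handled."""
    violations, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section not in CARGO_SECTIONS or "=" not in line:
            continue
        name, _, rhs = (part.strip() for part in line.partition("="))
        if re.search(r"\b(path|git|workspace)\s*=", rhs):
            continue
        match = (re.search(r'version\s*=\s*"([^"]*)"', rhs) if rhs.startswith("{")
                 else re.fullmatch(r'"([^"]*)"', rhs))
        version = match.group(1) if match else ""
        if not (version.startswith("=") and EXACT_SEMVER.match(version[1:])):
            violations.append((section, name, version))
    return violations


CHECKERS = {"package.json": check_package_json, "package-lock.json": check_package_lock,
            "requirements.txt": check_requirements, "Cargo.toml": check_cargo_toml}


def check_tree(root, skip_dirs=("node_modules", "target", ".git")):
    """Walk a source tree and return one human-readable line per violation."""
    out = []
    for path in sorted(Path(root).rglob("*")):
        if path.name in CHECKERS and not set(skip_dirs) & set(path.parts):
            out += [f"{path}: {where}: {name} {spec!r}"
                    for where, name, spec in CHECKERS[path.name](path.read_text())]
    return out


# Constructed sample manifests with deliberate violations (lodash/left-pad/jest, lodash, urllib3/flask/Django, tokio/anyhow/proptest).
SAMPLE_PACKAGE_JSON = """{"name": "demo", "version": "0.0.0",
  "dependencies": {"express": "4.19.2", "lodash": "^4.17.21", "left-pad": "latest"},
  "devDependencies": {"jest": "~29.7.0"},
  "peerDependencies": {"react": "^18.0.0"}}"""
SAMPLE_PACKAGE_LOCK = """{"name": "demo", "lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/express": {"version": "4.19.2", "integrity": "sha512-CONSTRUCTED"},
  "node_modules/lodash": {"version": "4.17.21"}}}"""
SAMPLE_REQUIREMENTS = """requests==2.31.0 \\
    --hash=sha256:0000constructed
urllib3>=1.26      # range
flask              # unpinned
Django==4.*        # wildcard is still a range
"""
SAMPLE_CARGO_TOML = """[dependencies]
serde = "=1.0.197"
tokio = { version = "1.36.0", features = ["full"] }   # bare version means ^1.36.0
anyhow = "^1.0"
local-util = { path = "../local-util" }

[dev-dependencies]
proptest = "1"
"""

if __name__ == "__main__":
    problems = check_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) or "all dependencies are pinned exactly")
    sys.exit(1 if problems else 0)
```

Run it as `python pin_check.py .` from the repository root in CI; a non-zero exit blocks the merge. The line-based Cargo.toml reader keeps the example dependency-free; in production use a real TOML parser (tomllib on Python 3.11+) so that `[dependencies.<name>]` tables and target-specific sections are covered.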

Installation Commands

```bash
# Node.js
npm install --save-exact package@1.2.3
pnpm add --save-exact package@1.2.3
yarn add --exact package@1.2.3

# Python (in requirements.txt the same pin is written as package==1.2.3)
pip install package==1.2.3
poetry add package@1.2.3

# Go (go.mod always records one exact version; @v1.2.3 selects it)
go get package@v1.2.3

# Rust (the leading = is required: cargo add package@1.2.3 would record the caret range ^1.2.3)
cargo add package@=1.2.3

# PHP
composer require vendor/package:1.2.3

# Ruby (Gemfile entry, not a shell command)
gem 'package', '1.2.3'

# Java/Kotlin (build-file entries, not shell commands)
implementation("group:artifact:1.2.3!!")  # Gradle: the !! suffix means "strictly"; plain 1.2.3 can be upgraded by conflict resolution
<version>[1.2.3]</version>                # Maven: brackets make a hard requirement; plain 1.2.3 is a soft one that dependency mediation may override

# .NET (NuGet reads 1.2.3 as a minimum; Version="[1.2.3]" on the PackageReference in the .csproj is the exact form)
dotnet add package PackageName --version 1.2.3
```

CI/CD Commands

```bash
npm ci                                             # npm: installs from package-lock.json, fails if it disagrees with package.json
pnpm install --frozen-lockfile                     # pnpm
yarn install --frozen-lockfile                     # yarn classic (v1); yarn berry (v2+): yarn install --immutable
pip install --require-hashes -r requirements.txt   # pip: every requirement must be ==pinned and carry a --hash
poetry check --lock && poetry install              # poetry: fail if poetry.lock is stale, then install from it
go mod verify && go build -mod=readonly ./...      # go: check the module cache against go.sum; -mod=readonly refuses to touch go.mod
cargo build --locked                               # rust: error if Cargo.lock would need updating
composer validate --strict && composer install     # php: validate fails when composer.lock is out of sync with composer.json
BUNDLE_FROZEN=true bundle install                  # ruby: refuse to modify Gemfile.lock
dotnet restore --locked-mode                       # .NET: needs packages.lock.json (RestorePackagesWithLockFile=true in the project)
```

Common Mistakes

| ❌ Wrong | ✅ Correct |
|---|---|
| `npm install` in CI | `npm ci` |
| `package@latest` | `package@1.2.3` |
| `package@^1.2.3` | `package@1.2.3` |
| Lock file in .gitignore | Commit the lock file |
| Manual lock file editing | Regenerate via the package manager |