Dependencies Skill
Core Philosophy
"Upgrade deliberately; keep lockfiles in sync."
Update dependencies in a controlled way: check compatibility, resolve conflicts, run tests, and commit lockfile changes.
Protocol
1. Understand Ecosystem
| Ecosystem | Manifest | Lockfile | Update commands |
|---|---|---|---|
| Node | package.json | package-lock.json / yarn.lock / pnpm-lock.yaml | npm update, npm install <pkg>@latest, yarn upgrade, pnpm update |
| Python | requirements.txt / pyproject.toml | requirements.lock / poetry.lock | pip install -U <pkg>, poetry update, uv lock |
| Go | go.mod | go.sum | go get -u ./... or go get module@version |
| Rust | Cargo.toml | Cargo.lock | cargo update or edit version then cargo build |
| Ruby | Gemfile | Gemfile.lock | bundle update <gem> |
Respect project choice: e.g. npm vs yarn vs pnpm, pip vs poetry vs uv.
2. Upgrade Workflow
- Scope: All deps, or only named packages (and their dependents if needed).
- Update: Use the ecosystem's update command; avoid editing the lockfile by hand.
- Resolve: If there are version conflicts, relax constraints or pick a compatible version; document why.
- Install/build: Run install and build so lockfile and manifests are in sync.
- Test: Run the test suite; fix any breakage from API or behavior changes.
- Commit: Commit manifest + lockfile together (and any fix commits).
3. Conflict Resolution
- Node: `npm install` or `yarn install` often suggests fixes; use `overrides`/`resolutions` only when necessary, and document them.
- Python: Resolve version ranges in `requirements.txt` or `pyproject.toml`; regenerate the lockfile.
- Go: `go get` or fix `go.mod`; run `go mod tidy`.
- Rust: Adjust the version in `Cargo.toml`; `cargo update` or `cargo build`.
4. Security / Outdated
- Use ecosystem tools when the user cares about vulnerabilities or outdated deps: `npm audit`, `yarn audit`, `pip-audit`, `cargo audit`, `go list -m -u all`, etc.
- Suggest upgrades or patches; don't auto-fix without user context (e.g. breaking changes).
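As an added check for the "Install/build" step in section 2 and the audit step in section 4 (example code, not part of this skill): a small Python script that detects manifest/lockfile drift in an npm project by comparing package.json against the lockfile's root entry, and flags registry packages that are locked without an integrity hash. The sample manifest, lockfile and registry URLs are constructed for illustration.

```python
"""Lockfile drift check for an npm project (package-lock.json v2/v3).
Compares the manifest's declared ranges with the lockfile's root entry
(packages[""], npm's mirror of package.json) and flags registry packages
locked without an integrity hash. Sample data below is constructed."""
import json
def lock_drift(manifest: dict, lock: dict) -> dict:
    """Return drift findings by kind; all empty means manifest and lock agree."""
    packages = lock.get("packages", {})
    root = packages.get("", {})  # lockfile's copy of package.json
    found = {"missing_in_lock": [], "missing_in_manifest": [],
             "range_mismatch": [], "unresolved": [], "no_integrity": []}
    for field in ("dependencies", "devDependencies"):
        declared = manifest.get(field, {})
        locked = root.get(field, {})
        for name, rng in declared.items():
            if name not in locked:
                found["missing_in_lock"].append(name)  # manifest edited, lock not regenerated
            elif locked[name] != rng:
                found["range_mismatch"].append((name, rng, locked[name]))
            if f"node_modules/{name}" not in packages:
                found["unresolved"].append(name)  # no pinned version recorded at all
        for name in locked:
            if name not in declared:
                found["missing_in_manifest"].append(name)  # dropped from manifest, still locked
    for path, entry in packages.items():
        # Registry tarballs should carry an SRI hash; workspace links have no "resolved".
        if path and entry.get("resolved", "").startswith("http") and "integrity" not in entry:
            found["no_integrity"].append(path.removeprefix("node_modules/"))
    return found

def in_sync(manifest: dict, lock: dict) -> bool:
    return not any(lock_drift(manifest, lock).values())

# Constructed sample: express bumped in package.json without re-running install,
# mocha removed from package.json but not from the lock, lodash locked without integrity.
MANIFEST = json.loads('''{"name": "demo", "version": "1.0.0",
  "dependencies": {"express": "^4.19.2", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.7.0"}}''')
LOCK = json.loads('''{"name": "demo", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"express": "^4.18.0", "lodash": "^4.17.21"},
       "devDependencies": {"jest": "^29.7.0", "mocha": "^10.0.0"}},
  "node_modules/express": {"version": "4.18.2", "resolved": "https://registry.example/express-4.18.2.tgz", "integrity": "sha512-PLACEHOLDER"},
  "node_modules/lodash": {"version": "4.17.21", "resolved": "https://registry.example/lodash-4.17.21.tgz"},
  "node_modules/jest": {"version": "29.7.0", "resolved": "https://registry.example/jest-29.7.0.tgz", "integrity": "sha512-PLACEHOLDER"},
  "node_modules/mocha": {"version": "10.2.0", "resolved": "https://registry.example/mocha-10.2.0.tgz", "integrity": "sha512-PLACEHOLDER"}}}''')
if __name__ == "__main__":
    for kind, items in lock_drift(MANIFEST, LOCK).items():
        print(f"{kind}: {items}")
```

Run it before committing: any non-empty finding means `npm install` (or `npm ci`) should be re-run and the lockfile committed together with the manifest.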
Checklist
- Manifest and lockfile both updated and committed.
- Install/build succeeds; tests pass after upgrade.
- Conflicts resolved with a clear choice (and a comment if non-obvious).
- Major upgrades or breaking changes called out for the user.