AgentSkillsCN

dependency-management

Manage dependencies with version pinning, lock files, vulnerability scanning, and update strategies. Use this skill when adding new packages, pinning dependency versions, scanning for vulnerabilities, updating outdated dependencies, or managing monorepo dependency graphs.

SKILL.md
---
name: "dependency-management"
description: 'Manage dependencies with version pinning, lock files, vulnerability scanning, and update strategies. Use when adding new packages, pinning dependency versions, scanning for vulnerabilities, updating outdated dependencies, or managing monorepo dependency graphs.'
metadata:
  author: "AgentX"
  version: "1.0.0"
  created: "2025-01-15"
  updated: "2025-01-15"
---

Dependency Management

Purpose: Manage third-party dependencies securely and reliably.
Goal: Reproducible builds, no vulnerable packages, controlled updates.
Note: For implementation, see C# Development or Python Development.


When to Use This Skill

  • Adding new packages or libraries
  • Pinning dependency versions for reproducibility
  • Scanning for known vulnerabilities
  • Updating outdated dependencies safely
  • Managing monorepo dependency graphs

Prerequisites

  • Package manager installed (npm, pip, NuGet, cargo, etc.)
  • Vulnerability scanner for that ecosystem (see Dependency Management Tools below)

Decision Tree

code
Dependency concern?
├─ Adding new dependency? (all four gates must pass, not just one)
│   ├─ Actively maintained? (commits or releases in last 6 months, issues answered) → Proceed
│   ├─ License compatible? (MIT/Apache → OK, GPL/AGPL → check against how you distribute)
│   ├─ Too many transitive deps, or install scripts? → Consider lighter alternative
│   └─ Can you build it in < 1 hour? → Maybe don't add dependency
├─ Updating dependencies?
│   ├─ Patch update (0.0.x) → Usually safe; auto-merge after CI passes, lock file diff still committed and reviewed
│   ├─ Minor update (0.x.0) → Review changelog, test (for 0.x packages a minor bump may be breaking)
│   └─ Major update (x.0.0) → Review breaking changes, plan migration, separate PR
├─ Vulnerability found?
│   ├─ Direct dependency? → Update immediately; no fixed release yet → override or replace
│   └─ Transitive? → Update the direct dependency that pulls it in; else override to the patched version and confirm the parent still works with it
└─ Lock file conflict?
    └─ Keep the target branch's lock file → re-resolve only your manifest changes (e.g. npm install --package-lock-only) → review the lock diff → commit
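The "Updating dependencies?" branch above is usually automated by a bot, and the bot needs a rule that tells patch, minor and major apart, including the 0.x case the branch glosses over. The following is an added example, not code from the original skill: it classifies a proposed update and maps it to the policy above. Assumptions (documented in the code): versions follow semver with an optional leading "v"; while the major version is 0 a minor bump counts as breaking and a patch bump as "minor"; any move into or out of a pre-release counts as "major" because it is never auto-mergeable. The POLICY texts are illustrative wording, not the skill's own.

```python
"""Route a proposed dependency update through the patch / minor / major policy
of the decision tree.  Added example, not code from the original skill.
Assumptions: versions follow semver (an optional leading 'v' is tolerated);
while the major version is 0 the package is treated as unstable, so a minor
bump is classified 'major' and a patch bump 'minor'; any move into or out of
a pre-release is classified 'major' because it is never auto-mergeable.
"""
import re
from typing import Optional, Tuple

SEMVER_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

# What each class means for the pull request that Dependabot/Renovate opens
# (illustrative wording, an assumption of this example).
POLICY = {
    "none": "nothing to do",
    "downgrade": "block: investigate why resolution moved backwards",
    "patch": "auto-merge once CI passes; lock file diff is still committed and reviewed",
    "minor": "review changelog, run the full test suite, then merge",
    "major": "read breaking changes, plan migration, ship in its own PR",
}


def parse(version: str) -> Tuple[int, int, int, Optional[str]]:
    """Split '1.4.2-rc.1+build' into (1, 4, 2, 'rc.1'); build metadata is ignored."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return int(m["major"]), int(m["minor"]), int(m["patch"]), m["pre"]


def classify_update(current: str, candidate: str) -> str:
    """Return one of 'none', 'downgrade', 'patch', 'minor', 'major'."""
    cmaj, cmin, cpat, cpre = parse(current)
    nmaj, nmin, npat, npre = parse(candidate)
    if (cmaj, cmin, cpat) == (nmaj, nmin, npat):
        return "none" if cpre == npre else "major"   # e.g. 1.0.0-rc.1 -> 1.0.0
    if (nmaj, nmin, npat) < (cmaj, cmin, cpat):
        return "downgrade"
    if cpre or npre:
        return "major"            # pre-release involved: no automatic path
    if nmaj != cmaj:
        return "major"
    if nmin != cmin:
        return "major" if cmaj == 0 else "minor"     # 0.x: minor bump may break
    return "minor" if cmaj == 0 else "patch"         # 0.x: even patches get a look


def update_action(current: str, candidate: str) -> str:
    """Human-readable policy for the update, e.g. for a bot comment or CI log."""
    return POLICY[classify_update(current, candidate)]


if __name__ == "__main__":
    for cur, new in [("1.4.2", "1.4.3"), ("1.4.2", "1.5.0"), ("1.4.2", "2.0.0"),
                     ("0.3.1", "0.4.0"), ("1.0.0-rc.1", "1.0.0"), ("1.4.2", "1.4.1")]:
        print(f"{cur:>10} -> {new:<10} {classify_update(cur, new):<9} {update_action(cur, new)}")
```

The downgrade class is deliberate: a lock file that moves a version backwards after a merge is a common sign that someone regenerated it from scratch or that a resolution range was loosened, and it should be investigated rather than merged as a "patch".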

Core Concepts

Dependency Types

code
Direct Dependencies:
  - Packages your code imports directly
  - Listed in your package manifest
  - You chose them, so this is where the pre-add audit happens

Transitive Dependencies:
  - Dependencies of your dependencies
  - Automatically pulled in; usually outnumber direct deps many times over
  - Often the source of vulnerabilities, because nobody on the team chose or reviewed them

Development Dependencies:
  - Testing frameworks
  - Build tools
  - Linters
  - NOT shipped to production
  - Still installed and executed on developer machines and CI (install scripts run with
    whatever credentials the build has), so they are scanned and pinned like everything else

Dependency Files

code
Manifest File (what you want):
  - Lists packages and version constraints
  - Human-editable
  - Committed to version control

Lock File (what you get):
  - Lists exact versions resolved
  - Includes transitive dependencies
  - Usually records each package's checksum and source URL, so an install can be
    verified against it
  - Machine-generated; its diff is reviewed in code review like any other change
  - Committed to version control, and installed from in locked mode (npm ci,
    pip install --require-hashes, dotnet restore --locked-mode, cargo build --locked)
    so the build fails instead of silently re-resolving

Examples by Language:
  Language    | Manifest           | Lock File
  ------------|--------------------|------------------------------------------------------
  .NET        | *.csproj           | packages.lock.json (opt-in via RestorePackagesWithLockFile)
  Python      | pyproject.toml     | poetry.lock (or requirements.txt with --hash lines)
  Node.js     | package.json       | package-lock.json (yarn.lock / pnpm-lock.yaml)
  Go          | go.mod             | go.mod pins versions; go.sum holds module checksums
  Rust        | Cargo.toml         | Cargo.lock
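Two things a reviewer wants from a lock file follow from the description above and from the "Transitive? → update the parent" branch of the decision tree: proof that every entry carries a checksum and came from the registry you expect, and, for a package a scanner flagged, the direct dependency that drags it in. The following is an added example, not code from the original skill: it reads an npm package-lock.json (lockfileVersion 2 or 3, the real format) and performs both checks. The lock file embedded in it is constructed; package names, versions and hashes are invented, "vulnerable-lib" stands in for whatever npm audit reported, and ALLOWED_REGISTRY (public npm only) is an assumption.

```python
"""Review an npm package-lock.json (lockfileVersion 2 or 3) before trusting it.
(1) every installed package must carry an integrity hash and resolve to the
expected registry, so a tampered or dependency-confusion entry cannot hide
in a lock file diff; (2) for a package a scanner flagged, find the direct
dependency that pulls it in, since that parent is what gets updated.

Added example, not code from the original skill.  SAMPLE_LOCK is constructed:
names, versions and hashes are invented; ALLOWED_REGISTRY is an assumption.
"""
import json
from typing import Dict, List, Set

ALLOWED_REGISTRY = "https://registry.npmjs.org/"

# Constructed lock file: web-framework pulls in vulnerable-lib; pretty-print has
# no integrity hash and resolves to an unexpected host, which is what a tampered
# or dependency-confusion entry looks like in a diff.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": { "web-framework": "^4.2.0", "pretty-print": "^1.0.0" },
      "devDependencies": { "test-runner": "^9.0.0" }
    },
    "node_modules/web-framework": {
      "version": "4.2.1",
      "resolved": "https://registry.npmjs.org/web-framework/-/web-framework-4.2.1.tgz",
      "integrity": "sha512-AAAA",
      "dependencies": { "vulnerable-lib": "^2.0.0" }
    },
    "node_modules/vulnerable-lib": {
      "version": "2.0.3",
      "resolved": "https://registry.npmjs.org/vulnerable-lib/-/vulnerable-lib-2.0.3.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/pretty-print": {
      "version": "1.0.0",
      "resolved": "http://internal-mirror.example/pretty-print-1.0.0.tgz"
    },
    "node_modules/test-runner": {
      "version": "9.1.0",
      "resolved": "https://registry.npmjs.org/test-runner/-/test-runner-9.1.0.tgz",
      "integrity": "sha512-CCCC",
      "dev": true
    }
  }
}
""")


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (segment after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def check_provenance(lock: dict) -> List[str]:
    """Flag entries without an integrity hash or resolved outside ALLOWED_REGISTRY."""
    findings: List[str] = []
    for path, entry in lock["packages"].items():
        if path == "":                        # the root project itself
            continue
        label = f"{package_name(path)}@{entry.get('version')}"
        resolved = entry.get("resolved", "")
        if not entry.get("integrity"):
            findings.append(f"{label}: missing integrity hash")
        if not resolved.startswith(ALLOWED_REGISTRY):
            findings.append(f"{label}: resolved from {resolved or '<none>'}")
    return findings


def dependency_paths(lock: dict, target: str) -> List[List[str]]:
    """Every chain direct-dep -> ... -> target, following each entry's declared
    dependencies.  chain[0] is the direct dependency to update.  Assumes a
    hoisted tree (one entry per package name), the common case."""
    pkgs = lock["packages"]
    by_name: Dict[str, dict] = {package_name(p): e for p, e in pkgs.items() if p}
    root = pkgs[""]
    direct = list(root.get("dependencies", {})) + list(root.get("devDependencies", {}))
    paths: List[List[str]] = []

    def walk(name: str, chain: List[str], seen: Set[str]) -> None:
        if name == target:
            paths.append(chain)
            return
        if name in seen:                      # cycle guard
            return
        for child in by_name.get(name, {}).get("dependencies", {}):
            walk(child, chain + [child], seen | {name})

    for dep in direct:
        walk(dep, [dep], set())
    return paths


if __name__ == "__main__":
    for finding in check_provenance(SAMPLE_LOCK):
        print("PROVENANCE:", finding)
    for chain in dependency_paths(SAMPLE_LOCK, "vulnerable-lib"):
        print("UPDATE PARENT:", " -> ".join(chain))
```

Run the provenance check as a CI step on every pull request that touches the lock file; an entry that resolves to an unexpected host or loses its integrity field is worth a human look even when npm audit is clean. When dependency_paths returns several chains, every listed parent needs a fix before the vulnerable version disappears from the tree; if none of them has a fixed release, that is the case for an override.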

Best Practices Summary

Practice              | Description
----------------------|----------------------------------------------------------------
Use lock files        | Commit lock files and install from them in locked mode, so CI fails rather than re-resolves when manifest and lock disagree
Pin production deps   | Applications: exact versions; libraries: ranges in the manifest, exact versions in the lock file
Scan regularly        | Automated vulnerability scanning in CI and on a schedule, since new advisories land without any change on your side
Update strategically  | Patch often, minor carefully, major planned
Minimize dependencies | Every dep is a liability: code you execute, maintainers you trust, install scripts you run
Review licenses       | Ensure compatibility with how you distribute
Separate dev deps     | Don't ship test frameworks; still scan and pin them, they run on CI
Audit new deps        | Evaluate maintenance, license, transitive footprint and install scripts before adding

Dependency Management Tools

Language | Package Manager  | Vulnerability Scanner
---------|------------------|------------------------------------------------------
.NET     | NuGet, dotnet    | dotnet list package --vulnerable --include-transitive
Python   | pip, poetry      | pip-audit, safety
Node.js  | npm, yarn, pnpm  | npm audit, Snyk
Java     | Maven, Gradle    | OWASP Dependency-Check
Go       | go mod           | govulncheck
Rust     | Cargo            | cargo-audit

See Also: Security, C# Development, Python Development

Scripts

Script         | Purpose                                                        | Usage
---------------|----------------------------------------------------------------|-------------------------------------------------
audit-deps.ps1 | Audit for outdated/vulnerable dependencies (.NET/Python/Node)  | ./scripts/audit-deps.ps1 [-FailOnVulnerability]

Troubleshooting

Issue                                 | Solution
--------------------------------------|------------------------------------------------------------------------------
Conflicting dependency versions       | Use the package manager's resolution strategy (overrides/resolutions, widened ranges); check peer dependency requirements
Vulnerability found in transitive dep | Update the direct dependency that pulls it in; if no fixed parent exists, override/force the patched version and confirm it still satisfies the parent's constraint; otherwise find an alternative package
Lock file merge conflicts             | Do not regenerate the lock file from scratch (that silently upgrades everything and can pull in versions nobody reviewed); take the target branch's lock file, re-resolve only your manifest changes (e.g. npm install --package-lock-only), review the lock diff, commit

References