Dependency Management
Workflows
- • Audit: Check for known vulnerabilities
- • Update: Keep dependencies reasonably current
- • Lock: Ensure reproducible builds
- • Minimize: Remove unused dependencies
Security Scanning
bash
# Node.js npm audit pnpm audit # Python pip-audit safety check # Go govulncheck ./... # Rust cargo audit
Version Management
Semantic Versioning
- •Major (1.0.0): Breaking changes
- •Minor (0.1.0): New features, backward compatible
- •Patch (0.0.1): Bug fixes, backward compatible
Version Constraints
json
// package.json
{
"dependencies": {
"exact": "1.2.3", // Exactly 1.2.3
"patch": "~1.2.3", // 1.2.x (patch updates)
"minor": "^1.2.3", // 1.x.x (minor updates)
"range": ">=1.2.3 <2.0.0" // Range
}
}
Lockfiles
Always commit lockfiles for reproducible builds:
- •
package-lock.jsonorpnpm-lock.yaml(Node.js) - •
poetry.lockoruv.lock(Python) - •
go.sum(Go) - •
Cargo.lock(Rust)
Best Practices
- •Pin Versions in Production: Use exact versions or lockfiles
- •Update Regularly: Don't let dependencies get too stale
- •Review Changelogs: Check breaking changes before major updates
- •Test After Updates: Run full test suite after dependency changes
- •Minimize Dependencies: Each dependency is a liability
Removing Unused Dependencies
bash
# Node.js npx depcheck # Python pip-autoremove # Go go mod tidy