Dependency Health
Systematic dependency management: security-first, batch remediation, policy-driven.
Dependencies are attack surface. Manage them systematically, not reactively.
When to Use This Skill
Use this skill when:
- •🔒 Security vulnerabilities: Known CVEs in dependencies
- •📅 Outdated dependencies: Packages months/years behind
- •⚖️ License compliance: Need to verify license compatibility
- •🎯 Systematic management: Ad-hoc updates causing issues
- •🔄 Frequent breakage: Dependency updates break builds
- •📊 No visibility: Don't know dependency health status
Don't use when:
- •❌ Zero dependencies (static binary, no external deps)
- •❌ Dependencies already managed systematically
- •❌ Short-lived projects (throwaway tools, prototypes)
- •❌ Frozen dependencies (legacy systems, no updates allowed)
Quick Start (30 minutes)
Step 1: Audit Current State (10 min)
# Go projects go list -m -u all | grep '\[' # Node.js npm audit # Python pip list --outdated # Identify: # - Security vulnerabilities # - Outdated packages (>6 months old) # - License issues
Step 2: Prioritize by Security (10 min)
Severity levels:
- •Critical: Actively exploited, RCE, data breach
- •High: Authentication bypass, privilege escalation
- •Medium: DoS, information disclosure
- •Low: Minor issues, limited impact
Action timeline:
- •Critical: Immediate (same day)
- •High: Within 1 week
- •Medium: Within 1 month
- •Low: Next quarterly update
Step 3: Batch Remediation (10 min)
# Group compatible updates # Test together # Create single PR with all updates # Example: Update all patch versions go get -u=patch ./... go test ./... git commit -m "chore(deps): update dependencies (security + freshness)"
Security-First Prioritization
Vulnerability Assessment
Critical vulnerabilities (immediate action):
- •RCE (Remote Code Execution)
- •SQL Injection
- •Authentication bypass
- •Data breach potential
High vulnerabilities (1 week):
- •Privilege escalation
- •XSS (Cross-Site Scripting)
- •CSRF (Cross-Site Request Forgery)
- •Sensitive data exposure
Medium vulnerabilities (1 month):
- •DoS (Denial of Service)
- •Information disclosure
- •Insecure defaults
- •Weak cryptography
Low vulnerabilities (quarterly):
- •Minor issues
- •Informational
- •False positives
Remediation Strategy
Priority queue: 1. Critical vulnerabilities (immediate) 2. High vulnerabilities (week) 3. Dependency freshness (monthly) 4. License compliance (quarterly) 5. Medium/low vulnerabilities (quarterly)
Batch Remediation Strategy
Why Batch Updates?
Problems with one-at-a-time:
- •Update fatigue (100+ dependencies)
- •Test overhead (N tests for N updates)
- •PR overhead (N reviews)
- •Potential conflicts (update A breaks with update B)
Benefits of batching:
- •Single test run for all updates
- •Single PR review
- •Detect incompatibilities early
- •6x faster (validated in meta-cc)
Batching Strategies
Strategy 1: By Severity
# Batch 1: All security patches # Batch 2: All minor/patch updates # Batch 3: All major updates (breaking changes)
Strategy 2: By Compatibility
# Batch 1: Compatible updates (no breaking changes) # Batch 2: Breaking changes (one at a time)
Strategy 3: By Timeline
# Batch 1: Immediate (critical vulnerabilities) # Batch 2: Weekly (high vulnerabilities + freshness) # Batch 3: Monthly (medium vulnerabilities) # Batch 4: Quarterly (low vulnerabilities + license)
Policy-Driven Compliance
Security Policies
# .dependency-policy.yml
security:
critical_vulnerabilities:
action: block_merge
max_age: 0 days
high_vulnerabilities:
action: block_merge
max_age: 7 days
medium_vulnerabilities:
action: warn
max_age: 30 days
Freshness Policies
freshness:
max_age:
major: 12 months
minor: 6 months
patch: 3 months
exceptions:
- package: legacy-lib
reason: "No maintained alternative"
License Policies
licenses:
allowed:
- MIT
- Apache-2.0
- BSD-3-Clause
denied:
- GPL-3.0 # Copyleft issues
- AGPL-3.0
review_required:
- Custom
- Proprietary
Automation Tools
Vulnerability Scanning
# Go: govulncheck go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... # Node.js: npm audit npm audit --audit-level=moderate # Python: safety pip install safety safety check # Rust: cargo-audit cargo install cargo-audit cargo audit
Automated Updates
# Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
security:
patterns:
- "*"
update-types:
- "patch"
- "minor"
License Checking
# Go: go-licenses go install github.com/google/go-licenses@latest go-licenses check ./... # Node.js: license-checker npx license-checker --summary # Python: pip-licenses pip install pip-licenses pip-licenses
Proven Results
Validated in bootstrap-010 (meta-cc project):
- •✅ Security-first prioritization implemented
- •✅ Batch remediation (5 dependencies updated together)
- •✅ 6x speedup: 9 hours manual → 1.5 hours systematic
- •✅ 3 iterations (rapid convergence)
- •✅ V_instance: 0.92 (highest among experiments)
- •✅ V_meta: 0.85
Metrics:
- •Vulnerabilities: 2 critical → 0 (resolved immediately)
- •Freshness: 45% outdated → 15% outdated
- •License compliance: 100% (all MIT/Apache-2.0/BSD)
Transferability:
- •Go (gomod): 100% (native)
- •Node.js (npm): 90% (npm audit similar)
- •Python (pip): 85% (safety similar)
- •Rust (cargo): 90% (cargo audit similar)
- •Java (Maven): 85% (OWASP dependency-check)
- •Overall: 88% transferable
Common Patterns
Pattern 1: Security Update Workflow
# 1. Scan for vulnerabilities govulncheck ./... # 2. Review severity # Critical/High → immediate # Medium/Low → batch # 3. Update dependencies go get -u github.com/vulnerable/package@latest # 4. Test go test ./... # 5. Commit git commit -m "fix(deps): resolve CVE-XXXX-XXXXX in package X"
Pattern 2: Monthly Freshness Update
# 1. Check for updates go list -m -u all # 2. Batch updates (patch/minor) go get -u=patch ./... # 3. Test go test ./... # 4. Commit git commit -m "chore(deps): monthly dependency freshness update"
Pattern 3: Major Version Upgrade
# One at a time (breaking changes) # 1. Update single package go get package@v2 # 2. Fix breaking changes # ... code modifications ... # 3. Test extensively go test ./... # 4. Commit git commit -m "feat(deps): upgrade package to v2"
Anti-Patterns
❌ Ignoring security advisories: "We'll update later" ❌ One-at-a-time updates: 100 separate PRs for 100 dependencies ❌ Automatic merging: Dependabot auto-merge without testing ❌ Dependency pinning forever: Never updating to avoid breakage ❌ License ignorance: Not checking license compatibility ❌ No testing after updates: Assuming updates won't break anything
Related Skills
Parent framework:
- •methodology-bootstrapping - Core OCA cycle
Complementary:
- •ci-cd-optimization - Automated dependency checks in CI
- •error-recovery - Dependency failure handling
Acceleration:
- •rapid-convergence - 3 iterations achieved
References
Core guides:
- •Reference materials in experiments/bootstrap-010-dependency-health/
- •Security-first prioritization framework
- •Batch remediation strategies
- •Policy-driven compliance
Tools:
- •govulncheck (Go)
- •npm audit (Node.js)
- •safety (Python)
- •cargo-audit (Rust)
- •go-licenses (license checking)
Status: ✅ Production-ready | 6x speedup | 88% transferable | V_instance 0.92 (highest)