Dependency Management Skill
Purpose
Ensure dependencies are secure, compatible, and properly managed throughout their lifecycle. Balance velocity with security and maintainability.
Pre-Approved Libraries
These libraries are pre-vetted and can be installed autonomously without asking permission:
Testing Libraries
JavaScript/TypeScript:
- `fast-check` - Property-based testing
- `@faker-js/faker` - Test data generation
- `vitest` - Unit testing framework
- `jest` - Unit testing framework
- `@testing-library/react` - React component testing
- `@testing-library/dom` - DOM testing utilities
- `playwright` - E2E testing
- `cypress` - E2E testing
Python:
- `hypothesis` - Property-based testing
- `faker` - Test data generation
- `pytest` - Unit testing framework
- `pytest-cov` - Coverage reporting
- `pytest-mock` - Mocking utilities
Go:
- `github.com/stretchr/testify` - Testing toolkit
- `github.com/golang/mock` - Mocking framework
- `gopter` - Property-based testing
- `go-fuzz` - Fuzzing
Development Tools
JavaScript/TypeScript:
- `eslint` - Linting
- `prettier` - Code formatting
- `typescript` - Type checking
- `ts-node` - TypeScript execution
Python:
- `black` - Code formatting
- `pylint` - Linting
- `mypy` - Type checking
- `ruff` - Fast linter
Go:
- `golangci-lint` - Comprehensive linting
- `gofmt` - Code formatting
- `staticcheck` - Static analysis
Vetting Process for New Dependencies
When adding a dependency NOT on the pre-approved list:
1. Security Check
- NPM: Run `npm audit` after installation
- Python: Check with `pip-audit` or `safety check`
- Go: Run `govulncheck`
- All: Search for known CVEs at https://cve.mitre.org
2. Maintenance Assessment
Check these indicators:
- Last updated: Within 12 months (active maintenance)
- GitHub stars: >1000 for critical dependencies
- Open issues: <50 unresolved critical issues
- Contributors: >5 active contributors
- Downloads: High weekly download count
3. License Compatibility
Verify license is compatible with project:
- Permissive (Safe): MIT, Apache 2.0, BSD, ISC
- Weak Copyleft (Usually Safe): LGPL, MPL
- Strong Copyleft (Ask First): GPL, AGPL
- Proprietary (Ask First): Custom licenses
4. Bundle Size Impact (Frontend Only)
- Check bundle size at https://bundlephobia.com
- Avoid packages >100KB unless essential
- Prefer tree-shakeable packages
Installation Standards
Version Pinning
Always pin versions for production dependencies:
Good: exact version

```json
"dependencies": {
  "express": "4.18.2"
}
```

Bad: loose version

```json
"dependencies": {
  "express": "^4.18.2"
}
```

Use ranges for dev dependencies:

```json
"devDependencies": {
  "vitest": "^1.0.0"
}
```
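As an added example (not part of the original skill text), a small check that enforces the pinning rule above: every entry under `dependencies` must be an exact semver version, while `devDependencies` may use ranges. The sample manifest is constructed for this example; the `check_pinning` and `is_exact_pin` names are my own, not from any project.

```python
import json
import re

# An exact pin is a full semver triple, optionally with a prerelease or
# build tag. Anything else (^, ~, >=, *, "latest", git/file URLs) is
# resolved at install time and can change what ships to production.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def is_exact_pin(spec: str) -> bool:
    """True when a version specifier names exactly one version."""
    return bool(EXACT_VERSION.match(spec.strip()))


def check_pinning(package_json_text: str) -> dict:
    """Apply the policy: production deps must be exact, dev deps may range.

    Returns the offending production entries and, for information only,
    the dev entries that use ranges (which the policy allows).
    """
    manifest = json.loads(package_json_text)
    violations = [
        (name, spec)
        for name, spec in manifest.get("dependencies", {}).items()
        if not is_exact_pin(spec)
    ]
    dev_ranges = [
        (name, spec)
        for name, spec in manifest.get("devDependencies", {}).items()
        if not is_exact_pin(spec)
    ]
    return {"violations": violations, "dev_ranges": dev_ranges}


# Constructed sample manifest (not a real project); the git URL is a placeholder.
SAMPLE_MANIFEST = """{
  "dependencies": {
    "express": "4.18.2",
    "lodash": "^4.17.21",
    "left-pad": "latest",
    "some-lib": "git+https://example.invalid/some-lib.git"
  },
  "devDependencies": {
    "vitest": "^1.0.0"
  }
}"""

if __name__ == "__main__":
    report = check_pinning(SAMPLE_MANIFEST)
    for name, spec in report["violations"]:
        print(f"UNPINNED production dependency: {name} {spec!r}")
    if not report["violations"]:
        print("all production dependencies are pinned")
```

Run it in CI against the repository's `package.json` and fail the build on any violation; an exact pin still relies on the committed lockfile to hold transitive dependencies in place.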
Lockfile Hygiene
- ALWAYS commit lockfiles: `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `go.sum`, `poetry.lock`
- Never manually edit lockfiles
- Regenerate after conflicts: Delete and reinstall
Installation Commands
JavaScript/TypeScript:
```bash
# NPM
npm install --save-exact <package>   # Production
npm install --save-dev <package>     # Development
# Yarn
yarn add --exact <package>
yarn add --dev <package>
# PNPM
pnpm add --save-exact <package>
pnpm add --save-dev <package>
```
Python:
```bash
# Pip with requirements.txt
pip install <package>
pip freeze > requirements.txt
# Poetry (preferred)
poetry add <package>
poetry add --group dev <package>
```
Go:
```bash
# Go modules
go get <package>@<version>
go mod tidy
```
When to Ask Permission
ALWAYS ask before installing if:
- Package is NOT on pre-approved list
- License is GPL/AGPL or proprietary
- Package has known security vulnerabilities
- Package is unmaintained (>2 years since update)
- Package adds >50MB to bundle size
- Installing a major version upgrade (e.g., v2 → v3)
Format for asking:
```text
I need to install `<package>` for <reason>.
Security: <audit results>
Maintenance: Last updated <date>, <stars> stars
License: <license type>
Size: <bundle size if frontend>
Alternatives considered:
- <alternative 1>: <why not chosen>
- <alternative 2>: <why not chosen>
Approve installation?
```
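The vetting checklist and the ask-permission rules above can be applied mechanically once the registry and repository facts are in hand. The following is an added example, not code from the original skill or from any project: `assess` turns a metadata record into a list of concerns and an `install`/`ask` decision, and `render_request` fills in the request template. The license buckets use SPDX identifiers, the `PRE_APPROVED` set is a subset of the list above, and `SAMPLE` is a constructed record for a hypothetical package; all of these names are my own.

```python
from datetime import date

TODAY = date(2025, 1, 15)  # fixed "today" so the example runs reproducibly

# License buckets from the checklist, keyed by SPDX identifier (subset).
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Subset of the pre-approved list; a real run would load all of it.
PRE_APPROVED = {"vitest", "jest", "fast-check", "pytest", "hypothesis"}


def license_category(spdx: str) -> str:
    """Map an SPDX id onto the four buckets used in the checklist."""
    if spdx in PERMISSIVE:
        return "permissive"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "proprietary-or-unknown"


def assess(meta: dict, today: date = TODAY) -> dict:
    """Apply the vetting checklist and decide 'install' or 'ask'.

    `meta` carries what you read off the registry and the repository:
    name, version, license (SPDX), last_updated (date), stars, contributors,
    open_critical_issues, vulnerabilities (count from npm audit / pip-audit /
    govulncheck), bundle_kb (None unless frontend), current_major (or None).
    """
    concerns = []
    if meta["vulnerabilities"]:
        concerns.append(f"{meta['vulnerabilities']} known vulnerabilities")
    age_days = (today - meta["last_updated"]).days
    if age_days > 730:
        concerns.append(f"unmaintained: last update {age_days} days ago")
    elif age_days > 365:
        concerns.append(f"last update {age_days} days ago (>12 months)")
    if meta["stars"] < 1000:  # the checklist's bar for critical dependencies
        concerns.append(f"only {meta['stars']} stars")
    if meta["contributors"] <= 5:
        concerns.append(f"only {meta['contributors']} active contributors")
    if meta["open_critical_issues"] >= 50:
        concerns.append(f"{meta['open_critical_issues']} unresolved critical issues")
    category = license_category(meta["license"])
    if category in ("strong-copyleft", "proprietary-or-unknown"):
        concerns.append(f"license {meta['license']} is {category}")
    if meta.get("bundle_kb") is not None and meta["bundle_kb"] > 100:
        concerns.append(f"bundle size {meta['bundle_kb']} KB (>100 KB)")
    major = int(meta["version"].split(".")[0])
    major_upgrade = meta.get("current_major") is not None and major > meta["current_major"]
    if major_upgrade:
        concerns.append(f"major upgrade v{meta['current_major']} -> v{major}")
    # Anything off the pre-approved list needs a human decision, and a
    # major upgrade needs one even for a pre-approved package.
    needs_ask = meta["name"] not in PRE_APPROVED or major_upgrade
    return {"decision": "ask" if needs_ask else "install", "concerns": concerns}


def render_request(meta: dict, reason: str, alternatives: list,
                   today: date = TODAY) -> str:
    """Fill in the permission-request template from the section above."""
    result = assess(meta, today)
    lines = [
        f"I need to install `{meta['name']}` for {reason}.",
        f"Security: {meta['vulnerabilities']} known vulnerabilities",
        f"Maintenance: Last updated {meta['last_updated'].isoformat()}, {meta['stars']} stars",
        f"License: {meta['license']} ({license_category(meta['license'])})",
    ]
    if meta.get("bundle_kb") is not None:
        lines.append(f"Size: {meta['bundle_kb']} KB")
    lines.append("Alternatives considered:")
    lines.extend(f"- {name}: {why}" for name, why in alternatives)
    if result["concerns"]:
        lines.append("Concerns: " + "; ".join(result["concerns"]))
    lines.append("Approve installation?")
    return "\n".join(lines)


# Constructed metadata for a hypothetical package; not a real registry entry.
SAMPLE = {
    "name": "example-date-utils", "version": "3.1.0", "license": "AGPL-3.0-only",
    "last_updated": date(2023, 9, 1), "stars": 420, "contributors": 3,
    "open_critical_issues": 12, "vulnerabilities": 0, "bundle_kb": 140,
    "current_major": 2,
}

if __name__ == "__main__":
    print(render_request(SAMPLE, "timezone-aware date parsing",
                         [("dayjs", "needs a plugin for the feature")]))
```

The stars threshold is the checklist's figure for critical dependencies; the function reports it as a concern for every package so the reviewer sees it, rather than deciding on its own which dependencies are critical.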
Dependency Updates
Update Strategy
- Security patches: Apply immediately
- Minor versions: Monthly review
- Major versions: Quarterly review with testing
Update Process
- Check changelog for breaking changes
- Update in isolated branch
- Run full test suite
- Check for deprecation warnings
- Update documentation if API changed
Automated Updates
Configure Dependabot/Renovate for:
- Security patches: Auto-merge if tests pass
- Minor updates: Create PR for review
- Major updates: Create PR with manual review required
Supply Chain Security
Best Practices
- Verify package integrity: Check checksums/signatures
- Use private registry: For internal packages
- Scan dependencies: Regular vulnerability scanning
- Audit transitive deps: Check what your deps depend on
- Use SBOMs: Generate Software Bill of Materials
Red Flags
NEVER install packages that:
- Have no source code repository
- Were published <7 days ago with no history
- Have suspicious install scripts
- Request unusual permissions
- Have typosquatting names (e.g., `reqests` instead of `requests`)
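The red flags above can be checked before the install command runs. Added example (not part of the original skill text, and not any project's code): `red_flags` takes a registry-style record and returns every "never install" condition it trips, and `typosquat_candidates` flags names within one edit of a well-known package using Damerau-Levenshtein distance, which catches the dropped-letter and swapped-letter cases. `POPULAR_NAMES` is a constructed subset standing in for a registry's top-download list, and the two sample records are constructed, not real packages.

```python
from datetime import date

TODAY = date(2025, 1, 15)  # fixed "today" so the example runs reproducibly

# Constructed subset of well-known names; in practice use the registry's
# top-N download list.
POPULAR_NAMES = {"requests", "lodash", "express", "numpy", "react"}
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, popular=POPULAR_NAMES, max_distance: int = 1) -> list:
    """Popular names within `max_distance` edits of `name`, excluding itself."""
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_distance)


def red_flags(meta: dict, today: date = TODAY) -> list:
    """Return every 'never install' condition the package trips (empty = none).

    `meta` is registry-style data: name, repository (URL or None),
    first_published (date), versions (list), scripts (the package.json
    scripts table) and permissions (capabilities the package asks for).
    """
    flags = []
    if not meta.get("repository"):
        flags.append("no source code repository")
    age = (today - meta["first_published"]).days
    if age < 7 and len(meta.get("versions", [])) <= 1:
        flags.append(f"published {age} days ago with no release history")
    hooks = sorted(INSTALL_HOOKS & set(meta.get("scripts", {})))
    if hooks:
        flags.append("install hooks present (inspect before installing): " + ", ".join(hooks))
    if meta.get("permissions"):
        flags.append("requests permissions: " + ", ".join(meta["permissions"]))
    lookalikes = typosquat_candidates(meta["name"])
    if lookalikes:
        flags.append(f"name resembles {', '.join(lookalikes)} (possible typosquat)")
    return flags


# Constructed registry records for the check above (not real packages).
SUSPICIOUS = {
    "name": "reqests",
    "repository": None,
    "first_published": date(2025, 1, 12),
    "versions": ["0.0.1"],
    "scripts": {"postinstall": "node setup.js"},
    "permissions": [],
}
CLEAN = {
    "name": "fast-check",
    "repository": "https://example.invalid/fast-check",  # placeholder URL
    "first_published": date(2018, 1, 1),
    "versions": ["1.0.0", "2.0.0", "3.0.0"],
    "scripts": {"test": "vitest"},
    "permissions": [],
}

if __name__ == "__main__":
    for record in (SUSPICIOUS, CLEAN):
        print(record["name"], "->", red_flags(record) or ["no red flags"])
```

Any install hook is reported, not only ones that look suspicious, because deciding whether a hook is benign requires reading it; the presence of one is what should trigger that reading.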
Removal Process
When removing a dependency:
- Search codebase for imports/usage
- Remove from package.json/requirements.txt/go.mod
- Run `npm prune` / `pip uninstall` / `go mod tidy`
- Verify tests still pass
- Check bundle size reduction
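The first removal step, finding every import of the package, is easy to get wrong with a plain text search: `requests` would also match `requests_oauthlib`, and a subpath import such as `dayjs/plugin/utc` is easy to miss. As an added example (not from the original skill or any project), `find_usages` matches JavaScript/TypeScript `require`/`import` forms and Python `import`/`from` forms for the package and its subpaths only. `SAMPLE_TREE` is a constructed in-memory stand-in for walking the repository; for Python, pass the import name (which can differ from the distribution name on PyPI).

```python
import re

# Constructed source files keyed by path; stands in for walking the repo.
SAMPLE_TREE = {
    "src/server.js": "const express = require('express');\nimport dayjs from 'dayjs';\n",
    "src/util.ts": "import utc from 'dayjs/plugin/utc';\nexport const x = 1;\n",
    "app/main.py": "import requests\nfrom requests.adapters import HTTPAdapter\n",
    "app/other.py": "import json\n",
    "README.md": "We used to use dayjs here.\n",
}

SOURCE_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".py")


def import_pattern(package: str) -> re.Pattern:
    """Regex matching JS/TS and Python imports of `package` or its subpaths."""
    p = re.escape(package)
    return re.compile(
        rf"""(?:require\(\s*['"]{p}(?:/[^'"]*)?['"]\s*\)"""   # require('pkg/sub')
        rf"""|\bfrom\s+['"]{p}(?:/[^'"]*)?['"]"""              # import x from 'pkg'
        rf"""|\bimport\s*\(?\s*['"]{p}(?:/[^'"]*)?['"]"""      # import 'pkg'; import('pkg')
        rf"""|^\s*import\s+{p}(?:\.\w+)*(?:\s|$|,)"""            # import pkg (Python)
        rf"""|^\s*from\s+{p}(?:\.\w+)*\s+import\b)""",          # from pkg.sub import (Python)
        re.MULTILINE,
    )


def find_usages(package: str, tree: dict) -> list:
    """Return (path, line_number, line) for every import of `package`."""
    pattern = import_pattern(package)
    hits = []
    for path in sorted(tree):
        if not path.endswith(SOURCE_SUFFIXES):
            continue
        for number, line in enumerate(tree[path].splitlines(), 1):
            if pattern.search(line):
                hits.append((path, number, line.strip()))
    return hits


if __name__ == "__main__":
    for path, number, line in find_usages("dayjs", SAMPLE_TREE):
        print(f"{path}:{number}: {line}")
```

An empty result for the package is the precondition for editing the manifest and running `npm prune` / `pip uninstall` / `go mod tidy`; a non-empty one is the list of call sites to migrate first.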
Common Pitfalls
Over-dependency: Don't install a library for a simple function you can write in 10 lines.
Outdated packages: Regularly audit and update dependencies.
Dev vs Prod confusion: Keep dev dependencies separate.
Ignoring warnings: Address deprecation warnings promptly.
Quick Reference
| Action | NPM | Python | Go |
|---|---|---|---|
| Install | npm install --save-exact | poetry add | go get |
| Install dev | npm install --save-dev | poetry add --group dev | N/A |
| Update | npm update | poetry update | go get -u |
| Audit | npm audit | pip-audit | govulncheck |
| Remove | npm uninstall | poetry remove | go mod tidy |
| List | npm list | poetry show | go list -m all |
Integration with Agents
QA Engineer: Can autonomously install pre-approved testing libraries.
System/UI/DevOps Engineers: Must ask for non-pre-approved production dependencies.
Tech Lead: Reviews and approves dependency decisions.
Security Engineer: Audits dependencies during security review.
