>_

dev-dependency-management

Package and dependency management patterns across ecosystems (npm, pip, cargo, maven). Covers lockfiles, semantic versioning, dependency security scanning, update strategies, monorepo workspaces, transitive dependencies, and avoiding dependency hell.

$ Installieren

git clone https://github.com/vasilyu1983/AI-Agents-public /tmp/AI-Agents-public && cp -r /tmp/AI-Agents-public/frameworks/claude-code-kit/framework/skills/dev-dependency-management ~/.claude/skills/AI-Agents-public

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: dev-dependency-management description: Package and dependency management patterns across ecosystems (npm, pip, cargo, maven). Covers lockfiles, semantic versioning, dependency security scanning, update strategies, monorepo workspaces, transitive dependencies, and avoiding dependency hell.

Dependency Management — Production Patterns

Modern Best Practices (2025): Lockfile-first workflows, automated security scanning (Dependabot, Snyk), semantic versioning, minimal dependencies principle, monorepo workspaces (pnpm, Nx), supply chain security (SBOM, signatures), and reproducible builds.

When to Use This Skill

Claude should invoke this skill when a user requests:

  • Adding new dependencies to a project
  • Updating existing dependencies safely
  • Resolving dependency conflicts or version mismatches
  • Auditing dependencies for security vulnerabilities
  • Understanding lockfile management and reproducible builds
  • Setting up monorepo workspaces (pnpm, npm, yarn)
  • Managing transitive dependencies and overrides
  • Choosing between similar packages (bundle size, maintenance, security)
  • Dependency version constraints and semantic versioning
  • Dependency security best practices and supply chain security
  • Troubleshooting "dependency hell" scenarios
  • Package manager configuration and optimization
  • Creating reproducible builds across environments

Quick Reference

TaskTool/CommandKey ActionWhen to Use
Install from lockfilenpm ci, poetry install, cargo buildClean install, reproducibleCI/CD, production deployments
Add dependencynpm install <pkg>, poetry add <pkg>Updates lockfile automaticallyNew feature needs library
Update dependenciesnpm update, poetry update, cargo updateUpdates within version constraintsMonthly/quarterly maintenance
Check for vulnerabilitiesnpm audit, pip-audit, cargo auditScans for known CVEsBefore releases, weekly
View dependency treenpm ls, pnpm why, pipdeptreeShows transitive dependenciesDebugging conflicts
Override transitive depoverrides (npm), pnpm.overridesForce specific versionSecurity patch, conflict resolution
Monorepo setuppnpm workspaces, npm workspacesShared dependencies, cross-linkingMulti-package projects
Check outdatednpm outdated, poetry show --outdatedLists available updatesPlanning update sprints

Decision Tree: Dependency Management

User needs: [Dependency Task]
    ├─ Adding new dependency?
    │   ├─ Check: Do I really need this? (Can implement in <100 LOC?)
    │   ├─ Check: Is it well-maintained? (Last commit <6 months, >10k downloads/week)
    │   ├─ Check: Bundle size impact? (Use Bundlephobia for JS)
    │   ├─ Check: Security risks? (`npm audit`, Snyk)
    │   └─ If all checks pass → Add with `npm install <pkg>` → Commit lockfile
    │
    ├─ Updating dependencies?
    │   ├─ Security vulnerability? → `npm audit fix` → Test → Deploy immediately
    │   ├─ Routine update?
    │       ├─ Patch versions → `npm update` → Safe, do frequently
    │       ├─ Minor/major → Check CHANGELOG → Test in staging → Update gradually
    │       └─ All at once → ❌ RISKY → Update in batches instead
    │
    ├─ Dependency conflict?
    │   ├─ Transitive dependency issue?
    │       ├─ View tree: `npm ls <package>`
    │       ├─ Use overrides sparingly: `overrides` in package.json
    │       └─ Document why override is needed
    │   └─ Peer dependency mismatch?
    │       └─ Check version compatibility → Update parent or child
    │
    ├─ Monorepo project?
    │   ├─ Use pnpm workspaces (fastest, best)
    │   ├─ Shared deps → Root package.json
    │   ├─ Package-specific → Package directories
    │   └─ Use Nx or Turborepo for task caching
    │
    └─ Choosing package manager?
        ├─ New project → **pnpm** (3x faster, 1/3 disk space)
        ├─ Existing npm project → Migrate or stay (check team preference)
        ├─ Python → **Poetry** (apps), pip+venv (simple)
        └─ Data science → **conda** (environment management)

Navigation: Core Patterns

Lockfile Management

resources/lockfile-management.md

Lockfiles ensure reproducible builds by recording exact versions of all dependencies (direct + transitive). Essential for preventing "works on my machine" issues.

  • Golden rules (always commit, never edit manually, regenerate on changes)
  • Commands by ecosystem (npm ci, poetry install, cargo build)
  • Troubleshooting lockfile conflicts
  • CI/CD integration patterns

Semantic Versioning (SemVer)

resources/semver-guide.md

Understanding version constraints (^, ~, exact) and how to specify dependency ranges safely.

  • SemVer format (MAJOR.MINOR.PATCH)
  • Version constraint syntax (caret, tilde, exact)
  • Recommended strategies by project type
  • Cross-ecosystem version management

Dependency Security Auditing

resources/security-scanning.md

Automated security scanning, vulnerability management, and supply chain security best practices.

  • Automated tools (Dependabot, Snyk, GitHub Advanced Security)
  • Running audits (npm audit, pip-audit, cargo audit)
  • CI integration and alert configuration
  • Incident response workflows

Dependency Selection

resources/dependency-selection-guide.md

Deciding whether to add a new dependency and choosing between similar packages.

  • Minimal dependencies principle (best dependency is the one you don't add)
  • Evaluation checklist (maintenance, bundle size, security, alternatives)
  • Choosing between similar packages (comparison matrix)
  • When to reject a dependency

Update Strategies

resources/update-strategies.md

Keeping dependencies up to date safely while minimizing breaking changes and security risks.

  • Update strategies (continuous, scheduled, security-only)
  • Safe update workflow (check outdated, categorize risk, test, deploy)
  • Automated update tools (Dependabot, Renovate, npm-check-updates)
  • Handling breaking changes and rollback plans

Monorepo Management

resources/monorepo-patterns.md

Managing multiple related packages in a single repository with shared dependencies.

  • Workspace tools (pnpm, npm, yarn workspaces)
  • Monorepo structure and organization
  • Build optimization (Nx, Turborepo)
  • Versioning and publishing strategies

Transitive Dependencies

resources/transitive-dependencies.md

Dealing with dependencies of your dependencies (indirect dependencies).

  • Viewing dependency trees (npm ls, pnpm why, pipdeptree)
  • Resolving transitive conflicts (overrides, resolutions, constraints)
  • Security risks and version conflicts
  • Best practices (use sparingly, document, test)

Ecosystem-Specific Guides

resources/ecosystem-guides.md

Language and package-manager-specific best practices.

  • Node.js (npm, yarn, pnpm comparison and best practices)
  • Python (pip, poetry, conda)
  • Rust (cargo), Go (go mod), Java (maven, gradle)
  • PHP (composer), .NET (nuget)

Anti-Patterns

resources/anti-patterns.md

Common mistakes to avoid when managing dependencies.

  • Critical anti-patterns (not committing lockfiles, wildcards, ignoring audits)
  • Dangerous anti-patterns (never updating, deprecated packages)
  • Moderate anti-patterns (overusing overrides, ignoring peer deps)

Navigation: Templates

Node.js

templates/nodejs/

Python

templates/python/

Automation

templates/automation/

Quick Decision Matrix

ScenarioRecommendation
Adding new dependencyCheck Bundlephobia, npm audit, weekly downloads, last commit
Updating dependenciesUse npm outdated, update in batches, test in staging
Security vulnerability foundUse npm audit fix, review CHANGELOG, test, deploy immediately
Monorepo setupUse pnpm workspaces or Nx/Turborepo for build caching
Transitive conflictUse overrides sparingly, document why, test thoroughly
Choosing package managerpnpm (fastest), npm (most compatible), yarn (good middle)
Python environmentPoetry (apps), pip+venv (simple), conda (data science)

Core Principles

1. Always Commit Lockfiles

Lockfiles ensure reproducible builds across environments. Never add them to .gitignore.

Exception: Don't commit Cargo.lock for Rust libraries (only for applications).

2. Use Semantic Versioning

Use caret (^) for most dependencies, exact versions for mission-critical, avoid wildcards (*).

{
  "dependencies": {
    "express": "^4.18.0",  // Allows patches and minors
    "critical-lib": "1.2.3"  // Exact for critical
  }
}

3. Audit Dependencies Regularly

Run security audits weekly, fix critical vulnerabilities immediately.

npm audit
npm audit fix

4. Minimize Dependencies

The best dependency is the one you don't add. Ask: Can I implement this in <100 LOC?

5. Update Regularly

Update monthly or quarterly. Don't let technical debt accumulate.

npm outdated
npm update

6. Use Overrides Sparingly

Only override transitive dependencies for security patches or conflicts. Document why.

{
  "overrides": {
    "axios": "1.6.0"  // CVE-2023-xxxxx fix
  }
}

Related Skills

For complementary workflows and deeper dives:

External Resources

See data/sources.json for 82 curated resources:

  • Package managers: npm, pnpm, Yarn, pip, Poetry, Cargo, Go modules, Maven, Composer
  • Semantic versioning: SemVer spec, version calculators, constraint references
  • Security tools: Snyk, Dependabot, GitHub Advanced Security, OWASP Dependency-Check, pip-audit, cargo-audit, Socket.dev, Renovate
  • Lockfile management: Official docs for package-lock.json, poetry.lock, Cargo.lock, pnpm-lock.yaml
  • Monorepo tools: pnpm workspaces, npm workspaces, Yarn workspaces, Nx, Turborepo, Lerna, Bazel
  • Analysis tools: Bundlephobia, npm-check-updates, depcheck, pipdeptree, cargo tree
  • Supply chain security: SLSA framework, SBOM (CISA), Sigstore, npm provenance, OpenSSF Scorecard
  • Best practices: npm/Poetry/Cargo guides, ACM Queue articles, dependency hell references
  • Version management: nvm, pyenv, rustup, asdf
  • Learning resources: npm guides, Python Packaging User Guide, Rust Book, Monorepo.tools

Usage Notes

For Claude:

  • Use this skill when users need dependency management guidance
  • Reference specific resources based on the task (lockfiles, security, updates)
  • Provide ecosystem-specific guidance (Node.js, Python, Rust)
  • Always recommend security audits and reproducible builds
  • Encourage minimal dependencies and regular updates
  • Link to templates for common configurations

Best Practices:

  • Always commit lockfiles (except Cargo.lock for libraries)
  • Use semantic versioning (caret for most deps, exact for critical)
  • Audit dependencies weekly (npm audit, pip-audit, cargo audit)
  • Update dependencies monthly or quarterly (not all at once)
  • Choose package manager based on project needs (pnpm for speed, Poetry for Python apps)
  • Document dependency choices in ADRs (Architecture Decision Records)

Success Criteria: Dependencies are minimal, well-maintained, secure, reproducible across environments, and regularly audited for vulnerabilities.

Repository

vasilyu1983
vasilyu1983
Author
vasilyu1983/AI-Agents-public/frameworks/claude-code-kit/framework/skills/dev-dependency-management
21
Stars
6
Forks
Updated5d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-creator
openai/codex
54.7k
Plugin Settings
anthropics/claude-code
47.9k
MCP Integration
anthropics/claude-code
47.9k
payload
payloadcms/payload
39.0k
creating-financial-models
anthropics/claude-cookbooks
28.3k