dev-dependency-management
Dependency Management — Production Patterns
Modern Best Practices (January 2026): Lockfile-first workflows, automated security scanning (Dependabot, Snyk, Socket.dev), semantic versioning, minimal dependencies principle, monorepo workspaces (pnpm, Nx, Turborepo), supply chain security (SBOM, AI BOM, Sigstore), reproducible builds, and AI-generated code validation.
When to Use This Skill
The agent should invoke this skill when a user requests:
- Adding new dependencies to a project
- Updating existing dependencies safely
- Resolving dependency conflicts or version mismatches
- Auditing dependencies for security vulnerabilities
- Understanding lockfile management and reproducible builds
- Setting up monorepo workspaces (pnpm, npm, yarn)
- Managing transitive dependencies and overrides
- Choosing between similar packages (bundle size, maintenance, security)
- Dependency version constraints and semantic versioning
- Dependency security best practices and supply chain security
- Troubleshooting "dependency hell" scenarios
- Package manager configuration and optimization
- Creating reproducible builds across environments
Quick Reference
| Task | Tool/Command | Key Action | When to Use |
|---|---|---|---|
| Install from lockfile | npm ci, poetry install, cargo build |
Clean install, reproducible | CI/CD, production deployments |
| Add dependency | npm install <pkg>, poetry add <pkg> |
Updates lockfile automatically | New feature needs library |
| Update dependencies | npm update, poetry update, cargo update |
Updates within version constraints | Monthly/quarterly maintenance |
| Check for vulnerabilities | npm audit, pip-audit, cargo audit |
Scans for known CVEs | Before releases, weekly |
| View dependency tree | npm ls, pnpm why, pipdeptree |
Shows transitive dependencies | Debugging conflicts |
| Override transitive dep | overrides (npm), pnpm.overrides |
Force specific version | Security patch, conflict resolution |
| Monorepo setup | pnpm workspaces, npm workspaces |
Shared dependencies, cross-linking | Multi-package projects |
| Check outdated | npm outdated, poetry show --outdated |
Lists available updates | Planning update sprints |
Decision Tree: Dependency Management
User needs: [Dependency Task]
├─ Adding new dependency?
│ ├─ Check: Do I really need this? (Can implement in <100 LOC?)
│ ├─ Check: Is it well-maintained? (Last commit <6 months, >10k downloads/week)
│ ├─ Check: Bundle size impact? (Use Bundlephobia for JS)
│ ├─ Check: Security risks? (`npm audit`, Snyk)
│ └─ If all checks pass → Add with `npm install <pkg>` → Commit lockfile
│
├─ Updating dependencies?
│ ├─ Security vulnerability? → `npm audit fix` → Test → Deploy immediately
│ ├─ Routine update?
│ ├─ Patch versions → `npm update` → Safe, do frequently
│ ├─ Minor/major → Check CHANGELOG → Test in staging → Update gradually
│ └─ All at once → [FAIL] RISKY → Update in batches instead
│
├─ Dependency conflict?
│ ├─ Transitive dependency issue?
│ ├─ View tree: `npm ls <package>`
│ ├─ Use overrides sparingly: `overrides` in package.json
│ └─ Document why override is needed
│ └─ Peer dependency mismatch?
│ └─ Check version compatibility → Update parent or child
│
├─ Monorepo project?
│ ├─ Use pnpm workspaces (recommended default)
│ ├─ Shared deps → Root package.json
│ ├─ Package-specific → Package directories
│ └─ Use Nx or Turborepo for task caching
│
└─ Choosing package manager?
├─ New JS project → **pnpm** (recommended default) or **Bun** (often faster; verify ecosystem maturity)
├─ Enterprise monorepo → **pnpm** (mature workspace support)
├─ Speed-focused experimentation → **Bun** (verify ecosystem maturity)
├─ Existing npm project → Migrate to pnpm or stay (check team preference)
├─ Python → **uv** (fast), Poetry (mature), pip+venv (simple)
└─ Data science → **conda** or **uv** (faster environment setup)
Navigation: Core Patterns
Lockfile Management
references/lockfile-management.md
Lockfiles ensure reproducible builds by recording exact versions of all dependencies (direct + transitive). Essential for preventing "works on my machine" issues.
- Golden rules (always commit, never edit manually, regenerate on changes)
- Commands by ecosystem (npm ci, poetry install, cargo build)
- Troubleshooting lockfile conflicts
- CI/CD integration patterns
Semantic Versioning (SemVer)
Understanding version constraints (^, ~, exact) and how to specify dependency ranges safely.
- SemVer format (MAJOR.MINOR.PATCH)
- Version constraint syntax (caret, tilde, exact)
- Recommended strategies by project type
- Cross-ecosystem version management
Dependency Security Auditing
references/security-scanning.md
Automated security scanning, vulnerability management, and supply chain security best practices.
- Automated tools (Dependabot, Snyk, GitHub Advanced Security)
- Running audits (npm audit, pip-audit, cargo audit)
- CI integration and alert configuration
- Incident response workflows
Dependency Selection
references/dependency-selection-guide.md
Deciding whether to add a new dependency and choosing between similar packages.
- Minimal dependencies principle (best dependency is the one you don't add)
- Evaluation checklist (maintenance, bundle size, security, alternatives)
- Choosing between similar packages (comparison matrix)
- When to reject a dependency
Update Strategies
references/update-strategies.md
Keeping dependencies up to date safely while minimizing breaking changes and security risks.
- Update strategies (continuous, scheduled, security-only)
- Safe update workflow (check outdated, categorize risk, test, deploy)
- Automated update tools (Dependabot, Renovate, npm-check-updates)
- Handling breaking changes and rollback plans
Monorepo Management
references/monorepo-patterns.md
Managing multiple related packages in a single repository with shared dependencies.
- Workspace tools (pnpm, npm, yarn workspaces)
- Monorepo structure and organization
- Build optimization (Nx, Turborepo)
- Versioning and publishing strategies
Transitive Dependencies
references/transitive-dependencies.md
Dealing with dependencies of your dependencies (indirect dependencies).
- Viewing dependency trees (npm ls, pnpm why, pipdeptree)
- Resolving transitive conflicts (overrides, resolutions, constraints)
- Security risks and version conflicts
- Best practices (use sparingly, document, test)
Ecosystem-Specific Guides
references/ecosystem-guides.md
Language and package-manager-specific best practices.
- Node.js (npm, yarn, pnpm comparison and best practices)
- Python (pip, poetry, conda)
- Rust (cargo), Go (go mod), Java (maven, gradle)
- PHP (composer), .NET (nuget)
Anti-Patterns
Common mistakes to avoid when managing dependencies.
- Critical anti-patterns (not committing lockfiles, wildcards, ignoring audits)
- Dangerous anti-patterns (never updating, deprecated packages)
- Moderate anti-patterns (overusing overrides, ignoring peer deps)
Container Dependency Patterns
references/container-dependency-patterns.md
Managing dependencies in containerized environments (Docker, OCI).
- Multi-stage builds, layer caching, base image selection
- Runtime vs build dependencies, image scanning, reproducible images
Version Conflict Resolution
references/version-conflict-resolution.md
Systematic approaches to resolving dependency version conflicts.
- Diamond dependency problems, resolution algorithms by ecosystem
- Override strategies, compatibility matrices, migration paths
License Compliance
references/license-compliance.md
Open-source license management and compliance automation.
- License compatibility matrix, copyleft vs permissive, SPDX identifiers
- Automated scanning (FOSSA, license-checker), policy enforcement in CI
Navigation: Templates
Node.js
package-json-template.json- Production-ready package.json with best practicesnpmrc-template.txt- Team configuration for npmpnpm-workspace-template.yaml- Monorepo workspace setup
Python
pyproject-toml-template.toml- Poetry configuration with best practices
Automation
dependabot-config.yml- GitHub Dependabot configurationrenovate-config.json- Renovate Bot configurationaudit-checklist.md- Security audit workflowtemplate-supply-chain-security.md- NEW SBOM, provenance, vulnerability managementtemplate-dependency-upgrade-playbook.md- Upgrade batching, rollout, rollbacktemplate-sbom-vuln-triage-checklist.md- SBOM mapping + vulnerability triage
Supply Chain Security
assets/automation/template-supply-chain-security.md — Production-grade dependency security covering SBOM generation (CycloneDX/SPDX), provenance and attestation (SLSA, Sigstore), vulnerability management SLAs, upgrade playbooks, and EU Cyber Resilience Act requirements.
Key rules: generate SBOM per release, sign artifacts (Sigstore/cosign), run audit scans in CI, fix critical CVEs within 24 hours, use npm ci (never npm install) in pipelines, batch non-security updates by risk level.
Related templates:
- assets/automation/template-dependency-upgrade-playbook.md
- assets/automation/template-sbom-vuln-triage-checklist.md
AI-Generated Dependency Risks
WARNING: AI coding agents can introduce vulnerable or non-existent packages at scale (Endor Labs, 2025).
The Problem
AI tools accelerate coding but introduce supply chain risks:
- Hallucinated packages — AI suggests packages that don't exist (typosquatting vectors)
- Vulnerable dependencies — AI recommends outdated or CVE-affected versions
- Unnecessary dependencies — AI over-relies on packages for simple tasks
Best Practices
| Do | Don't |
|---|---|
| Treat AI-generated code as untrusted third-party input | Blindly accept AI dependency suggestions |
| Enforce same SAST/SCA scanning for AI-generated code | Skip security review for "AI-written" code |
| Verify all AI-suggested packages actually exist | Trust AI to know current package versions |
| Integrate security tools into AI workflows (MCP) | Allow AI to add dependencies without review |
| Vet MCP servers as part of supply chain | Use unvetted AI integrations |
Validation Checklist
Before accepting AI-suggested dependencies:
- Package exists on registry (npm, PyPI, crates.io)
- Package name is spelled correctly (no typosquatting)
- Version is current and maintained
-
npm audit/pip-auditshows no vulnerabilities - Weekly downloads >1000 (established package)
- Last commit <6 months (actively maintained)
Optional: AI/Automation
Note: AI assists with triage but security decisions need human judgment.
- Automated PR triage — Categorize dependency updates by risk
- Changelog summarization — Summarize breaking changes in updates
- Vulnerability correlation — Link CVEs to affected packages
Bounded Claims
- AI cannot determine business risk acceptance
- Automated fixes require security team review
- Vulnerability severity context needs human validation
Quick Decision Matrix
| Scenario | Recommendation |
|---|---|
| Adding new dependency | Check Bundlephobia, npm audit, weekly downloads, last commit |
| Updating dependencies | Use npm outdated, update in batches, test in staging |
| Security vulnerability found | Use npm audit fix, review CHANGELOG, test, deploy immediately |
| Monorepo setup | Use pnpm workspaces or Nx/Turborepo for build caching |
| Transitive conflict | Use overrides sparingly, document why, test thoroughly |
| Choosing JS package manager | pnpm (fastest, disk-efficient), Bun (7× faster), npm (most compatible) |
| Python environment | uv (10-100× faster), Poetry (mature), pip+venv (simple), conda (data science) |
Core Principles
1. Always Commit Lockfiles
Lockfiles ensure reproducible builds across environments. Never add them to .gitignore.
Exception: Don't commit Cargo.lock for Rust libraries (only for applications).
2. Use Semantic Versioning
Use caret (^) for most dependencies, exact versions for mission-critical, avoid wildcards (*). See references/semver-guide.md for constraint syntax and strategies.
3. Audit Dependencies Regularly
Run npm audit / pip-audit / cargo audit weekly; fix critical vulnerabilities immediately. See references/security-scanning.md.
4. Minimize Dependencies
The best dependency is the one you don't add. Ask: Can I implement this in <100 LOC? See references/dependency-selection-guide.md.
5. Update Regularly
Update monthly or quarterly in batches — do not update all at once. See references/update-strategies.md.
6. Use Overrides Sparingly
Only override transitive dependencies for security patches or conflicts. Document why in a comment (// CVE-2023-xxxxx fix). See references/transitive-dependencies.md.
Related Skills
For complementary workflows and deeper dives:
dev-api-design- API versioning strategies, dependency injection patternsdev-git-workflow- Git workflows for managing lockfile conflicts, branching strategiesqa-testing-strategy- Testing strategies for dependency updates, integration testingsoftware-security-appsec- OWASP Top 10, cryptography standards, authentication patternsops-devops-platform- CI/CD pipelines, Docker containerization, DevSecOps, deployment automationdocs-codebase- Documenting dependency choices, ADRs, changelogs
External Resources
See data/sources.json for curated resources:
- Package managers: npm, pnpm, Yarn, pip, Poetry, Cargo, Go modules, Maven, Composer
- Semantic versioning: SemVer spec, version calculators, constraint references
- Security tools: Snyk, Dependabot, GitHub Advanced Security, OWASP Dependency-Check, pip-audit, cargo-audit, Socket.dev, Renovate
- Lockfile management: Official docs for package-lock.json, poetry.lock, Cargo.lock, pnpm-lock.yaml
- Monorepo tools: pnpm workspaces, npm workspaces, Yarn workspaces, Nx, Turborepo, Lerna, Bazel
- Analysis tools: Bundlephobia, npm-check-updates, depcheck, pipdeptree, cargo tree
- Supply chain security: SLSA framework, SBOM (CISA), Sigstore, npm provenance, OpenSSF Scorecard
- Best practices: npm/Poetry/Cargo guides, ACM Queue articles, dependency hell references
- Version management: nvm, pyenv, rustup, asdf
- Learning resources: npm guides, Python Packaging User Guide, Rust Book, Monorepo.tools
Usage Notes
For Codex / Claude Code:
- Use this skill when users need dependency management guidance
- Reference specific resources based on the task (lockfiles, security, updates)
- Provide ecosystem-specific guidance (Node.js, Python, Rust)
- Always recommend security audits and reproducible builds
- Encourage minimal dependencies and regular updates
- Link to templates for common configurations
Best Practices:
- Always commit lockfiles (except Cargo.lock for libraries)
- Use semantic versioning (caret for most deps, exact for critical)
- Audit dependencies weekly (
npm audit,pip-audit,cargo audit) - Update dependencies monthly or quarterly (not all at once)
- Choose package manager based on project needs (pnpm for speed, Poetry for Python apps)
- Document dependency choices in ADRs (Architecture Decision Records)
Success Criteria: Dependencies are minimal, well-maintained, secure, reproducible across environments, and regularly audited for vulnerabilities.
Trend Awareness Protocol
IMPORTANT: When users ask recommendation questions about package managers, dependency tools, or supply chain security, you MUST use WebSearch to check current trends before answering.
Trigger Conditions
- "What's the best package manager for [ecosystem]?"
- "What should I use for [dependency management/security]?"
- "What's the latest in dependency management?"
- "Current best practices for [npm/pnpm/Poetry]?"
- "Is [tool/approach] still relevant in 2026?"
- "[pnpm] vs [npm] vs [yarn]?"
- "Best dependency security scanner?"
Required Searches
- Search:
"dependency management best practices 2026" - Search:
"[specific tool] vs alternatives 2026" - Search:
"supply chain security trends January 2026" - Search:
"[package manager] features 2026"
What to Report
After searching, provide:
- Current landscape: What dependency tools are popular NOW
- Emerging trends: New package managers, security tools, or patterns gaining traction
- Deprecated/declining: Tools/approaches losing relevance or support
- Recommendation: Based on fresh data, not just static knowledge
Example Topics (verify with fresh search)
- Package managers (pnpm, npm, yarn, Poetry, uv for Python)
- Security scanning (Snyk, Dependabot, Socket.dev)
- Supply chain security (SBOM, Sigstore, SLSA)
- Monorepo tools (Nx, Turborepo, Bazel)
- Lockfile and reproducibility patterns
- Automated dependency updates (Renovate, Dependabot)
Ops Preflight: Dependency and Toolchain Health (for LLM Agents)
Run this before build/test/edit loops to prevent avoidable churn such as next: command not found.
# 1) Runtime + package manager sanity
node -v
npm -v
# 2) Lockfile and install mode
ls -1 package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
test -d node_modules || npm ci
# 3) Verify framework binaries resolve
npx next --version 2>/dev/null || echo "next missing"
npx eslint --version 2>/dev/null || echo "eslint missing"
# 4) Surface dependency graph issues early
npm ls --depth=0
Remediation Rules
- If binary missing: install from lockfile, do not ad-hoc install random versions.
- If lockfile drift detected: re-install using project standard tool (
npm ci,pnpm install --frozen-lockfile, etc). - If peer dependency conflict appears, fix root cause before continuing broad edits.
- Cache these checks at session start for long agent runs.
Fact-Checking
- Use web search/web fetch to verify current external facts, versions, pricing, deadlines, regulations, or platform behavior before final answers.
- Prefer primary sources; report source links and dates for volatile information.
- If web access is unavailable, state the limitation and mark guidance as unverified.