dev-dependency-management

Dependency Management — Production Patterns

Modern Best Practices (January 2026): Lockfile-first workflows, automated security scanning (Dependabot, Snyk, Socket.dev), semantic versioning, minimal dependencies principle, monorepo workspaces (pnpm, Nx, Turborepo), supply chain security (SBOM, AI BOM, Sigstore), reproducible builds, and AI-generated code validation.

When to Use This Skill

The agent should invoke this skill when a user requests:

Adding new dependencies to a project Updating existing dependencies safely Resolving dependency conflicts or version mismatches Auditing dependencies for security vulnerabilities Understanding lockfile management and reproducible builds Setting up monorepo workspaces (pnpm, npm, yarn) Managing transitive dependencies and overrides Choosing between similar packages (bundle size, maintenance, security) Dependency version constraints and semantic versioning Dependency security best practices and supply chain security Troubleshooting "dependency hell" scenarios Package manager configuration and optimization Creating reproducible builds across environments Quick Reference Task Tool/Command Key Action When to Use Install from lockfile npm ci, poetry install, cargo build Clean install, reproducible CI/CD, production deployments Add dependency npm install , poetry add Updates lockfile automatically New feature needs library Update dependencies npm update, poetry update, cargo update Updates within version constraints Monthly/quarterly maintenance Check for vulnerabilities npm audit, pip-audit, cargo audit Scans for known CVEs Before releases, weekly View dependency tree npm ls, pnpm why, pipdeptree Shows transitive dependencies Debugging conflicts Override transitive dep overrides (npm), pnpm.overrides Force specific version Security patch, conflict resolution Monorepo setup pnpm workspaces, npm workspaces Shared dependencies, cross-linking Multi-package projects Check outdated npm outdated, poetry show --outdated Lists available updates Planning update sprints Decision Tree: Dependency Management User needs: [Dependency Task] ├─ Adding new dependency? │ ├─ Check: Do I really need this? (Can implement in <100 LOC?) │ ├─ Check: Is it well-maintained? (Last commit <6 months, >10k downloads/week) │ ├─ Check: Bundle size impact? (Use Bundlephobia for JS) │ ├─ Check: Security risks? (npm audit, Snyk) │ └─ If all checks pass → Add with npm install <pkg> → Commit lockfile │ ├─ Updating dependencies? │ ├─ Security vulnerability? → npm audit fix → Test → Deploy immediately │ ├─ Routine update? │ ├─ Patch versions → npm update → Safe, do frequently │ ├─ Minor/major → Check CHANGELOG → Test in staging → Update gradually │ └─ All at once → [FAIL] RISKY → Update in batches instead │ ├─ Dependency conflict? │ ├─ Transitive dependency issue? │ ├─ View tree: npm ls <package> │ ├─ Use overrides sparingly: overrides in package.json │ └─ Document why override is needed │ └─ Peer dependency mismatch? │ └─ Check version compatibility → Update parent or child │ ├─ Monorepo project? │ ├─ Use pnpm workspaces (recommended default) │ ├─ Shared deps → Root package.json │ ├─ Package-specific → Package directories │ └─ Use Nx or Turborepo for task caching │ └─ Choosing package manager? ├─ New JS project → pnpm (recommended default) or Bun (often faster; verify ecosystem maturity) ├─ Enterprise monorepo → pnpm (mature workspace support) ├─ Speed-focused experimentation → Bun (verify ecosystem maturity) ├─ Existing npm project → Migrate to pnpm or stay (check team preference) ├─ Python → uv (fast), Poetry (mature), pip+venv (simple) └─ Data science → conda or uv (faster environment setup)

Navigation: Core Patterns Lockfile Management

references/lockfile-management.md

Lockfiles ensure reproducible builds by recording exact versions of all dependencies (direct + transitive). Essential for preventing "works on my machine" issues.

Golden rules (always commit, never edit manually, regenerate on changes) Commands by ecosystem (npm ci, poetry install, cargo build) Troubleshooting lockfile conflicts CI/CD integration patterns Semantic Versioning (SemVer)

references/semver-guide.md

Understanding version constraints (^, ~, exact) and how to specify dependency ranges safely.

SemVer format (MAJOR.MINOR.PATCH) Version constraint syntax (caret, tilde, exact) Recommended strategies by project type Cross-ecosystem version management Dependency Security Auditing

references/security-scanning.md

Automated security scanning, vulnerability management, and supply chain security best practices.

Automated tools (Dependabot, Snyk, GitHub Advanced Security) Running audits (npm audit, pip-audit, cargo audit) CI integration and alert configuration Incident response workflows Dependency Selection

references/dependency-selection-guide.md

Deciding whether to add a new dependency and choosing between similar packages.

Minimal dependencies principle (best dependency is the one you don't add) Evaluation checklist (maintenance, bundle size, security, alternatives) Choosing between similar packages (comparison matrix) When to reject a dependency Update Strategies

references/update-strategies.md

Keeping dependencies up to date safely while minimizing breaking changes and security risks.

Update strategies (continuous, scheduled, security-only) Safe update workflow (check outdated, categorize risk, test, deploy) Automated update tools (Dependabot, Renovate, npm-check-updates) Handling breaking changes and rollback plans Monorepo Management

references/monorepo-patterns.md

Managing multiple related packages in a single repository with shared dependencies.

Workspace tools (pnpm, npm, yarn workspaces) Monorepo structure and organization Build optimization (Nx, Turborepo) Versioning and publishing strategies Transitive Dependencies

references/transitive-dependencies.md

Dealing with dependencies of your dependencies (indirect dependencies).

Viewing dependency trees (npm ls, pnpm why, pipdeptree) Resolving transitive conflicts (overrides, resolutions, constraints) Security risks and version conflicts Best practices (use sparingly, document, test) Ecosystem-Specific Guides

references/ecosystem-guides.md

Language and package-manager-specific best practices.

Node.js (npm, yarn, pnpm comparison and best practices) Python (pip, poetry, conda) Rust (cargo), Go (go mod), Java (maven, gradle) PHP (composer), .NET (nuget) Anti-Patterns

references/anti-patterns.md

Common mistakes to avoid when managing dependencies.

Critical anti-patterns (not committing lockfiles, wildcards, ignoring audits) Dangerous anti-patterns (never updating, deprecated packages) Moderate anti-patterns (overusing overrides, ignoring peer deps) Navigation: Templates Node.js

assets/nodejs/

package-json-template.json - Production-ready package.json with best practices npmrc-template.txt - Team configuration for npm pnpm-workspace-template.yaml - Monorepo workspace setup Python

assets/python/

pyproject-toml-template.toml - Poetry configuration with best practices Automation

assets/automation/

dependabot-config.yml - GitHub Dependabot configuration renovate-config.json - Renovate Bot configuration audit-checklist.md - Security audit workflow template-supply-chain-security.md - NEW SBOM, provenance, vulnerability management template-dependency-upgrade-playbook.md - Upgrade batching, rollout, rollback template-sbom-vuln-triage-checklist.md - SBOM mapping + vulnerability triage Supply Chain Security

assets/automation/template-supply-chain-security.md — Production-grade dependency security.

Related templates:

assets/automation/template-dependency-upgrade-playbook.md assets/automation/template-sbom-vuln-triage-checklist.md Key Sections SBOM Generation — CycloneDX, SPDX formats; CI/CD integration AI BOM (Emerging) — Extended SBOM for AI-native systems (models, datasets, training artifacts) Provenance & Attestation — SLSA levels, Sigstore signing, npm provenance Vulnerability Management — Triage workflow, severity SLAs, scanning tools Upgrade Playbooks — Batching strategy, rollback procedures Pinning & Reproducibility — Lockfiles, hash pinning, version constraints EU Cyber Resilience Act — SBOM requirements effective Dec 2027 Do / Avoid GOOD: Do Generate SBOM for every release Sign release artifacts (Sigstore/cosign) Run vulnerability scans in CI/CD Fix critical vulnerabilities within 24 hours Use lockfiles for reproducible builds Verify npm package provenance Batch non-security updates by risk level BAD: Avoid Publishing without SBOM Using unsigned packages in production Ignoring vulnerability scanner output Updating all dependencies at once Using wildcard version ranges (*, >=) Committing without updating lockfile Bypassing security gates "just this once" Anti-Patterns Anti-Pattern Problem Fix No SBOM Can't respond to supply chain attacks Generate SBOM in CI/CD Unsigned artifacts Tampering undetectable Sign with Sigstore Floating versions Build not reproducible Use lockfiles + exact versions All-at-once updates Hard to bisect regressions Batch by risk level npm install in CI Non-deterministic Use npm ci No audit gate Vulnerabilities ship to prod Gate deployments on audit AI-Generated Dependency Risks

WARNING: AI coding agents can introduce vulnerable or non-existent packages at scale (Endor Labs, 2025).

The Problem

AI tools accelerate coding but introduce supply chain risks:

Hallucinated packages — AI suggests packages that don't exist (typosquatting vectors) Vulnerable dependencies — AI recommends outdated or CVE-affected versions Unnecessary dependencies — AI over-relies on packages for simple tasks Best Practices Do Don't Treat AI-generated code as untrusted third-party input Blindly accept AI dependency suggestions Enforce same SAST/SCA scanning for AI-generated code Skip security review for "AI-written" code Verify all AI-suggested packages actually exist Trust AI to know current package versions Integrate security tools into AI workflows (MCP) Allow AI to add dependencies without review Vet MCP servers as part of supply chain Use unvetted AI integrations Validation Checklist

Before accepting AI-suggested dependencies:

Package exists on registry (npm, PyPI, crates.io) Package name is spelled correctly (no typosquatting) Version is current and maintained npm audit / pip-audit shows no vulnerabilities Weekly downloads >1000 (established package) Last commit <6 months (actively maintained) Optional: AI/Automation

Note: AI assists with triage but security decisions need human judgment.

Automated PR triage — Categorize dependency updates by risk Changelog summarization — Summarize breaking changes in updates Vulnerability correlation — Link CVEs to affected packages Bounded Claims AI cannot determine business risk acceptance Automated fixes require security team review Vulnerability severity context needs human validation Quick Decision Matrix Scenario Recommendation Adding new dependency Check Bundlephobia, npm audit, weekly downloads, last commit Updating dependencies Use npm outdated, update in batches, test in staging Security vulnerability found Use npm audit fix, review CHANGELOG, test, deploy immediately Monorepo setup Use pnpm workspaces or Nx/Turborepo for build caching Transitive conflict Use overrides sparingly, document why, test thoroughly Choosing JS package manager pnpm (fastest, disk-efficient), Bun (7× faster), npm (most compatible) Python environment uv (10-100× faster), Poetry (mature), pip+venv (simple), conda (data science) Core Principles 1. Always Commit Lockfiles

Lockfiles ensure reproducible builds across environments. Never add them to .gitignore.

Exception: Don't commit Cargo.lock for Rust libraries (only for applications).

1. Use Semantic Versioning

Use caret (^) for most dependencies, exact versions for mission-critical, avoid wildcards (*).

{ "dependencies": { "express": "^4.18.0", // Allows patches and minors "critical-lib": "1.2.3" // Exact for critical } }

1. Audit Dependencies Regularly

Run security audits weekly, fix critical vulnerabilities immediately.

npm audit npm audit fix

1. Minimize Dependencies

The best dependency is the one you don't add. Ask: Can I implement this in <100 LOC?

1. Update Regularly

Update monthly or quarterly. Don't let technical debt accumulate.

npm outdated npm update

1. Use Overrides Sparingly

Only override transitive dependencies for security patches or conflicts. Document why.

{ "overrides": { "axios": "1.6.0" // CVE-2023-xxxxx fix } }

Related Skills

For complementary workflows and deeper dives:

dev-api-design - API versioning strategies, dependency injection patterns git-workflow - Git workflows for managing lockfile conflicts, branching strategies qa-testing-strategy - Testing strategies for dependency updates, integration testing software-security-appsec - OWASP Top 10, cryptography standards, authentication patterns ops-devops-platform - CI/CD pipelines, Docker containerization, DevSecOps, deployment automation docs-codebase - Documenting dependency choices, ADRs, changelogs External Resources

See data/sources.json for curated resources:

Package managers: npm, pnpm, Yarn, pip, Poetry, Cargo, Go modules, Maven, Composer Semantic versioning: SemVer spec, version calculators, constraint references Security tools: Snyk, Dependabot, GitHub Advanced Security, OWASP Dependency-Check, pip-audit, cargo-audit, Socket.dev, Renovate Lockfile management: Official docs for package-lock.json, poetry.lock, Cargo.lock, pnpm-lock.yaml Monorepo tools: pnpm workspaces, npm workspaces, Yarn workspaces, Nx, Turborepo, Lerna, Bazel Analysis tools: Bundlephobia, npm-check-updates, depcheck, pipdeptree, cargo tree Supply chain security: SLSA framework, SBOM (CISA), Sigstore, npm provenance, OpenSSF Scorecard Best practices: npm/Poetry/Cargo guides, ACM Queue articles, dependency hell references Version management: nvm, pyenv, rustup, asdf Learning resources: npm guides, Python Packaging User Guide, Rust Book, Monorepo.tools Usage Notes

For Codex / Claude Code:

Use this skill when users need dependency management guidance Reference specific resources based on the task (lockfiles, security, updates) Provide ecosystem-specific guidance (Node.js, Python, Rust) Always recommend security audits and reproducible builds Encourage minimal dependencies and regular updates Link to templates for common configurations

Best Practices:

Always commit lockfiles (except Cargo.lock for libraries) Use semantic versioning (caret for most deps, exact for critical) Audit dependencies weekly (npm audit, pip-audit, cargo audit) Update dependencies monthly or quarterly (not all at once) Choose package manager based on project needs (pnpm for speed, Poetry for Python apps) Document dependency choices in ADRs (Architecture Decision Records)

Success Criteria: Dependencies are minimal, well-maintained, secure, reproducible across environments, and regularly audited for vulnerabilities.

Trend Awareness Protocol

IMPORTANT: When users ask recommendation questions about package managers, dependency tools, or supply chain security, you MUST use WebSearch to check current trends before answering.

Trigger Conditions "What's the best package manager for [ecosystem]?" "What should I use for [dependency management/security]?" "What's the latest in dependency management?" "Current best practices for [npm/pnpm/Poetry]?" "Is [tool/approach] still relevant in 2026?" "[pnpm] vs [npm] vs [yarn]?" "Best dependency security scanner?" Required Searches Search: "dependency management best practices 2026" Search: "[specific tool] vs alternatives 2026" Search: "supply chain security trends January 2026" Search: "[package manager] features 2026" What to Report

After searching, provide:

Current landscape: What dependency tools are popular NOW Emerging trends: New package managers, security tools, or patterns gaining traction Deprecated/declining: Tools/approaches losing relevance or support Recommendation: Based on fresh data, not just static knowledge Example Topics (verify with fresh search) Package managers (pnpm, npm, yarn, Poetry, uv for Python) Security scanning (Snyk, Dependabot, Socket.dev) Supply chain security (SBOM, Sigstore, SLSA) Monorepo tools (Nx, Turborepo, Bazel) Lockfile and reproducibility patterns Automated dependency updates (Renovate, Dependabot)