Dependency Management

This skill manages project dependencies including updates, vulnerability scanning, license compliance, and dependency tree optimization.

When to Use This Skill

• When updating project dependencies

• When scanning for security vulnerabilities

• When analyzing dependency trees

• When ensuring license compliance

• When resolving version conflicts

• When optimizing dependency usage

What This Skill Does

• Dependency Analysis: Identifies unused dependencies and version conflicts

• Vulnerability Scanning: Finds and fixes known security vulnerabilities

• License Compliance: Verifies dependency licenses are compatible

• Safe Updates: Updates dependencies with testing and validation

• Tree Optimization: Optimizes dependency trees and reduces bloat

• Version Management: Resolves version conflicts and updates

Helper Scripts

This skill includes Python helper scripts in scripts/ :

parse_dependencies.py : Parses dependency files (package.json, requirements.txt, pyproject.toml). Outputs JSON with parsed dependencies and metadata.

python scripts/parse_dependencies.py package.json requirements.txt

How to Use

Manage Dependencies

Update all dependencies and check for vulnerabilities

Scan dependencies for security issues

Specific Tasks

Check license compatibility for all dependencies

Management Process

1. Analyze Dependencies

Using Helper Script:

The skill includes a Python helper script for parsing dependency files:

Parse dependency files

python scripts/parse_dependencies.py package.json requirements.txt pyproject.toml

Package Manager Tools:

• npm: npm outdated , npm list

• pip: pip list --outdated

• maven: mvn versions:display-dependency-updates

• gradle: gradle dependencyUpdates

2. Scan for Vulnerabilities

Tools:

• npm: npm audit

• pip: pip-audit

• maven: OWASP Dependency Check

• gradle: Dependency Check plugin

3. Check Licenses

Process:

• List all dependency licenses

• Check compatibility with project license

• Identify any incompatible licenses

• Provide license report

4. Update Dependencies

Safe Update Process:

• Check for updates

• Review changelogs

• Update incrementally

• Run tests after each update

• Verify functionality

Examples

Example 1: Vulnerability Scan

Input: Scan for vulnerabilities

Output:

Dependency Vulnerability Scan

Critical Vulnerabilities

1. lodash (4.17.20)

• Severity: High
• Issue: Prototype Pollution
• Fix: Update to 4.17.21

npm update lodash

2. express (4.16.4)

- Severity: Medium

- Issue: Path Traversal

- Fix: Update to 4.18.2

npm update express

Summary

- Total vulnerabilities: 5

- Critical: 1

- High: 2

- Medium: 2

## Reference Files

For package manager-specific commands and patterns, load reference files as needed:

- **`references/package_managers.md`** - Commands and patterns for npm, pip, Poetry, Maven, Gradle, Cargo, and common dependency management patterns
- **`references/DEPENDENCY_AUDIT.template.md`** - Dependency audit report template with vulnerabilities, outdated packages, license compliance

When working with specific package managers, load `references/package_managers.md` and refer to the relevant package manager section.

## Best Practices

### Dependency Management

1. **Regular Updates**: Update dependencies regularly
2. **Security First**: Prioritize security updates
3. **Test After Updates**: Always test after updating
4. **Lock Files**: Use lock files (package-lock.json, yarn.lock)
5. **Version Pinning**: Pin critical dependencies

## Related Use Cases

- Dependency updates
- Security vulnerability scanning
- License compliance
- Dependency tree optimization
- Version conflict resolution