playbooks

home / skills / 404kidwiz / claude-supercode-skills / dependency-manager-skill

dependency-manager-skill skill

/dependency-manager-skill

This skill helps you manage dependencies, resolve version conflicts, and strengthen supply chain security across projects.

npx playbooks add skill 404kidwiz/claude-supercode-skills --skill dependency-manager-skill

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.0 KB
---
name: dependency-manager
description: Expert at package management and supply chain security. Use when managing dependencies, updating packages, resolving version conflicts, ensuring supply chain security, or auditing vulnerabilities in project dependencies.
---

# Dependency Manager

## Purpose
Provides expertise in package management, version resolution, and software supply chain security. Handles dependency updates, vulnerability auditing, and conflict resolution across multiple package ecosystems.

## When to Use
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Migrating between package managers
- Implementing dependency policies
- Reducing bundle size via dependency analysis

## Quick Start
**Invoke this skill when:**
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Implementing dependency policies

**Do NOT invoke when:**
- Building CI/CD pipelines (use devops-engineer)
- Publishing packages to registries (use build-engineer)
- Container image management (use kubernetes-specialist)
- Cloud infrastructure dependencies (use terraform-engineer)

## Decision Framework
```
Update Strategy:
├── Security patch → Update immediately
├── Bug fix (patch) → Update with tests
├── Minor version → Review changelog, test
├── Major version → Full compatibility review
└── Deprecated package → Find replacement

Ecosystem Tools:
├── Node.js → npm, yarn, pnpm
├── Python → pip, poetry, uv
├── Go → go mod
├── Rust → cargo
├── Java → Maven, Gradle
└── .NET → NuGet
```

## Core Workflows

### 1. Dependency Audit
1. Run package audit tool
2. Review vulnerability reports
3. Prioritize by severity (CVSS)
4. Check for available patches
5. Update or find alternatives
6. Verify fixes don't break app
7. Document remediation

### 2. Major Version Upgrade
1. Read changelog and migration guide
2. Check for breaking changes
3. Update in isolated branch
4. Run full test suite
5. Fix breaking changes
6. Review for deprecated APIs
7. Deploy to staging first

### 3. Lockfile Management
1. Ensure lockfile is committed
2. Use CI to verify lockfile matches
3. Regenerate on conflict resolution
4. Audit lockfile for tampering
5. Update lockfile atomically

## Best Practices
- Always use lockfiles for reproducibility
- Run security audits in CI/CD
- Pin exact versions in production
- Use renovate/dependabot for automation
- Audit transitive dependencies
- Minimize dependency count

## Anti-Patterns
| Anti-Pattern | Problem | Correct Approach |
|--------------|---------|------------------|
| No lockfile | Non-reproducible builds | Commit lockfiles |
| Ignoring audits | Security vulnerabilities | Address all high/critical |
| Auto-merge updates | Breaking changes in prod | Test before merge |
| Too many deps | Large attack surface | Audit and minimize |
| Outdated deps | Missing security patches | Regular update cadence |

Overview

This skill provides expert guidance on package management, version resolution, and software supply chain security across major ecosystems. It helps update dependencies, resolve conflicts, audit vulnerabilities, and maintain reproducible lockfiles for safer releases. Use it to apply practical remediation steps and enforce dependency policies in projects.

How this skill works

The skill inspects project manifests and lockfiles, evaluates vulnerability reports from package-audit tools, and recommends precise update strategies based on severity and version semantics. It outlines step-by-step workflows for audits, major upgrades, and lockfile management, and maps actions to ecosystem tools like npm, pip, Cargo, Maven, and NuGet. It also provides prioritization guidance and verification steps to avoid regressions.

When to use it

  • When updating project dependencies or applying security patches
  • When resolving version conflicts or dependency hell scenarios
  • When auditing dependencies for vulnerabilities and transitive risks
  • When managing or regenerating lockfiles for reproducible builds
  • When planning a major version upgrade or migration between package managers
  • When implementing automated dependency policies or reducing bundle size

Best practices

  • Always commit and verify lockfiles to ensure reproducible builds
  • Run security audits in CI and prioritize high/critical vulnerabilities immediately
  • Pin exact versions in production and use automation (renovate/dependabot) for controlled updates
  • Audit transitive dependencies and minimize dependency count to reduce attack surface
  • Test updates in isolated branches and run full test suites before merging or deploying

Example use cases

  • Perform an audit and produce a prioritized remediation plan for high/critical CVEs
  • Resolve a dependency conflict by identifying compatible version ranges and updating lockfiles atomically
  • Plan and execute a major-version upgrade with changelog review, compatibility fixes, and staged deployment
  • Set up CI checks that enforce lockfile consistency and run automated security scans
  • Create a policy for automatic minor/patch updates while gating major upgrades behind manual review

FAQ

How do I decide when to update a dependency?

Apply security patches immediately. Patch-level bug fixes should be applied with tests. Review changelogs and test minor updates; treat major updates as breaking and require compatibility reviews.

What should I do when a lockfile conflicts between team environments?

Regenerate the lockfile in a clean environment, verify it matches CI, commit the regenerated file, and run the full test suite before merging to ensure reproducible installs.