playbooks

home / skills / zpankz / mcp-skillset / dependency-health

dependency-health skill

/dependency-health

This skill manages dependencies with security-first prioritization, batch remediation, and policy-driven compliance to reduce risk and improve update

npx playbooks add skill zpankz/mcp-skillset --skill dependency-health

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
8.9 KB
---
name: Dependency Health
description: Security-first dependency management methodology with batch remediation, policy-driven compliance, and automated enforcement. Use when security vulnerabilities exist in dependencies, dependency freshness low (outdated packages), license compliance needed, or systematic dependency management lacking. Provides security-first prioritization (critical vulnerabilities immediately, high within week, medium within month), batch remediation strategy (group compatible updates, test together, single PR), policy-driven compliance framework (security policies, freshness policies, license policies), and automation tools for vulnerability scanning, update detection, and compliance checking. Validated in meta-cc with 6x speedup (9 hours manual to 1.5 hours systematic), 3 iterations, 88% transferability across package managers (concepts universal, tools vary by ecosystem).
allowed-tools: Read, Write, Edit, Bash
---

# Dependency Health

**Systematic dependency management: security-first, batch remediation, policy-driven.**

> Dependencies are attack surface. Manage them systematically, not reactively.

---

## When to Use This Skill

Use this skill when:
- πŸ”’ **Security vulnerabilities**: Known CVEs in dependencies
- πŸ“… **Outdated dependencies**: Packages months/years behind
- βš–οΈ **License compliance**: Need to verify license compatibility
- 🎯 **Systematic management**: Ad-hoc updates causing issues
- πŸ”„ **Frequent breakage**: Dependency updates break builds
- πŸ“Š **No visibility**: Don't know dependency health status

**Don't use when**:
- ❌ Zero dependencies (static binary, no external deps)
- ❌ Dependencies already managed systematically
- ❌ Short-lived projects (throwaway tools, prototypes)
- ❌ Frozen dependencies (legacy systems, no updates allowed)

---

## Quick Start (30 minutes)

### Step 1: Audit Current State (10 min)

```bash
# Go projects
go list -m -u all | grep '\['

# Node.js
npm audit

# Python
pip list --outdated

# Identify:
# - Security vulnerabilities
# - Outdated packages (>6 months old)
# - License issues
```

### Step 2: Prioritize by Security (10 min)

**Severity levels**:
- **Critical**: Actively exploited, RCE, data breach
- **High**: Authentication bypass, privilege escalation
- **Medium**: DoS, information disclosure
- **Low**: Minor issues, limited impact

**Action timeline**:
- Critical: Immediate (same day)
- High: Within 1 week
- Medium: Within 1 month
- Low: Next quarterly update

### Step 3: Batch Remediation (10 min)

```bash
# Group compatible updates
# Test together
# Create single PR with all updates

# Example: Update all patch versions
go get -u=patch ./...
go test ./...
git commit -m "chore(deps): update dependencies (security + freshness)"
```

---

## Security-First Prioritization

### Vulnerability Assessment

**Critical vulnerabilities** (immediate action):
- RCE (Remote Code Execution)
- SQL Injection
- Authentication bypass
- Data breach potential

**High vulnerabilities** (1 week):
- Privilege escalation
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- Sensitive data exposure

**Medium vulnerabilities** (1 month):
- DoS (Denial of Service)
- Information disclosure
- Insecure defaults
- Weak cryptography

**Low vulnerabilities** (quarterly):
- Minor issues
- Informational
- False positives

### Remediation Strategy

```
Priority queue:
1. Critical vulnerabilities (immediate)
2. High vulnerabilities (week)
3. Dependency freshness (monthly)
4. License compliance (quarterly)
5. Medium/low vulnerabilities (quarterly)
```

---

## Batch Remediation Strategy

### Why Batch Updates?

**Problems with one-at-a-time**:
- Update fatigue (100+ dependencies)
- Test overhead (N tests for N updates)
- PR overhead (N reviews)
- Potential conflicts (update A breaks with update B)

**Benefits of batching**:
- Single test run for all updates
- Single PR review
- Detect incompatibilities early
- 6x faster (validated in meta-cc)

### Batching Strategies

**Strategy 1: By Severity**
```bash
# Batch 1: All security patches
# Batch 2: All minor/patch updates
# Batch 3: All major updates (breaking changes)
```

**Strategy 2: By Compatibility**
```bash
# Batch 1: Compatible updates (no breaking changes)
# Batch 2: Breaking changes (one at a time)
```

**Strategy 3: By Timeline**
```bash
# Batch 1: Immediate (critical vulnerabilities)
# Batch 2: Weekly (high vulnerabilities + freshness)
# Batch 3: Monthly (medium vulnerabilities)
# Batch 4: Quarterly (low vulnerabilities + license)
```

---

## Policy-Driven Compliance

### Security Policies

```yaml
# .dependency-policy.yml
security:
  critical_vulnerabilities:
    action: block_merge
    max_age: 0 days
  high_vulnerabilities:
    action: block_merge
    max_age: 7 days
  medium_vulnerabilities:
    action: warn
    max_age: 30 days
```

### Freshness Policies

```yaml
freshness:
  max_age:
    major: 12 months
    minor: 6 months
    patch: 3 months
  exceptions:
    - package: legacy-lib
      reason: "No maintained alternative"
```

### License Policies

```yaml
licenses:
  allowed:
    - MIT
    - Apache-2.0
    - BSD-3-Clause
  denied:
    - GPL-3.0  # Copyleft issues
    - AGPL-3.0
  review_required:
    - Custom
    - Proprietary
```

---

## Automation Tools

### Vulnerability Scanning

```bash
# Go: govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Node.js: npm audit
npm audit --audit-level=moderate

# Python: safety
pip install safety
safety check

# Rust: cargo-audit
cargo install cargo-audit
cargo audit
```

### Automated Updates

```bash
# Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      security:
        patterns:
          - "*"
        update-types:
          - "patch"
          - "minor"
```

### License Checking

```bash
# Go: go-licenses
go install github.com/google/go-licenses@latest
go-licenses check ./...

# Node.js: license-checker
npx license-checker --summary

# Python: pip-licenses
pip install pip-licenses
pip-licenses
```

---

## Proven Results

**Validated in bootstrap-010** (meta-cc project):
- βœ… Security-first prioritization implemented
- βœ… Batch remediation (5 dependencies updated together)
- βœ… 6x speedup: 9 hours manual β†’ 1.5 hours systematic
- βœ… 3 iterations (rapid convergence)
- βœ… V_instance: 0.92 (highest among experiments)
- βœ… V_meta: 0.85

**Metrics**:
- Vulnerabilities: 2 critical β†’ 0 (resolved immediately)
- Freshness: 45% outdated β†’ 15% outdated
- License compliance: 100% (all MIT/Apache-2.0/BSD)

**Transferability**:
- Go (gomod): 100% (native)
- Node.js (npm): 90% (npm audit similar)
- Python (pip): 85% (safety similar)
- Rust (cargo): 90% (cargo audit similar)
- Java (Maven): 85% (OWASP dependency-check)
- **Overall**: 88% transferable

---

## Common Patterns

### Pattern 1: Security Update Workflow

```bash
# 1. Scan for vulnerabilities
govulncheck ./...

# 2. Review severity
# Critical/High β†’ immediate
# Medium/Low β†’ batch

# 3. Update dependencies
go get -u github.com/vulnerable/package@latest

# 4. Test
go test ./...

# 5. Commit
git commit -m "fix(deps): resolve CVE-XXXX-XXXXX in package X"
```

### Pattern 2: Monthly Freshness Update

```bash
# 1. Check for updates
go list -m -u all

# 2. Batch updates (patch/minor)
go get -u=patch ./...

# 3. Test
go test ./...

# 4. Commit
git commit -m "chore(deps): monthly dependency freshness update"
```

### Pattern 3: Major Version Upgrade

```bash
# One at a time (breaking changes)
# 1. Update single package
go get package@v2

# 2. Fix breaking changes
# ... code modifications ...

# 3. Test extensively
go test ./...

# 4. Commit
git commit -m "feat(deps): upgrade package to v2"
```

---

## Anti-Patterns

❌ **Ignoring security advisories**: "We'll update later"
❌ **One-at-a-time updates**: 100 separate PRs for 100 dependencies
❌ **Automatic merging**: Dependabot auto-merge without testing
❌ **Dependency pinning forever**: Never updating to avoid breakage
❌ **License ignorance**: Not checking license compatibility
❌ **No testing after updates**: Assuming updates won't break anything

---

## Related Skills

**Parent framework**:
- [methodology-bootstrapping](../methodology-bootstrapping/SKILL.md) - Core OCA cycle

**Complementary**:
- [ci-cd-optimization](../ci-cd-optimization/SKILL.md) - Automated dependency checks in CI
- [error-recovery](../error-recovery/SKILL.md) - Dependency failure handling

**Acceleration**:
- [rapid-convergence](../rapid-convergence/SKILL.md) - 3 iterations achieved

---

## References

**Core guides**:
- Reference materials in experiments/bootstrap-010-dependency-health/
- Security-first prioritization framework
- Batch remediation strategies
- Policy-driven compliance

**Tools**:
- govulncheck (Go)
- npm audit (Node.js)
- safety (Python)
- cargo-audit (Rust)
- go-licenses (license checking)

---

**Status**: βœ… Production-ready | 6x speedup | 88% transferable | V_instance 0.92 (highest)

Overview

This skill is a security-first dependency management methodology that combines batch remediation, policy-driven compliance, and automation to keep projects safe and up to date. It prioritizes vulnerabilities by severity, groups compatible updates into single reviewable batches, and enforces freshness and license policies with tooling. Proven to reduce manual remediation time dramatically and transferable across ecosystems.

How this skill works

It scans dependencies for vulnerabilities, freshness, and license issues, then ranks findings by security-first timelines (critical immediate, high within a week, medium within a month). Compatible updates are batched, tested together, and submitted as a single PR to minimize test and review overhead. Policies (security, freshness, license) are codified to block merges or raise warnings, and automation integrates scanners and update tooling to enforce the workflow.

When to use it

  • Known CVEs or active security advisories in dependencies
  • Large number of outdated packages or low dependency freshness
  • Need to enforce license compatibility across dependencies
  • No established, systematic dependency management process
  • Frequent breakage or high PR/test overhead from ad-hoc updates

Best practices

  • Prioritize by severity: fix critical immediately, high within a week, medium within a month
  • Batch compatible updates (patches/minors) and test them together before creating a single PR
  • Use policy files to enforce max_age and merge actions for security, freshness, and licenses
  • Automate scanning and update detection in CI with ecosystem tools (govulncheck, npm audit, safety, cargo-audit)
  • Treat major breaking upgrades as single-item batches with extended testing and fixes

Example use cases

  • Resolve an urgent critical RCE in a transitive dependency by blocking merges until patched
  • Run monthly batch updates for patch/minor versions to keep freshness within policy limits
  • Implement license checks in CI to prevent denied licenses from entering the codebase
  • Adopt batch remediation to reduce 100+ one-off PRs to a few grouped PRs, cutting remediation time by ~6x
  • Enforce a policy that warns on medium issues and blocks merges when high/critical vulnerabilities exceed age thresholds

FAQ

How do I balance batching with urgent security fixes?

Batch compatible, non-breaking updates weekly or monthly, but always treat critical vulnerabilities as immediate single-issue actions β€” apply the patch and merge as soon as validated.

Which tools should I use for different ecosystems?

Use native scanners: govulncheck for Go, npm audit for Node, safety for Python, cargo-audit for Rust; combine with automated update tools like Dependabot and license checkers (go-licenses, license-checker, pip-licenses).