| name | dependency-management |
| description | Universal dependency management workflow. Use when updating packages, fixing vulnerabilities, or maintaining dependencies. Covers security-first approach, incremental updates, semantic versioning, and rollback procedures. Works with npm, pip, cargo, go mod, or any package manager. |
Dependency Management
Safe and systematic approach to updating dependencies while maintaining stability and security.
When to Use This Skill
Use when:
- User asks to "update dependencies" or "upgrade packages"
- Monthly/quarterly dependency maintenance
- Security vulnerability alerts (CVEs)
- Before major feature releases
- Package manager shows outdated dependencies
- User mentions: "Are our dependencies up to date?"
Core Principles
- Security First: Update packages with known vulnerabilities immediately
- Test-Driven: Never update without running full test suite
- Incremental: Update one category at a time (prod → dev → tooling)
- Semantic Versioning: Understand patch/minor/major implications
- Documented: Track what changed and why
- Reversible: Always commit before updates for easy rollback
Pre-Update Checklist
Before starting any dependency updates:
Semantic Versioning Strategy
Understanding version numbers: MAJOR.MINOR.PATCH
| Update Type | Example | Risk | Testing |
|---|
| Patch | 5.1.0 → 5.1.1 | Low | Run tests |
| Minor | 5.1.0 → 5.2.0 | Medium | Test thoroughly + manual QA |
| Major | 5.0.0 → 6.0.0 | High | Review changelog, expect code changes |
Update strategy:
- Patch updates: Generally safe, apply automatically
- Minor updates: Review changelog, test thoroughly
- Major updates: Plan separately, may require code changes
Universal Workflow
Step 1: Audit Current Dependencies
JavaScript/TypeScript (npm):
npm audit
npm outdated
Python (pip):
pip list --outdated
pip-audit
Rust (cargo):
cargo outdated
cargo audit
Go (go mod):
go list -u -m all
go list -u -m all | go-mod-outdated -update -direct
Ruby (bundler):
bundle outdated
bundle audit
Step 2: Update Dependency Manifest
JavaScript/TypeScript (package.json):
npx npm-check-updates
npx npm-check-updates -u
npm install package-name@latest
npm install -D dev-package@latest
Python (requirements.txt or pyproject.toml):
pip install --upgrade package-name
pip freeze > requirements.txt
Rust (Cargo.toml):
cargo install cargo-edit
cargo upgrade
Go (go.mod):
go get -u package-name
go get -u ./...
go mod tidy
Ruby (Gemfile):
bundle update package-name
bundle update
Step 3: Install/Update Dependencies
JavaScript/TypeScript:
npm install
npm ci
Python:
pip install -r requirements.txt
pip install -e .
Rust:
cargo update
cargo build
Go:
go mod download
go mod verify
Ruby:
bundle install
Step 4: Run Tests (MANDATORY)
DO NOT SKIP TESTING
JavaScript/TypeScript:
npm test
npm test -- --coverage
npm run lint
npm run type-check
Python:
python -m pytest
python -m pytest --cov
pylint src/
mypy .
Rust:
cargo test
cargo test --all-features
cargo clippy
Go:
go test ./...
go test -cover ./...
go vet ./...
golangci-lint run
Ruby:
bundle exec rspec
bundle exec rubocop
Step 5: Manual Testing
Test critical paths:
Step 6: Review Changes
git diff package.json
git diff pyproject.toml
git diff Cargo.toml
git diff go.mod
git diff Gemfile.lock
Step 7: Commit Changes
git add package.json package-lock.json
git add pyproject.toml requirements.txt
git add Cargo.toml Cargo.lock
git add go.mod go.sum
git add Gemfile Gemfile.lock
git commit -m "chore(deps): update dependencies
- Updated production dependencies (patch/minor/major)
- Updated dev dependencies
- All tests passing (X passed)
- No breaking changes / Breaking changes: [list]
- Security fixes: [CVEs if applicable]"
Security Updates (High Priority)
When security vulnerabilities are detected:
1. Assess Severity
npm audit
safety check
pip-audit
cargo audit
2. Update Affected Packages
Targeted security updates:
JavaScript:
npm audit fix
npm audit fix --force
Python:
pip install --upgrade vulnerable-package
Rust:
cargo update -p vulnerable-package
Go:
go get -u vulnerable-package@latest
go mod tidy
3. Test Immediately
Security updates should be tested and deployed ASAP:
- Run full test suite
- Quick manual smoke test
- Deploy to staging
- Monitor for issues
- Deploy to production
Rollback Procedure
If updates break something:
Option 1: Revert Commit
git revert HEAD
npm install
Option 2: Reset Branch
git reset --hard origin/main
npm install
Option 3: Selective Rollback
git checkout HEAD~1 package.json package-lock.json
npm install
git checkout HEAD~1 requirements.txt
pip install -r requirements.txt
git checkout HEAD~1 Cargo.toml Cargo.lock
cargo build
git checkout HEAD~1 go.mod go.sum
go mod download
Common Scenarios
Scenario 1: Monthly Maintenance
Goal: Keep dependencies reasonably up-to-date
npm outdated / pip list --outdated / cargo outdated
npx npm-check-updates -u --target minor
npm install && npm test
Scenario 2: Security Alert
Goal: Fix vulnerability ASAP
npm audit / pip-audit / cargo audit
npm install vulnerable-package@patched-version
npm test
Scenario 3: Pre-Release Prep
Goal: Fresh dependencies before release
npm update --dev / pip install -U -r requirements-dev.txt
npm update / pip install -U package
npm test && npm run e2e
Best Practices
Do:
- ✅ Update dependencies regularly (monthly/quarterly)
- ✅ Read changelogs for major updates
- ✅ Run tests after EVERY update
- ✅ Update one category at a time (prod → dev → peer)
- ✅ Commit after each successful category update
- ✅ Document breaking changes in commit message
- ✅ Use lockfiles (package-lock.json, Cargo.lock, go.sum)
Don't:
- ❌ Update everything at once ("big bang" approach)
- ❌ Skip testing after updates
- ❌ Use exact version pins unless required (npm/pip)
- ❌ Ignore security vulnerabilities
- ❌ Update during feature development
- ❌ Force major updates without reviewing changes
Lockfile Management
Purpose of lockfiles:
- Ensure reproducible builds
- Lock transitive dependency versions
- Enable reliable CI/CD
When to commit lockfiles:
- ✅ Always commit: package-lock.json (npm), Cargo.lock (Rust), go.sum (Go), Gemfile.lock (Ruby)
- ⚠️ Libraries only: Don't commit lockfiles for libraries (let consumers choose versions)
- ✅ Applications always: Always commit lockfiles for applications
Troubleshooting
Issue: Tests Fail After Update
- Read test output carefully
- Check updated package changelogs for breaking changes
- Search GitHub issues for the package
- Update code to match new API
- If unfixable, rollback and plan migration
Issue: Dependency Conflicts
JavaScript:
npm install --legacy-peer-deps
npm ls package-name
Python:
pip install package --no-deps
pipdeptree
Rust:
cargo tree
Issue: Build Breaks After Update
-
Clear caches and rebuild:
npm ci
cargo clean
go clean -modcache
-
Check for deprecated APIs in changelog
-
Update code to use new APIs
-
Verify toolchain compatibility (Node.js version, Rust version, etc.)
Related Skills
This skill is framework-agnostic. Patterns apply to JavaScript, Python, Rust, Go, Ruby, Java, C#, or any language with a package manager.