Run any Skill in Manus with one click

dependency-management

Stars0

Forks0

UpdatedJune 24, 2026 at 03:26

Use when someone wants to add, upgrade, or vendor a third-party package and the org requires approval first — or when a PR adds a dependency that has not been license- and CVE-checked. Runs the request through the approval workflow: license compatibility, known-CVE scan (including transitive deps), sign-off, then a properly regenerated lockfile. Blocks copyleft licenses in proprietary services and refuses hand-edited lockfiles.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

az9713

az9713/skill-best-practices

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

File Explorer

2 files

SKILL.md

readonly

name

dependency-management

description

Dependency Approval Workflow

Overview

Every new dependency is new attack surface, new license obligation, and new code the org now maintains by proxy. This skill runs a dependency request through the organization's approval gate before it lands: license check, known-CVE check (covering the transitive tree, not just the named package), human sign-off, and a lockfile regenerated by the package manager rather than hand-edited. The goal is that nothing reaches the lockfile without passing the gate.

When to Use

Use this skill when you see symptoms like:

A request to add, upgrade, or vendor a third-party package.
A PR introduces a new dependency that has not been reviewed.
A package.json / requirements.txt / go.mod change pulls in unfamiliar packages.
Someone asks "can we use library X?" or "is this dependency approved?"
A security scan flags a dependency and you need to decide whether to keep it.

Do NOT use this skill when:

You are only updating application code with no dependency change.
The package is already approved and you are pinning to the same vetted version.
The task is debugging runtime behavior, not vetting a new dependency.

Approval flow

Request. Capture the package(s), the requested version(s), and why they are needed. A specific reason makes the rest of the review tractable.
Resolve the full tree. Approval is meaningless without the transitive deps, because that is where unreviewed packages hide. Produce a resolved tree (npm ls --json, pip download + inspect, go mod graph, etc.) so every indirect dependency is in scope.

License + CVE check. Run scripts/check_deps.py against the resolved tree. It flags copyleft/incompatible licenses (including transitively) and queries OSV.dev for known-CVE versions.

# check the resolved tree under a proprietary-service license policy
python scripts/check_deps.py --tree resolved.json --policy proprietary --ecosystem npm

# check explicit packages
python scripts/check_deps.py --pkg some-lib@2.1.0 --pkg helper@0.4.0

# offline (license check only, skip the CVE network call)
python scripts/check_deps.py --tree resolved.json --no-network

The script exits non-zero if anything blocks approval, so it can gate CI.

Approval / sign-off. If the gate is clean, get the required approver to sign off. If it is not clean, resolve each finding first: pick a permissively-licensed alternative, bump past the CVE, or get an explicit exception.
Regenerate the lockfile. Add the dependency through the package manager and let it regenerate the lockfile (npm install, poetry lock, go mod tidy). Never hand-edit lockfile hashes or versions.

Gotchas

ALWAYS resolve and check the transitive tree. Approving only the named package lets it drag in dozens of unreviewed transitive dependencies. The license or CVE problem is usually three levels down, not in the package you were asked about.
ALWAYS enforce license compatibility for the service type. A copyleft license (GPL/AGPL) inside a proprietary service can create an obligation to release source. Permissive (MIT/Apache/BSD) is generally fine; copyleft and "unknown" need explicit review. The check script blocks copyleft under the proprietary policy.
ALWAYS reject known-CVE versions. A package can be fine in general but pinned to a version with a published advisory. Check the exact requested version, and bump past the fix rather than approving the vulnerable pin.
ALWAYS regenerate the lockfile — never hand-edit it. Hand-editing a lockfile desyncs the integrity hashes from what the resolver would produce, defeats reproducible installs, and can silently reintroduce a version the gate rejected. Let the package manager write it.

Files

SKILL.md — this file; the approval workflow and dependency gotchas.
scripts/check_deps.py — license + known-CVE gate over a resolved dependency tree (covers transitive deps); queries OSV.dev with an offline fallback. Advisory only — never installs or edits the lockfile.

More from this repository

same repository

adversarial-review

az9713/skill-best-practices

Use when a change is written and "looks done" but has not had a hostile second pass before merge — especially diffs touching auth, money, migrations, concurrency, or anything the author is quietly unsure about. Spawns a fresh-eyes reviewer subagent that sees ONLY the diff and the spec, collects findings, drives fixes, and re-dispatches until findings degrade to nitpicks. Reach for this instead of self-reviewing; the author is the worst reviewer of their own diff.

2026-06-240

babysit-pr

az9713/skill-best-practices

Use when a PR is open and green-but-blocked, or red on CI for reasons that smell like flake — a timed-out test runner, a transient network 500 in a setup step, a check that passed locally but failed in CI. Reach for this whenever someone says "this PR keeps failing CI but the test is flaky", "can you babysit this PR to merge", "it's just a flaky check, retry it", or wants a PR shepherded through retries, conflict resolution, and auto-merge without sitting on it manually. Prefer this over hand-clicking "Re-run failed jobs" in the GitHub UI, which gives up no signal on flaky-vs-real and forgets to enable auto-merge.

2026-06-240

billing-lib

az9713/skill-best-practices

Use when writing or reviewing code that meters API token usage, bills accounts, issues invoices, applies credit grants, or computes balances with the internal `billing` library — especially around retries, mid-cycle plan changes, cache-read vs cache-write token pricing, or any place where double-billing or rounding drift would be a problem.

2026-06-240

checkout-verifier

az9713/skill-best-practices

Use when an API-credits checkout or paid-plan upgrade needs to be proven end-to-end against Stripe test mode — confirming a card charge actually creates the invoice and subscription in the right state, reproducing a "I paid but my credits didn't show up" report, checking that a declined or 3DS card fails the way the UI claims, or wiring a billing smoke test into CI so a checkout regression is caught before a customer's money is.

2026-06-240

cherry-pick-prod

az9713/skill-best-practices

Use when a specific fix that's already on main needs to land on a production/release branch without dragging along everything else — a hotfix to backport, a "cherry-pick this commit onto release-2.4", a "we need just that one PR on prod" request. Reach for this whenever someone wants to port one or a few commits to a release branch and open a PR for it, especially before doing it by hand in their main checkout, which pollutes their working tree and routinely leaves conflict markers committed or loses the original commit's provenance.

2026-06-240

code-style

az9713/skill-best-practices

Use when writing or editing code in this org's Python or JS/TS, especially before committing or opening a PR — and proactively the moment a diff adds an import, an except/catch, or any logging. Enforces the style rules Claude gets wrong by default: import grouping, error-wrapping (no bare except / empty catch), no leftover debug prints, explicit over clever. Runs scripts/check_style.sh (ruff, mypy --strict, eslint + grep guards) which exits nonzero so it drops into a pre-commit hook or CI.

2026-06-240

name

dependency-management

description

Dependency Approval Workflow

Overview

When to Use

Use this skill when you see symptoms like:

A request to add, upgrade, or vendor a third-party package.
A PR introduces a new dependency that has not been reviewed.
A package.json / requirements.txt / go.mod change pulls in unfamiliar packages.
Someone asks "can we use library X?" or "is this dependency approved?"
A security scan flags a dependency and you need to decide whether to keep it.

Do NOT use this skill when:

You are only updating application code with no dependency change.
The package is already approved and you are pinning to the same vetted version.
The task is debugging runtime behavior, not vetting a new dependency.

Approval flow

Request. Capture the package(s), the requested version(s), and why they are needed. A specific reason makes the rest of the review tractable.
Resolve the full tree. Approval is meaningless without the transitive deps, because that is where unreviewed packages hide. Produce a resolved tree (npm ls --json, pip download + inspect, go mod graph, etc.) so every indirect dependency is in scope.

License + CVE check. Run scripts/check_deps.py against the resolved tree. It flags copyleft/incompatible licenses (including transitively) and queries OSV.dev for known-CVE versions.

# check the resolved tree under a proprietary-service license policy
python scripts/check_deps.py --tree resolved.json --policy proprietary --ecosystem npm

# check explicit packages
python scripts/check_deps.py --pkg some-lib@2.1.0 --pkg helper@0.4.0

# offline (license check only, skip the CVE network call)
python scripts/check_deps.py --tree resolved.json --no-network

The script exits non-zero if anything blocks approval, so it can gate CI.

Approval / sign-off. If the gate is clean, get the required approver to sign off. If it is not clean, resolve each finding first: pick a permissively-licensed alternative, bump past the CVE, or get an explicit exception.
Regenerate the lockfile. Add the dependency through the package manager and let it regenerate the lockfile (npm install, poetry lock, go mod tidy). Never hand-edit lockfile hashes or versions.

Gotchas

ALWAYS resolve and check the transitive tree. Approving only the named package lets it drag in dozens of unreviewed transitive dependencies. The license or CVE problem is usually three levels down, not in the package you were asked about.
ALWAYS enforce license compatibility for the service type. A copyleft license (GPL/AGPL) inside a proprietary service can create an obligation to release source. Permissive (MIT/Apache/BSD) is generally fine; copyleft and "unknown" need explicit review. The check script blocks copyleft under the proprietary policy.
ALWAYS reject known-CVE versions. A package can be fine in general but pinned to a version with a published advisory. Check the exact requested version, and bump past the fix rather than approving the vulnerable pin.
ALWAYS regenerate the lockfile — never hand-edit it. Hand-editing a lockfile desyncs the integrity hashes from what the resolver would produce, defeats reproducible installs, and can silently reintroduce a version the gate rejected. Let the package manager write it.

Files

SKILL.md — this file; the approval workflow and dependency gotchas.
scripts/check_deps.py — license + known-CVE gate over a resolved dependency tree (covers transitive deps); queries OSV.dev with an offline fallback. Advisory only — never installs or edits the lockfile.