| name | dependency-management-principles |
| description | Dependency management: version pinning, vulnerability scanning, dependency hygiene. go.mod, package.json, Cargo.toml, pubspec.yaml. |
| user-invocable | false |
Dependency Management
Version Pinning
Production: exact versions (1.2.3, not ^1.2.0). Prevents supply chain attacks, unexpected breakage. Reproducible builds.
Lock files: package-lock.json, pnpm-lock.yaml, yarn.lock, Cargo.lock, go.sum, pubspec.lock, poetry.lock.
Minimize
Every dep = liability (security, build time, maintenance). Before adding: "50 lines to implement?" "Critical?" "Actively maintained?" "Latest stable?"
Organize Imports
- Standard library → 2. External deps → 3. Internal modules. Alphabetical within groups. Remove unused.
Checklist
Related
- Security Mandate @.gemini/rules/security-mandate.md
- Security Principles @.gemini/rules/security-principles.md