dev-dependency-management

Dependency Management — Production Patterns

Modern Best Practices (2025): Lockfile-first workflows, automated security scanning (Dependabot, Snyk), semantic versioning, minimal dependencies principle, monorepo workspaces (pnpm, Nx), supply chain security (SBOM, signatures), and reproducible builds.

---

When to Use This Skill

Claude should invoke this skill when a user requests:

• Adding new dependencies to a project
• Updating existing dependencies safely
• Resolving dependency conflicts or version mismatches
• Auditing dependencies for security vulnerabilities
• Understanding lockfile management and reproducible builds
• Setting up monorepo workspaces (pnpm, npm, yarn)
• Managing transitive dependencies and overrides
• Choosing between similar packages (bundle size, maintenance, security)
• Dependency version constraints and semantic versioning
• Dependency security best practices and supply chain security
• Troubleshooting "dependency hell" scenarios
• Package manager configuration and optimization
• Creating reproducible builds across environments

---

Quick Reference

Task	Tool/Command	Key Action	When to Use
Install from lockfile	npm ci, poetry install, cargo build	Clean install, reproducible	CI/CD, production deployments
Add dependency	npm install <pkg>, poetry add <pkg>	Updates lockfile automatically	New feature needs library
Update dependencies	npm update, poetry update, cargo update	Updates within version constraints	Monthly/quarterly maintenance
Check for vulnerabilities	npm audit, pip-audit, cargo audit	Scans for known CVEs	Before releases, weekly
View dependency tree	npm ls, pnpm why, pipdeptree	Shows transitive dependencies	Debugging conflicts
Override transitive dep	overrides (npm), pnpm.overrides	Force specific version	Security patch, conflict resolution
Monorepo setup	pnpm workspaces, npm workspaces	Shared dependencies, cross-linking	Multi-package projects
Check outdated	npm outdated, poetry show --outdated	Lists available updates	Planning update sprints

---

Decision Tree: Dependency Management

User needs: [Dependency Task]
    ├─ Adding new dependency?
    │   ├─ Check: Do I really need this? (Can implement in <100 LOC?)
    │   ├─ Check: Is it well-maintained? (Last commit <6 months, >10k downloads/week)
    │   ├─ Check: Bundle size impact? (Use Bundlephobia for JS)
    │   ├─ Check: Security risks? (`npm audit`, Snyk)
    │   └─ If all checks pass → Add with `npm install <pkg>` → Commit lockfile
    │
    ├─ Updating dependencies?
    │   ├─ Security vulnerability? → `npm audit fix` → Test → Deploy immediately
    │   ├─ Routine update?
    │       ├─ Patch versions → `npm update` → Safe, do frequently
    │       ├─ Minor/major → Check CHANGELOG → Test in staging → Update gradually
    │       └─ All at once → ❌ RISKY → Update in batches instead
    │
    ├─ Dependency conflict?
    │   ├─ Transitive dependency issue?
    │       ├─ View tree: `npm ls <package>`
    │       ├─ Use overrides sparingly: `overrides` in package.json
    │       └─ Document why override is needed
    │   └─ Peer dependency mismatch?
    │       └─ Check version compatibility → Update parent or child
    │
    ├─ Monorepo project?
    │   ├─ Use pnpm workspaces (fastest, best)
    │   ├─ Shared deps → Root package.json
    │   ├─ Package-specific → Package directories
    │   └─ Use Nx or Turborepo for task caching
    │
    └─ Choosing package manager?
        ├─ New project → **pnpm** (3x faster, 1/3 disk space)
        ├─ Existing npm project → Migrate or stay (check team preference)
        ├─ Python → **Poetry** (apps), pip+venv (simple)
        └─ Data science → **conda** (environment management)

---

Navigation: Core Patterns

Lockfile Management

resources/lockfile-management.md

Lockfiles ensure reproducible builds by recording exact versions of all dependencies (direct + transitive). Essential for preventing "works on my machine" issues.

• Golden rules (always commit, never edit manually, regenerate on changes)
• Commands by ecosystem (npm ci, poetry install, cargo build)
• Troubleshooting lockfile conflicts
• CI/CD integration patterns

Semantic Versioning (SemVer)

resources/semver-guide.md

Understanding version constraints (^, ~, exact) and how to specify dependency ranges safely.

• SemVer format (MAJOR.MINOR.PATCH)
• Version constraint syntax (caret, tilde, exact)
• Recommended strategies by project type
• Cross-ecosystem version management

Dependency Security Auditing

resources/security-scanning.md

Automated security scanning, vulnerability management, and supply chain security best practices.

• Automated tools (Dependabot, Snyk, GitHub Advanced Security)
• Running audits (npm audit, pip-audit, cargo audit)
• CI integration and alert configuration
• Incident response workflows

Dependency Selection

resources/dependency-selection-guide.md

Deciding whether to add a new dependency and choosing between similar packages.

• Minimal dependencies principle (best dependency is the one you don't add)
• Evaluation checklist (maintenance, bundle size, security, alternatives)
• Choosing between similar packages (comparison matrix)
• When to reject a dependency

Update Strategies

resources/update-strategies.md

Keeping dependencies up to date safely while minimizing breaking changes and security risks.

• Update strategies (continuous, scheduled, security-only)
• Safe update workflow (check outdated, categorize risk, test, deploy)
• Automated update tools (Dependabot, Renovate, npm-check-updates)
• Handling breaking changes and rollback plans

Monorepo Management

resources/monorepo-patterns.md

Managing multiple related packages in a single repository with shared dependencies.

• Workspace tools (pnpm, npm, yarn workspaces)
• Monorepo structure and organization
• Build optimization (Nx, Turborepo)
• Versioning and publishing strategies

Transitive Dependencies

resources/transitive-dependencies.md

Dealing with dependencies of your dependencies (indirect dependencies).

• Viewing dependency trees (npm ls, pnpm why, pipdeptree)
• Resolving transitive conflicts (overrides, resolutions, constraints)
• Security risks and version conflicts
• Best practices (use sparingly, document, test)

Ecosystem-Specific Guides

resources/ecosystem-guides.md

Language and package-manager-specific best practices.

• Node.js (npm, yarn, pnpm comparison and best practices)
• Python (pip, poetry, conda)
• Rust (cargo), Go (go mod), Java (maven, gradle)
• PHP (composer), .NET (nuget)

Anti-Patterns

resources/anti-patterns.md

Common mistakes to avoid when managing dependencies.

• Critical anti-patterns (not committing lockfiles, wildcards, ignoring audits)
• Dangerous anti-patterns (never updating, deprecated packages)
• Moderate anti-patterns (overusing overrides, ignoring peer deps)

---

Navigation: Templates

Node.js

templates/nodejs/

• package-json-template.json - Production-ready package.json with best practices
• npmrc-template.txt - Team configuration for npm
• pnpm-workspace-template.yaml - Monorepo workspace setup

Python

templates/python/

• pyproject-toml-template.toml - Poetry configuration with best practices

Automation

templates/automation/

• dependabot-config.yml - GitHub Dependabot configuration
• renovate-config.json - Renovate Bot configuration
• audit-checklist.md - Security audit workflow

---

Quick Decision Matrix

Scenario	Recommendation
Adding new dependency	Check Bundlephobia, npm audit, weekly downloads, last commit
Updating dependencies	Use npm outdated, update in batches, test in staging
Security vulnerability found	Use npm audit fix, review CHANGELOG, test, deploy immediately
Monorepo setup	Use pnpm workspaces or Nx/Turborepo for build caching
Transitive conflict	Use overrides sparingly, document why, test thoroughly
Choosing package manager	pnpm (fastest), npm (most compatible), yarn (good middle)
Python environment	Poetry (apps), pip+venv (simple), conda (data science)

---

Core Principles

1. Always Commit Lockfiles

Lockfiles ensure reproducible builds across environments. Never add them to .gitignore.

Exception: Don't commit Cargo.lock for Rust libraries (only for applications).

2. Use Semantic Versioning

Use caret (^) for most dependencies, exact versions for mission-critical, avoid wildcards (*).

{
  "dependencies": {
    "express": "^4.18.0",  // Allows patches and minors
    "critical-lib": "1.2.3"  // Exact for critical
  }
}

3. Audit Dependencies Regularly

Run security audits weekly, fix critical vulnerabilities immediately.

npm audit
npm audit fix

4. Minimize Dependencies

The best dependency is the one you don't add. Ask: Can I implement this in <100 LOC?

5. Update Regularly

Update monthly or quarterly. Don't let technical debt accumulate.

npm outdated
npm update

6. Use Overrides Sparingly

Only override transitive dependencies for security patches or conflicts. Document why.

{
  "overrides": {
    "axios": "1.6.0"  // CVE-2023-xxxxx fix
  }
}

---

Related Skills

For complementary workflows and deeper dives:

• dev-api-design - API versioning strategies, dependency injection patterns
• git-workflow - Git workflows for managing lockfile conflicts, branching strategies
• testing-automation - Testing strategies for dependency updates, integration testing
• software-security-appsec - OWASP Top 10, cryptography standards, authentication patterns
• ops-devops-platform - CI/CD pipelines, Docker containerization, DevSecOps, deployment automation
• docs-technical-writing - Documenting dependency choices, ADRs, changelogs

---

External Resources

See data/sources.json for 82 curated resources:

• Package managers: npm, pnpm, Yarn, pip, Poetry, Cargo, Go modules, Maven, Composer
• Semantic versioning: SemVer spec, version calculators, constraint references
• Security tools: Snyk, Dependabot, GitHub Advanced Security, OWASP Dependency-Check, pip-audit, cargo-audit, Socket.dev, Renovate
• Lockfile management: Official docs for package-lock.json, poetry.lock, Cargo.lock, pnpm-lock.yaml
• Monorepo tools: pnpm workspaces, npm workspaces, Yarn workspaces, Nx, Turborepo, Lerna, Bazel
• Analysis tools: Bundlephobia, npm-check-updates, depcheck, pipdeptree, cargo tree
• Supply chain security: SLSA framework, SBOM (CISA), Sigstore, npm provenance, OpenSSF Scorecard
• Best practices: npm/Poetry/Cargo guides, ACM Queue articles, dependency hell references
• Version management: nvm, pyenv, rustup, asdf
• Learning resources: npm guides, Python Packaging User Guide, Rust Book, Monorepo.tools

---

Usage Notes

For Claude:

• Use this skill when users need dependency management guidance
• Reference specific resources based on the task (lockfiles, security, updates)
• Provide ecosystem-specific guidance (Node.js, Python, Rust)
• Always recommend security audits and reproducible builds
• Encourage minimal dependencies and regular updates
• Link to templates for common configurations

Best Practices:

• Always commit lockfiles (except Cargo.lock for libraries)
• Use semantic versioning (caret for most deps, exact for critical)
• Audit dependencies weekly (npm audit, pip-audit, cargo audit)
• Update dependencies monthly or quarterly (not all at once)
• Choose package manager based on project needs (pnpm for speed, Poetry for Python apps)
• Document dependency choices in ADRs (Architecture Decision Records)

---

Success Criteria: Dependencies are minimal, well-maintained, secure, reproducible across environments, and regularly audited for vulnerabilities.