| name | dependency-management-principles |
| description | Apply dependency management best practices when adding, updating, or auditing project dependencies in go.mod, package.json, Cargo.toml, pubspec.yaml, or requirements.txt. Covers version pinning, vulnerability scanning, and dependency hygiene. |
| user-invocable | false |
Dependency Management Principles
Version Pinning
Production: Pin exact versions (1.2.3, not ^1.2.0)
- Prevents supply chain attacks
- Prevents unexpected breakage from patch updates
- Ensures reproducible builds
Use lock files:
package-lock.json (Node.js / npm)
pnpm-lock.yaml (Node.js / pnpm)
yarn.lock (Node.js / yarn)
Cargo.lock (Rust)
go.sum (Go)
pubspec.lock (Flutter / Dart)
requirements.txt / poetry.lock (Python)
Minimize Dependencies
Every dependency is a liability:
- Potential security vulnerability
- Increased build time and artifact size
- Maintenance burden (updates, compatibility)
Ask before adding dependency:
- "Can I implement this in 50 lines?"
- "Is this functionality critical?"
- "Is this dependency actively maintained?"
- "Is this the latest stable version?"
Organize Imports
Grouping:
- Standard library
- External dependencies
- Internal modules
Sorting: Alphabetical within groups
Cleanup: Remove unused imports (use linter/formatter)
Dependency Management Checklist
Related Principles
- Security Mandate @.claude/rules/security-mandate.md
- Security Principles @.claude/rules/security-principles.md