// Use when adding new dependencies, deciding whether to update packages, running security audits on dependencies, evaluating library alternatives, or encountering outdated or vulnerable packages
Use when starting any conversation — establishes how to find and use skills, requiring skill check before ANY response including clarifying questions
You MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. Explores user intent, requirements and design before implementation.
Use when you have a written implementation plan to execute in a separate session with review checkpoints
Use when you have a spec or requirements for a multi-step task, before touching code
Use when a task requires interacting with a web browser — testing UI flows, verifying web app behavior, clicking through screens, reading live web content, or automating browser workflows in Google Antigravity
Use when executing implementation plans with independent tasks in the current session
| name | dependency-management |
| description | Use when adding new dependencies, deciding whether to update packages, running security audits on dependencies, evaluating library alternatives, or encountering outdated or vulnerable packages |
Every dependency is a commitment -- to its maintenance, security surface, and upgrade path. Add deliberately, update strategically, audit regularly.
Core principle: Every dependency decision should be justified. Don't add what you can write. Don't ignore what you can update. Don't skip what you can audit.
Don't use when:
digraph dependency_decision {
"What dependency decision?" [shape=diamond];
"Add new package" [shape=box];
"Update existing" [shape=box];
"Security alert" [shape=box];
"Remove package" [shape=box];
"Evaluation Criteria" [shape=box, style=filled, fillcolor=lightyellow];
"Update Type?" [shape=diamond];
"Urgency Matrix" [shape=box, style=filled, fillcolor=lightyellow];
"Usage check, remove" [shape=box];
"Patch" [shape=box];
"Minor" [shape=box];
"Major" [shape=box];
"What dependency decision?" -> "Add new package";
"What dependency decision?" -> "Update existing";
"What dependency decision?" -> "Security alert";
"What dependency decision?" -> "Remove package";
"Add new package" -> "Evaluation Criteria";
"Update existing" -> "Update Type?";
"Security alert" -> "Urgency Matrix";
"Remove package" -> "Usage check, remove";
"Update Type?" -> "Patch" [label="x.x.Z"];
"Update Type?" -> "Minor" [label="x.Y.0"];
"Update Type?" -> "Major" [label="X.0.0"];
}
Before adding any dependency, evaluate against all seven criteria:
| Criterion | Question | Red Flag |
|---|---|---|
| Necessity | Can stdlib or existing deps do this? | Adding a package for 10 lines of code |
| Maintenance | Last commit? Issue/PR response time? | 12+ months inactive, unanswered issues |
| Community | Weekly downloads, stars, forks? | Very low usage, single maintainer |
| License | Compatible with project license? | GPL in commercial project (license contamination) |
| Size | Bundle size? Transitive dependency count? | Massive dep tree for a small task |
| Security | Known CVEs? Clean audit? | Active security vulnerabilities |
| Alternatives | Better/lighter alternative available? | Picking the first result without evaluating |
Rule of thumb: If a package fails two or more criteria, find an alternative or write it yourself.
| Update Type | Strategy | Risk |
|---|---|---|
| Patch (x.x.Z) | Update immediately, run test suite | Low |
| Minor (x.Y.0) | Read changelog, update, test | Medium |
| Major (X.0.0) | Breaking change analysis, migration plan, test on separate branch | High |
Workflow for batch updates:
| Severity | Exploit exists? | Action | Timeframe |
|---|---|---|---|
| Critical | Yes | Update immediately or apply workaround | Hours |
| Critical | No | Priority update | 1-2 days |
| High | -- | Update within sprint | 1 week |
| Medium/Low | -- | Add to next update cycle | Planned |
When a security audit reports vulnerabilities:
| Mistake | Reality |
|---|---|
| "Popular package is safe" | Popularity does not equal security. event-stream was hacked at 2M weekly downloads |
| "Lockfile commit is unnecessary" | Without lockfile, builds are not reproducible |
| "Update everything at once" | Batch updates make it impossible to isolate the source of issues |
| "Major update is just a version number" | Breaking change = potential refactoring |
| "Dev dependency security doesn't matter" | Supply chain attacks target build processes |
| "Add a package instead of writing 10 lines" | Every package adds attack surface and maintenance burden |
Before removing a package: