devjarus/dependency-evaluation
skills/practices/dependency-evaluation/SKILL.md
Framework for evaluating and selecting npm packages, libraries, and tools. Use when choosing between alternatives (ORMs, auth libs, UI frameworks) or adding new dependencies.
tools
Updated Apr 25, 2026
$ install --global
skillsauthnpx skillsauth add devjarus/coding-agent dependency-evaluationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 7:43 PM135.9s1 file scanned
SKILL.md
- name:
- dependency-evaluation
- description:
- Framework for evaluating and selecting npm packages, libraries, and tools. Use when choosing between alternatives (ORMs, auth libs, UI frameworks) or adding new dependencies.
Solves: "which auth library?", "prisma vs drizzle?", "should we add this dep?"
When to Apply
- Choosing between library alternatives
- Adding a new dependency to the project
- Researcher agent evaluating options
- Planner selecting tech stack components
Evaluation Criteria (priority ordered)
CRITICAL
- DEP-01: Does it solve the actual problem? Don't add a library for something the stdlib/framework handles
- DEP-02: Is it actively maintained? Check: last commit < 6 months, issues being responded to, not deprecated
- DEP-03: Security — run
npm audit/pip audit. Check for known CVEs. Check Snyk/Socket.dev
HIGH
- DEP-04: Bundle size impact — check bundlephobia.com. Is tree-shaking supported?
- DEP-05: TypeScript support — first-class types (not @types/ afterthought)?
- DEP-06: Community adoption — npm weekly downloads, GitHub stars (as a signal, not a metric), used by notable projects?
- DEP-07: API stability — does it follow semver? Frequent breaking changes?
MEDIUM
- DEP-08: Documentation quality — are docs complete, current, with examples?
- DEP-09: Escape hatch — can you replace it later without rewriting everything? Avoid deep lock-in
- DEP-10: License — MIT/Apache/BSD are safe. Check for GPL/AGPL if distributing
Decision Template
Show a structured comparison format agents should use:
## Evaluation: [Category] — [Option A] vs [Option B] vs [Option C]
| Criteria | Option A | Option B | Option C |
|----------|----------|----------|----------|
| Solves problem? | ... | ... | ... |
| Maintained? | ... | ... | ... |
| Security | ... | ... | ... |
| Bundle size | ... | ... | ... |
| TypeScript | ... | ... | ... |
| Community | ... | ... | ... |
| API stability | ... | ... | ... |
| Docs quality | ... | ... | ... |
| Escape hatch | ... | ... | ... |
| License | ... | ... | ... |
Recommendation: [Option] because [reason]
Risk: [what could go wrong]
Rules
- Prefer fewer dependencies — every dep is a maintenance and security liability
- Prefer framework built-ins over third-party (Next.js Image over sharp, etc.)
- Never add a dependency for something achievable in < 20 lines of code
- Check if the project already has a similar dep (don't add axios if fetch is already used)
Related Skills
devjarus/deep-research
testing
VerifiedTrustedCommunity
Multi-source research method — decompose a question, fan out parallel investigators, interleaved-think each result, verify claims adversarially, synthesize a cited answer. Use for breadth-heavy research, stack comparisons, "which approach wins" questions.
SKILL.mdUpdated May 30, 2026
devjarus/test-doubles-strategy
testing
VerifiedTrustedCommunity
Decide when to use unit vs integration vs e2e tests, and when to mock vs use the real thing per dependency. Dependency injection is the enabler — without it you end up monkey-patching imports. Apply when writing tests of any kind.
SKILL.mdUpdated Apr 25, 2026
devjarus/tdd
development
VerifiedTrustedCommunity
Test-driven development process — write failing test, implement to pass, refactor. Use when implementing any feature or fixing bugs.
SKILL.mdUpdated Apr 25, 2026
devjarus/shared-contracts
development
VerifiedTrustedCommunity
Patterns for sharing types, API contracts, and validation schemas between frontend and backend. Use when multiple domains consume the same data shapes to prevent contract drift.
SKILL.mdUpdated Apr 25, 2026