dsivov/dependency-management
.claude/skills/dependency-management/SKILL.md
Use when the Integrator is managing project dependencies, updating packages, resolving version conflicts, auditing for vulnerabilities, or maintaining lock files. Activates when working with package.json, requirements.txt, Cargo.toml, or any dependency configuration.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add dsivov/ai_development_team dependency-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:51 PM8.1s1 file scanned
SKILL.md
- name:
- dependency-management
- description:
- Use when the Integrator is managing project dependencies, updating packages, resolving version conflicts, auditing for vulnerabilities, or maintaining lock files. Activates when working with package.json, requirements.txt, Cargo.toml, or any dependency configuration.
- version:
- 1.0.0
Dependency Management Expertise
When This Applies
Apply this guidance when:
- Adding, updating, or removing project dependencies
- Resolving version conflicts between packages
- Auditing dependencies for security vulnerabilities
- Maintaining lock files
- Evaluating new dependencies
Evaluating New Dependencies
Before adding a dependency, check:
| Criteria | Check | |----------|-------| | Necessity | Can this be done in 20 lines of code instead? | | Maintenance | Last commit < 6 months ago? Active maintainer? | | Popularity | Downloads/stars indicate community trust | | License | Compatible with project license? | | Size | Reasonable bundle/install size? | | Security | Known vulnerabilities? | | Dependencies | How many transitive deps does it bring? |
Decision Framework
- Add it if: Well-maintained, widely used, saves significant work
- Skip it if: Unmaintained, huge dependency tree, simple to implement yourself
- Ask Architect if: Major new framework, changes the architecture
Version Management
Semantic Versioning
^1.2.3— Allow minor and patch updates (recommended for most deps)~1.2.3— Allow only patch updates (for stability-critical deps)1.2.3— Exact version (for known-fragile deps only)
Update Strategy
- Patch updates (1.2.x): Apply regularly, low risk
- Minor updates (1.x.0): Test thoroughly, check changelogs
- Major updates (x.0.0): Plan carefully, may have breaking changes — create a task for it
Lock File Management
- Always commit lock files (
package-lock.json,poetry.lock,Cargo.lock) - Never manually edit lock files
- Regenerate if corrupted: delete and reinstall
- Review lock file diffs in commits — large changes deserve scrutiny
Security Auditing
Run security audits regularly:
- npm:
npm audit - Python:
pip-auditorsafety check - Rust:
cargo audit - Go:
govulncheck
Vulnerability Response
| Severity | Action | |----------|--------| | Critical | Update immediately, create hotfix task | | High | Update within current sprint | | Medium | Schedule for next update cycle | | Low | Track, update at convenience |
Dependency Conflicts
When two packages require incompatible versions:
- Check if either can be updated to resolve the conflict
- Check if an alternative package exists without the conflict
- If unavoidable, document the constraint and workaround
- Notify Architect if the conflict affects architecture decisions
Related Skills
dsivov/test-engineering
development
VerifiedTrustedCommunity
Use when the Integrator is writing unit tests, e2e tests, designing test strategies, improving test coverage, creating test fixtures, or mocking dependencies. Activates for any testing-related work including TDD, test refactoring, or test debugging.
SKILL.mdUpdated Apr 16, 2026
dsivov/task-decomposition
development
VerifiedTrustedCommunity
Use when the Architect is breaking down change requests into implementable tasks, defining acceptance criteria, estimating task size, mapping dependencies, or creating technical sub-tasks for Developer and Integrator.
SKILL.mdUpdated Apr 16, 2026
dsivov/system-design
development
VerifiedTrustedCommunity
Use when the Architect is designing system architecture, choosing technology stacks, defining data models, designing APIs, making scalability decisions, or updating ARCHITECTURE.md. Activates for any architecture design, technology evaluation, or system structure discussion.
SKILL.mdUpdated Apr 16, 2026
dsivov/stakeholder-communication
documentation
VerifiedTrustedCommunity
Use when the Manager is writing status updates, daily reports, queue messages to team members, escalation notices, or cross-role coordination messages. Activates when composing any team communication, reports, or documentation updates.
SKILL.mdUpdated Apr 16, 2026