kienbui1995/dependency-management
skills/dependency-management/SKILL.md
Use when updating packages, auditing vulnerabilities, managing version pinning, or evaluating new dependencies
testing
Updated Apr 23, 2026
$ install --global
skillsauthnpx skillsauth add kienbui1995/magic-powers dependency-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 12:55 AM80.7s1 file scanned
SKILL.md
- name:
- dependency-management
- description:
- Use when updating packages, auditing vulnerabilities, managing version pinning, or evaluating new dependencies
Dependency Management
Overview
Every dependency is a liability — it can break, have vulnerabilities, or become unmaintained. Be deliberate about what you add and keep it updated.
When to Use
- Adding new dependencies to a project
- Running security audits
- Updating outdated packages
- Evaluating whether to add vs. build
Adding Dependencies — Decision Framework
Do I really need this package?
├── Can I write it in <50 lines? → Write it yourself
├── Is it a core utility (lodash for 1 function)? → Import just that function or skip
├── Check: maintained? >1000 weekly downloads? Recent commits? → No? Skip it
└── Yes to all → Add it, pin the version
Version Pinning Strategy
| Environment | Strategy | Example |
|-------------|----------|---------|
| App (deployed) | Pin exact | "express": "4.18.2" |
| Library (published) | Range | "express": "^4.18.0" |
| Lock file | Always commit | package-lock.json, poetry.lock |
Security Audit Workflow
# Node.js
npm audit
npm audit fix
# Python
pip-audit
safety check
# General
snyk test
Schedule: Run npm audit / pip-audit weekly in CI. Block merges on critical/high vulnerabilities.
Update Strategy
- Patch updates (4.18.1 → 4.18.2) — auto-merge via Dependabot/Renovate
- Minor updates (4.18 → 4.19) — review changelog, run tests, merge
- Major updates (4.x → 5.x) — dedicated PR, read migration guide, test thoroughly
Checklist
- [ ] Lock file committed to git
- [ ] No unused dependencies (
depcheck,pip-extra-reqs) - [ ] Security audit passes (no critical/high)
- [ ] Dependabot or Renovate configured
- [ ] License compatibility checked for new deps
Integration
- magic-powers:ci-cd-pipeline — run audit in CI
- magic-powers:security-review — review dependency security posture
Related Skills
kienbui1995/xr-interface-design
content-media
VerifiedTrustedCommunity
Use when designing for XR (AR/VR/MR), choosing interaction modes, or adapting 2D UI patterns for spatial computing
SKILL.mdUpdated Apr 24, 2026
kienbui1995/writing-skills
testing
VerifiedTrustedCommunity
Use when creating new skills, editing existing skills, or verifying skills work before deployment
SKILL.mdUpdated Apr 24, 2026
kienbui1995/writing-plans
development
VerifiedTrustedCommunity
Use when you have a spec or requirements for a multi-step task, before touching code
SKILL.mdUpdated Apr 24, 2026
kienbui1995/workflow-templates
development
VerifiedTrustedCommunity
Use when executing a structured workflow — select and run a feature, bugfix, refactor, research, or incident template with correct agent and model assignments per phase.
SKILL.mdUpdated Apr 24, 2026