maestria-co/dependency-management
skills/dependency-management/SKILL.md
Update, audit, and manage project dependencies safely. Use whenever someone says "update dependencies", "we have a security vulnerability", "this package is outdated", "fix the npm audit warnings", "upgrade [library] to latest", "check for outdated packages", or when a dependency audit reveals CVEs. Works across all package ecosystems (npm, pip, Maven, NuGet, Cargo, Go modules).
development
Updated Apr 26, 2026
$ install --global
skillsauthnpx skillsauth add maestria-co/ai-playbook dependency-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 26, 2026, 7:10 AM405.6s1 file scanned
SKILL.md
- name:
- dependency-management
- description:
- >
Skill: Dependency Management
Purpose
Update and manage project dependencies safely, one at a time, with testing at each step.
Process
1. Identify outdated or vulnerable dependencies
- npm:
npm outdatedandnpm audit - Python:
pip list --outdatedandpip-audit - Maven:
mvn versions:display-dependency-updates - .NET:
dotnet outdated
2. Categorize updates
- Security patch (CVE): do immediately, highest priority
- Minor version bump (x.Y.z): low risk, batch if same library family
- Major version bump (X.y.z): breaking changes possible, treat individually
3. Update strategy — one at a time
a. Update the dependency in manifest (package.json, pom.xml, etc.)
b. Update the lock file
c. Run the full test suite
d. Check for deprecation warnings in output
e. If tests pass → commit that single update
f. If tests fail → diagnose before moving to the next dependency
4. For major version bumps
- Read the migration guide / CHANGELOG
- Search codebase for deprecated API usage
- Update all call sites before running tests
5. Verify compatibility matrix
Check all direct dependencies are mutually compatible
6. Final verification
Full test suite + build + lint clean
Risk Levels
| Type | Risk | Action | |------------------------|----------|----------------------------------| | CVE security patch | Critical | Fix immediately | | Minor patch (z) | Low | Batch updates OK | | Minor feature (y) | Medium | Test individually | | Major (x) | High | Read migration guide; test thoroughly |
Rollback Plan
Before updating, commit the current lock file to a branch. To revert to the pre-update state:
# Restore the lock file and reinstall
git checkout [branch] -- [lock-file]
[install command] # npm ci / pip install / dotnet restore / etc.
Replace [lock-file] with the appropriate file: package-lock.json, yarn.lock, Pipfile.lock, poetry.lock, packages.lock.json, go.sum, etc.
Constraints
- Never update multiple major-version dependencies in a single commit
- Always run the full test suite after each update
- Do not skip lock file updates
Related Skills
maestria-co/writing-tests
development
VerifiedTrustedCommunity
Writes and runs a test suite for a piece of code, covering happy path, edge cases, error cases, and security cases. Use when: implementation is complete and needs test coverage, a bug needs a reproduction test and fix validation, or code needs coverage before a refactor. Do not use when: the code under test is not yet implemented, or the spec is still unclear.
SKILL.mdUpdated Apr 26, 2026
maestria-co/writing-skills
testing
VerifiedTrustedCommunity
Use when creating a new skill, editing an existing skill, or helping a user author a skill for this system. Covers structure, discoverability, quality, and discipline hardening.
SKILL.mdUpdated Apr 26, 2026
maestria-co/verification-checklist
development
VerifiedTrustedCommunity
Evidence-based verification process to run before marking any task complete. Use this skill every time you're about to report that work is done — for features, bug fixes, refactoring, or any code change. This catches the most common failure mode: declaring "done" without proof. If you're finishing up and about to tell the user the task is complete, run this checklist first.
SKILL.mdUpdated Apr 26, 2026
maestria-co/using-skills
development
VerifiedTrustedCommunity
Teaches agents how to discover, select, and invoke skills from the skill library. Use this skill whenever you're uncertain which skill applies to a task, when composing multiple skills for complex work, or when you need to understand what skills are available. This is your go-to when facing an ambiguous task and need to figure out the right approach before diving into implementation.
SKILL.mdUpdated Apr 26, 2026