dependency-governance
GitHub provides a dependency-governance guide covering adding, updating, auditing, and removing dependencies. It emphasises using existing capabilities first, keeping the lockfile consistent, selecting packages carefully, and minimising version changes. It includes rules for handling vulnerabilities and cleaning up leftover code, plus a checklist, risk warnings, and a validation procedure, to keep the supply chain secure and the project stable.
Trigger Scenarios
Adding a new project dependency
Updating the version of an existing dependency
Removing a dependency that is no longer used
Fixing a dependency-related security vulnerability
Performing a dependency audit
Install
npx skills add NeverSight/learn-skills.dev --skill dependency-governance -g -y
SKILL.md
Frontmatter
{
"name": "dependency-governance",
"description": "Guidelines for adding, updating, auditing, and removing dependencies while preserving lockfile integrity and supply chain safety"
}
Instructions
- Use Existing Capabilities First: Check the current standard library, framework utilities, and installed dependencies before adding a package.
- Lockfile Alignment: Use the package manager implied by the lockfile. Never mix npm, yarn, pnpm, and bun in the same project unless the repo already documents that strategy.
- Package Selection Criteria: Prefer actively maintained packages with recent releases, clear licenses, strong TypeScript support where relevant, low transitive dependency count, and documented security practices.
- Minimal Version Changes: Add or update only the dependency needed for the task. Avoid broad package upgrades unless the user requested a dependency refresh.
- Vulnerability Handling: For security updates, inspect whether the vulnerable path is reachable, apply the narrowest safe fix, and run the project test/build commands afterward.
- Removal Hygiene: When removing a dependency, delete unused imports, configuration, types, scripts, and documentation references.
Gotchas
- Transitive Risk: A small package can pull in a large dependency tree. Inspect dependency impact before adopting it.
- License Drift: New packages can introduce licenses that are incompatible with the project or organization.
- Install Script Risk: Packages with postinstall scripts can execute code during installation. Treat them as higher risk.
- Lockfile Churn: Reinstalling with the wrong package manager can rewrite the lockfile and create noisy, risky diffs.
Validation Loops
- Manifest Check: Confirm package.json and the relevant lockfile changed consistently.
- Audit Check: Run the project-appropriate audit command and document unresolved findings.
- Build/Test Check: Run the affected test, type, lint, and build commands.
- Usage Check: Search for old imports or stale docs after upgrades/removals.
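The Manifest Check above, together with the Install Script Risk and Lockfile Churn gotchas, can be turned into mechanical checks. The following is an added example, not code from the skill or from learn-skills.dev: three pure functions over a package.json and a package-lock.json, run on constructed sample inputs. It assumes npm lockfile version 2 or 3, where the root entry packages[""] mirrors the declared ranges of package.json and resolved packages carry a "hasInstallScript" flag when they define install hooks.

```javascript
// Added example (not the skill's own code): mechanical versions of the
// Manifest Check, Install Script Risk and Lockfile Alignment points.
// Assumes package-lock.json lockfileVersion 2/3 semantics as described above.

const DECLARED_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Manifest Check: package.json and the lockfile root entry must agree on every
// declared range, and every declared package needs a resolved lockfile entry.
function manifestDrift(manifest, lockfile) {
  const packages = lockfile.packages || {};
  const root = packages[""] || {};
  const problems = [];
  for (const field of DECLARED_FIELDS) {
    const wanted = manifest[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(wanted)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} declared in package.json but absent from lockfile root`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} range ${range} in package.json vs ${locked[name]} in lockfile`);
      }
      if (!packages[`node_modules/${name}`]) {
        problems.push(`${field}: ${name} has no resolved entry under node_modules/`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in wanted)) {
        problems.push(`${field}: ${name} in lockfile root but not in package.json`);
      }
    }
  }
  return problems;
}

// Install Script Risk: list every resolved package (transitive ones included)
// that the lockfile marks as running an install hook, so each gets a closer look.
function installScriptPackages(lockfile) {
  const marker = "node_modules/";
  return Object.entries(lockfile.packages || {})
    .filter(([path, entry]) => path !== "" && entry.hasInstallScript === true)
    .map(([path, entry]) => `${path.slice(path.lastIndexOf(marker) + marker.length)}@${entry.version}`)
    .sort();
}

// Lockfile Alignment: which package managers do the lockfiles present imply?
// More than one is the mixed-package-manager situation the skill warns about.
const LOCKFILE_OWNER = {
  "package-lock.json": "npm",
  "npm-shrinkwrap.json": "npm",
  "yarn.lock": "yarn",
  "pnpm-lock.yaml": "pnpm",
  "bun.lockb": "bun",
  "bun.lock": "bun",
};
function impliedPackageManagers(fileNames) {
  const managers = new Set();
  for (const f of fileNames) if (f in LOCKFILE_OWNER) managers.add(LOCKFILE_OWNER[f]);
  return [...managers].sort();
}

// Constructed sample inputs (hypothetical package names, not a real project).
// The logger range was bumped in package.json without reinstalling, and one
// transitive package carries an install hook.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: { "example-http-client": "^2.1.0", "example-logger": "~1.4.2" },
  devDependencies: { "example-test-runner": "^9.0.0" },
};
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "example-http-client": "^2.1.0", "example-logger": "~1.3.0" },
      devDependencies: { "example-test-runner": "^9.0.0" },
    },
    "node_modules/example-http-client": { version: "2.1.3" },
    "node_modules/example-logger": { version: "1.3.5" },
    "node_modules/example-test-runner": { version: "9.0.1", dev: true },
    "node_modules/example-native-binding": { version: "0.4.0", hasInstallScript: true },
  },
};
const SAMPLE_FILES = ["package.json", "package-lock.json", "yarn.lock", "README.md"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("manifest drift:", manifestDrift(SAMPLE_MANIFEST, SAMPLE_LOCKFILE));
  console.log("install scripts:", installScriptPackages(SAMPLE_LOCKFILE));
  console.log("package managers:", impliedPackageManagers(SAMPLE_FILES));
}
if (typeof module !== "undefined") {
  module.exports = { manifestDrift, installScriptPackages, impliedPackageManagers };
}
```

In a real repository the three inputs come from reading package.json, package-lock.json, and a directory listing; a non-empty drift list or more than one implied package manager is a reason to stop and reinstall with the manager the lockfile implies before reviewing the diff, and each install-script package is a candidate for the audit step.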
Version History
- e0220ca Current 2026-07-05 23:23