Agent Skills
› NeverSight/learn-skills.dev
› dependency-manager
dependency-manager
GitHub专注于包管理、版本冲突解决及软件供应链安全。适用于依赖更新、漏洞审计、锁文件管理及跨生态系统的迁移与策略实施,确保构建可复现性与安全性。
Trigger Scenarios
更新项目依赖
解决版本冲突
审计安全漏洞
管理锁文件
实施依赖策略
Install
npx skills add NeverSight/learn-skills.dev --skill dependency-manager -g -y
SKILL.md
Frontmatter
{
"name": "dependency-manager",
"description": "Expert at package management and supply chain security. Use when managing dependencies, updating packages, resolving version conflicts, ensuring supply chain security, or auditing vulnerabilities in project dependencies."
}
Dependency Manager
Purpose
Provides expertise in package management, version resolution, and software supply chain security. Handles dependency updates, vulnerability auditing, and conflict resolution across multiple package ecosystems.
When to Use
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Migrating between package managers
- Implementing dependency policies
- Reducing bundle size via dependency analysis
Quick Start
Invoke this skill when:
- Updating project dependencies
- Resolving version conflicts
- Auditing for security vulnerabilities
- Managing lockfiles and reproducibility
- Implementing dependency policies
Do NOT invoke when:
- Building CI/CD pipelines (use devops-engineer)
- Publishing packages to registries (use build-engineer)
- Container image management (use kubernetes-specialist)
- Cloud infrastructure dependencies (use terraform-engineer)
Decision Framework
Update Strategy:
├── Security patch → Update immediately
├── Bug fix (patch) → Update with tests
├── Minor version → Review changelog, test
├── Major version → Full compatibility review
└── Deprecated package → Find replacement
Ecosystem Tools:
├── Node.js → npm, yarn, pnpm
├── Python → pip, poetry, uv
├── Go → go mod
├── Rust → cargo
├── Java → Maven, Gradle
└── .NET → NuGet
Core Workflows
1. Dependency Audit
- Run package audit tool
- Review vulnerability reports
- Prioritize by severity (CVSS)
- Check for available patches
- Update or find alternatives
- Verify fixes don't break app
- Document remediation
2. Major Version Upgrade
- Read changelog and migration guide
- Check for breaking changes
- Update in isolated branch
- Run full test suite
- Fix breaking changes
- Review for deprecated APIs
- Deploy to staging first
3. Lockfile Management
- Ensure lockfile is committed
- Use CI to verify lockfile matches
- Regenerate on conflict resolution
- Audit lockfile for tampering
- Update lockfile atomically
Best Practices
- Always use lockfiles for reproducibility
- Run security audits in CI/CD
- Pin exact versions in production
- Use renovate/dependabot for automation
- Audit transitive dependencies
- Minimize dependency count
Anti-Patterns
| Anti-Pattern | Problem | Correct Approach |
|---|---|---|
| No lockfile | Non-reproducible builds | Commit lockfiles |
| Ignoring audits | Security vulnerabilities | Address all high/critical |
| Auto-merge updates | Breaking changes in prod | Test before merge |
| Too many deps | Large attack surface | Audit and minimize |
| Outdated deps | Missing security patches | Regular update cadence |
Version History
- e0220ca Current 2026-07-05 21:12


