Dependency Management — Production Patterns

Modern Best Practices (January 2026): Lockfile-first workflows, automated security scanning (Dependabot, Snyk, Socket.dev), semantic versioning, minimal dependencies principle, monorepo workspaces (pnpm, Nx, Turborepo), supply chain security (SBOM, AI BOM, Sigstore), reproducible builds, and AI-generated code validation.

When to Use This Skill

The agent should invoke this skill when a user requests:

• Adding new dependencies to a project

• Updating existing dependencies safely

• Resolving dependency conflicts or version mismatches

• Auditing dependencies for security vulnerabilities

• Understanding lockfile management and reproducible builds

• Setting up monorepo workspaces (pnpm, npm, yarn)

• Managing transitive dependencies and overrides

• Choosing between similar packages (bundle size, maintenance, security)

• Dependency version constraints and semantic versioning

• Dependency security best practices and supply chain security

• Troubleshooting "dependency hell" scenarios

• Package manager configuration and optimization

• Creating reproducible builds across environments

Quick Reference

Task Tool/Command Key Action When to Use

Install from lockfile npm ci , poetry install , cargo build

Clean install, reproducible CI/CD, production deployments

Add dependency npm install <pkg> , poetry add <pkg>

Updates lockfile automatically New feature needs library

Update dependencies npm update , poetry update , cargo update

Updates within version constraints Monthly/quarterly maintenance

Check for vulnerabilities npm audit , pip-audit , cargo audit

Scans for known CVEs Before releases, weekly

View dependency tree npm ls , pnpm why , pipdeptree

Shows transitive dependencies Debugging conflicts

Override transitive dep overrides (npm), pnpm.overrides

Force specific version Security patch, conflict resolution

Monorepo setup pnpm workspaces , npm workspaces

Shared dependencies, cross-linking Multi-package projects

Check outdated npm outdated , poetry show --outdated

Lists available updates Planning update sprints

Decision Tree: Dependency Management

User needs: [Dependency Task] ├─ Adding new dependency? │ ├─ Check: Do I really need this? (Can implement in <100 LOC?) │ ├─ Check: Is it well-maintained? (Last commit <6 months, >10k downloads/week) │ ├─ Check: Bundle size impact? (Use Bundlephobia for JS) │ ├─ Check: Security risks? (npm audit, Snyk) │ └─ If all checks pass → Add with npm install <pkg> → Commit lockfile │ ├─ Updating dependencies? │ ├─ Security vulnerability? → npm audit fix → Test → Deploy immediately │ ├─ Routine update? │ ├─ Patch versions → npm update → Safe, do frequently │ ├─ Minor/major → Check CHANGELOG → Test in staging → Update gradually │ └─ All at once → [FAIL] RISKY → Update in batches instead │ ├─ Dependency conflict? │ ├─ Transitive dependency issue? │ ├─ View tree: npm ls <package> │ ├─ Use overrides sparingly: overrides in package.json │ └─ Document why override is needed │ └─ Peer dependency mismatch? │ └─ Check version compatibility → Update parent or child │ ├─ Monorepo project? │ ├─ Use pnpm workspaces (recommended default) │ ├─ Shared deps → Root package.json │ ├─ Package-specific → Package directories │ └─ Use Nx or Turborepo for task caching │ └─ Choosing package manager? ├─ New JS project → pnpm (recommended default) or Bun (often faster; verify ecosystem maturity) ├─ Enterprise monorepo → pnpm (mature workspace support) ├─ Speed-focused experimentation → Bun (verify ecosystem maturity) ├─ Existing npm project → Migrate to pnpm or stay (check team preference) ├─ Python → uv (fast), Poetry (mature), pip+venv (simple) └─ Data science → conda or uv (faster environment setup)

Navigation: Core Patterns

Lockfile Management

references/lockfile-management.md

Lockfiles ensure reproducible builds by recording exact versions of all dependencies (direct + transitive). Essential for preventing "works on my machine" issues.

• Golden rules (always commit, never edit manually, regenerate on changes)

• Commands by ecosystem (npm ci, poetry install, cargo build)

• Troubleshooting lockfile conflicts

• CI/CD integration patterns

Semantic Versioning (SemVer)

references/semver-guide.md

Understanding version constraints (^ , ~ , exact) and how to specify dependency ranges safely.

• SemVer format (MAJOR.MINOR.PATCH)

• Version constraint syntax (caret, tilde, exact)

• Recommended strategies by project type

• Cross-ecosystem version management

Dependency Security Auditing

references/security-scanning.md

Automated security scanning, vulnerability management, and supply chain security best practices.

• Automated tools (Dependabot, Snyk, GitHub Advanced Security)

• Running audits (npm audit, pip-audit, cargo audit)

• CI integration and alert configuration

• Incident response workflows

Dependency Selection

references/dependency-selection-guide.md

Deciding whether to add a new dependency and choosing between similar packages.

• Minimal dependencies principle (best dependency is the one you don't add)

• Evaluation checklist (maintenance, bundle size, security, alternatives)

• Choosing between similar packages (comparison matrix)

• When to reject a dependency

Update Strategies

references/update-strategies.md

Keeping dependencies up to date safely while minimizing breaking changes and security risks.

• Update strategies (continuous, scheduled, security-only)

• Safe update workflow (check outdated, categorize risk, test, deploy)

• Automated update tools (Dependabot, Renovate, npm-check-updates)

• Handling breaking changes and rollback plans

Monorepo Management

references/monorepo-patterns.md

Managing multiple related packages in a single repository with shared dependencies.

• Workspace tools (pnpm, npm, yarn workspaces)

• Monorepo structure and organization

• Build optimization (Nx, Turborepo)

• Versioning and publishing strategies

Transitive Dependencies

references/transitive-dependencies.md

Dealing with dependencies of your dependencies (indirect dependencies).

• Viewing dependency trees (npm ls, pnpm why, pipdeptree)

• Resolving transitive conflicts (overrides, resolutions, constraints)

• Security risks and version conflicts

• Best practices (use sparingly, document, test)

Ecosystem-Specific Guides

references/ecosystem-guides.md

Language and package-manager-specific best practices.

• Node.js (npm, yarn, pnpm comparison and best practices)

• Python (pip, poetry, conda)

• Rust (cargo), Go (go mod), Java (maven, gradle)

• PHP (composer), .NET (nuget)

Anti-Patterns

references/anti-patterns.md

Common mistakes to avoid when managing dependencies.

• Critical anti-patterns (not committing lockfiles, wildcards, ignoring audits)

• Dangerous anti-patterns (never updating, deprecated packages)

• Moderate anti-patterns (overusing overrides, ignoring peer deps)

Container Dependency Patterns

references/container-dependency-patterns.md

Managing dependencies in containerized environments (Docker, OCI).

• Multi-stage builds, layer caching, base image selection

• Runtime vs build dependencies, image scanning, reproducible images

Version Conflict Resolution

references/version-conflict-resolution.md

Systematic approaches to resolving dependency version conflicts.

• Diamond dependency problems, resolution algorithms by ecosystem

• Override strategies, compatibility matrices, migration paths

License Compliance

references/license-compliance.md

Open-source license management and compliance automation.

• License compatibility matrix, copyleft vs permissive, SPDX identifiers

• Automated scanning (FOSSA, license-checker), policy enforcement in CI

Navigation: Templates

Node.js

assets/nodejs/

• package-json-template.json

• Production-ready package.json with best practices

• npmrc-template.txt

• Team configuration for npm

• pnpm-workspace-template.yaml

• Monorepo workspace setup

Python

assets/python/

• pyproject-toml-template.toml
• Poetry configuration with best practices

Automation

assets/automation/

• dependabot-config.yml

• GitHub Dependabot configuration

• renovate-config.json

• Renovate Bot configuration

• audit-checklist.md

• Security audit workflow

• template-supply-chain-security.md

• NEW SBOM, provenance, vulnerability management

• template-dependency-upgrade-playbook.md

• Upgrade batching, rollout, rollback

• template-sbom-vuln-triage-checklist.md

• SBOM mapping + vulnerability triage

Supply Chain Security

assets/automation/template-supply-chain-security.md — Production-grade dependency security covering SBOM generation (CycloneDX/SPDX), provenance and attestation (SLSA, Sigstore), vulnerability management SLAs, upgrade playbooks, and EU Cyber Resilience Act requirements.

Key rules: generate SBOM per release, sign artifacts (Sigstore/cosign), run audit scans in CI, fix critical CVEs within 24 hours, use npm ci (never npm install ) in pipelines, batch non-security updates by risk level.

Related templates:

• assets/automation/template-dependency-upgrade-playbook.md

• assets/automation/template-sbom-vuln-triage-checklist.md

AI-Generated Dependency Risks

WARNING: AI coding agents can introduce vulnerable or non-existent packages at scale (Endor Labs, 2025).

The Problem

AI tools accelerate coding but introduce supply chain risks:

• Hallucinated packages — AI suggests packages that don't exist (typosquatting vectors)

• Vulnerable dependencies — AI recommends outdated or CVE-affected versions

• Unnecessary dependencies — AI over-relies on packages for simple tasks

Best Practices

Do Don't

Treat AI-generated code as untrusted third-party input Blindly accept AI dependency suggestions

Enforce same SAST/SCA scanning for AI-generated code Skip security review for "AI-written" code

Verify all AI-suggested packages actually exist Trust AI to know current package versions

Integrate security tools into AI workflows (MCP) Allow AI to add dependencies without review

Vet MCP servers as part of supply chain Use unvetted AI integrations

Validation Checklist

Before accepting AI-suggested dependencies:

• Package exists on registry (npm, PyPI, crates.io)

• Package name is spelled correctly (no typosquatting)

• Version is current and maintained

• npm audit / pip-audit shows no vulnerabilities

• Weekly downloads >1000 (established package)

• Last commit <6 months (actively maintained)

Optional: AI/Automation

Note: AI assists with triage but security decisions need human judgment.

• Automated PR triage — Categorize dependency updates by risk

• Changelog summarization — Summarize breaking changes in updates

• Vulnerability correlation — Link CVEs to affected packages

Bounded Claims

• AI cannot determine business risk acceptance

• Automated fixes require security team review

• Vulnerability severity context needs human validation

Quick Decision Matrix

Scenario Recommendation

Adding new dependency Check Bundlephobia, npm audit, weekly downloads, last commit

Updating dependencies Use npm outdated , update in batches, test in staging

Security vulnerability found Use npm audit fix , review CHANGELOG, test, deploy immediately

Monorepo setup Use pnpm workspaces or Nx/Turborepo for build caching

Transitive conflict Use overrides sparingly, document why, test thoroughly

Choosing JS package manager pnpm (fastest, disk-efficient), Bun (7× faster), npm (most compatible)

Python environment uv (10-100× faster), Poetry (mature), pip+venv (simple), conda (data science)

Core Principles

1. Always Commit Lockfiles

Lockfiles ensure reproducible builds across environments. Never add them to .gitignore .

Exception: Don't commit Cargo.lock for Rust libraries (only for applications).

2. Use Semantic Versioning

Use caret (^ ) for most dependencies, exact versions for mission-critical, avoid wildcards (* ). See references/semver-guide.md for constraint syntax and strategies.

3. Audit Dependencies Regularly

Run npm audit / pip-audit / cargo audit weekly; fix critical vulnerabilities immediately. See references/security-scanning.md .

4. Minimize Dependencies

The best dependency is the one you don't add. Ask: Can I implement this in <100 LOC? See references/dependency-selection-guide.md .

5. Update Regularly

Update monthly or quarterly in batches — do not update all at once. See references/update-strategies.md .

6. Use Overrides Sparingly

Only override transitive dependencies for security patches or conflicts. Document why in a comment (// CVE-2023-xxxxx fix ). See references/transitive-dependencies.md .

Related Skills

For complementary workflows and deeper dives:

• dev-api-design

• API versioning strategies, dependency injection patterns

• dev-git-workflow

• Git workflows for managing lockfile conflicts, branching strategies

• qa-testing-strategy

• Testing strategies for dependency updates, integration testing

• software-security-appsec

• OWASP Top 10, cryptography standards, authentication patterns

• ops-devops-platform

• CI/CD pipelines, Docker containerization, DevSecOps, deployment automation

• docs-codebase

• Documenting dependency choices, ADRs, changelogs

External Resources

See data/sources.json for curated resources:

• Package managers: npm, pnpm, Yarn, pip, Poetry, Cargo, Go modules, Maven, Composer

• Semantic versioning: SemVer spec, version calculators, constraint references

• Security tools: Snyk, Dependabot, GitHub Advanced Security, OWASP Dependency-Check, pip-audit, cargo-audit, Socket.dev, Renovate

• Lockfile management: Official docs for package-lock.json, poetry.lock, Cargo.lock, pnpm-lock.yaml

• Monorepo tools: pnpm workspaces, npm workspaces, Yarn workspaces, Nx, Turborepo, Lerna, Bazel

• Analysis tools: Bundlephobia, npm-check-updates, depcheck, pipdeptree, cargo tree

• Supply chain security: SLSA framework, SBOM (CISA), Sigstore, npm provenance, OpenSSF Scorecard

• Best practices: npm/Poetry/Cargo guides, ACM Queue articles, dependency hell references

• Version management: nvm, pyenv, rustup, asdf

• Learning resources: npm guides, Python Packaging User Guide, Rust Book, Monorepo.tools

Usage Notes

For Codex / Claude Code:

• Use this skill when users need dependency management guidance

• Reference specific resources based on the task (lockfiles, security, updates)

• Provide ecosystem-specific guidance (Node.js, Python, Rust)

• Always recommend security audits and reproducible builds

• Encourage minimal dependencies and regular updates

• Link to templates for common configurations

Best Practices:

• Always commit lockfiles (except Cargo.lock for libraries)

• Use semantic versioning (caret for most deps, exact for critical)

• Audit dependencies weekly (npm audit , pip-audit , cargo audit )

• Update dependencies monthly or quarterly (not all at once)

• Choose package manager based on project needs (pnpm for speed, Poetry for Python apps)

• Document dependency choices in ADRs (Architecture Decision Records)

Success Criteria: Dependencies are minimal, well-maintained, secure, reproducible across environments, and regularly audited for vulnerabilities.

Trend Awareness Protocol

IMPORTANT: When users ask recommendation questions about package managers, dependency tools, or supply chain security, you MUST use WebSearch to check current trends before answering.

Trigger Conditions

• "What's the best package manager for [ecosystem]?"

• "What should I use for [dependency management/security]?"

• "What's the latest in dependency management?"

• "Current best practices for [npm/pnpm/Poetry]?"

• "Is [tool/approach] still relevant in 2026?"

• "[pnpm] vs [npm] vs [yarn]?"

• "Best dependency security scanner?"

Required Searches

• Search: "dependency management best practices 2026"

• Search: "[specific tool] vs alternatives 2026"

• Search: "supply chain security trends January 2026"

• Search: "[package manager] features 2026"

What to Report

After searching, provide:

• Current landscape: What dependency tools are popular NOW

• Emerging trends: New package managers, security tools, or patterns gaining traction

• Deprecated/declining: Tools/approaches losing relevance or support

• Recommendation: Based on fresh data, not just static knowledge

Example Topics (verify with fresh search)

• Package managers (pnpm, npm, yarn, Poetry, uv for Python)

• Security scanning (Snyk, Dependabot, Socket.dev)

• Supply chain security (SBOM, Sigstore, SLSA)

• Monorepo tools (Nx, Turborepo, Bazel)

• Lockfile and reproducibility patterns

• Automated dependency updates (Renovate, Dependabot)

Ops Preflight: Dependency and Toolchain Health (for LLM Agents)

Run this before build/test/edit loops to prevent avoidable churn such as next: command not found .

1) Runtime + package manager sanity

node -v npm -v

2) Lockfile and install mode

ls -1 package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null test -d node_modules || npm ci

3) Verify framework binaries resolve

npx next --version 2>/dev/null || echo "next missing" npx eslint --version 2>/dev/null || echo "eslint missing"

4) Surface dependency graph issues early

npm ls --depth=0

Remediation Rules

• If binary missing: install from lockfile, do not ad-hoc install random versions.

• If lockfile drift detected: re-install using project standard tool (npm ci , pnpm install --frozen-lockfile , etc).

• If peer dependency conflict appears, fix root cause before continuing broad edits.

• Cache these checks at session start for long agent runs.

Fact-Checking

• Use web search/web fetch to verify current external facts, versions, pricing, deadlines, regulations, or platform behavior before final answers.

• Prefer primary sources; report source links and dates for volatile information.

• If web access is unavailable, state the limitation and mark guidance as unverified.