dependency-management
Scannednpx machina-cli add skill aiskillstore/marketplace/dependency-management --openclawDependency Management
This skill manages project dependencies including updates, vulnerability scanning, license compliance, and dependency tree optimization.
When to Use This Skill
- When updating project dependencies
- When scanning for security vulnerabilities
- When analyzing dependency trees
- When ensuring license compliance
- When resolving version conflicts
- When optimizing dependency usage
What This Skill Does
- Dependency Analysis: Identifies unused dependencies and version conflicts
- Vulnerability Scanning: Finds and fixes known security vulnerabilities
- License Compliance: Verifies dependency licenses are compatible
- Safe Updates: Updates dependencies with testing and validation
- Tree Optimization: Optimizes dependency trees and reduces bloat
- Version Management: Resolves version conflicts and updates
Helper Scripts
This skill includes Python helper scripts in scripts/:
-
parse_dependencies.py: Parses dependency files (package.json, requirements.txt, pyproject.toml). Outputs JSON with parsed dependencies and metadata.python scripts/parse_dependencies.py package.json requirements.txt
How to Use
Manage Dependencies
Update all dependencies and check for vulnerabilities
Scan dependencies for security issues
Specific Tasks
Check license compatibility for all dependencies
Management Process
1. Analyze Dependencies
Using Helper Script:
The skill includes a Python helper script for parsing dependency files:
# Parse dependency files
python scripts/parse_dependencies.py package.json requirements.txt pyproject.toml
Package Manager Tools:
- npm:
npm outdated,npm list - pip:
pip list --outdated - maven:
mvn versions:display-dependency-updates - gradle:
gradle dependencyUpdates
2. Scan for Vulnerabilities
Tools:
- npm:
npm audit - pip:
pip-audit - maven: OWASP Dependency Check
- gradle: Dependency Check plugin
3. Check Licenses
Process:
- List all dependency licenses
- Check compatibility with project license
- Identify any incompatible licenses
- Provide license report
4. Update Dependencies
Safe Update Process:
- Check for updates
- Review changelogs
- Update incrementally
- Run tests after each update
- Verify functionality
Examples
Example 1: Vulnerability Scan
Input: Scan for vulnerabilities
Output:
## Dependency Vulnerability Scan
### Critical Vulnerabilities
**1. lodash (4.17.20)**
- **Severity**: High
- **Issue**: Prototype Pollution
- **Fix**: Update to 4.17.21
```bash
npm update lodash
2. express (4.16.4)
- Severity: Medium
- Issue: Path Traversal
- Fix: Update to 4.18.2
npm update express
Summary
- Total vulnerabilities: 5
- Critical: 1
- High: 2
- Medium: 2
## Reference Files
For package manager-specific commands and patterns, load reference files as needed:
- **`references/package_managers.md`** - Commands and patterns for npm, pip, Poetry, Maven, Gradle, Cargo, and common dependency management patterns
- **`references/DEPENDENCY_AUDIT.template.md`** - Dependency audit report template with vulnerabilities, outdated packages, license compliance
When working with specific package managers, load `references/package_managers.md` and refer to the relevant package manager section.
## Best Practices
### Dependency Management
1. **Regular Updates**: Update dependencies regularly
2. **Security First**: Prioritize security updates
3. **Test After Updates**: Always test after updating
4. **Lock Files**: Use lock files (package-lock.json, yarn.lock)
5. **Version Pinning**: Pin critical dependencies
## Related Use Cases
- Dependency updates
- Security vulnerability scanning
- License compliance
- Dependency tree optimization
- Version conflict resolution
Source
git clone https://github.com/aiskillstore/marketplace/blob/main/skills/89jobrien/dependency-management/SKILL.mdView on GitHub Overview
This skill manages project dependencies across major ecosystems, handling updates, vulnerability scanning, license checks, and tree optimization to reduce bloat and avoid version conflicts. It supports npm, pip, maven, and other package managers to keep projects secure and compliant.
How This Skill Works
The skill uses a Python helper (scripts/parse_dependencies.py) to parse dependency files (package.json, requirements.txt, pyproject.toml) and extract metadata. It then runs manager-specific tooling (npm outdated, pip list --outdated, mvn versions:display-dependency-updates, gradle dependencyUpdates) to identify updates, performs vulnerability scans (npm audit, pip-audit, OWASP Dependency Check), verifies licenses, and applies safe, incremental updates with verification tests.
When to Use It
- When updating project dependencies
- When scanning for security vulnerabilities
- When analyzing dependency trees
- When ensuring license compliance
- When resolving version conflicts
Quick Start
- Step 1: Parse dependencies from package.json, requirements.txt, and pyproject.toml using python scripts/parse_dependencies.py
- Step 2: Run vulnerability scans (npm audit, pip-audit, OWASP Dependency Check) and review results
- Step 3: Update dependencies safely (check updates, review changelogs, update incrementally, run tests, verify functionality)
Best Practices
- Parse and inventory dependencies regularly with parse_dependencies.py
- Prioritize security updates (npm audit, pip-audit, Dependency Check)
- Verify licenses for all dependencies
- Update incrementally and run tests after each change
- Document changes and maintain a dependency update log
Example Use Cases
- Vulnerability scan of a Node.js project highlights lodash and express issues and suggests updates
- License compliance check reports incompatible licenses across dependencies
- Incremental updates are applied to a Python project with tests passing after each step
- Dependency tree optimization reduces unused packages and lowers bundle size
- Resolution of conflicting versions between a Java project’s transitive dependencies
