dependency-management

Dependency Management

Third-party dependencies are simultaneously the most powerful and most dangerous part of modern software. A single mismanaged dependency caused Log4Shell. The removal of left-pad took down thousands of builds in 11 minutes. Dependency-confusion supply chain attacks hit major enterprises. This skill covers the full dependency lifecycle: choosing, pinning, auditing, updating, and removing dependencies with production discipline.

When to Use

Use for:

  • Deciding whether to add a new dependency
  • Version pinning strategy (exact vs range vs lockfile-only)
  • Setting up automated update workflows (Renovate, Dependabot)
  • Security auditing with npm audit, pip-audit, Snyk, Socket.dev
  • License compliance scanning (MIT/Apache/GPL compatibility)
  • Generating Software Bills of Materials (SBOM)
  • Resolving peer-dependency conflicts and applying npm overrides
  • Responding to security advisories and CVEs
  • Detecting typosquatting and dependency confusion attacks

NOT for:

  • Internal monorepo package management (use monorepo-management)
Installs: 62
GitHub Stars: 103
First Seen: Mar 9, 2026