| name | dependency-management |
| description | Dependency management guide: running package managers such as Swift Package Manager, CocoaPods, npm and pip, version management, security updates, license management and other ways to manage dependencies efficiently. |
| status | high |
| completion | 100% |
| guides | 3 |
Dependency Management Skill
Status
🟢 High (100% completion, 3/3 comprehensive guides)
Overview
Dependency management is one of the most important aspects of modern software development. Managed well, dependencies give you minimal security risk, predictable builds and efficient maintenance.
Statistics:
- Average Node.js project: 1,200+ dependencies
- 70% of security vulnerabilities: originate in third-party dependencies
- Proper dependency management can save $500K-$5M per year
What This Skill Covers
1. Comprehensive Dependency Management
- Package manager comparison and selection (npm, yarn, pnpm, Poetry, SPM, CocoaPods)
- Lock file strategies and best practices
- Semantic Versioning deep dive
- Dependency resolution algorithms
- Monorepo dependency management
- Private package registries
- Dependency auditing workflows
- License compliance
2. Security & Vulnerability Management
- Understanding security vulnerabilities (CVE, CVSS)
- Vulnerability scanning tools (npm audit, Snyk, Dependabot, OWASP)
- Automated security updates
- Dependency pinning strategies
- Supply chain attack prevention
- SBOM (Software Bill of Materials)
- Security policies and workflows
- Incident response procedures
- Real-world security case studies
3. Dependency Optimization & Maintenance
- Bundle size optimization techniques
- Tree shaking and dead code elimination
- Dependency update strategies
- Breaking change management
- Automated dependency updates (Renovate, Dependabot)
- Deprecation handling
- Technical debt management
- Migration guides for major updates
- Performance monitoring
Quick Start
Daily Tasks (Automated)
```bash
# Security monitoring
npm audit
snyk test
# Review automated PRs
# - Dependabot security alerts
# - Renovate update PRs
```
Weekly Tasks
```bash
# Update patch versions
npm update
# Review outdated packages
npm outdated
# Clean unused dependencies
npx depcheck
```
Monthly Tasks
```bash
# Update minor versions
npm update --save
# Generate reports
npm audit --json > reports/audit.json
npx @cyclonedx/cyclonedx-npm --output-file sbom.json
# License compliance
npx license-checker --failOn "GPL;AGPL"
```
Quarterly Tasks
```bash
# Major version updates (planned)
npm outdated
# Review migration guides
# Plan updates
# Technical debt assessment
# Dependency health report
```
Comprehensive Guides
Guide 1: Comprehensive Dependency Management
38,206 characters - Complete guide covering:
- Package manager deep dive (npm, yarn, pnpm, SPM, CocoaPods, Poetry, Go)
- Lock file strategies
- Semantic Versioning mastery
- Dependency resolution algorithms
- Monorepo dependency management
- Private package registries
- Dependency auditing
- License compliance
- Real-world case studies (left-pad, event-stream, etc.)
Guide 2: Security & Vulnerability Management
47,074 characters - Security-focused guide covering:
- Understanding security vulnerabilities (RCE, XSS, Prototype Pollution, etc.)
- CVE scoring system (CVSS)
- Vulnerability scanning tools (npm audit, Snyk, GitHub Dependabot, OWASP)
- Automated security updates
- Dependency pinning strategies
- Supply chain attack prevention
- SBOM generation and management
- Security policies and workflows
- Incident response playbooks
- Real-world security case studies (Log4Shell, event-stream, colors/faker, ua-parser-js)
Guide 3: Dependency Optimization & Maintenance
39,758 characters - Optimization guide covering:
- Bundle size optimization (webpack-bundle-analyzer, code splitting)
- Tree shaking and dead code elimination
- Dependency update strategies
- Breaking change management
- Automated dependency updates (Renovate advanced configuration)
- Deprecation handling and migration
- Technical debt management
- Migration guides (React 17→18, Next.js 13→14, Webpack 4→5)
- Performance monitoring
Templates & Configurations
Automation Templates
- Dependabot Configuration - Complete `.github/dependabot.yml` template with all ecosystems
- Renovate Configuration - Advanced Renovate Bot configuration
- Auto-Merge Workflow - GitHub Actions for automatic PR merging
- npm Configuration - Production-ready `.npmrc` with security settings
Checklists
- Dependency Audit Checklist - Before adding dependencies, weekly/monthly/quarterly reviews
- Security Checklist - Daily/weekly/monthly security tasks, incident response
Best Practices Summary
Package Manager Selection
JavaScript/TypeScript:
- 🥇 pnpm - Best performance, strict dependency resolution, disk efficiency
- 🥈 npm - Default, stable, widely supported
- 🥉 yarn - Good for monorepos, Plug'n'Play mode
iOS/Swift:
- 🥇 Swift Package Manager - Official, modern, Xcode integrated
- 🥈 CocoaPods - Mature, legacy support
Python:
- 🥇 Poetry - Modern, excellent dependency resolution
- 🥈 pip - Simple, traditional approach
Version Pinning Strategy
```jsonc
{
  "dependencies": {
    // Critical packages: exact versions
    "react": "18.2.0",
    // Important packages: patch updates only
    "lodash": "~4.17.21",
    // Low-risk packages: minor updates allowed
    "axios": "^1.6.0"
  },
  "devDependencies": {
    // Dev tools: flexible updates
    "typescript": "^5.3.0"
  }
}
```
(The comments are for illustration only; a real package.json is strict JSON and does not allow them.)
Security Best Practices
Enable Automated Scanning
- GitHub Dependabot
- Snyk
- npm audit in CI/CD
Response Times
- Critical vulnerabilities: < 24 hours
- High vulnerabilities: < 48 hours
- Medium vulnerabilities: < 1 week
Supply Chain Protection
- Use lock files (always commit)
- Private registry proxy
- Package verification
- SBOM generation
Update Strategy
| Update Type | Frequency | Automation | Review |
|---|---|---|---|
| Security patches | Immediate | ✅ Auto-merge | Minimal |
| Patch (x.x.PATCH) | Weekly | ✅ Auto-merge | CI only |
| Minor (x.MINOR.x) | Monthly | ⚠️ Manual merge | Code review |
| Major (MAJOR.x.x) | Quarterly | ❌ Manual | Full review |
Essential Tools
Security
- npm audit (built-in)
- Snyk (comprehensive)
- GitHub Dependabot (native)
- Socket.dev (supply chain)
- OWASP Dependency-Check
Automation
- Renovate (advanced features)
- Dependabot (GitHub native)
Analysis
- webpack-bundle-analyzer
- bundlephobia.com
- depcheck
- npm-check-updates
Compliance
- license-checker
- SBOM generators (CycloneDX, SPDX)
- Dependency-Track
Metrics & KPIs
Track these metrics for dependency health:
Security Metrics
- Vulnerability count (Critical/High/Medium/Low)
- Mean time to detect (MTTD)
- Mean time to remediate (MTTR)
- Security scan success rate
Target: 0 critical/high vulnerabilities, MTTR < 7 days
Dependency Metrics
- Total dependency count
- Outdated percentage
- Average dependency age
- Deprecated package count
Target: < 5% outdated, < 200 total dependencies
Performance Metrics
- Bundle size (gzipped)
- Build time
- Install time
Target: < 200KB initial bundle, < 2min builds
Process Metrics
- Automated update success rate
- Manual review time
- Breaking change incidents
Target: > 80% auto-merge, < 1 incident/month
Common Patterns
Pattern 1: Security-First Approach
```yaml
# Immediate security updates
- Daily vulnerability scans
- Auto-merge security patches
- 24-hour response for critical CVEs
- Monthly security audit reports
```
Pattern 2: Stability-First Approach
```yaml
# Controlled updates
- Lock all production dependencies
- Manual review for all updates
- Staging deployment before production
- Quarterly update cycles
```
Pattern 3: Innovation-First Approach
```yaml
# Stay current
- Daily dependency updates
- Auto-merge minor updates
- Beta testing of new versions
- Monthly major version evaluations
```
Troubleshooting
Problem: Build Failures After Update
Symptoms: Tests fail, TypeScript errors, runtime errors
Solutions:
- Check breaking changes in changelog
- Review migration guide
- Use codemod tools for automated migration
- Rollback and plan migration
- Pin problematic dependency temporarily
Problem: Security Vulnerabilities in Transitive Dependencies
Symptoms: npm audit shows vulnerabilities you don't directly use
Solutions:
- Update parent dependency
- Use `npm audit fix --force` (carefully)
- Use `overrides` (npm 8.3+) or `resolutions` (yarn)
- Contact package maintainer
- Find alternative package
Problem: Dependency Conflicts
Symptoms: "Cannot resolve dependency", version conflicts
Solutions:
- Use `npm ls <package>` to see the dependency tree
- Use `overrides`/`resolutions` to force a version
- Update conflicting packages
- Consider alternative packages
Related Skills
- ios-project-setup - Project initialization
- ci-cd-automation - CI/CD pipelines
- ios-security - Security practices
- web-development - Web development
- react-development - React patterns
- nextjs-development - Next.js patterns
Quick Reference Commands
npm
```bash
npm install            # Install dependencies
npm ci                 # Clean install (CI/CD)
npm update             # Update patch versions
npm outdated           # Show outdated packages
npm audit              # Security audit
npm audit fix          # Auto-fix vulnerabilities
npx depcheck           # Find unused dependencies
npx npm-check-updates  # Check all updates
```
Yarn
```bash
yarn install                    # Install
yarn upgrade                    # Update
yarn audit                      # Security audit
yarn outdated                   # Check outdated
yarn install --frozen-lockfile  # CI/CD
```
pnpm
```bash
pnpm install                    # Install
pnpm update                     # Update
pnpm audit                      # Security audit
pnpm outdated                   # Check outdated
pnpm install --frozen-lockfile  # CI/CD
```
Security Tools
```bash
snyk test                        # Snyk security scan
npx socket-cli audit             # Socket.dev scan
npx @cyclonedx/cyclonedx-npm     # Generate SBOM
npx license-checker              # License check
```
Version History
2025-01-03: Complete overhaul to 🟢 High status
- Added 3 comprehensive guides (125,000+ total characters)
- Created automation templates (Dependabot, Renovate, CI/CD)
- Added comprehensive checklists
- Expanded to cover all major package managers
- Added real-world case studies
- Included security best practices
- Added performance optimization techniques
2024-12-24: Initial version (📝 Basic status)
- Basic package manager coverage
- Simple version management guidelines
Maintained by: Development Team
Last Updated: 2025-01-03
Status: 🟢 High (100% complete)