dependency-management


Dependency Management

This skill manages project dependencies including updates, vulnerability scanning, license compliance, and dependency tree optimization.

When to Use This Skill

  • When updating project dependencies
  • When scanning for security vulnerabilities
  • When analyzing dependency trees
  • When ensuring license compliance
  • When resolving version conflicts
  • When optimizing dependency usage

What This Skill Does

  1. Dependency Analysis: Identifies unused dependencies and version conflicts
  2. Vulnerability Scanning: Finds and fixes known security vulnerabilities
  3. License Compliance: Verifies dependency licenses are compatible
  4. Safe Updates: Updates dependencies with testing and validation
  5. Tree Optimization: Optimizes dependency trees and reduces bloat
  6. Version Management: Resolves version conflicts and updates

Helper Scripts

This skill includes Python helper scripts in `scripts/`:

  • `parse_dependencies.py`: Parses dependency files (package.json, requirements.txt, pyproject.toml). Outputs JSON with parsed dependencies and metadata.

    ```bash
    python scripts/parse_dependencies.py package.json requirements.txt
    ```

How to Use

Manage Dependencies

Update all dependencies and check for vulnerabilities
Scan dependencies for security issues

Specific Tasks

Check license compatibility for all dependencies

Management Process

1. Analyze Dependencies

**Using Helper Script:**

The skill includes a Python helper script for parsing dependency files:

```bash
# Parse dependency files
python scripts/parse_dependencies.py package.json requirements.txt pyproject.toml
```

**Package Manager Tools:**

- npm: `npm outdated`, `npm list`
- pip: `pip list --outdated`
- maven: `mvn versions:display-dependency-updates`
- gradle: `gradle dependencyUpdates`
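The helper script described in the Helper Scripts section and in step 1 is not reproduced on this page, so the following is an added, stand-alone example of the same idea (not the skill's own `parse_dependencies.py`): it parses `package.json`, `requirements.txt` and `pyproject.toml` into one normalized record shape and emits JSON. The sample file contents are constructed; the record fields (`name`, `spec`, `ecosystem`, `dev`) are this example's own convention, not the skill's output format.

```python
import json
import re
import sys
from pathlib import Path

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:
    tomllib = None  # a regex fallback below handles [project].dependencies

# One PEP 508-style requirement: name, optional [extras], optional version specifiers.
# Environment markers (after ';') and comments (after '#') are not part of the spec.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?|===)\s*[^;#\s,]+(?:\s*,\s*(?:[<>=!~]=?|===)\s*[^;#\s,]+)*)?"
)


def parse_package_json(text):
    """Regular and dev dependencies from package.json, keeping the declared range as `spec`."""
    data = json.loads(text)
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            out.append({"name": name, "spec": spec, "ecosystem": "npm",
                        "dev": section == "devDependencies"})
    return out


def parse_requirements_txt(text):
    """Requirement lines; pip options (-r, -e), URLs and local paths are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("-", "http", "git+", ".")):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        out.append({"name": m.group("name").lower(),  # PyPI names are case-insensitive
                    "spec": (m.group("spec") or "").replace(" ", ""),
                    "ecosystem": "pypi", "dev": False})
    return out


def parse_pyproject_toml(text):
    """[project].dependencies (PEP 621); each entry is a PEP 508 string, so reuse REQ_RE."""
    if tomllib is not None:
        deps = tomllib.loads(text).get("project", {}).get("dependencies", [])
    else:  # fallback for older interpreters: pull the quoted strings out of the array
        block = re.search(r"^dependencies\s*=\s*\[(.*?)\]", text, re.S | re.M)
        deps = re.findall(r'"([^"]+)"', block.group(1)) if block else []
    return [d for entry in deps for d in parse_requirements_txt(entry)]


def parse_dependency_file(path, text):
    """Dispatch on the file name; requirements-*.txt variants are accepted too."""
    name = Path(path).name
    if name == "package.json":
        return parse_package_json(text)
    if name == "pyproject.toml":
        return parse_pyproject_toml(text)
    if name.startswith("requirements") and name.endswith(".txt"):
        return parse_requirements_txt(text)
    raise ValueError(f"unsupported dependency file: {path}")


def summarize(results_by_file):
    """Metadata wrapper around the parsed records: which files, how many, and the records."""
    deps = [d for recs in results_by_file.values() for d in recs]
    return {"files": sorted(results_by_file), "count": len(deps), "dependencies": deps}


def to_json(results_by_file):
    return json.dumps(summarize(results_by_file), indent=2)


# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_JSON = ('{"dependencies": {"lodash": "^4.17.20", "express": "4.16.4"}, '
                       '"devDependencies": {"jest": "^29.0.0"}}')
SAMPLE_REQUIREMENTS = """# constructed sample requirements.txt
requests>=2.28,<3
PyYAML==6.0  # pinned
-r base.txt
Django[argon2]~=4.2; python_version >= "3.8"
"""
SAMPLE_PYPROJECT = """[project]
name = "demo"
dependencies = ["click>=8.0", "rich"]
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    parsed = {p: parse_dependency_file(p, Path(p).read_text()) for p in paths}
    print(to_json(parsed))
```

Run it as `python parse_deps_example.py package.json requirements.txt pyproject.toml` (file name assumed) to get the JSON report on real files; the constructed samples are there so the functions can be exercised without touching disk. Note that the npm `spec` keeps the declared range (`^4.17.20`), which is what the manifest says, not what is installed; the installed version lives in the lock file and is what a vulnerability scan should compare against.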

2. Scan for Vulnerabilities

**Tools:**
  • npm: `npm audit`
  • pip: `pip-audit`
  • maven: OWASP Dependency Check
  • gradle: Dependency Check plugin

3. Check Licenses

**Process:**
  • List all dependency licenses
  • Check compatibility with project license
  • Identify any incompatible licenses
  • Provide license report
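The four steps above (list, check, identify, report) as an added example, not code from the skill: each dependency's SPDX license expression is evaluated against a policy for the project's own license. The license categories and the policy table are constructed for illustration; a real policy comes from the project's own license review, and the dependency names are made up.

```python
import re

# Constructed example categories: SPDX identifier -> category. Extend as the project needs.
CATEGORY = {
    "MIT": "permissive", "ISC": "permissive", "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft", "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "strong-copyleft",
}

# Constructed example policy: project license -> categories a dependency may carry.
POLICY = {
    "MIT": {"permissive", "weak-copyleft"},
    "GPL-3.0-only": {"permissive", "weak-copyleft", "strong-copyleft"},
}

# Common non-SPDX spellings seen in package metadata, mapped to SPDX identifiers.
ALIASES = {"Apache 2.0": "Apache-2.0", "Apache License 2.0": "Apache-2.0",
           "GPLv2": "GPL-2.0-only", "GPLv3": "GPL-3.0-only", "BSD": "BSD-3-Clause"}


def normalize(lic):
    """Map aliases to SPDX ids; '-or-later' shares the category of '-only' for this check."""
    lic = ALIASES.get(lic.strip(), lic.strip())
    if re.fullmatch(r"(A?GPL|LGPL)-\d\.\d", lic):  # bare 'GPL-3.0' has no suffix
        lic += "-only"
    return lic.replace("-or-later", "-only")


def evaluate_expression(expr, allowed):
    """Evaluate an SPDX expression; returns 'ok', 'incompatible' or 'unknown'.
    'A OR B' is ok if either option is ok (the project picks one); 'A AND B' needs all.
    Nested parentheses are not handled, which is enough for typical package metadata."""
    expr = expr.strip().strip("()")
    if " OR " in expr:
        parts = [evaluate_expression(p, allowed) for p in expr.split(" OR ")]
        return "ok" if "ok" in parts else ("unknown" if "unknown" in parts else "incompatible")
    if " AND " in expr:
        parts = [evaluate_expression(p, allowed) for p in expr.split(" AND ")]
        return "incompatible" if "incompatible" in parts else ("unknown" if "unknown" in parts else "ok")
    cat = CATEGORY.get(normalize(expr))
    if cat is None:
        return "unknown"  # needs a human look, never silently passed
    return "ok" if cat in allowed else "incompatible"


def check_licenses(project_license, deps):
    """deps: {dependency name: license expression}. Buckets names by outcome."""
    allowed = POLICY[project_license]
    report = {"project_license": project_license, "compatible": [], "incompatible": [], "unknown": []}
    for name, expr in sorted(deps.items()):
        status = evaluate_expression(expr, allowed)
        bucket = {"ok": "compatible"}.get(status, status)
        report[bucket].append(name)
    return report


def render_license_report(report, deps):
    lines = [f"License report for project license {report['project_license']}", ""]
    for bucket in ("incompatible", "unknown", "compatible"):
        lines.append(f"{bucket.capitalize()} ({len(report[bucket])})")
        lines += [f"  • {n}: {deps[n]}" for n in report[bucket]]
        lines.append("")
    return "\n".join(lines)


# Constructed sample inventory; names and licenses are invented for the example.
SAMPLE_DEPS = {
    "lodash": "MIT",
    "express": "MIT",
    "some-gpl-lib": "GPL-3.0-only",
    "dual": "MIT OR GPL-3.0-only",
    "combo": "Apache-2.0 AND LGPL-2.1-or-later",
    "mystery": "SEE LICENSE IN LICENSE.txt",
}

if __name__ == "__main__":
    print(render_license_report(check_licenses("MIT", SAMPLE_DEPS), SAMPLE_DEPS))
```

The inventory would normally be filled from `npm ls --json` or the `License` field of `pip show`; the point of the three buckets is that an unrecognised license string is reported as unknown rather than being treated as compatible, since a missing or free-text license is exactly where compliance problems hide.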

4. Update Dependencies

**Safe Update Process:**
  1. Check for updates
  2. Review changelogs
  3. Update incrementally
  4. Run tests after each update
  5. Verify functionality
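Steps 3 to 5 of the safe update process as an added example (not part of the skill): one package is updated at a time, the test suite runs after each update, and a package whose update breaks the tests is rolled back to its previous version so a failure is attributed to exactly one change. The npm-based runners are assumptions about how a JavaScript project would apply and revert an update; the `simulate` helper replaces them with in-memory fakes so the control flow can be exercised offline.

```python
import subprocess


def npm_install(pkg, version):
    """Assumed runner: pin one package to an exact version. Also used for rollback."""
    return subprocess.run(["npm", "install", f"{pkg}@{version}"], capture_output=True).returncode == 0


def npm_test():
    """Assumed runner: the project's test suite as the gate for each update."""
    return subprocess.run(["npm", "test"], capture_output=True).returncode == 0


def update_incrementally(updates, current, update_fn, test_fn, rollback_fn, stop_on_failure=False):
    """updates: [(pkg, new_version)]; current: {pkg: installed_version} (mutated in place).
    Returns one log entry per attempted update with its final status."""
    log = []
    for pkg, new_version in updates:
        previous = current[pkg]
        if not update_fn(pkg, new_version):
            log.append({"package": pkg, "status": "install-failed", "version": previous})
            continue
        if test_fn():
            current[pkg] = new_version  # commit this step; the next update builds on it
            log.append({"package": pkg, "status": "updated", "version": new_version})
            continue
        rollback_fn(pkg, previous)  # tests failed: revert only this package
        log.append({"package": pkg, "status": "rolled-back", "version": previous})
        if stop_on_failure:
            break
    return log


def simulate(updates, current, failing_versions):
    """Dry run with constructed fakes: every install succeeds, and the fake test suite
    fails whenever any package sits at a (pkg, version) listed in failing_versions."""
    state = dict(current)

    def update(pkg, version):
        state[pkg] = version
        return True

    def tests():
        return not any(state.get(p) == v for p, v in failing_versions)

    return update_incrementally(updates, state, update, tests, update), state


if __name__ == "__main__":
    log, state = simulate([("lodash", "4.17.21"), ("express", "4.18.2")],
                          {"lodash": "4.17.20", "express": "4.16.4"},
                          failing_versions=[("express", "4.18.2")])
    for entry in log:
        print(entry)
    print(state)
```

With real runners the call is `update_incrementally(updates, installed, npm_install, npm_test, npm_install)`, where `installed` comes from the lock file; the rollback reinstalls the previous exact version, and because each update is committed only after a green test run, a failing entry in the log points at a single package.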

Examples

Example 1: Vulnerability Scan

**Input:** Scan for vulnerabilities

**Output:**

Dependency Vulnerability Scan

Critical Vulnerabilities

1. lodash (4.17.20)
  • Severity: High
  • Issue: Prototype Pollution
  • Fix: Update to 4.17.21

    ```bash
    npm update lodash
    ```

2. express (4.16.4)
  • Severity: Medium
  • Issue: Path Traversal
  • Fix: Update to 4.18.2

    ```bash
    npm update express
    ```

Summary

  • Total vulnerabilities: 5
  • Critical: 1
  • High: 2
  • Medium: 2
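The logic behind a report like the one above, as an added example rather than the skill's own scanner: installed versions are compared against advisory entries that name the first fixed version, findings are ordered by severity, and the report is rendered in the same shape. The two advisory entries are the ones the sample report already lists and are used here as illustrative data, not as a live advisory feed; in practice the installed versions come from the lock file or `npm ls --json`, and the advisories from `npm audit` or a vulnerability database.

```python
import re

# Advisory entries taken from the page's own sample report (illustrative data):
# versions below `fixed` are treated as affected.
ADVISORIES = [
    {"name": "lodash", "fixed": "4.17.21", "severity": "High", "issue": "Prototype Pollution"},
    {"name": "express", "fixed": "4.18.2", "severity": "Medium", "issue": "Path Traversal"},
]
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]


def parse_version(v):
    """'4.17.20' -> (4, 17, 20, 1). Missing components count as 0, and a pre-release such
    as '4.17.21-rc.1' gets a trailing 0 so it sorts below the final release it precedes.
    Pass the installed version, not a range spec such as '^4.17.20'."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (0 if m.group(2) else 1,)


def find_vulnerable(installed, advisories=ADVISORIES):
    """installed: {package: installed version}. Returns findings, most severe first."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["name"])
        if version is None:
            continue  # package not present in this project
        if parse_version(version) < parse_version(adv["fixed"]):
            findings.append({**adv, "installed": version,
                             "command": f"npm update {adv['name']}"})
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"])
                  if f["severity"] in SEVERITY_ORDER else len(SEVERITY_ORDER))
    return findings


def render_report(findings):
    """Render findings in the layout of the sample report above."""
    lines = ["Dependency Vulnerability Scan", ""]
    for i, f in enumerate(findings, 1):
        lines += [f"{i}. {f['name']} ({f['installed']})",
                  f"  • Severity: {f['severity']}",
                  f"  • Issue: {f['issue']}",
                  f"  • Fix: Update to {f['fixed']}",
                  f"  • Command: {f['command']}", ""]
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    lines += ["Summary", f"  • Total vulnerabilities: {len(findings)}"]
    lines += [f"  • {sev}: {counts[sev]}" for sev in SEVERITY_ORDER if sev in counts]
    return "\n".join(lines)


# Constructed sample of installed versions (as a lock file would record them).
SAMPLE_INSTALLED = {"lodash": "4.17.20", "express": "4.16.4", "react": "18.2.0"}

if __name__ == "__main__":
    print(render_report(find_vulnerable(SAMPLE_INSTALLED)))
```

Two details matter for correctness: comparison is numeric per component (so `4.18` sorts below `4.18.2` and `4.9.0` below `4.17.0`, which a string comparison gets wrong), and a pre-release of the fixed version is still reported as affected, because it precedes the fix.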

Reference Files

For package manager-specific commands and patterns, load reference files as needed:
  • `references/package_managers.md` - Commands and patterns for npm, pip, Poetry, Maven, Gradle, Cargo, and common dependency management patterns
  • `references/DEPENDENCY_AUDIT.template.md` - Dependency audit report template with vulnerabilities, outdated packages, license compliance

When working with specific package managers, load `references/package_managers.md` and refer to the relevant package manager section.

Best Practices

Dependency Management

  1. Regular Updates: Update dependencies regularly
  2. Security First: Prioritize security updates
  3. Test After Updates: Always test after updating
  4. Lock Files: Use lock files (package-lock.json, yarn.lock)
  5. Version Pinning: Pin critical dependencies

Related Use Cases

  • Dependency updates
  • Security vulnerability scanning
  • License compliance
  • Dependency tree optimization
  • Version conflict resolution