{"id":"483f4781-7501-426e-a0b9-dc9ea5668f1f","shortId":"3EbxeT","kind":"skill","title":"evaluate-dependency","tagline":"Use when adding or evaluating a project dependency in any language, phrases like \"should I use X library\", \"evaluate <package>\", \"what library for Y\", or when reviewing a PR that touches a manifest (go.mod, package.json, requirements.txt, pyproject.toml, Cargo.toml, Gemfile, mix.","description":"# Evaluate Dependency\n\nDual-purpose: upfront selection when adding a new dep, and review when a PR adds or bumps one. Same evaluation criteria either way, with per-language addenda for ecosystem-specific quirks.\n\n## When to use\n\n| Mode | Triggers |\n|---|---|\n| **Selection** | Considering adding a dep, asks \"should I use X\", compares alternatives, before `go get` / `npm install` / `pip install` / `cargo add` |\n| **Review** | PR diff touches a manifest, or `review-security` / `review-code` sees a new dep in scope |\n\n## Language-specific quirks (read first)\n\nThe canonical package coordinate usually has ecosystem-specific gotchas that override the general criteria. The wrong coordinate is the wrong dep, no matter how good the package is.\n\n- **Go**: [references/go.md](references/go.md). Semantic import versioning (`/v2`, `/v3` paths), `+incompatible` smell, `pkg.go.dev` / `vuln.go.dev`, `govulncheck`.\n- Other ecosystems: not yet covered here. Run the [general checklist](#evaluation-criteria) and flag uncertainty about the canonical coordinate with `unsure:` (per `terse-output`) rather than guessing.\n\nFuture addenda: npm (scoped vs unscoped, deprecated packages, ESM/CJS), Python (package vs distribution name, wheel/sdist, ABI compatibility), Rust (pre-1.0 churn, crate renames), Ruby (transitive native-extension hazards). Add when a real evaluation surfaces the need.\n\n## Evaluation criteria\n\nRun through these. Cite specific data: no hand-waving, no `I think`.\n\n1. 
**License.** Detect via the ecosystem's registry or the repo's `LICENSE` / `LICENSE.md` / `COPYING`. Permissive (MIT, BSD, Apache-2.0, ISC, MPL-2.0) is generally fine. Copyleft (GPL, AGPL, LGPL) needs an explicit compatibility check against the user's project license. **No license = no use.** Note relicense history; relicenses are a red flag.\n\n2. **Popularity / community signal.** Stars (rough proxy), the ecosystem's \"depended by\" / \"imported by\" count, Sourcegraph importer search if available. Popularity without recent maintenance is a trap, not validation.\n\n3. **Maintenance / activity.** Last commit date: `<12 months` = active, `12–24` = stale, `>24` = abandoned. Last release vs last commit (releases lagging commits = pre-release work or maintainer absent). Open issues / PRs ratio; unanswered bug reports older than 6 months; \"looking for maintainers\" signals.\n\n4. **Vulnerability history.** Check the ecosystem's vuln DB ([vuln.go.dev](https://vuln.go.dev/) for Go, [GitHub Advisory DB](https://github.com/advisories), [OSV](https://osv.dev/), `npm audit`, `pip-audit`, [RustSec](https://rustsec.org/)). Pattern of repeat CVEs in the same subsystem = avoid.\n\n5. **API stability.** Semver discipline. Major-version bump cadence: every six months is chaotic. `v0.x.y` after years signals unstable surface. Look for a documented breaking-changes / release-notes practice.\n\n6. **Surface and transitive cost.** Each dep brings its own deps. Count transitive deps; smaller is better when alternatives are comparable. Note pulled-in transitive risk (e.g. a Go module that quietly pulls in a deprecated logger).\n\n7. **Fit.** Does it do what's needed with minimal surface? A library doing 10× what's needed brings 10× the risk. **Check the language's standard library / built-ins first.** Many ecosystems' stdlib covers what third-party libs once owned (e.g. 
Go's `slices`, `maps`, `cmp`, `errors`; Python's `pathlib`, `dataclasses`; JS's modern `URL`, `fetch`, `structuredClone`).\n\n8. **Footguns.** Ecosystem-specific (init-time side effects, monkey-patching, peer-dep churn, global mutable state, unbounded goroutines/threads). Check the language reference for known patterns; surface anything weird in the README or top-level types.\n\n## Workflow\n\n1. **Confirm scope** (per `confirm-before-implementing`): selection (prospective add) or review (PR touched manifest). Identify the language and the candidate package.\n\n2. **Resolve canonical coordinate.** Read the per-language reference if one exists; apply its rules **first**. This is non-negotiable. Examples: Go's `/vN` path probe, npm's scope check, Python's distribution-name lookup.\n\n3. **Survey alternatives** (selection mode, optional). When multiple candidates are in the running, delegate per-candidate data lookups to `Explore` subagents (`model: haiku` per `subagent-model-routing` — mechanical lookup across 8 fixed criteria; per `parallelize-subagents` and `delegate-investigation`). Each subagent returns one verdict table prefixed with `Status:` per `subagent-prompt-contract`. Parent merges and applies the final verdict synthesis (`model: opus` per `subagent-model-routing` — hard reasoning combining multiple criteria across candidates).\n\n4. **Run the 8 criteria** against the resolved coordinate. Cite specific numbers, dates, license names.\n\n5. **Produce verdict**: GO / CAUTION / NO-GO. Always include the **coordinate to use** explicitly (so the user doesn't import the wrong major / wrong scope / wrong distribution).\n\n6. **Review mode**: output as a finding row suitable for `review-code` or `review-security` finding tables, wrapped per the existing `path:line` deep-link convention if `pr_url` is set. 
Severity prefix per `terse-comments`: `risk:` (CAUTION) or `bug:` (NO-GO).\n\n## Output format\n\n```markdown\n## Dependency Evaluation: `<canonical coordinate>`\n\n**Verdict:** GO | CAUTION | NO-GO\n**Coordinate to use:** `<canonical coordinate>` (note any path/scope/name gotcha the user might miss)\n\n| Criterion | Finding |\n|---|---|\n| Language-specific path/coordinate | (e.g. v2 is current; root path is at v1.4.7, 2022) |\n| License | (e.g. Apache-2.0) |\n| Popularity | (e.g. 12.4k stars, ~3200 importers) |\n| Last commit | (e.g. 2026-04-29, active) |\n| Vulnerabilities | (e.g. None at v2.1.0; govulncheck clean) |\n| API stability | (e.g. v2 released 2023-06, no major bumps since) |\n| Surface | (e.g. 4 transitive deps, all common) |\n| Fit | (e.g. Covers HTTP-client retry; no stdlib equivalent) |\n\n**Mitigations** (CAUTION only): pin to specific minor; vendor; wrap behind an internal interface.\n**Alternatives** (NO-GO only): `<alt-1>` — brief reason; `<alt-2>` — brief reason.\n```\n\n## Cross-references\n\n- `delegate-investigation`: surveying alternatives belongs in `Explore` subagents.\n- `subagent-prompt-contract`: when fanning out per-candidate evaluation.\n- `terse-output`: verdict tables; use `unsure:` when a criterion can't be confirmed.\n- `terse-comments`: review-mode findings follow the review-comment shape with severity prefix.\n- `review-security` and `review-code`: this skill is their natural delegation target when a new dep appears in scope.\n\n## Anti-patterns\n\n- Skipping the per-language reference. The wrong coordinate is the wrong dep.\n- Verdict without a recommended coordinate. Always name the exact import path / package name / scope to use.\n- Recommending an older major because docs are better. Name a *hard* reason (missing feature, breaking change incompatible with caller) or recommend current.\n- Accepting \"X is popular\" as sufficient. 
Popularity without recent maintenance is a trap.\n- Hand-waving with hedge words instead of citing numbers (\"seems active\", \"I think it's maintained\"). Use `unsure:` when you don't know.\n- Auto-running `go get` / `npm install` / `pip install`. Out of scope; the skill recommends, the user applies.\n- Per `~/.claude/rules/probe-not-assume.md`: confirm via tool/command before recommending; do not infer.","tags":["evaluate","dependency","skill","issue","paultyng","agent-skills","ai-tools","claude-code","cursor","dotfiles"],"capabilities":["skill","source-paultyng","skill-evaluate-dependency","topic-agent-skills","topic-ai-tools","topic-claude-code","topic-cursor","topic-dotfiles"],"categories":["skill-issue"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/paultyng/skill-issue/evaluate-dependency","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add paultyng/skill-issue","source_repo":"https://github.com/paultyng/skill-issue","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (7,432 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:09:00.898Z","embedding":null,"createdAt":"2026-05-18T13:21:25.827Z","updatedAt":"2026-05-18T19:09:00.898Z","lastSeenAt":"2026-05-18T19:09:00.898Z","prices":[{"id":"fefd6038-a0f8-4497-9e37-a5d62e88c59b","listingId":"483f4781-7501-426e-a0b9-dc9ea5668f1f","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"paultyng","category":"skill-issue","install_from":"skills.sh"},"createdAt":"2026-05-18T13:21:25.827Z"}],"sources":[{"listingId":"483f4781-7501-426e-a0b9-dc9ea5668f1f","source":"github","sourceId":"paultyng/skill-issue/evaluate-dependency","sourceUrl":"https://github.com/paultyng/skill-issue/tree/main/skills/evaluate-dependency","isPrimary":false,"firstSeenAt":"2026-05-18T13:21:25.827Z","lastSeenAt":"2026-05-18T19:09:00.898Z"}],"details":{"listingId":"483f4781-7501-426e-a0b9-dc9ea5668f1f","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"paultyng","slug":"evaluate-dependency","github":{"repo":"paultyng/skill-issue","stars":8,"topics":["agent-skills","ai-tools","claude-code","cursor","dotfiles"],"license":"mit","html_url":"https://github.com/paultyng/skill-issue","pushed_at":"2026-05-18T18:26:54Z","description":"Personal Claude Code / Cursor agent skills, rules, and config","skill_md_sha":"f1b4d9f0a13487c60bdd909e951eca69ba9e2e65","skill_md_path":"skills/evaluate-dependency/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/paultyng/skill-issue/tree/main/skills/evaluate-dependency"},"layout":"multi","source":"github","category":"skill-issue","frontmatter":{"name":"evaluate-dependency","description":"Use when adding or evaluating a project dependency in any language, phrases like \"should I use X library\", \"evaluate <package>\", \"what library for Y\", or when reviewing a PR that touches a manifest (go.mod, package.json, requirements.txt, pyproject.toml, Cargo.toml, Gemfile, mix.exs, composer.json). 
Also use when comparing alternatives, choosing between major versions of the same package, or when review-security / review-code encounters a new dep in scope. Produces a GO/CAUTION/NO-GO verdict with the canonical package coordinate to use. Language-specific quirks (Go's semantic import versioning /v2 paths, npm scoping, etc.) live in references/."},"skills_sh_url":"https://skills.sh/paultyng/skill-issue/evaluate-dependency"},"updatedAt":"2026-05-18T19:09:00.898Z"}}