{"id":"201bfa2a-e2f7-480e-8a78-16d960da2ae2","shortId":"hHqqv8","kind":"skill","title":"managing-dependencies","tagline":"Evaluates packages, manages dependencies, and addresses supply chain security. Use when adding npm/pip/cargo/bundler/go dependencies, auditing packages, reviewing lockfile changes, checking for vulnerabilities, comparing package alternatives, or assessing package trustworthiness.","description":"# Package Management\n\n**Before suggesting any package, verify it exists on the registry.** Check that the name, maintainer, and purpose match expectations. Do not hallucinate package names.\n\n**Decline to:**\n- Suggest a package that cannot be verified to exist\n- Add a dependency when stdlib provides equivalent functionality\n- Run install scripts without explicit user approval\n- Auto-merge updates that violate the safety criteria below\n\n**If verification fails** (registry unreachable, metadata incomplete, provenance missing), default to refusal and explain why.\n\n## Before Adding a Dependency\n\nCheck in order:\n\n1. **Standard library** - Does the language already provide this? (e.g., date parsing, HTTP, JSON)\n2. **Transitive cost** - How many dependencies does it bring? Check with `npm ls`, `pip show`, `bundle info`, `cargo tree`\n3. **Smaller alternative** - Is there a focused package that does just what's needed?\n4. **Inline it** - Can you write 20-50 lines instead of adding a dependency?\n\nWhen in doubt, don't add. PRs that only remove dependencies are usually good PRs.\n\nAlways clarify if a dependency is for development only (`--save-dev`, `group :development`, `[tool.poetry.group.dev.dependencies]`) to minimize the production attack surface.\n\n## Evaluating a Package\n\nFor quick checks, visit the package's registry page and repo. 
When you need depth:\n\n```bash\n# Any ecosystem via ecosyste.ms\ncurl -s \"https://packages.ecosyste.ms/api/v1/registries/<registry>/packages/<package>\" | jq '{\n  dependent_repos: .dependent_repos_count,\n  dependent_packages: .dependent_packages_count,\n  latest: .latest_release_number,\n  latest_release: .latest_release_published_at,\n  created: .first_release_published_at,\n  maintainers: (.maintainers | length),\n  repo: .repository_url,\n  license: .normalized_licenses,\n  advisories: (.advisories | length),\n  archived: .repo_metadata.archived\n}'\n# See API Reference below for full registry list\n```\n\n**Good signals:**\n- High dependent count (other packages trust it)\n- Few direct dependencies\n- Responsive issue tracker\n- Multiple maintainers\n- OSI-approved license\n- Provenance attestation (see below)\n\n**Less reliable signals:**\n- GitHub stars (gameable)\n- Download counts (gameable)\n- Commit frequency (stable packages don't need commits)\n- Contributor count\n\n**Red flags:**\n- Package less than 90 days old\n- Maintainer account created recently\n- Name similar to popular package (typosquatting)\n- No license or non-OSI license\n- Vendors copies of common dependencies\n- Very few downloads for claimed purpose\n- Runs code on install (postinstall scripts, setup.py)\n\n**OpenSSF Scorecard** - check project security practices:\n```bash\nscorecard --repo=github.com/owner/repo\n# Or visit: https://securityscorecards.dev\n```\nScore below 5 warrants a closer look, though small or mature projects often score lower without being risky. 
If `Maintained` or `Dangerous-Workflow` scores are below 3, flag as higher risk.\n\n## Typosquatting Patterns\n\nWatch for these when verifying package names:\n\n- **Character substitution**: `djang0` vs `django`, `requets` vs `requests`\n- **Character omission**: `loadsh` vs `lodash`, `electon` vs `electron`\n- **Homoglyphs**: `pyp1` (one) vs `pypi` (letter i), Cyrillic `а` vs Latin `a`\n- **Delimiter variation**: `cross-env` vs `crossenv` vs `cross_env`\n- **Scope confusion**: `@angular-devkit/core` vs `@angulardevkit/core`\n- **Combosquatting**: `lodash-js`, `axios-api`, `express-utils`\n- **Namespace confusion** (Maven): `org.fasterxml` vs `com.fasterxml`\n\nAlways copy package names from official docs rather than typing from memory.\n\n## AI-Suggested Packages (Slopsquatting)\n\nAI coding assistants hallucinate package names regularly. Attackers register these names with malicious code.\n\nBefore installing any AI-suggested package:\n\n1. **Verify it exists**: `npm view <package>` or `pip index versions <package>`\n2. **Check age and downloads**: Very new + few downloads = suspect\n3. **Cross-reference docs**: Does the framework's official docs mention it?\n4. 
**Check for typosquatting**: See patterns above\n\nHallucinated names are often repeatable across sessions, making them predictable targets for attackers.\n\n## Dependency Confusion\n\nWhen using both public and private registries, attackers can publish public packages matching your internal package names with high version numbers.\n\n**Defenses:**\n\nUse scoped/namespaced packages for internal code:\n```bash\n# npm - attackers can't register under your scope\n@yourcompany/internal-utils\n\n# Configure scope to route to private registry\n# .npmrc\n@yourcompany:registry=https://your-internal-registry.com\n```\n\nFor pip, use `--index-url` for private registry, `--extra-index-url` for PyPI:\n```bash\n# Caveat: pip does not prefer --index-url over --extra-index-url; it searches both and\n# installs the highest version found, so this alone does not block a higher-versioned public package\npip install --index-url https://private.example.com/simple \\\n            --extra-index-url https://pypi.org/simple \\\n            mypackage\n```\n\nDefensively register your internal package names on public registries with placeholder packages.\n\n## Provenance and Attestation\n\nCheck if a package has verified build provenance:\n\n```bash\n# npm - check for attestation\nnpm audit signatures\n\n# PyPI - check for Sigstore attestation\ncurl -s \"https://pypi.org/pypi/<package>/json\" | jq '.urls[0].digests'\n# Look for attestation bundle in release assets\n\n# GitHub Actions - verify with gh\ngh attestation verify <artifact> --owner <org>\n```\n\n**Trusted publishing** means the package was published directly from CI (GitHub Actions, GitLab CI) without maintainer credentials. The registry verifies the source via OIDC. npm, PyPI, and RubyGems support this.\n\nIf a package has provenance, you can verify the published artifact matches the source repo and commit. Support varies by ecosystem; absence of attestation doesn't mean insecure.\n\n## Version Constraints\n\n**Applications:** Use ranges in manifest, pin via lockfile.\n\n**Libraries:** Use wide ranges. 
Don't force consumers to upgrade.\n\n| Ecosystem | Exact | Flexible | Patch only |\n|-----------|-------|----------|------------|\n| npm/Cargo | `1.0.0` | `^1.0.0` | `~1.0.0` |\n| Bundler | `= 1.0.0` | `~> 1.0` | `~> 1.0.0` |\n| pip | `==1.0.0` | `~=1.0` | |\n| Go | `v1.2.3` | MVS | MVS |\n\nBundler's `~>` is commonly misread: `~> 1.0` allows `1.x` (minor updates), `~> 1.0.0` allows `1.0.x` (patch only).\n\nGo uses minimal version selection - it picks the minimum version satisfying all requirements. Don't vendor specific versions or use replace directives to simulate ranges.\n\n## Lockfiles\n\nAlways commit lockfiles.\n\n**Detect ecosystem:**\n- `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` / `bun.lock` → npm\n- `Gemfile.lock` → Bundler\n- `Cargo.lock` → Cargo\n- `poetry.lock` / `uv.lock` / `requirements.txt` with hashes → Python\n- `go.sum` → Go\n\n**In CI, install from lockfile** (don't regenerate):\n```bash\nnpm ci                    # not npm install\npip install --require-hashes -r requirements.txt\nbundle install --frozen\ncargo build --locked\nuv sync --frozen\ngo mod verify\n```\n\n**Review lockfile changes in PRs:**\n- Watch for changes to `resolved` URLs (lockfile injection attack)\n- Large diffs can hide malicious additions\n- Unexpected registry URL changes are red flags\n\n**Regenerate on conflict** rather than manually merging:\n```bash\n# npm\nrm package-lock.json && npm install\n\n# Bundler\nrm Gemfile.lock && bundle install\n\n# Cargo\nrm Cargo.lock && cargo generate-lockfile\n\n# Poetry\nrm poetry.lock && poetry lock\n\n# uv\nrm uv.lock && uv lock\n```\n\n## Security Audits\n\nRun in CI and before adding dependencies:\n\n```bash\n# npm\nnpm audit\n\n# Bundler (install bundler-audit gem first)\nbundle audit check --update\n\n# pip (install pip-audit first)\npip-audit\n\n# Cargo (install cargo-audit first)\ncargo audit\n\n# Go\ngovulncheck ./...\n```\n\n## When Vulnerability Has No Patch\n\nFirst check reachability: is the vulnerable code 
path actually called by your usage? Many CVEs affect features you don't use.\n\nOptions in order of preference:\n\n1. **Override transitive** - Force newer version of vulnerable transitive dependency\n2. **Fork and patch** - Apply security fix to fork, reference fork in manifest\n3. **Remove dependency** - Find alternative or inline the functionality\n4. **Accept risk** - Document why it's not exploitable in your context\n\n## Vendoring\n\nCopy dependencies into your repo for airgapped environments, auditing, or when you need to patch upstream:\n\n```bash\n# Go - built-in\ngo mod vendor\ngo build -mod=vendor\n\n# Ruby\nbundle package --all\nbundle install --local\n\n# Python (pip download, then install offline)\npip download -r requirements.txt -d ./vendor\npip install --no-index --find-links=./vendor -r requirements.txt\n\n# npm (less common, use npm-pack-all or similar)\n```\n\nVendoring trades registry availability risk for increased repo size and manual update burden. Justified for airgapped builds, audited security-critical code, or long-term forks you maintain.\n\n## Check Licenses\n\n```bash\n# npm\nnpx license-checker --summary\n\n# pip\npip-licenses\n\n# Bundler\nbundle licenses\n\n# Cargo\ncargo license\n```\n\n**Safe:** MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense\n\n**Review needed:** LGPL, MPL-2.0\n\n**Copyleft (affects distribution):** GPL, AGPL\n\n**No license = not open source** - do not use.\n\n## Install Scripts\n\nPackage managers execute code during install - a common attack vector:\n\n- npm: `preinstall`, `postinstall` in package.json\n- pip: `setup.py` runs during install\n- Ruby: `extconf.rb` for native extensions\n\n**Audit before allowing scripts:**\n\n```bash\n# npm - install without running scripts, then review\nnpm install --ignore-scripts\n# After reviewing, run scripts explicitly\nnpm rebuild\n```\n\nFor high-security environments, consider disabling install scripts globally and allowlisting specific packages.\n\n## 
GitHub Actions\n\nActions are dependencies too. Pin to commit SHA, not tags:\n\n```yaml\n# Bad - tag can be moved\n- uses: actions/checkout@v4\n\n# Good - immutable reference\n- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\n```\n\nUse Dependabot or Renovate to keep pinned SHAs updated.\n\n## Automated Updates\n\n| Tool | Platform | Best for |\n|------|----------|----------|\n| Dependabot | GitHub only | Simple needs, free |\n| Renovate | Multi-platform | Complex configs, monorepos |\n| Snyk | Multi-platform | Security-first, vulnerability focus |\n\n**Safe auto-merge criteria** (all must apply):\n\n- Patch updates only (not minor/major)\n- Dev dependencies only\n- Established, trusted packages\n- All CI checks pass\n- Package available 3+ days (catches quick reverts of bad releases)\n\n**Never auto-merge:**\n\n- Major version updates\n- Production dependencies\n- New packages not yet in your codebase\n- Security-sensitive packages (crypto, auth)\n\nExample Renovate config for conservative auto-merge:\n\n```json\n{\n  \"packageRules\": [\n    {\n      \"matchUpdateTypes\": [\"patch\"],\n      \"matchDepTypes\": [\"devDependencies\"],\n      \"automerge\": true,\n      \"minimumReleaseAge\": \"3 days\"\n    }\n  ]\n}\n```\n\n---\n\n# API Reference\n\n## ecosyste.ms\n\n```bash\ncurl -s \"https://packages.ecosyste.ms/api/v1/registries/<registry>/packages/<package>\" | jq\n```\n\n**Registries:** `npmjs.org`, `pypi.org`, `rubygems.org`, `crates.io`, `proxy.golang.org`, `nuget.org`, `repo1.maven.org`, `cocoapods.org`, `hub.docker.com`\n\n### Risk Thresholds\n\n| Field | Threshold | Risk |\n|-------|-----------|------|\n| `latest_release_published_at` | >2 years ago | Possibly abandoned |\n| `dependent_repos_count` | <500 | Low adoption |\n| `first_release_published_at` | <90 days ago | Too new |\n| `maintainers` (length) | <2 | Bus factor risk |\n| `versions_count` | =1 | Immature |\n| `repo_metadata.archived` | true | Abandoned |\n| 
`advisories` | non-empty | Known vulnerabilities |\n\n### Development Distribution Score\n\nFound at `.repo_metadata.metadata.development_distribution_score`. Measures commit distribution across contributors (0-1).\n\n- **<0.15** - Single contributor dominance (high bus factor)\n- **0.15-0.5** - Moderate distribution\n- **>0.5** - Well distributed\n\n## OpenSSF Scorecard API\n\n```bash\ncurl -s \"https://api.scorecard.dev/projects/github.com/<owner>/<repo>\" | jq '{\n  score: .score,\n  maintained: (.checks[] | select(.name == \"Maintained\") | .score),\n  dangerous_workflow: (.checks[] | select(.name == \"Dangerous-Workflow\") | .score),\n  code_review: (.checks[] | select(.name == \"Code-Review\") | .score)\n}'\n```\n\nHuman-readable: `https://ossf.github.io/scorecard-visualizer/#/projects/github.com/<owner>/<repo>`\n\n## deps.dev API\n\nAlternative for dependency graph analysis:\n\n```bash\ncurl -s \"https://api.deps.dev/v3/systems/<ecosystem>/packages/<package>\" | jq\n```\n\n**Ecosystems:** `npm`, `pypi`, `cargo`, `go`, `maven`, `nuget`\n\n---\n\n# About This Skill\n\n- **Repository:** https://github.com/andrew/managing-dependencies\n- **Author:** Andrew Nesbitt (https://nesbitt.io)\n- **License:** CC0-1.0","tags":["managing","dependencies","andrew","agent-skills","claude-code","dependency-management","package-management","skill"],"capabilities":["skill","source-andrew","skill-managing-dependencies","topic-agent-skills","topic-claude-code","topic-dependency-management","topic-package-management","topic-skill"],"categories":["managing-dependencies"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/andrew/managing-dependencies/managing-dependencies","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add andrew/managing-dependencies","source_repo":"https://github.com/andrew/managing-dependencies","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 14 github stars · SKILL.md body (12,818 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T13:03:21.148Z","embedding":null,"createdAt":"2026-04-19T00:40:36.535Z","updatedAt":"2026-04-22T13:03:21.148Z","lastSeenAt":"2026-04-22T13:03:21.148Z",
"prices":[{"id":"05f512fa-b0cb-4332-b2b2-f7df562425ca","listingId":"201bfa2a-e2f7-480e-8a78-16d960da2ae2","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"andrew","category":"managing-dependencies","install_from":"skills.sh"},"createdAt":"2026-04-19T00:40:36.535Z"}],"sources":[{"listingId":"201bfa2a-e2f7-480e-8a78-16d960da2ae2","source":"github","sourceId":"andrew/managing-dependencies/managing-dependencies","sourceUrl":"https://github.com/andrew/managing-dependencies/tree/main/skills/managing-dependencies","isPrimary":false,"firstSeenAt":"2026-04-19T00:40:36.535Z","lastSeenAt":"2026-04-22T13:03:21.148Z"}],"details":{"listingId":"201bfa2a-e2f7-480e-8a78-16d960da2ae2","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"andrew","slug":"managing-dependencies","github":{"repo":"andrew/managing-dependencies","stars":14,"topics":["agent-skills","claude-code","dependency-management","package-management","skill"],"license":"cc0-1.0","html_url":"https://github.com/andrew/managing-dependencies","pushed_at":"2026-03-08T09:10:11Z","description":"Claude Code skill for evaluating packages and managing dependencies securely","skill_md_sha":"2f7e0b477b0cc42acf3ee2b1f0f136312166d6b7","skill_md_path":"skills/managing-dependencies/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/andrew/managing-dependencies/tree/main/skills/managing-dependencies"},"layout":"multi","source":"github","category":"managing-dependencies","frontmatter":{"name":"managing-dependencies","license":"CC0-1.0","description":"Evaluates packages, manages dependencies, and addresses supply chain security. Use when adding npm/pip/cargo/bundler/go dependencies, auditing packages, reviewing lockfile changes, checking for vulnerabilities, comparing package alternatives, or assessing package trustworthiness.","compatibility":"Claude Code, Codex CLI, or any agent with bash and network access"},"skills_sh_url":"https://skills.sh/andrew/managing-dependencies/managing-dependencies"},"updatedAt":"2026-04-22T13:03:21.148Z"}}