Skill · 85 repo stars · updated 3mo ago

dependency-resolver

Identify, analyze, and manage software dependencies before deployment. Use this skill when preparing applications for deployment, resolving dependency conflicts, updating dependencies, auditing security vulnerabilities, managing package versions, or troubleshooting dependency-related issues. Supports multiple package managers (npm, pip, maven, cargo, go mod, composer) and provides actionable recommendations for dependency management.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/ArabelaTso/Skills-4-SE /tmp/dependency-resolver && cp -r /tmp/dependency-resolver/skills/dependency-resolver ~/.claude/skills/dependency-resolver
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Dependency Resolver

Analyze, manage, and resolve software dependencies to ensure safe and successful deployments. Identifies conflicts, security vulnerabilities, version mismatches, and missing dependencies.

## Core Capabilities

### 1. Dependency Analysis

Examine project dependencies:
- **Direct dependencies** - Packages explicitly required
- **Transitive dependencies** - Dependencies of dependencies
- **Dev dependencies** - Development-only packages
- **Peer dependencies** - Required by packages but not auto-installed
- **Optional dependencies** - Non-critical packages

### 2. Conflict Detection

Identify dependency issues:
- **Version conflicts** - Multiple versions of same package
- **Missing dependencies** - Required but not installed
- **Incompatible versions** - Version constraints that can't be satisfied
- **Circular dependencies** - Packages depending on each other
- **Platform incompatibility** - OS or architecture mismatches

### 3. Security Auditing

Check for vulnerabilities:
- **Known CVEs** - Common Vulnerabilities and Exposures
- **Outdated packages** - Old versions with security patches available
- **Malicious packages** - Typosquatting or compromised packages
- **License issues** - Incompatible or restrictive licenses

### 4. Dependency Resolution

Provide solutions:
- **Version pinning** - Lock compatible versions
- **Conflict resolution** - Strategies to resolve version conflicts
- **Dependency updates** - Safe upgrade paths
- **Alternative packages** - Replacement suggestions
- **Minimal installations** - Remove unnecessary dependencies

## Dependency Resolution Workflow

### Step 1: Identify Package Manager

Detect which dependency system is in use:

**Package manager files:**
```
npm/yarn:     package.json, package-lock.json, yarn.lock
pip:          requirements.txt, Pipfile, setup.py, pyproject.toml
maven:        pom.xml
gradle:       build.gradle, build.gradle.kts
cargo:        Cargo.toml, Cargo.lock
go:           go.mod, go.sum
composer:     composer.json, composer.lock
bundler:      Gemfile, Gemfile.lock
nuget:        *.csproj, packages.config
```

### Step 2: Parse Dependency Manifest

Read and understand dependency declarations:

**npm (package.json):**
```json
{
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "~4.17.21"
  },
  "devDependencies": {
    "jest": "^29.0.0"
  },
  "peerDependencies": {
    "react": ">=16.0.0"
  }
}
```

**Python (requirements.txt):**
```
django>=4.0,<5.0
requests==2.28.1
numpy>=1.20.0
pytest  # No version specified
```

**Maven (pom.xml):**
```xml
<dependencies>
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.3.23</version>
  </dependency>
</dependencies>
```
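The `requirements.txt` above mixes four pinning levels, and only one of them gives a reproducible install. The following added example (not part of the original skill) classifies each line; the function names and level labels are assumptions made for illustration.

```python
import re

# Constructed sample: the requirements.txt shown above.
SAMPLE_REQUIREMENTS = """\
django>=4.0,<5.0
requests==2.28.1
numpy>=1.20.0
pytest  # No version specified
"""

NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
CLAUSE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")

def classify_requirement(line):
    """Return (name, level), or None for blanks, comments and pip options."""
    line = re.sub(r"(^|\s)#.*$", "", line).strip()      # drop comments
    if not line or line.startswith("-"):                # -r, -e, --hash ...
        return None
    line = line.split(";", 1)[0].strip()                # drop environment markers
    match = NAME.match(line)
    if not match:
        return None
    name, spec = match.group(1), match.group(2).strip()
    if not spec:
        return name, "unpinned"                         # any version, now or later
    clauses = [CLAUSE.match(c.strip()) for c in spec.split(",")]
    if not all(clauses):
        return name, "unparsed"                         # URL or other form: review by hand
    ops = [(c.group(1), c.group(2)) for c in clauses]
    if any(op == "===" or (op == "==" and "*" not in ver) for op, ver in ops):
        return name, "exact"
    if any(op in ("<", "<=", "~=", "==") for op, _ in ops):
        return name, "bounded"                          # upper limit, but still floats
    return name, "open-ended"                           # accepts every future release

def audit_requirements(text):
    """Map each requirement name to its pinning level."""
    findings = {}
    for line in text.splitlines():
        result = classify_requirement(line)
        if result:
            findings[result[0]] = result[1]
    return findings

if __name__ == "__main__":
    for name, level in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:10} {level}")
```

Only `exact` entries resolve to the same version on every install; pip's hash-checking mode (`--require-hashes`) additionally requires every requirement to be pinned with `==`.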

### Step 3: Analyze Dependency Tree

Build complete dependency graph:

```
my-app
├── express@4.18.2
│   ├── body-parser@1.20.1
│   │   └── bytes@3.1.2
│   ├── cookie@0.5.0
│   └── debug@2.6.9
│       └── ms@2.0.0
└── lodash@4.17.21
```

**Check for:**
- Multiple versions of same package
- Deeply nested dependencies
- Large dependency trees
- Unmaintained packages
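The first two checks can be run directly against a lockfile. This added example (not the skill's own code) reads the `packages` map of a `package-lock.json` with `lockfileVersion` 2 or 3 and reports packages installed at more than one version. The lockfile content is constructed from package names used on this page, and the function names are assumptions.

```python
import json
import re

# Constructed lockfile (lockfileVersion 3) using package names and versions from this page.
SAMPLE_LOCK = json.loads("""
{
  "name": "my-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app"},
    "node_modules/package-a": {"version": "1.0.0"},
    "node_modules/package-a/node_modules/lodash": {"version": "3.10.1"},
    "node_modules/package-b": {"version": "2.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/ms": {"version": "2.0.0"}
  }
}
""")

def installed_versions(lock):
    """Map package name -> {version: [install paths]} from the 'packages' map."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:        # "" is the root; links carry no version
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps scoped names such as @scope/pkg
        found.setdefault(name, {}).setdefault(meta["version"], []).append(path)
    return found

def _sort_key(version):
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def duplicate_report(lock):
    """List packages installed at more than one version, with nesting depth."""
    rows = []
    for name, versions in sorted(installed_versions(lock).items()):
        if len(versions) < 2:
            continue
        ordered = sorted(versions, key=_sort_key)
        paths = [p for v in ordered for p in versions[v]]
        rows.append({
            "name": name,
            "versions": ordered,
            "crosses_major": len({_sort_key(v)[0] for v in ordered}) > 1,
            "max_depth": max(p.count("node_modules/") for p in paths),
        })
    return rows
```

A duplicate that crosses a major version deserves the closest look during an audit, because the older copy stays installed and has to be patched separately from the newer one.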

### Step 4: Detect Issues

Identify problems:

**Version conflicts:**
```
app requires:
  - package-a@1.0.0 (depends on shared@^1.0.0)
  - package-b@2.0.0 (depends on shared@^2.0.0)

Conflict: shared@1.x vs shared@2.x
```
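Whether two constraints conflict comes down to whether their version intervals overlap. This added example (not part of the original skill) converts `^`, `~`, `>=` and exact ranges into half-open intervals and reports dependencies with no common version. It covers only that subset of npm range syntax, with full `x.y.z` versions and no prereleases, and the `debug` entries in the sample are constructed.

```python
INF = (float("inf"),) * 3

def parse_version(text):
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)

def to_interval(rng):
    """Half-open [low, high) interval of versions accepted by rng."""
    if rng.startswith("^"):                 # may change anything right of the first non-zero part
        low = parse_version(rng[1:])
        if low[0] > 0:
            high = (low[0] + 1, 0, 0)
        elif low[1] > 0:
            high = (0, low[1] + 1, 0)
        else:
            high = (0, 0, low[2] + 1)
    elif rng.startswith("~"):               # patch-level changes only
        low = parse_version(rng[1:])
        high = (low[0], low[1] + 1, 0)
    elif rng.startswith(">="):
        low, high = parse_version(rng[2:]), INF
    else:                                   # exact version
        low = parse_version(rng)
        high = (low[0], low[1], low[2] + 1)
    return low, high

def common_range(ranges):
    """Intersection of all ranges as (low, high), or None when nothing satisfies them all."""
    intervals = [to_interval(r) for r in ranges]
    low = max(i[0] for i in intervals)
    high = min(i[1] for i in intervals)
    return (low, high) if low < high else None

def find_conflicts(requirements):
    """requirements: {dependent: {dependency: range}} -> unsatisfiable dependencies."""
    wanted = {}
    for dependent, deps in requirements.items():
        for name, rng in deps.items():
            wanted.setdefault(name, {})[dependent] = rng
    return {name: by for name, by in wanted.items()
            if common_range(list(by.values())) is None}

# The conflict shown above, plus a constructed compatible pair (debug).
SAMPLE = {
    "package-a@1.0.0": {"shared": "^1.0.0", "debug": "^2.6.0"},
    "package-b@2.0.0": {"shared": "^2.0.0", "debug": "~2.6.9"},
}
```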

**Missing dependencies:**
```
Error: Cannot find module 'missing-package'
Cause: Listed in package.json but not installed
```

**Security vulnerabilities:**
```
lodash@4.17.20 has known vulnerability CVE-2020-8203
Severity: High
Fix available: Upgrade to lodash@4.17.21
```

### Step 5: Propose Solutions

Recommend fixes:

**For version conflicts:**
- Use compatible versions
- Update conflicting packages
- Use resolutions/overrides
- Consider alternatives

**For missing dependencies:**
- Install missing packages
- Add to manifest file
- Check for typos

**For security issues:**
- Update vulnerable packages
- Apply security patches
- Replace with secure alternatives

## Dependency Management Patterns

### Pattern 1: Version Conflict Resolution

**Issue:** In `package.json`, `package-a` requires `lodash@^3.0.0` while `package-b` requires `lodash@^4.0.0`.
```json
{
  "dependencies": {
    "package-a": "^1.0.0",
    "package-b": "^2.0.0"
  }
}
```

**Analysis:**
```
Dependency tree:
├── package-a@1.0.0
│   └── lodash@3.10.1
└── package-b@2.0.0
    └── lodash@4.17.21

Conflict: Two versions of lodash (3.10.1 and 4.17.21)
```

**Solution 1: Update package-a** (the updated version uses `lodash@^4.0.0`)
```json
{
  "dependencies": {
    "package-a": "^2.0.0",
    "package-b": "^2.0.0"
  }
}
```

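**Solution 2: Use resolutions (Yarn) or overrides (npm)**

The `resolutions` field is read by Yarn; npm 8.3 and later reads the same mapping from an `overrides` field instead. Forcing `lodash@^4.17.21` onto `package-a`, which declares `lodash@^3.0.0`, can break it at runtime, so run its tests after applying the override.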
```json
{
  "dependencies": {
    "package-a": "^1.0.0",
    "package-b": "^2.0.0"
  },
  "resolutions": {
    "lodash": "^4.17.21"
  }
}
```

**Solution 3: Find alternative** (a replacement for `package-a` that doesn't depend on lodash)
```json
{
  "dependencies": {
    "alternative-package-a": "^1.0.0",
    "package-b": "^2.0.0"
  }
}
```

### Pattern 2: Security Vulnerability Fix

**Audit result:**
```bash
$ npm audit

found 3 vulnerabilities (1 moderate, 2 high)

High: Prototype Pollution
Package: lodash
Dependency of: express
Path: express > lodash
More info: https://npmjs.com/advisories/1065
```

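**Solution:**
```bash
# Apply fixes that stay within the declared semver ranges
npm audit fix

# --force also installs semver-major updates, which may include breaking changes;
# review the lockfile diff and run the test suite afterwards
npm audit fix --force

# Or update manually. lodash is a transitive dependency here (express > lodash),
# so this adds it as a direct dependency; the nested copy changes only if the
# parent's range allows the new version
npm install lodash@latest
```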

**Verify fix:**
```bash
npm audit
# 0 vulnerabilities
```

### Pattern 3: Missing Peer Dependency

**Error:**
```
npm WARN package-b@1.0.0 requires a peer of react@>=16.0.0 but none is installed.
```

**Analysis:** `package-b` requires react but doesn't install it.
```json
{
  "peerDependencies": {
    "react": ">=16.0.0"
  }
}
```

**Solution:**
```bash
npm install react@^18.0.0
```

**Update package.json:**
```json
{
  "dependencies": {
    "react": "^18.0.0",
    "package-b": "^1.0.0"
  }
}
```

### Pattern 4: Outdated Dependencies

**Check for updates:**
```bash
npm outdated

Package    Cu
```