ClaudeWave
Skill · 89 repo stars · updated 1mo ago

dependency-conflict-resolver

Detect and resolve package dependency conflicts before installation across npm/yarn/pnpm, pip/poetry, cargo, and composer. Auto-trigger when installing/upgrading packages. Validates peer dependencies, version compatibility, security vulnerabilities. Auto-resolves safe conflicts (patches, dev deps), suggests manual review for breaking changes. Prevents conflicting versions, security vulnerabilities, broken builds.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/marcusgoll/Spec-Flow /tmp/dependency-conflict-resolver && cp -r /tmp/dependency-conflict-resolver/.claude/skills/dependency-conflict-resolver ~/.claude/skills/dependency-conflict-resolver
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

<objective>
Proactively detect and resolve dependency conflicts before package installation to prevent broken builds, security vulnerabilities, and version incompatibilities across JavaScript, Python, Rust, and PHP ecosystems.
</objective>

<quick_start>
<workflow>
**Pre-installation check workflow:**

1. **Detect package manager**: Identify ecosystem from lockfiles (package-lock.json, requirements.txt, Cargo.lock, composer.lock)
2. **Scan for conflicts**: Check peer dependencies, version ranges, transitive dependencies
3. **Security audit**: Run ecosystem-specific audit tools (npm audit, pip-audit, cargo-audit, composer audit)
4. **Analyze severity**: Classify conflicts by risk level (safe auto-fix, manual review, blocking)
5. **Present resolution**: Auto-apply safe fixes, suggest alternatives for breaking changes, block critical vulnerabilities with alternatives
</workflow>

<trigger_detection>
**Auto-invoke when detecting these commands:**
- `npm install`, `npm i`, `yarn add`, `pnpm add`
- `pip install`, `poetry add`
- `cargo add`, `cargo install`
- `composer require`, `composer install`
</trigger_detection>

<quick_example>
```bash
# User attempts: npm install react@18.0.0
# Skill detects: Peer dependency conflict with react-dom@17.0.0

[CONFLICT DETECTED]
Package: react@18.0.0
Conflict: react-dom@17.0.0 requires react ^17.0.0
Risk: MEDIUM (breaking change)

[RECOMMENDED ACTION]
Option 1: Upgrade react-dom to ^18.0.0 (recommended)
  npm install react@18.0.0 react-dom@18.0.0

Option 2: Downgrade react to ^17.0.0
  npm install react@17.0.0

[SECURITY CHECK]
✓ No known vulnerabilities in react@18.0.0
✓ No known vulnerabilities in react-dom@18.0.0
```
</quick_example>
</quick_start>

<workflow>
<detection_phase>
**1. Identify Package Manager and Context**

Scan current directory for lockfiles and package manifests:
- **JavaScript**: package.json + (package-lock.json | yarn.lock | pnpm-lock.yaml)
- **Python**: requirements.txt | Pipfile | pyproject.toml + (Pipfile.lock | poetry.lock)
- **Rust**: Cargo.toml + Cargo.lock
- **PHP**: composer.json + composer.lock

Extract:
- Current dependency versions (from lockfile)
- Requested package and version (from user command)
- Version constraints (from manifest)
</detection_phase>

<conflict_analysis>
**2. Analyze Dependency Conflicts**

Check for conflicts in order of severity:

**A. Peer Dependency Conflicts**
- Compare requested version against peer dependency requirements
- Identify which packages will be incompatible
- Calculate semver compatibility ranges

**B. Transitive Dependency Conflicts**
- Build dependency graph of all transitive dependencies
- Detect duplicate packages with incompatible versions
- Identify shared dependencies requiring specific versions

**C. Version Constraint Violations**
- Validate against existing version constraints in manifest
- Check for semver range compatibility (^, ~, >=, etc.)
- Detect locked versions that prevent resolution

**D. Platform/Runtime Conflicts**
- Check Node.js, Python, PHP version requirements
- Validate feature flags (Rust features)
- Check platform-specific dependencies
</conflict_analysis>
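A worked version of check A (peer dependency conflicts), added here as an example and not part of the skill's own files: it takes a constructed lockfile view with declared `peerDependencies`, implements npm's caret and tilde range rules for plain MAJOR.MINOR.PATCH versions, and reports which installed packages would break if the requested version were installed, reproducing the react/react-dom case from the quick example. The names `INSTALLED`, `satisfies` and `peer_conflicts` are assumptions of this example.

```python
import re

# Parsed view of the lockfile: installed version plus each package's declared
# peerDependencies (constructed sample mirroring the quick example; not a real lockfile).
INSTALLED = {
    "react": {"version": "17.0.0", "peerDependencies": {}},
    "react-dom": {"version": "17.0.0", "peerDependencies": {"react": "^17.0.0"}},
}

def parse(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; pre-release tags are rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version {v!r}; review manually")
    return tuple(int(x) for x in m.groups())

def caret_upper(base):
    """Exclusive upper bound of a caret range under npm semver rules (0.x is special)."""
    major, minor, patch = base
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)

def satisfies(version, constraint):
    """Check ^, ~ and exact constraints; any other operator raises so a human reviews it."""
    v = parse(version)
    if constraint.startswith("^"):
        base = parse(constraint[1:])
        return base <= v < caret_upper(base)
    if constraint.startswith("~"):
        base = parse(constraint[1:])
        return base <= v < (base[0], base[1] + 1, 0)
    return v == parse(constraint)

def peer_conflicts(requested, version, installed=INSTALLED):
    """List (package, its version, its peer constraint) for every peer the new version breaks."""
    conflicts = []
    for name, meta in installed.items():
        constraint = meta["peerDependencies"].get(requested)
        if constraint and not satisfies(version, constraint):
            conflicts.append((name, meta["version"], constraint))
    return conflicts
```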

<security_audit>
**3. Security Vulnerability Scan**

Run ecosystem-specific security audits:

**JavaScript (npm/yarn/pnpm):**
```bash
npm audit --json
# Parse output for HIGH/CRITICAL vulnerabilities
# Check: GHSA IDs, CVE numbers, severity scores
```

**Python (pip/poetry):**
```bash
pip-audit --format json
# Or, with the third-party poetry-audit-plugin installed (Poetry has no built-in audit command): poetry audit --json
# Parse PyPA Advisory Database results
```

**Rust (cargo):**
```bash
cargo audit --json
# Check RustSec Advisory Database
# Identify RUSTSEC-YYYY-NNNN advisories
```

**PHP (composer):**
```bash
composer audit --format json
# Parse security advisories
# Check for blocked insecure packages
```

For each vulnerability found:
- Extract severity (LOW, MODERATE, HIGH, CRITICAL)
- Identify patched versions
- Find alternative packages if no patch available
- Assess exploitability and context
</security_audit>

<resolution_strategy>
**4. Classify Conflicts and Generate Resolutions**

**Auto-resolve (apply without asking):**
- Patch version updates (1.2.3 → 1.2.4)
- Dev dependency conflicts with no production impact
- Security patches within same minor version
- Compatible semver range adjustments (^1.2.0 allows 1.2.4)

**Suggest manual review (present options):**
- Minor version updates (1.2.x → 1.3.x)
- Production dependency conflicts
- Peer dependency mismatches requiring upgrades
- Multiple resolution paths with tradeoffs

**Block with alternatives (prevent installation):**
- Major version conflicts requiring breaking changes
- Critical/High security vulnerabilities without patches
- Incompatible platform/runtime requirements
- Circular dependency deadlocks

**Resolution output format:**
```
[CONFLICT TYPE] Brief description
Package: package-name@requested-version
Current: package-name@current-version
Conflict: dependency-name requires version-constraint

[IMPACT ASSESSMENT]
Risk: LOW | MEDIUM | HIGH | CRITICAL
Scope: dev-only | production | peer-dependency | transitive

[RECOMMENDED ACTIONS]
1. [Primary recommendation with command]
2. [Alternative approach with tradeoffs]
3. [Fallback option if applicable]

[SECURITY STATUS]
✓ No vulnerabilities | ⚠ Vulnerabilities found (details below)
```
</resolution_strategy>
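An added example (not the skill's own code) that covers both the audit parsing in step 3 and the auto/manual/block classification in step 4: it triages a constructed `npm audit --json` (auditReportVersion 2) report using the `severity` and `fixAvailable` fields that npm 7+ emits, where `fixAvailable` is `true`, `false`, or an object naming the fixing version and whether it is a semver-major bump. The installed versions and the dev-only set are assumed to come from the lockfile and `devDependencies`.

```python
import json

# Installed versions from the lockfile and the project's devDependencies (constructed sample).
INSTALLED = {"lodash": "4.17.20", "minimist": "1.2.5", "old-lib": "0.9.0",
             "big-lib": "1.4.0", "qs": "6.5.2"}
DEV_ONLY = {"lodash"}

# Constructed `npm audit --json` (auditReportVersion 2) excerpt; not real advisory data.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "lodash":   {"severity": "high", "fixAvailable": True},
    "minimist": {"severity": "critical",
                 "fixAvailable": {"name": "minimist", "version": "1.2.6", "isSemVerMajor": False}},
    "old-lib":  {"severity": "high", "fixAvailable": False},
    "big-lib":  {"severity": "moderate",
                 "fixAvailable": {"name": "big-lib", "version": "3.0.0", "isSemVerMajor": True}},
    "qs":       {"severity": "moderate", "fixAvailable": False},
}})

def same_minor(a, b):
    """True when two MAJOR.MINOR.PATCH strings share major and minor (a patch-level fix)."""
    return a.split(".")[:2] == b.split(".")[:2]

def triage(report_json, installed=INSTALLED, dev_only=DEV_ONLY):
    """Sort each npm audit finding into the skill's buckets: auto, manual or block."""
    buckets = {"auto": [], "manual": [], "block": []}
    for name, v in json.loads(report_json)["vulnerabilities"].items():
        fix, severity = v.get("fixAvailable", False), v["severity"]
        if fix is False:
            # Unpatched: HIGH/CRITICAL blocks the install; lower severities get a human look.
            bucket = "block" if severity in ("high", "critical") else "manual"
        elif fix is not True and fix.get("isSemVerMajor"):
            # Fix needs a major bump, i.e. a breaking change: block and present alternatives.
            bucket = "block"
        elif name in dev_only or (fix is not True and same_minor(fix["version"], installed[name])):
            # Dev-only impact, or a security patch inside the current minor: safe to apply.
            bucket = "auto"
        else:
            # Non-breaking fix on a production dependency: present the options for review.
            bucket = "manual"
        buckets[bucket].append(name)
    return buckets
```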

<execution_phase>
**5. Execute Resolution**

**For auto-resolvable conflicts:**
1. Generate updated install command with resolved versions
2. Execute installation with resolved dependencies
3. Verify lockfile updates
4. Log changes for review

**For manual review conflicts:**
1. Present options with AskUserQuestion tool
2. Explain tradeoffs for each option
3. Execute user-selected resolution
4. Confirm successful installation

**For blocking conflicts:**
1. Prevent installation
2. Display detailed error explanation
3. Suggest alternative packages or version ranges
4. Provide documentation links for further investigation
</execution_phase>
</workflow>

<ecosystem_spe