zhongwei/gh-yaleh-meta-cc-claude
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-yaleh-meta-cc-claude/skills/dependency-health/SKILL.md
Zhongwei Li fab98d059b Initial commit
2025-11-30 09:07:22 +08:00

396 lines
8.9 KiB
Markdown
Raw Permalink Blame History

---
name: Dependency Health
description: Security-first dependency management methodology with batch remediation, policy-driven compliance, and automated enforcement. Use when security vulnerabilities exist in dependencies, dependency freshness low (outdated packages), license compliance needed, or systematic dependency management lacking. Provides security-first prioritization (critical vulnerabilities immediately, high within week, medium within month), batch remediation strategy (group compatible updates, test together, single PR), policy-driven compliance framework (security policies, freshness policies, license policies), and automation tools for vulnerability scanning, update detection, and compliance checking. Validated in meta-cc with 6x speedup (9 hours manual to 1.5 hours systematic), 3 iterations, 88% transferability across package managers (concepts universal, tools vary by ecosystem).
allowed-tools: Read, Write, Edit, Bash
---
# Dependency Health
**Systematic dependency management: security-first, batch remediation, policy-driven.**
> Dependencies are attack surface. Manage them systematically, not reactively.
---
## When to Use This Skill
Use this skill when:
- 🔒 **Security vulnerabilities**: Known CVEs in dependencies
- 📅 **Outdated dependencies**: Packages months/years behind
- ⚖️ **License compliance**: Need to verify license compatibility
- 🎯 **Systematic management**: Ad-hoc updates causing issues
- 🔄 **Frequent breakage**: Dependency updates break builds
- 📊 **No visibility**: Don't know dependency health status
**Don't use when**:
- ❌ Zero dependencies (static binary, no external deps)
- ❌ Dependencies already managed systematically
- ❌ Short-lived projects (throwaway tools, prototypes)
- ❌ Frozen dependencies (legacy systems, no updates allowed)
---
## Quick Start (30 minutes)
### Step 1: Audit Current State (10 min)
```bash
# Go projects
go list -m -u all | grep '\['
# Node.js
npm audit
# Python
pip list --outdated
# Identify:
# - Security vulnerabilities
# - Outdated packages (>6 months old)
# - License issues
```
### Step 2: Prioritize by Security (10 min)
**Severity levels**:
- **Critical**: Actively exploited, RCE, data breach
- **High**: Authentication bypass, privilege escalation
- **Medium**: DoS, information disclosure
- **Low**: Minor issues, limited impact
**Action timeline**:
- Critical: Immediate (same day)
- High: Within 1 week
- Medium: Within 1 month
- Low: Next quarterly update
### Step 3: Batch Remediation (10 min)
```bash
# Group compatible updates
# Test together
# Create single PR with all updates
# Example: Update all patch versions
go get -u=patch ./...
go test ./...
git commit -m "chore(deps): update dependencies (security + freshness)"
```
---
## Security-First Prioritization
### Vulnerability Assessment
**Critical vulnerabilities** (immediate action):
- RCE (Remote Code Execution)
- SQL Injection
- Authentication bypass
- Data breach potential
**High vulnerabilities** (1 week):
- Privilege escalation
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- Sensitive data exposure
**Medium vulnerabilities** (1 month):
- DoS (Denial of Service)
- Information disclosure
- Insecure defaults
- Weak cryptography
**Low vulnerabilities** (quarterly):
- Minor issues
- Informational
- False positives
### Remediation Strategy
```
Priority queue:
1. Critical vulnerabilities (immediate)
2. High vulnerabilities (week)
3. Dependency freshness (monthly)
4. License compliance (quarterly)
5. Medium/low vulnerabilities (quarterly)
```
---
## Batch Remediation Strategy
### Why Batch Updates?
**Problems with one-at-a-time**:
- Update fatigue (100+ dependencies)
- Test overhead (N tests for N updates)
- PR overhead (N reviews)
- Potential conflicts (update A breaks with update B)
**Benefits of batching**:
- Single test run for all updates
- Single PR review
- Detect incompatibilities early
- 6x faster (validated in meta-cc)
### Batching Strategies
**Strategy 1: By Severity**
```bash
# Batch 1: All security patches
# Batch 2: All minor/patch updates
# Batch 3: All major updates (breaking changes)
```
**Strategy 2: By Compatibility**
```bash
# Batch 1: Compatible updates (no breaking changes)
# Batch 2: Breaking changes (one at a time)
```
**Strategy 3: By Timeline**
```bash
# Batch 1: Immediate (critical vulnerabilities)
# Batch 2: Weekly (high vulnerabilities + freshness)
# Batch 3: Monthly (medium vulnerabilities)
# Batch 4: Quarterly (low vulnerabilities + license)
```
---
## Policy-Driven Compliance
### Security Policies
```yaml
# .dependency-policy.yml
security:
critical_vulnerabilities:
action: block_merge
max_age: 0 days
high_vulnerabilities:
action: block_merge
max_age: 7 days
medium_vulnerabilities:
action: warn
max_age: 30 days
```
### Freshness Policies
```yaml
freshness:
max_age:
major: 12 months
minor: 6 months
patch: 3 months
exceptions:
- package: legacy-lib
reason: "No maintained alternative"
```
### License Policies
```yaml
licenses:
allowed:
- MIT
- Apache-2.0
- BSD-3-Clause
denied:
- GPL-3.0 # Copyleft issues
- AGPL-3.0
review_required:
- Custom
- Proprietary
```
---
## Automation Tools
### Vulnerability Scanning
```bash
# Go: govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Node.js: npm audit
npm audit --audit-level=moderate
# Python: safety
pip install safety
safety check
# Rust: cargo-audit
cargo install cargo-audit
cargo audit
```
### Automated Updates
```bash
# Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
security:
patterns:
- "*"
update-types:
- "patch"
- "minor"
```
### License Checking
```bash
# Go: go-licenses
go install github.com/google/go-licenses@latest
go-licenses check ./...
# Node.js: license-checker
npx license-checker --summary
# Python: pip-licenses
pip install pip-licenses
pip-licenses
```
---
## Proven Results
**Validated in bootstrap-010** (meta-cc project):
- ✅ Security-first prioritization implemented
- ✅ Batch remediation (5 dependencies updated together)
- ✅ 6x speedup: 9 hours manual → 1.5 hours systematic
- ✅ 3 iterations (rapid convergence)
- ✅ V_instance: 0.92 (highest among experiments)
- ✅ V_meta: 0.85
**Metrics**:
- Vulnerabilities: 2 critical → 0 (resolved immediately)
- Freshness: 45% outdated → 15% outdated
- License compliance: 100% (all MIT/Apache-2.0/BSD)
**Transferability**:
- Go (gomod): 100% (native)
- Node.js (npm): 90% (npm audit similar)
- Python (pip): 85% (safety similar)
- Rust (cargo): 90% (cargo audit similar)
- Java (Maven): 85% (OWASP dependency-check)
- **Overall**: 88% transferable
---
## Common Patterns
### Pattern 1: Security Update Workflow
```bash
# 1. Scan for vulnerabilities
govulncheck ./...
# 2. Review severity
# Critical/High → immediate
# Medium/Low → batch
# 3. Update dependencies
go get -u github.com/vulnerable/package@latest
# 4. Test
go test ./...
# 5. Commit
git commit -m "fix(deps): resolve CVE-XXXX-XXXXX in package X"
```
### Pattern 2: Monthly Freshness Update
```bash
# 1. Check for updates
go list -m -u all
# 2. Batch updates (patch/minor)
go get -u=patch ./...
# 3. Test
go test ./...
# 4. Commit
git commit -m "chore(deps): monthly dependency freshness update"
```
### Pattern 3: Major Version Upgrade
```bash
# One at a time (breaking changes)
# 1. Update single package
go get package@v2
# 2. Fix breaking changes
# ... code modifications ...
# 3. Test extensively
go test ./...
# 4. Commit
git commit -m "feat(deps): upgrade package to v2"
```
---
## Anti-Patterns
**Ignoring security advisories**: "We'll update later"
**One-at-a-time updates**: 100 separate PRs for 100 dependencies
**Automatic merging**: Dependabot auto-merge without testing
**Dependency pinning forever**: Never updating to avoid breakage
**License ignorance**: Not checking license compatibility
**No testing after updates**: Assuming updates won't break anything
---
## Related Skills
**Parent framework**:
- [methodology-bootstrapping](../methodology-bootstrapping/SKILL.md) - Core OCA cycle
**Complementary**:
- [ci-cd-optimization](../ci-cd-optimization/SKILL.md) - Automated dependency checks in CI
- [error-recovery](../error-recovery/SKILL.md) - Dependency failure handling
**Acceleration**:
- [rapid-convergence](../rapid-convergence/SKILL.md) - 3 iterations achieved
---
## References
**Core guides**:
- Reference materials in experiments/bootstrap-010-dependency-health/
- Security-first prioritization framework
- Batch remediation strategies
- Policy-driven compliance
**Tools**:
- govulncheck (Go)
- npm audit (Node.js)
- safety (Python)
- cargo-audit (Rust)
- go-licenses (license checking)
---
**Status**: ✅ Production-ready | 6x speedup | 88% transferable | V_instance 0.92 (highest)
Reference in New Issue View Git Blame Copy Permalink