Manage project dependencies across languages including npm install, package versioning, dependency conflicts, security scanning, and lock files. Use when dealing with dependencies, version pinning, semantic versioning, or resolving conflicts.
Comprehensive dependency management across JavaScript/Node.js, Python, Ruby, Java, and other ecosystems. Covers version control, conflict resolution, security auditing, and best practices for maintaining healthy dependencies.
```bash
# Initialize project
npm init -y
# Install dependencies
npm install express
npm install --save-dev jest
npm install --save-exact lodash # Exact version
# Update dependencies
npm update
npm outdated # Check for outdated packages
# Audit security
npm audit
npm audit fix
# Clean install from lock file
npm ci # Use in CI/CD
# View dependency tree
npm list
npm list --depth=0 # Top-level only
```
```bash
# Using pip
pip install requests
pip install -r requirements.txt
pip freeze > requirements.txt
# Using poetry (recommended)
poetry init
poetry add requests
poetry add --dev pytest # Poetry 1.2+ prefers: poetry add --group dev pytest
poetry add "django>=3.2,<4.0"
poetry update
poetry show --tree
poetry check # Verify pyproject.toml and that the lock file is consistent with it
```
```bash
# Initialize
bundle init
# Install
bundle install
bundle update gem_name
# Audit (requires the bundler-audit gem)
bundle audit check --update
# View dependencies
bundle list
bundle viz # Generate dependency graph
```
Format: MAJOR.MINOR.PATCH (e.g., 2.4.1)
```jsonc
// package.json version ranges
{
  "dependencies": {
    "exact": "1.2.3", // Exactly 1.2.3
    "patch": "~1.2.3", // >=1.2.3 <1.3.0
    "minor": "^1.2.3", // >=1.2.3 <2.0.0
    "major": "*", // Any version (avoid!)
    "range": ">=1.2.3 <2.0.0", // Explicit range
    "latest": "latest" // Always latest (dangerous!)
  }
}
```
Best Practices:
- `^` for libraries: allows backward-compatible updates
- `~` for applications: more conservative, patch updates only

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "node_modules/express": {
      "version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      "integrity": "sha512-...",
      "dependencies": {
        "body-parser": "1.20.1"
      }
    }
  }
}
```
Lock File Rules:
- `npm ci` in CI/CD (faster, more reliable)
- `npm install`

```toml
[[package]]
name = "requests"
version = "2.28.1"
description = "HTTP library"
category = "main"
optional = false
python-versions = ">=3.7"
[package.dependencies]
certifi = ">=2017.4.17"
charset-normalizer = ">=2,<3"
```
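A small audit that ties the two points above together (range discipline in package.json and integrity/provenance in package-lock.json). This is an added example, not code from the original notes or from npm; it assumes a single allowlisted registry (`https://registry.npmjs.org/`) and uses constructed sample input.

```javascript
// Added example, not part of the original notes: audit a package.json together
// with its package-lock.json ("packages" map, lockfileVersion 2 or 3) for the
// risks described above: "*"/"latest" specs, lock entries without an integrity
// hash, and tarballs resolved from outside the expected registry.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/"; // assumption: public npm only
function auditDependencies(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (spec === "*" || spec === "latest" || spec === "") {
        findings.push({ name, issue: `unpinned spec "${spec}" in ${field}` });
      }
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace symlink: no tarball
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) findings.push({ name, issue: "missing integrity hash" });
    if (entry.resolved && !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ name, issue: `resolved from ${entry.resolved}` });
    }
  }
  return findings;
}
// Constructed sample input (not a real project): one wildcard spec, one lock
// entry without integrity, one tarball from a non-allowlisted host.
const samplePackageJson = { dependencies: { express: "^4.18.2", "left-pad": "*" } };
const samplePackageLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/internal-lib": {
      version: "0.1.0",
      resolved: "http://mirror.example.internal/internal-lib-0.1.0.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER",
    },
  },
};
const sampleFindings = auditDependencies(samplePackageJson, samplePackageLock);
console.log(sampleFindings); // 3 findings: left-pad (spec), left-pad (integrity), internal-lib (registry)
```

Run it against real files with `JSON.parse(fs.readFileSync(...))` for both inputs; a non-empty result is a good CI gate next to `npm ci` and `npm audit`.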
```bash
# Problem: Two packages require different versions
# package-a requires lodash@^4.17.0
# package-b requires lodash@^3.10.0
# Solution 1: Check if newer versions are compatible
npm update lodash
```
Solution 2: Use resolutions (yarn, in package.json)
```json
{
  "resolutions": {
    "lodash": "^4.17.21"
  }
}
```
Solution 3: Use overrides (npm 8.3+, in package.json)
```json
{
  "overrides": {
    "lodash": "^4.17.21"
  }
}
```
```bash
# Solution 4: Fork and patch
npm install patch-package
npx patch-package some-package
```
```bash
# Find conflicts
pip check
# Using pip-tools for constraint resolution
pip install pip-tools
pip-compile requirements.in # Generates locked requirements.txt
# Poetry automatically resolves conflicts
poetry add package-a package-b # Will find compatible versions
```
```bash
# Audit current dependencies
npm audit
# Show detailed report
npm audit --json
# Apply semver-compatible fixes automatically (npm audit fix --force would also install breaking major upgrades)
npm audit fix
# Limit fixes to production dependencies; exit non-zero only for moderate or higher
npm audit fix --production --audit-level=moderate
# Audit in CI/CD
npm audit --audit-level=high # Non-zero exit if high or critical vulnerabilities are found
```
```bash
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor project
snyk monitor
# Fix vulnerabilities interactively (legacy command, removed from recent Snyk CLI releases)
snyk wizard
```
```bash
# Using safety
pip install safety
safety check
safety check --json
# Using pip-audit (PyPA tool)
pip install pip-audit
pip-audit
```
```jsonc
// package.json (root)
{
  "name": "my-monorepo",
  "private": true,
  "workspaces": ["packages/*", "apps/*"]
}
```
```bash
# Install all dependencies
npm install
# Add dependency to specific workspace
npm install lodash --workspace=@myorg/package-a
# Run script in workspace
npm run test --workspace=@myorg/package-a
# Run script in all workspaces
npm run test --workspaces
```
```bash
# Initialize lerna
npx lerna init
# Bootstrap (install + link); removed in Lerna 7, which relies on package-manager workspaces instead
lerna bootstrap
# Add dependency to all packages (also removed in Lerna 7)
lerna add lodash
# Version and publish
lerna version
lerna publish
```
```jsonc
// library package.json
{
  "name": "my-react-library",
  "peerDependencies": {
    "react": ">=16.8.0",
    "react-dom": ">=16.8.0"
  },
  "peerDependenciesMeta": {
    "react-dom": {
      "optional": true // Makes peer dependency optional
    }
  }
}
```
When to Use Peer Dependencies:
```bash
# Analyze bundle size
npm install -g bundle-buddy
npm install --save-dev webpack-bundle-analyzer
# Use production build (skips devDependencies; npm 8+ spells this --omit=dev)
npm install --production
# Prune unused dependencies
npm prune
# Find duplicate packages
npm dedupe
npx yarn-deduplicate # For yarn
```
```jsonc
{
  "dependencies": {
    // ❌ Don't install entire lodash
    "lodash": "^4.17.21",
    // ✅ Install only what you need
    "lodash.debounce": "^4.0.8",
    "lodash.throttle": "^4.1.1"
  }
}
```
# .github/workflows/ci.yml