swe-workflow-skills 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +144 -0
- package/VERSION +1 -0
- package/bin/cli.mjs +44 -0
- package/catalog.json +225 -0
- package/commands/role.md +34 -0
- package/hooks/session-start.mjs +118 -0
- package/install.mjs +318 -0
- package/package.json +47 -0
- package/roles.json +194 -0
- package/scripts/resolve.mjs +296 -0
- package/skills/accessibility-design/SKILL.md +128 -0
- package/skills/accessibility-design/evals/evals.json +51 -0
- package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
- package/skills/api-design/SKILL.md +144 -0
- package/skills/api-design/evals/evals.json +48 -0
- package/skills/api-design/references/rest-conventions.md +147 -0
- package/skills/api-design/templates/api-spec.md +156 -0
- package/skills/architecture-design/SKILL.md +86 -0
- package/skills/architecture-design/evals/evals.json +44 -0
- package/skills/architecture-design/references/clean-architecture.md +147 -0
- package/skills/architecture-design/references/component-principles.md +129 -0
- package/skills/architecture-design/references/principles.md +81 -0
- package/skills/architecture-design/references/solid-principles.md +106 -0
- package/skills/architecture-design/templates/adr.md +63 -0
- package/skills/architecture-documentation/SKILL.md +126 -0
- package/skills/architecture-documentation/evals/evals.json +44 -0
- package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
- package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
- package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
- package/skills/bug-investigating/SKILL.md +133 -0
- package/skills/bug-investigating/evals/evals.json +56 -0
- package/skills/bug-investigating/references/common-bugs.md +62 -0
- package/skills/bug-investigating/references/debugging-patterns.md +94 -0
- package/skills/cicd-pipeline/SKILL.md +87 -0
- package/skills/cicd-pipeline/evals/evals.json +34 -0
- package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
- package/skills/cicd-pipeline/templates/github-actions.md +206 -0
- package/skills/code-reviewing/SKILL.md +92 -0
- package/skills/code-reviewing/evals/evals.json +62 -0
- package/skills/code-reviewing/references/error-handling.md +108 -0
- package/skills/code-reviewing/references/review-checklist.md +144 -0
- package/skills/configuration-strategy/SKILL.md +109 -0
- package/skills/configuration-strategy/evals/evals.json +41 -0
- package/skills/configuration-strategy/references/config-patterns.md +161 -0
- package/skills/containerization/SKILL.md +90 -0
- package/skills/containerization/evals/evals.json +36 -0
- package/skills/containerization/references/dockerfile-patterns.md +168 -0
- package/skills/containerization/templates/dockerfile.md +154 -0
- package/skills/data-modeling/SKILL.md +83 -0
- package/skills/data-modeling/evals/evals.json +43 -0
- package/skills/data-modeling/references/conventions.md +57 -0
- package/skills/data-modeling/templates/schema.md +120 -0
- package/skills/dependency-impact-analysis/SKILL.md +113 -0
- package/skills/dependency-impact-analysis/evals/evals.json +41 -0
- package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
- package/skills/dependency-management/SKILL.md +161 -0
- package/skills/dependency-management/evals/evals.json +48 -0
- package/skills/dependency-management/references/evaluation-checklist.md +127 -0
- package/skills/deployment-checklist/SKILL.md +132 -0
- package/skills/deployment-checklist/evals/evals.json +58 -0
- package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
- package/skills/deployment-repo/SKILL.md +190 -0
- package/skills/deployment-repo/evals/evals.json +44 -0
- package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
- package/skills/deployment-repo/references/version-compatibility.md +227 -0
- package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
- package/skills/effort-estimation/SKILL.md +95 -0
- package/skills/effort-estimation/evals/evals.json +32 -0
- package/skills/effort-estimation/references/estimation-methods.md +154 -0
- package/skills/feature-planning/SKILL.md +84 -0
- package/skills/feature-planning/evals/evals.json +44 -0
- package/skills/feature-planning/templates/plan.md +55 -0
- package/skills/feature-planning/templates/task.md +26 -0
- package/skills/frontend-architecture/SKILL.md +154 -0
- package/skills/frontend-architecture/evals/evals.json +34 -0
- package/skills/frontend-architecture/references/component-patterns.md +264 -0
- package/skills/frontend-architecture/templates/folder-structure.md +203 -0
- package/skills/git-workflow/SKILL.md +127 -0
- package/skills/git-workflow/evals/evals.json +44 -0
- package/skills/git-workflow/references/conventions.md +142 -0
- package/skills/git-workflow/templates/pull-request.md +57 -0
- package/skills/gitops-delivery/SKILL.md +319 -0
- package/skills/gitops-delivery/evals/evals.json +44 -0
- package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
- package/skills/gitops-delivery/templates/gitops-config.md +196 -0
- package/skills/incident-response/SKILL.md +130 -0
- package/skills/incident-response/evals/evals.json +55 -0
- package/skills/incident-response/references/communication-templates.md +134 -0
- package/skills/incident-response/references/severity-levels.md +77 -0
- package/skills/incident-response/templates/incident-timeline.md +57 -0
- package/skills/infrastructure-as-code/SKILL.md +86 -0
- package/skills/infrastructure-as-code/evals/evals.json +33 -0
- package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
- package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
- package/skills/metrics-and-okrs/SKILL.md +113 -0
- package/skills/metrics-and-okrs/evals/evals.json +33 -0
- package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
- package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
- package/skills/ml-experiment-tracking/SKILL.md +96 -0
- package/skills/ml-experiment-tracking/evals/evals.json +32 -0
- package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
- package/skills/ml-model-deployment/SKILL.md +106 -0
- package/skills/ml-model-deployment/evals/evals.json +34 -0
- package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
- package/skills/ml-pipeline-design/SKILL.md +162 -0
- package/skills/ml-pipeline-design/evals/evals.json +34 -0
- package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
- package/skills/observability-design/SKILL.md +162 -0
- package/skills/observability-design/evals/evals.json +52 -0
- package/skills/observability-design/references/logging-patterns.md +229 -0
- package/skills/observability-design/references/slo-framework.md +151 -0
- package/skills/observability-design/templates/slo-document.md +80 -0
- package/skills/performance-optimization/SKILL.md +83 -0
- package/skills/performance-optimization/evals/evals.json +47 -0
- package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
- package/skills/performance-optimization/references/concurrency.md +101 -0
- package/skills/prd-writing/SKILL.md +109 -0
- package/skills/prd-writing/evals/evals.json +33 -0
- package/skills/prd-writing/references/prd-examples.md +132 -0
- package/skills/prd-writing/templates/prd.md +71 -0
- package/skills/prd-writing/templates/rfc.md +79 -0
- package/skills/project-documentation/SKILL.md +104 -0
- package/skills/project-documentation/evals/evals.json +48 -0
- package/skills/project-documentation/references/contributing-guide.md +100 -0
- package/skills/project-documentation/templates/changelog.md +59 -0
- package/skills/project-documentation/templates/readme.md +121 -0
- package/skills/project-proposal/SKILL.md +90 -0
- package/skills/project-proposal/evals/evals.json +31 -0
- package/skills/project-proposal/references/proposal-examples.md +140 -0
- package/skills/project-proposal/templates/proposal.md +76 -0
- package/skills/project-review/SKILL.md +111 -0
- package/skills/project-review/evals/evals.json +42 -0
- package/skills/refactoring/SKILL.md +90 -0
- package/skills/refactoring/evals/evals.json +44 -0
- package/skills/refactoring/references/transformations.md +132 -0
- package/skills/retrospective/SKILL.md +157 -0
- package/skills/retrospective/evals/evals.json +34 -0
- package/skills/retrospective/references/facilitation-guide.md +130 -0
- package/skills/retrospective/templates/post-mortem.md +121 -0
- package/skills/rollback-strategy/SKILL.md +116 -0
- package/skills/rollback-strategy/evals/evals.json +55 -0
- package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
- package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
- package/skills/security-audit/SKILL.md +146 -0
- package/skills/security-audit/evals/evals.json +66 -0
- package/skills/security-audit/references/owasp-top-10.md +167 -0
- package/skills/security-audit/templates/security-report.md +79 -0
- package/skills/skill-router/SKILL.md +171 -0
- package/skills/skill-router/evals/evals.json +39 -0
- package/skills/strategic-review/SKILL.md +106 -0
- package/skills/strategic-review/evals/evals.json +42 -0
- package/skills/strategic-review/templates/full-review-prompt.md +84 -0
- package/skills/tdd-workflow/SKILL.md +147 -0
- package/skills/tdd-workflow/evals/evals.json +58 -0
- package/skills/tdd-workflow/references/test-quality.md +71 -0
- package/skills/technical-debt-review/SKILL.md +113 -0
- package/skills/technical-debt-review/evals/evals.json +41 -0
- package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
- package/skills/technical-debt-review/templates/debt-audit.md +85 -0
- package/skills/test-data-strategy/SKILL.md +129 -0
- package/skills/test-data-strategy/evals/evals.json +49 -0
- package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
- package/skills/test-suite-design/SKILL.md +137 -0
- package/skills/test-suite-design/evals/evals.json +69 -0
- package/skills/test-suite-design/references/test-infrastructure.md +175 -0
- package/skills/test-suite-design/references/testing-pyramid.md +140 -0
- package/skills/ui-ux-design/SKILL.md +117 -0
- package/skills/ui-ux-design/evals/evals.json +35 -0
- package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
- package/skills/ui-ux-design/templates/screen-spec.md +97 -0
- package/skills/verification-before-completion/SKILL.md +85 -0
- package/skills/verification-before-completion/evals/evals.json +53 -0
- package/skills/writing-skills/SKILL.md +87 -0
- package/skills/writing-skills/evals/evals.json +41 -0
- package/skills/writing-skills/references/pressure-testing.md +69 -0
- package/uninstall.mjs +182 -0
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dependency-impact-analysis
|
|
3
|
+
description: "Map the blast radius of a change before implementing — find dependents, classify breaking vs additive, identify coordination needs, produce a propagation plan. Triggers: what will break if I change this, blast radius, impact analysis, breaking change, who depends on this, downstream impact, safe to rename, shared schema change, dependency graph."
|
|
4
|
+
model: opus
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Dependency Impact Analysis
|
|
9
|
+
|
|
10
|
+
Understand what will break before breaking it. Changing a shared component without mapping its dependents leads to cascading failures — often discovered in production.
|
|
11
|
+
|
|
12
|
+
## Step 1: Define the Change
|
|
13
|
+
|
|
14
|
+
Be precise about what is changing:
|
|
15
|
+
|
|
16
|
+
- **What is the component?** (API endpoint, database table/column, library function, event schema, shared module)
|
|
17
|
+
- **What specifically is changing?** (Field renamed, parameter added, type changed, behavior changed, endpoint removed)
|
|
18
|
+
- **What is the deployment boundary?** (Single service, multiple services, public API accessible by external clients)
|
|
19
|
+
|
|
20
|
+
A vague "I'm changing the user model" is too broad. "I'm renaming the `email` field to `email_address` in the users table and the User API response" is specific enough to analyze.
|
|
21
|
+
|
|
22
|
+
## Step 2: Map All Dependents
|
|
23
|
+
|
|
24
|
+
Find everything that depends on the component being changed.
|
|
25
|
+
|
|
26
|
+
**For API endpoints:**
|
|
27
|
+
- Search for the endpoint path across all service repositories
|
|
28
|
+
- Check API gateway logs for callers (especially for public APIs)
|
|
29
|
+
- Review API documentation and SDKs for external consumers
|
|
30
|
+
- Check internal service-to-service call graphs or service mesh metrics
|
|
31
|
+
|
|
32
|
+
**For database tables/columns:**
|
|
33
|
+
- Search all codebases for table name and column name references
|
|
34
|
+
- Check ORM models, raw SQL queries, stored procedures, migration files
|
|
35
|
+
- Look for database views, triggers, or materialized views that reference the column
|
|
36
|
+
- Check reporting tools and data pipelines that read from the table directly
|
|
37
|
+
|
|
38
|
+
**For shared libraries/packages:**
|
|
39
|
+
- Check the package registry or dependency graph for what imports this library
|
|
40
|
+
- Search for the specific function/class/type being changed across all consumers
|
|
41
|
+
- Check version constraints — which consumers would receive this change automatically?
|
|
42
|
+
|
|
43
|
+
**For event schemas:**
|
|
44
|
+
- Find all producers of this event type
|
|
45
|
+
- Find all consumers (subscribers) of this event type
|
|
46
|
+
- Check event replay systems or data warehouses that store these events
|
|
47
|
+
|
|
48
|
+
**For shared modules/types:**
|
|
49
|
+
- Search the codebase for all import statements referencing the module
|
|
50
|
+
- Check generated clients (OpenAPI codegen, gRPC stubs) that depend on the schema
|
|
51
|
+
|
|
52
|
+
## Step 3: Classify Impact by Dependent
|
|
53
|
+
|
|
54
|
+
For each dependent found, classify the impact:
|
|
55
|
+
|
|
56
|
+
| Impact type | Definition | Action required |
|
|
57
|
+
|-------------|-----------|----------------|
|
|
58
|
+
| **Breaking** | Dependent will fail or produce wrong results without modification | Must coordinate: update before or simultaneously |
|
|
59
|
+
| **Additive** | Change adds capability but doesn't break existing behavior | No action required; dependent can opt in |
|
|
60
|
+
| **Internal** | Change is within a single service, no external interface changes | No coordination needed |
|
|
61
|
+
| **Latent** | Dependent doesn't use the changed part yet, but may assume current behavior | Monitor; communicate the change |
|
|
62
|
+
|
|
63
|
+
**Breaking change examples:**
|
|
64
|
+
- Renaming a required request field
|
|
65
|
+
- Changing a field type
|
|
66
|
+
- Removing an endpoint
|
|
67
|
+
- Adding a required (non-nullable, no default) column to a table
|
|
68
|
+
- Changing event schema to remove a field
|
|
69
|
+
|
|
70
|
+
**Additive change examples:**
|
|
71
|
+
- Adding a new optional field to a response
|
|
72
|
+
- Adding a new endpoint
|
|
73
|
+
- Adding a nullable column with a default
|
|
74
|
+
- Deprecating (but not removing) a field
|
|
75
|
+
|
|
76
|
+
## Step 4: Produce the Change Propagation Plan
|
|
77
|
+
|
|
78
|
+
For each breaking change, define the coordination plan:
|
|
79
|
+
|
|
80
|
+
**Option A: Simultaneous deploy** (for small, closely-coupled services under one team)
|
|
81
|
+
- Update all dependents in the same deployment window
|
|
82
|
+
- Risk: all services must be deployed together — failure in one blocks all
|
|
83
|
+
|
|
84
|
+
**Option B: Versioned transition** (recommended for shared APIs)
|
|
85
|
+
1. Deploy v2 of the interface alongside v1 (both exist simultaneously)
|
|
86
|
+
2. Migrate consumers to v2 one by one
|
|
87
|
+
3. Remove v1 once all consumers have migrated
|
|
88
|
+
|
|
89
|
+
**Option C: Expand-contract** (recommended for database and event schema changes)
|
|
90
|
+
1. Expand: add new field/column alongside old (both exist, old still works)
|
|
91
|
+
2. Migrate: update consumers to use new field
|
|
92
|
+
3. Contract: remove old field after all consumers are migrated
|
|
93
|
+
|
|
94
|
+
**Communication plan:**
|
|
95
|
+
- Which teams own dependent services?
|
|
96
|
+
- How will they be notified?
|
|
97
|
+
- What is the migration deadline?
|
|
98
|
+
- Is there a deprecation period?
|
|
99
|
+
|
|
100
|
+
## Principles Applied
|
|
101
|
+
|
|
102
|
+
- **Functional independence**: Minimize blast radius — prefer additive changes over breaking changes when both achieve the same goal
|
|
103
|
+
- **KISS**: The simplest propagation plan is the one with the fewest simultaneous moving parts. Prefer sequential migration over big-bang deploys.
|
|
104
|
+
- **YAGNI**: Don't change more than necessary. If the change can be made additive (old behavior still works), prefer that over a breaking change.
|
|
105
|
+
- **Explicit over implicit**: Undocumented contracts are the most dangerous dependencies — they're discovered when broken, not before
|
|
106
|
+
|
|
107
|
+
## Cross-Skill References
|
|
108
|
+
|
|
109
|
+
- `api-design` — design the new API contract after impact is understood
|
|
110
|
+
- `feature-planning` — incorporate the dependency coordination into the implementation plan
|
|
111
|
+
- `architecture-design` — if analysis reveals excessive coupling, document an ADR for reducing it
|
|
112
|
+
- `data-modeling` — use for schema change design once impact is mapped
|
|
113
|
+
- `deployment-repo` — when impact crosses repo boundaries in a polyrepo, use the deployment repo's compatibility matrix and contract tests to validate migration paths
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "dependency-impact-analysis",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "I want to rename the 'user_id' field to 'account_id' in our REST API response for GET /api/users. We have a mobile app, a web app, and two internal microservices that call this endpoint. What's the impact?",
|
|
7
|
+
"expected_output": "Dependency impact analysis identifying all four consumers, classifying the rename as breaking for all of them, recommending a versioning strategy, and producing a migration plan with coordination steps",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Identifies all four consumers (mobile app, web app, two microservices) as affected",
|
|
10
|
+
"Classifies this as a breaking change for all consumers (field rename, not additive)",
|
|
11
|
+
"Flags mobile app as highest risk (users may not update; old app versions still call the API)",
|
|
12
|
+
"Recommends API versioning (v1 keeps user_id, v2 uses account_id) for the mobile app case",
|
|
13
|
+
"Produces a migration sequence: add v2, migrate internal consumers, migrate web, sunset v1 after mobile migration window",
|
|
14
|
+
"Does not suggest a simultaneous big-bang rename as the only option"
|
|
15
|
+
]
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"id": 2,
|
|
19
|
+
"prompt": "I'm adding a new optional 'metadata' JSON column to the orders table. Is this safe to deploy?",
|
|
20
|
+
"expected_output": "Classifies this as an additive/backwards-compatible change requiring minimal coordination, confirms it's safe to deploy without consumer updates, and notes any edge cases",
|
|
21
|
+
"assertions": [
|
|
22
|
+
"Confirms this is a backwards-compatible (additive) change",
|
|
23
|
+
"Notes that existing code ignores the new column and remains safe",
|
|
24
|
+
"May mention that ORM models should be updated to avoid unexpected behavior when they serialize full rows",
|
|
25
|
+
"Does not require complex coordination or versioning",
|
|
26
|
+
"Gives a clear 'safe to proceed' verdict with any minor caveats"
|
|
27
|
+
]
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
"id": 3,
|
|
31
|
+
"prompt": "How do I add authentication to this endpoint?",
|
|
32
|
+
"expected_output": "Recognizes this is an API design or security question, not a dependency impact analysis request — redirects to the appropriate skill",
|
|
33
|
+
"assertions": [
|
|
34
|
+
"Recognizes this is not a dependency impact analysis request",
|
|
35
|
+
"Does not perform a blast radius analysis for adding auth",
|
|
36
|
+
"May note that adding required auth to an existing endpoint is a breaking change for current consumers (brief impact observation)",
|
|
37
|
+
"Directs to security-audit or api-design skill for the actual implementation guidance"
|
|
38
|
+
]
|
|
39
|
+
}
|
|
40
|
+
]
|
|
41
|
+
}
|
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
# Impact Patterns
|
|
2
|
+
|
|
3
|
+
## API Versioning Strategies
|
|
4
|
+
|
|
5
|
+
### URL versioning
|
|
6
|
+
```
|
|
7
|
+
/api/v1/users/{id}
|
|
8
|
+
/api/v2/users/{id}
|
|
9
|
+
```
|
|
10
|
+
Simplest to implement. Consumers explicitly opt into the new version. Old version remains accessible until deprecated.
|
|
11
|
+
|
|
12
|
+
**When to use**: Public APIs with external consumers. Breaking changes are unavoidable.
|
|
13
|
+
|
|
14
|
+
**Deprecation process**:
|
|
15
|
+
1. Announce deprecation with sunset date (minimum 6 months for external consumers)
|
|
16
|
+
2. Add `Deprecation` header to responses: `Deprecation: Sat, 01 Jan 2026 00:00:00 GMT`
|
|
17
|
+
3. Monitor v1 traffic to track migration progress
|
|
18
|
+
4. Sunset v1 after deadline
|
|
19
|
+
|
|
20
|
+
### Header versioning
|
|
21
|
+
```
|
|
22
|
+
Accept: application/vnd.myapi.v2+json
|
|
23
|
+
```
|
|
24
|
+
Cleaner URLs. More complex routing. Use when URL versioning breaks REST resource semantics.
|
|
25
|
+
|
|
26
|
+
### Query parameter versioning
|
|
27
|
+
```
|
|
28
|
+
GET /api/users/{id}?version=2
|
|
29
|
+
```
|
|
30
|
+
Easy to test in browser. Explicit but verbose. Common for internal APIs with few consumers.
|
|
31
|
+
|
|
32
|
+
### No versioning (evolve in place)
|
|
33
|
+
Only works if all changes are additive. Works well for internal services where you control all consumers and can coordinate deploys.
|
|
34
|
+
|
|
35
|
+
---
|
|
36
|
+
|
|
37
|
+
## Database Migration Coordination
|
|
38
|
+
|
|
39
|
+
### Single-service database
|
|
40
|
+
All reads and writes go through one service that owns the schema. Migration coordination is just within that service.
|
|
41
|
+
|
|
42
|
+
**Safe upgrade sequence**:
|
|
43
|
+
1. Deploy migration (schema change)
|
|
44
|
+
2. Deploy application code that uses new schema
|
|
45
|
+
|
|
46
|
+
**Rollback**: reverse migration + revert code deploy.
|
|
47
|
+
|
|
48
|
+
### Shared database (multiple services read the same tables)
|
|
49
|
+
The most dangerous architecture for migrations. Any schema change can break other services.
|
|
50
|
+
|
|
51
|
+
**Rules for shared database migrations**:
|
|
52
|
+
1. **Never drop a column** without verifying no other service reads it
|
|
53
|
+
2. **Never rename a column** without an expand-contract migration
|
|
54
|
+
3. **Adding NOT NULL constraints** on existing columns requires a default value or coordinated deploy
|
|
55
|
+
4. Always search all service codebases for references to the table/column before migrating
|
|
56
|
+
|
|
57
|
+
**Migrate shared tables using expand-contract**:
|
|
58
|
+
```
|
|
59
|
+
Step 1: Add new_column alongside old_column (both present)
|
|
60
|
+
Step 2: Deploy service A to write to both columns, read from old_column
|
|
61
|
+
Step 3: Deploy all other services to read from new_column
|
|
62
|
+
Step 4: Deploy service A to write only to new_column
|
|
63
|
+
Step 5: Drop old_column
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
### Zero-downtime migrations
|
|
67
|
+
For large tables where schema changes lock the table:
|
|
68
|
+
|
|
69
|
+
**Postgres**: Use `ALTER TABLE ... ADD COLUMN ... DEFAULT NULL` (instant) then backfill asynchronously. Adding a default value to a new column in Postgres 11+ is instant.
|
|
70
|
+
|
|
71
|
+
**Avoid in production**:
|
|
72
|
+
- `ALTER TABLE ... ADD COLUMN ... NOT NULL` (requires table scan + lock pre-Postgres 11)
|
|
73
|
+
- `CREATE INDEX` without `CONCURRENTLY` (locks entire table)
|
|
74
|
+
- `ALTER TABLE ... SET NOT NULL` on a column that may contain nulls
|
|
75
|
+
|
|
76
|
+
---
|
|
77
|
+
|
|
78
|
+
## Event Schema Evolution
|
|
79
|
+
|
|
80
|
+
### Backwards-compatible event changes
|
|
81
|
+
- Adding new optional fields
|
|
82
|
+
- Adding new event types (consumers ignore unknown types)
|
|
83
|
+
- Loosening validation (accepting more values)
|
|
84
|
+
|
|
85
|
+
### Breaking event changes
|
|
86
|
+
- Removing fields consumers depend on
|
|
87
|
+
- Changing field semantics (same name, different meaning)
|
|
88
|
+
- Tightening validation (rejecting previously-valid values)
|
|
89
|
+
- Changing the primary identifier field
|
|
90
|
+
|
|
91
|
+
### Schema registry approach (for Kafka/event streaming)
|
|
92
|
+
Use a schema registry (Confluent Schema Registry, AWS Glue) to enforce compatibility:
|
|
93
|
+
|
|
94
|
+
- **BACKWARD**: New schema can read data written by old schema (consumer can be updated first)
|
|
95
|
+
- **FORWARD**: Old schema can read data written by new schema (producer can be updated first)
|
|
96
|
+
- **FULL**: Both backward and forward compatible (safest; most restrictive)
|
|
97
|
+
|
|
98
|
+
### Consumer-first pattern (no schema registry)
|
|
99
|
+
For breaking changes without a schema registry:
|
|
100
|
+
1. Deploy consumers that handle both old and new schema (check for field presence before using it)
|
|
101
|
+
2. Deploy producers using new schema
|
|
102
|
+
3. Remove old schema handling from consumers once all producers are updated
|
|
103
|
+
|
|
104
|
+
---
|
|
105
|
+
|
|
106
|
+
## Shared Library Change Coordination
|
|
107
|
+
|
|
108
|
+
### Semantic versioning
|
|
109
|
+
- **PATCH** (1.0.x): Bug fixes, no API changes. Consumers upgrade safely.
|
|
110
|
+
- **MINOR** (1.x.0): New additive features. Old code still works. Consumers can upgrade when ready.
|
|
111
|
+
- **MAJOR** (x.0.0): Breaking changes. Consumers must update their code to use the new version.
|
|
112
|
+
|
|
113
|
+
### Monorepo vs. multi-repo impact
|
|
114
|
+
**Monorepo**: All dependents are visible. Tooling (Nx, Turborepo, Bazel) can identify which services are affected. Breaking library change requires updating all consumers in the same PR/release.
|
|
115
|
+
|
|
116
|
+
**Multi-repo**: Consumers are on different release cycles. Use semantic versioning + deprecation period. Old major version must be maintained until all consumers migrate.
|
|
117
|
+
|
|
118
|
+
### Lock files and version pinning
|
|
119
|
+
Consumers with pinned versions won't receive the change automatically. Must explicitly update their dependency. This provides safety (can choose when to migrate) but also means old versions can persist indefinitely.
|
|
120
|
+
|
|
121
|
+
---
|
|
122
|
+
|
|
123
|
+
## Finding Dependents Quickly
|
|
124
|
+
|
|
125
|
+
### Grep patterns for common dependency types
|
|
126
|
+
|
|
127
|
+
**REST endpoint consumers:**
|
|
128
|
+
```bash
|
|
129
|
+
grep -r "GET /api/users" --include="*.{ts,js,py,go,rb}" .
|
|
130
|
+
grep -r "POST /api/orders" --include="*.{ts,js,py,go,rb}" .
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
**Database column references:**
|
|
134
|
+
```bash
|
|
135
|
+
grep -r "\.email\b" --include="*.{ts,js,py,go}" .
|
|
136
|
+
grep -r "\"email\"" --include="*.{ts,js,py,go}" .
|
|
137
|
+
grep -r "users\.email" --include="*.{sql}" .
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
**Function/class references (TypeScript/JavaScript):**
|
|
141
|
+
```bash
|
|
142
|
+
grep -r "import.*UserService" --include="*.ts" .
|
|
143
|
+
grep -r "from.*user-service" --include="*.ts" .
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
**Package imports:**
|
|
147
|
+
```bash
|
|
148
|
+
grep -r "require.*my-shared-lib" --include="*.js" .
|
|
149
|
+
grep -r "from my_shared_lib" --include="*.py" .
|
|
150
|
+
```
|
|
@@ -0,0 +1,161 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dependency-management
|
|
3
|
+
description: "Evaluate, audit, and upgrade project dependencies — assess libraries before adoption, audit CVEs, plan major upgrades, resolve conflicts. Triggers: should I use this library, npm audit, upgrade dependencies, dependency vulnerability, outdated packages, evaluate this package, is this library maintained, dependency conflict, lock file, breaking changes in upgrade."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, WebFetch, WebSearch
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Dependency Management
|
|
9
|
+
|
|
10
|
+
Help make disciplined decisions about project dependencies. Every dependency is a trade-off: functionality gained vs. maintenance burden, security surface, and coupling accepted.
|
|
11
|
+
|
|
12
|
+
## Core Rule
|
|
13
|
+
|
|
14
|
+
**Every dependency should earn its place.** Before adding a dependency, ask: "Is this worth the ongoing cost of maintaining, updating, and trusting someone else's code in my project?"
|
|
15
|
+
|
|
16
|
+
## Workflow: Evaluating a New Dependency
|
|
17
|
+
|
|
18
|
+
### Step 1: Do You Need It?
|
|
19
|
+
|
|
20
|
+
Before evaluating any library, check if the need can be met without one:
|
|
21
|
+
|
|
22
|
+
- **Is this a few lines of code?** Writing `leftPad` yourself is better than importing it.
|
|
23
|
+
- **Does the language/framework already provide this?** Check built-in APIs first.
|
|
24
|
+
- **Is this a one-time use?** Copy-paste a small utility function instead of adding a dependency.
|
|
25
|
+
|
|
26
|
+
A dependency is justified when it provides substantial, maintained functionality that would be costly and error-prone to build yourself (e.g., cryptography, date handling with timezones, database drivers, authentication).
|
|
27
|
+
|
|
28
|
+
### Step 2: Evaluate the Library
|
|
29
|
+
|
|
30
|
+
For any library under consideration, assess these dimensions:
|
|
31
|
+
|
|
32
|
+
**Maintenance health:**
|
|
33
|
+
- Last commit date (stale > 1 year is a yellow flag)
|
|
34
|
+
- Open issues and PR response time
|
|
35
|
+
- Number of maintainers (bus factor — 1 maintainer is risky)
|
|
36
|
+
- Release frequency and changelog quality
|
|
37
|
+
|
|
38
|
+
**Adoption signals:**
|
|
39
|
+
- Weekly downloads / GitHub stars (not definitive, but signals community trust)
|
|
40
|
+
- Used by known projects (check dependents)
|
|
41
|
+
- Ecosystem maturity (plugins, integrations, documentation)
|
|
42
|
+
|
|
43
|
+
**Technical fit:**
|
|
44
|
+
- TypeScript support (if applicable)
|
|
45
|
+
- Bundle size impact — check on bundlephobia.com or similar
|
|
46
|
+
- API quality — is it intuitive, well-documented, consistent?
|
|
47
|
+
- Compatibility with your runtime, framework version, and other dependencies
|
|
48
|
+
|
|
49
|
+
**Security and legal:**
|
|
50
|
+
- License compatibility with your project (MIT, Apache-2.0 are permissive; GPL is viral)
|
|
51
|
+
- Known vulnerabilities (check npm audit advisory, Snyk, or GitHub advisories)
|
|
52
|
+
- Does it have excessive transitive dependencies?
|
|
53
|
+
|
|
54
|
+
**Alternatives comparison:**
|
|
55
|
+
- Identify 2-3 alternatives and compare on the dimensions above
|
|
56
|
+
- A slightly less popular library that's better maintained may be the better choice
|
|
57
|
+
|
|
58
|
+
See [references/evaluation-checklist.md](references/evaluation-checklist.md) for the structured assessment template.
|
|
59
|
+
|
|
60
|
+
### Step 3: Present the Recommendation
|
|
61
|
+
|
|
62
|
+
For the user, summarize:
|
|
63
|
+
- **Recommendation**: Use / Don't use / Consider alternative
|
|
64
|
+
- **Primary reason**: The most compelling argument
|
|
65
|
+
- **Risks accepted**: What you're trading off
|
|
66
|
+
- **Alternatives considered**: Brief comparison
|
|
67
|
+
|
|
68
|
+
## Workflow: Auditing Existing Dependencies
|
|
69
|
+
|
|
70
|
+
### Step 1: Run Vulnerability Scanners
|
|
71
|
+
|
|
72
|
+
```bash
|
|
73
|
+
# JavaScript/TypeScript
|
|
74
|
+
npm audit
|
|
75
|
+
# For more detail:
|
|
76
|
+
npx better-npm-audit audit
|
|
77
|
+
|
|
78
|
+
# Python
|
|
79
|
+
pip audit
|
|
80
|
+
# or
|
|
81
|
+
safety check
|
|
82
|
+
|
|
83
|
+
# Go
|
|
84
|
+
govulncheck ./...
|
|
85
|
+
|
|
86
|
+
# Ruby
|
|
87
|
+
bundle audit check --update
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
### Step 2: Triage Results
|
|
91
|
+
|
|
92
|
+
Not all vulnerabilities require action. For each finding:
|
|
93
|
+
|
|
94
|
+
1. **Is the vulnerable code path actually used in your project?** Many CVEs affect specific features you may not use.
|
|
95
|
+
2. **What's the severity?** Critical and High need immediate action. Medium within a sprint. Low can be tracked.
|
|
96
|
+
3. **Is a patched version available?** If yes, upgrade. If no, assess mitigation or replacement.
|
|
97
|
+
4. **Is it a transitive dependency?** You may need to upgrade the parent package, or use overrides/resolutions.
|
|
98
|
+
|
|
99
|
+
### Step 3: Find Unused Dependencies
|
|
100
|
+
|
|
101
|
+
Dead dependencies add attack surface and bloat for zero value.
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
# JavaScript — find unused packages
|
|
105
|
+
npx depcheck
|
|
106
|
+
|
|
107
|
+
# Python — find unused imports (suggests unused packages)
|
|
108
|
+
pip install vulture
|
|
109
|
+
vulture src/ --min-confidence 80
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
Remove unused dependencies. If unsure, comment it out, run tests, and deploy to staging.
|
|
113
|
+
|
|
114
|
+
### Step 4: Produce the Report
|
|
115
|
+
|
|
116
|
+
Summarize: N vulnerabilities found (X critical, Y high), N unused packages, N significantly outdated.
|
|
117
|
+
|
|
118
|
+
## Workflow: Major Version Upgrades
|
|
119
|
+
|
|
120
|
+
### Step 1: Read the Changelog
|
|
121
|
+
|
|
122
|
+
Read the changelog and migration guide for the new major version. Identify:
|
|
123
|
+
- **Breaking changes**: What will break in your code?
|
|
124
|
+
- **Deprecations resolved**: What deprecated APIs were removed?
|
|
125
|
+
- **New features**: Anything that simplifies your code?
|
|
126
|
+
- **Peer dependency changes**: Does this force other upgrades?
|
|
127
|
+
|
|
128
|
+
### Step 2: Plan the Upgrade
|
|
129
|
+
|
|
130
|
+
For low-risk upgrades (well-documented, small surface area):
|
|
131
|
+
- Create a branch, bump the version, run tests, fix failures.
|
|
132
|
+
|
|
133
|
+
For high-risk upgrades (framework major version, ORM, auth library):
|
|
134
|
+
- Create a detailed task list of changes needed
|
|
135
|
+
- Test in isolation first if possible
|
|
136
|
+
- Consider running old and new versions in parallel temporarily (expand-contract)
|
|
137
|
+
- Suggest using the `feature-planning` skill to break the upgrade into tasks
|
|
138
|
+
|
|
139
|
+
### Step 3: Validate
|
|
140
|
+
|
|
141
|
+
- [ ] All tests pass
|
|
142
|
+
- [ ] No deprecation warnings from the upgraded package
|
|
143
|
+
- [ ] No new vulnerabilities introduced by the upgrade
|
|
144
|
+
- [ ] Lock file is committed and clean
|
|
145
|
+
- [ ] Bundle size has not increased unexpectedly
|
|
146
|
+
|
|
147
|
+
## Quick Reference: Lock File Hygiene
|
|
148
|
+
|
|
149
|
+
- **Always commit lock files** (`package-lock.json`, `yarn.lock`, `poetry.lock`, `go.sum`)
|
|
150
|
+
- **Never edit lock files manually** — let the package manager manage them
|
|
151
|
+
- **Use `npm ci` (not `npm install`) in CI** — installs from lock file exactly
|
|
152
|
+
- **Review lock file diffs in PRs** — large unexpected changes signal problems
|
|
153
|
+
- **Regenerate periodically** if the lock file becomes stale or conflicted
|
|
154
|
+
|
|
155
|
+
## Principles Applied
|
|
156
|
+
|
|
157
|
+
- **YAGNI**: Don't add a library for a feature you *might* need. Add it when the need is real and proven.
|
|
158
|
+
- **KISS**: Prefer libraries with small, focused APIs over Swiss-army-knife frameworks.
|
|
159
|
+
- **DRY**: A well-chosen dependency eliminates duplication across projects — but a bad choice creates maintenance debt across projects.
|
|
160
|
+
- **Functional Independence**: Prefer libraries that don't deeply couple to your application architecture. You should be able to swap them out.
|
|
161
|
+
- **Boundaries**: Wrap third-party APIs with thin adapter layers — depend on your own abstractions, not on library specifics. This limits blast radius when a dependency changes or is replaced, and keeps your business logic free of third-party types. Only skip wrapping for pervasive infrastructure (e.g., your web framework, your ORM) where the cost of wrapping exceeds the cost of coupling.
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "dependency-management",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "I'm building a Node.js API and need a validation library. I'm considering zod, joi, yup, and ajv. Which should I use? Our stack is TypeScript, Express, and Prisma.",
|
|
7
|
+
"expected_output": "Should evaluate all four libraries across the standard dimensions (maintenance, TS support, bundle size, API quality) and make a clear recommendation based on the TypeScript stack.",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Evaluates all four options, not just recommends one without comparison",
|
|
10
|
+
"Considers TypeScript integration as a key differentiator",
|
|
11
|
+
"Notes zod's TypeScript-native schema-to-type inference as a strong fit",
|
|
12
|
+
"Compares bundle sizes",
|
|
13
|
+
"Compares API ergonomics with brief examples",
|
|
14
|
+
"Makes a clear recommendation with primary reason",
|
|
15
|
+
"Does not dismiss alternatives without explanation"
|
|
16
|
+
]
|
|
17
|
+
},
|
|
18
|
+
{
|
|
19
|
+
"id": 2,
|
|
20
|
+
"prompt": "npm audit shows 47 vulnerabilities: 3 critical, 8 high, 15 moderate, 21 low. I don't know where to start. Help me triage this.",
|
|
21
|
+
"expected_output": "Should guide triage by severity, distinguish direct vs transitive dependencies, check if vulnerable code paths are actually used, and produce an action plan.",
|
|
22
|
+
"assertions": [
|
|
23
|
+
"Starts with critical vulnerabilities, not the full list",
|
|
24
|
+
"Distinguishes between direct and transitive dependencies",
|
|
25
|
+
"Asks about or checks whether vulnerable code paths are actually exercised",
|
|
26
|
+
"Suggests npm audit fix --force ONLY with caution (can introduce breaking changes)",
|
|
27
|
+
"Recommends overrides/resolutions for transitive deps when parent hasn't updated",
|
|
28
|
+
"Identifies that many moderate/low findings may be acceptable risk",
|
|
29
|
+
"Produces a prioritized action plan, not just 'fix everything'"
|
|
30
|
+
]
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"id": 3,
|
|
34
|
+
"prompt": "We need to upgrade React from v17 to v19. We have a large codebase with 200+ components. Some use class components and legacy context API. How should we approach this?",
|
|
35
|
+
"expected_output": "Should recommend a phased approach (17→18→19), identify the major breaking changes at each step, suggest using the feature-planning skill to break this into tasks, and warn about class component and legacy API issues.",
|
|
36
|
+
"assertions": [
|
|
37
|
+
"Recommends incremental upgrade (17→18 first, then 18→19), not direct 17→19",
|
|
38
|
+
"Identifies class components and legacy context as migration blockers",
|
|
39
|
+
"Lists the key breaking changes at each major version boundary",
|
|
40
|
+
"Suggests codemods for automated migration where available",
|
|
41
|
+
"Recommends comprehensive test coverage before starting",
|
|
42
|
+
"Suggests feature-planning skill to break into manageable tasks",
|
|
43
|
+
"Warns about the scope and risk — this is not a one-afternoon task",
|
|
44
|
+
"Recommends testing in isolation before merging to main"
|
|
45
|
+
]
|
|
46
|
+
}
|
|
47
|
+
]
|
|
48
|
+
}
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
# Dependency Evaluation Checklist
|
|
2
|
+
|
|
3
|
+
## Contents
|
|
4
|
+
- Structured assessment template
|
|
5
|
+
- License compatibility guide
|
|
6
|
+
- Red flags to watch for
|
|
7
|
+
- Bundle size guidelines
|
|
8
|
+
- Common decisions by category
|
|
9
|
+
|
|
10
|
+
## Structured Assessment Template
|
|
11
|
+
|
|
12
|
+
Use this template when evaluating a library for adoption:
|
|
13
|
+
|
|
14
|
+
```markdown
|
|
15
|
+
## Dependency Evaluation: [library-name]
|
|
16
|
+
|
|
17
|
+
**Purpose**: [What does it do? Why do we need it?]
|
|
18
|
+
**Alternative to**: [What we're using now, or "nothing — new capability"]
|
|
19
|
+
**Evaluated on**: [Date]
|
|
20
|
+
|
|
21
|
+
### Maintenance Health
|
|
22
|
+
- Last release: [date]
|
|
23
|
+
- Commits in last 6 months: [number]
|
|
24
|
+
- Open issues / total issues: [ratio]
|
|
25
|
+
- Maintainers: [number, names if notable]
|
|
26
|
+
- Bus factor concern? [Yes/No]
|
|
27
|
+
|
|
28
|
+
### Adoption
|
|
29
|
+
- Weekly downloads: [number]
|
|
30
|
+
- GitHub stars: [number]
|
|
31
|
+
- Notable dependents: [projects]
|
|
32
|
+
- Stack Overflow questions: [rough count]
|
|
33
|
+
|
|
34
|
+
### Technical Fit
|
|
35
|
+
- TypeScript types: [built-in / @types / none]
|
|
36
|
+
- Bundle size (minified + gzipped): [KB]
|
|
37
|
+
- Transitive dependencies: [count]
|
|
38
|
+
- Compatible with our [framework] version? [Yes/No]
|
|
39
|
+
- API quality: [Good / Acceptable / Poor]
|
|
40
|
+
|
|
41
|
+
### Security & Legal
|
|
42
|
+
- License: [license type]
|
|
43
|
+
- Compatible with our project? [Yes/No]
|
|
44
|
+
- Known vulnerabilities: [count / none]
|
|
45
|
+
- Security advisory history: [clean / concerning]
|
|
46
|
+
|
|
47
|
+
### Alternatives Considered
|
|
48
|
+
| Criteria | [Library A] | [Library B] | [Library C] |
|
|
49
|
+
|----------|-------------|-------------|-------------|
|
|
50
|
+
| Bundle size | | | |
|
|
51
|
+
| TypeScript | | | |
|
|
52
|
+
| Maintenance | | | |
|
|
53
|
+
| API quality | | | |
|
|
54
|
+
| Adoption | | | |
|
|
55
|
+
|
|
56
|
+
### Decision
|
|
57
|
+
**Recommendation**: [Adopt / Don't adopt / Adopt alternative X]
|
|
58
|
+
**Rationale**: [1-2 sentences]
|
|
59
|
+
**Risks accepted**: [What we're giving up]
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## License Compatibility Guide
|
|
63
|
+
|
|
64
|
+
| License | Commercial Use | Can Modify | Must Disclose Source | Viral |
|
|
65
|
+
|---------|---------------|------------|---------------------|-------|
|
|
66
|
+
| MIT | ✓ | ✓ | No | No |
|
|
67
|
+
| Apache 2.0 | ✓ | ✓ | No (but must include license) | No |
|
|
68
|
+
| BSD 2/3 | ✓ | ✓ | No | No |
|
|
69
|
+
| ISC | ✓ | ✓ | No | No |
|
|
70
|
+
| GPL 2/3 | ✓ | ✓ | Yes — your code must also be GPL | **Yes** |
|
|
71
|
+
| LGPL | ✓ | ✓ | Only for modifications to the library | Partially |
|
|
72
|
+
| AGPL | ✓ | ✓ | Yes — even for SaaS/network use | **Yes** |
|
|
73
|
+
| BSL | Varies | ✓ | After time period | Varies |
|
|
74
|
+
| Unlicense | ✓ | ✓ | No | No |
|
|
75
|
+
|
|
76
|
+
**Safe for most projects**: MIT, Apache 2.0, BSD, ISC, Unlicense
|
|
77
|
+
**Requires legal review**: GPL, LGPL, AGPL, BSL, any custom license
|
|
78
|
+
**Red flag**: No license file at all — technically you have no right to use it
|
|
79
|
+
|
|
80
|
+
## Red Flags
|
|
81
|
+
|
|
82
|
+
**Maintenance red flags:**
|
|
83
|
+
- No commits in 12+ months with open issues
|
|
84
|
+
- Single maintainer who has gone silent
|
|
85
|
+
- Repository archived or marked as deprecated
|
|
86
|
+
- No changelog or release notes for major versions
|
|
87
|
+
|
|
88
|
+
**Quality red flags:**
|
|
89
|
+
- No tests in the repository
|
|
90
|
+
- Many open issues with the "bug" label and no response
|
|
91
|
+
- Breaking changes in minor/patch versions (doesn't follow semver)
|
|
92
|
+
- Excessive transitive dependencies (a utility library with 50+ deps)
|
|
93
|
+
|
|
94
|
+
**Security red flags:**
|
|
95
|
+
- Known unpatched vulnerabilities
|
|
96
|
+
- History of supply chain attacks on this package
|
|
97
|
+
- Maintainer account compromise history
|
|
98
|
+
- Obfuscated or minified source code in the published package
|
|
99
|
+
|
|
100
|
+
## Bundle Size Guidelines
|
|
101
|
+
|
|
102
|
+
Context for JavaScript frontend projects:
|
|
103
|
+
|
|
104
|
+
| Category | Acceptable | Concerning | Excessive |
|
|
105
|
+
|----------|-----------|------------|-----------|
|
|
106
|
+
| Utility (lodash-like) | < 5 KB | 5-20 KB | > 20 KB |
|
|
107
|
+
| UI component | < 15 KB | 15-50 KB | > 50 KB |
|
|
108
|
+
| State management | < 10 KB | 10-30 KB | > 30 KB |
|
|
109
|
+
| Date library | < 10 KB | 10-30 KB | > 30 KB |
|
|
110
|
+
| Charting | < 50 KB | 50-150 KB | > 150 KB |
|
|
111
|
+
| Full framework | < 50 KB | 50-100 KB | > 100 KB |
|
|
112
|
+
|
|
113
|
+
Check with: `bundlephobia.com` or `npm pack && tar -tzf *.tgz | wc -l`
|
|
114
|
+
|
|
115
|
+
For backend projects, bundle size matters less — focus on transitive dependency count and startup time impact.
|
|
116
|
+
|
|
117
|
+
## Common Decisions by Category
|
|
118
|
+
|
|
119
|
+
| Need | Recommended Approach |
|
|
120
|
+
|------|---------------------|
|
|
121
|
+
| **Date handling** | Use `Intl.DateTimeFormat` (built-in) for formatting. Add `date-fns` only for complex date math. Avoid `moment` (deprecated, huge). |
|
|
122
|
+
| **HTTP client** | Use built-in `fetch` (Node 18+, all browsers). Add `ky` or `ofetch` for convenience wrappers only if needed. |
|
|
123
|
+
| **Validation** | `zod` for TypeScript (schema + types). `joi` for JavaScript. Built-in validators for simple cases. |
|
|
124
|
+
| **UUID generation** | `crypto.randomUUID()` (built-in Node 19+, all browsers). Add `uuid` only for v1/v5 or older runtimes. |
|
|
125
|
+
| **Cryptography** | Always use built-in `crypto` module or `bcrypt`/`argon2`. Never implement your own. |
|
|
126
|
+
| **Testing** | `vitest` for Vite projects, `jest` for everything else. Both are comprehensive enough to avoid extra test utilities. |
|
|
127
|
+
| **Linting** | `eslint` with `typescript-eslint`. `biome` as a faster alternative. Avoid stacking too many plugins. |
|