dependency-management

Original source / Raw SKILL.md

---
name: dependency-management
description: >
  Manage Schmock project dependencies. Check for outdated packages, update
  safely, verify compatibility, and run publish checks.
argument-hint: "check | update [package] | audit"
disable-model-invocation: true
allowed-tools:
  - Bash(bash .claude/skills/dependency-management/scripts/check-deps.sh *)
---

# Schmock Dependency Management Skill

## Dependency Categories

### Root devDependencies

Shared tooling installed at the workspace root:

| Package | Purpose |
|---------|---------|
| `@biomejs/biome` | Linting and formatting |
| `typescript` | TypeScript compiler |
| `publint` | Package publishing validation |
| `@arethetypeswrong/cli` | Type export validation |
| `@vitest/coverage-v8` | Test coverage |
| `bun-types` | Bun runtime types |

### Per-package Dependencies

| Package | Key Deps |
|---------|----------|
| `@schmock/core` | None (zero deps) |
| `@schmock/faker` | `json-schema-faker`, `@faker-js/faker` (dev) |
| `@schmock/express` | None (express is peer dep) |
| `@schmock/angular` | None (angular packages are peer deps) |

### Peer Dependencies

Critical compatibility ranges:

| Package | Peer Dep | Range |
|---------|----------|-------|
| `@schmock/express` | `express` | `^4.18.0 \|\| ^5.0.0` |
| `@schmock/angular` | `@angular/core` | `>=15.0.0` |
| `@schmock/angular` | `@angular/common` | `>=15.0.0` |
| `@schmock/angular` | `rxjs` | `^7.0.0` |
| `@schmock/faker`, `express`, `angular` | `@schmock/core` | `^1.0.0` |

## Update Workflow

1. **Check outdated:**
   ```
   /dependency-management check
   ```

2. **Update specific package:**
   ```bash
   bun update <package>
   ```

3. **Verify after update:**
   ```bash
   bun check:publish    # Package exports still valid
   bun test:all         # All tests pass
   ```

4. **Commit the update:**
   ```bash
   git add bun.lockb package.json packages/*/package.json
   git commit -m "chore(deps): update <package> to <version>"
   ```

## Compatibility Rules

When updating dependencies, respect these constraints:

- **Angular** peer dep range: `>=15.0.0` — must support Angular 15 through latest
- **Express** peer dep range: `^4.18.0 || ^5.0.0` — must support both Express 4.18+ and 5.x
- **RxJS** peer dep: `^7.0.0` — Angular adapter relies on RxJS 7+ APIs
- **TypeScript** must stay compatible with all packages — test with `bun typecheck`
- **Vitest** — all packages must use the same major version

## Audit

Check for known security vulnerabilities:

```bash
npm audit
```

## Commands

| Command | Description |
|---------|-------------|
| `/dependency-management check` | Check outdated + compatibility |
| `/dependency-management update <pkg>` | Update a specific dependency |
| `/dependency-management audit` | Security audit |


---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### scripts/__tests__/check-deps.test.ts

```typescript
import { execSync } from "node:child_process";
import { readFileSync } from "node:fs";
import { join } from "node:path";
import { describe, expect, it } from "vitest";

const SCRIPT = join(__dirname, "..", "check-deps.sh");
const ROOT = join(__dirname, "../../../../..");

function run(args: string): { stdout: string; stderr: string; exitCode: number } {
  try {
    const stdout = execSync(`bash ${SCRIPT} ${args}`, {
      cwd: ROOT,
      encoding: "utf-8",
      timeout: 60000,
      stdio: ["pipe", "pipe", "pipe"],
    });
    return { stdout, stderr: "", exitCode: 0 };
  } catch (e: any) {
    return {
      stdout: e.stdout || "",
      stderr: e.stderr || "",
      exitCode: e.status ?? 1,
    };
  }
}

describe("check-deps.sh", () => {
  it("should be a valid bash script", () => {
    const content = readFileSync(SCRIPT, "utf-8");
    expect(content).toContain("#!/usr/bin/env bash");
  });

  it("should reject unknown targets", () => {
    const result = run("invalid");
    expect(result.exitCode).not.toBe(0);
    expect(result.stdout + result.stderr).toContain("Unknown target");
  });

  it("should accept 'all' target (default)", () => {
    const result = run("all");
    const output = result.stdout + result.stderr;
    expect(output).toContain("Outdated Packages");
    expect(output).toContain("Package Export Compatibility");
  });

  it("should accept 'outdated' target", () => {
    const result = run("outdated");
    const output = result.stdout + result.stderr;
    expect(output).toContain("Outdated Packages");
  });

  it("should accept 'publish' target", () => {
    const result = run("publish");
    const output = result.stdout + result.stderr;
    expect(output).toContain("Package Export Compatibility");
  });

  it("should accept 'audit' target", () => {
    const result = run("audit");
    const output = result.stdout + result.stderr;
    expect(output).toContain("Security Audit");
  });

  it("should default to 'all' when no argument given", () => {
    const result = run("");
    const output = result.stdout + result.stderr;
    expect(output).toContain("Outdated Packages");
  });
});

```

### scripts/check-deps.sh

```bash
#!/usr/bin/env bash
set -uo pipefail

# Check dependencies: outdated packages + publish compatibility.
#
# Usage:
#   bash check-deps.sh           # Full check
#   bash check-deps.sh outdated  # Only outdated packages
#   bash check-deps.sh publish   # Only publish compatibility
#   bash check-deps.sh audit     # Security audit

TARGET="${1:-all}"

check_outdated() {
  echo "━━━ Outdated Packages ━━━"
  bun outdated 2>&1 || true
  echo ""
}

check_publish() {
  echo "━━━ Package Export Compatibility ━━━"
  bun check:publish 2>&1 || true
  echo ""
}

check_audit() {
  echo "━━━ Security Audit ━━━"
  npm audit 2>&1 || true
  echo ""
}

case "$TARGET" in
  all)
    check_outdated
    check_publish
    ;;
  outdated)
    check_outdated
    ;;
  publish)
    check_publish
    ;;
  audit)
    check_audit
    ;;
  *)
    echo "Unknown target: ${TARGET}"
    echo "Usage: check-deps.sh [all|outdated|publish|audit]"
    exit 1
    ;;
esac

```