Agent skill

agentic-jumpstart-dependency-management

Dependency management guidelines for Jarvy - crate selection criteria, feature flag best practices, version management, security auditing with cargo-audit and cargo-deny.


Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/agentic-jumpstart-dependency-management

SKILL.md

Dependency Management Guidelines

This skill provides guidance for managing Rust dependencies in the Jarvy project.

Dependency Selection Criteria

Prefer Standard Library First

Before adding external crates, verify stdlib cannot handle the need:

```rust
// PREFER: stdlib for simple operations
use std::fs;
use std::path::PathBuf;
use std::process::Command;

// AVOID: Adding crates for trivial functionality
```

Evaluation Checklist

When considering a new dependency:

  1. Necessity: Can this be implemented in <100 lines?
  2. Maintenance: Is the crate actively maintained?
  3. Transitive deps: How many dependencies does it bring?
  4. Compile time: What is the build time impact?
  5. License: Is it compatible (MIT, Apache-2.0, BSD)?

Reuse Existing Dependencies

| Need | Use Existing |
| --- | --- |
| JSON | serde_json |
| YAML | serde_yaml |
| TOML | toml |
| Error types | thiserror |
| HTTP | ureq |
| Logging | tracing |
| CLI args | clap with derive |
| Interactive prompts | inquire |
| Unique IDs | uuid v7 |
| Platform dirs | dirs |

Feature Flag Best Practices

Minimize Enabled Features

```toml
# GOOD: Explicit minimal features
clap = { version = "4.5", features = ["derive"] }
uuid = { version = "1.10", features = ["v7"] }
serde = { version = "1.0", features = ["derive"] }
ureq = { version = "3.1", features = ["json"] }

# BAD: Enabling all features
# clap = { version = "4.5", features = ["full"] }
```

Document Non-Obvious Features

```toml
# v7 provides time-ordered UUIDs for telemetry event ordering
uuid = { version = "1.10", features = ["v7"] }
```

Disable Default Features When Appropriate

```toml
some-crate = { version = "1.0", default-features = false, features = ["needed"] }
```

Version Management

Version Specification

```toml
# Standard: Allow patch and minor updates
serde = "1.0"

# Specific: Pin only when necessary
opentelemetry-otlp = "0.31.0"
```

Update Commands

```bash
# Update all dependencies
cargo update

# Update specific dependency
cargo update -p serde

# Check for outdated dependencies (separate tool: `cargo install cargo-outdated` once)
cargo outdated
```

Lockfile Management

  • Commit Cargo.lock: This is an application, not a library
  • Review lockfile changes: Check diffs for unexpected updates

Security Auditing

Automated Auditing

```bash
# Install audit tools
cargo install cargo-audit
cargo install cargo-deny

# Run security advisory check
cargo audit

# Comprehensive check (security, licenses, duplicates)
cargo deny check
```

cargo-deny Configuration

Create deny.toml:

```toml
[advisories]
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"

[licenses]
unlicensed = "deny"
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"]

[bans]
multiple-versions = "warn"
wildcards = "deny"

[sources]
unknown-registry = "deny"
unknown-git = "deny"
```

Security Workflow

  1. Pre-commit: Run cargo audit locally
  2. CI Pipeline: Run cargo deny check on every PR
  3. Weekly: Automated dependency update PRs
  4. Release: Full audit before publishing

Adding New Dependencies

Process

  1. Justify: Document why needed
  2. Research: Check alternatives and maintenance status
  3. Audit: Run cargo audit after adding
  4. Minimize: Enable only required features
  5. Test: Verify compile time impact

PR Template

```markdown
## New Dependency: `crate-name`

**Purpose**: [What functionality?]

**Alternatives Considered**:
- stdlib: [Why not sufficient?]

**Metrics**:
- Transitive dependencies: [count]
- Build time impact: [minimal/moderate/significant]
- Last updated: [date]

**Features Enabled**: [list and why]
```

Build Optimization

Current Build Configuration

```toml
# .cargo/config.toml ([build] settings live in the Cargo config, not in Cargo.toml)
[build]
rustc-wrapper = "sccache"
jobs = 16

[profile.dev]
opt-level = 1

[profile.release]
lto = "thin"
```

Monitor Build Times

```bash
# Measure build time
cargo build --timings

# Generate HTML report
cargo build --timings=html
```

Platform-Specific Dependencies

```toml
[target.'cfg(target_os = "macos")'.dependencies]
macos-crate = "1.0"

[target.'cfg(target_os = "windows")'.dependencies]
windows-crate = "1.0"
```

Verify cross-platform compilation:

```bash
cargo check --target x86_64-unknown-linux-gnu
cargo check --target x86_64-apple-darwin
cargo check --target x86_64-pc-windows-msvc
```

Current Project Dependencies

Runtime Dependencies

| Crate | Version | Purpose |
| --- | --- | --- |
| clap | 4.5.6 | CLI parsing |
| serde | 1.0.204 | Serialization |
| toml | 0.9.5 | Config parsing |
| thiserror | 2.0.16 | Error types |
| tracing | 0.1.40 | Logging |
| ureq | 3.1.2 | HTTP client |
| inquire | 0.9.1 | Interactive prompts |
| dirs | 6.0.0 | Platform directories |
| uuid | 1.10.0 | Unique IDs |
| machineid-rs | 1.2 | Machine fingerprint |

Dev Dependencies

| Crate | Version | Purpose |
| --- | --- | --- |
| tempfile | 3.20.0 | Temp file handling |
| assert_cmd | 2.0.17 | CLI testing |

Dependency Checklist

  1. Checked if stdlib can handle the need
  2. Reviewed existing dependencies for reuse
  3. Minimized enabled features
  4. Ran cargo audit after adding
  5. Tested cross-platform compilation
  6. Documented justification in PR
