Dependency Management Protocol
Core Principle
NEVER manually edit package.json for dependency changes. Always use package manager commands: the CLI resolves the version, updates the lockfile and records integrity hashes in one step, whereas a hand-edited package.json leaves the lockfile stale and causes `npm ci` or a `--frozen-lockfile` install to fail.
Dependency Operations
Adding Dependencies
# Production dependency
bun add <package>
pnpm add <package>
npm install <package>
# Dev dependency
bun add -d <package>
pnpm add -D <package>
npm install --save-dev <package>
Removing Dependencies
bun remove <package>
pnpm remove <package>
npm uninstall <package>
Updating Dependencies
# Check outdated
bun outdated
pnpm outdated
npm outdated
# Update a specific package within the semver range in package.json
# (to cross a major version, use `<pm> add <package>@latest` instead)
bun update <package>
pnpm update <package>
npm update <package>
# Update all (interactive); npm-check-updates rewrites the ranges in package.json,
# so run the package manager's install afterwards so the lockfile follows
pnpm update --interactive
npx npm-check-updates -i
Security Audit
# Run audit
bun audit
pnpm audit
npm audit
# Auto-fix vulnerabilities (pnpm writes pnpm.overrides into package.json;
# npm only applies semver-compatible upgrades)
pnpm audit --fix
npm audit fix
# Force fix (may install semver-major upgrades; review the diff and run the test suite)
npm audit fix --force
Lockfile Hygiene
- Commit lockfiles (`bun.lock`, or the older binary `bun.lockb`; `pnpm-lock.yaml`; `package-lock.json`)
- Never delete lockfiles to resolve merge conflicts; resolve the conflict, then regenerate with the package manager so the lockfile matches package.json
- Use `--frozen-lockfile` in CI environments so an out-of-date lockfile fails the build instead of being silently rewritten
# CI install (no lockfile changes; fails if lockfile and package.json disagree,
# and npm ci removes any existing node_modules first)
bun install --frozen-lockfile
pnpm install --frozen-lockfile
npm ci
Quality Gates
- [ ] Dependencies added via CLI, not manual edits
- [ ] Lockfile committed with changes
- [ ] No high/critical vulnerabilities in audit
- [ ] Unused dependencies removed
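Two of the gates above, lockfile consistency and the audit threshold, can be checked mechanically in CI. The following is an added example, not code from the original page or from any package manager project: it diffs package.json against the root entry of a lockfileVersion 3 package-lock.json (which is how a hand-edited manifest that bypassed the CLI shows up) and filters an `npm audit --json` report by severity. It goes slightly beyond the page by accepting both the npm 7+ `vulnerabilities` object and the npm 6-style `advisories` object that `pnpm audit --json` emits. All sample inputs, package names and the `runGates` helper are constructed for illustration.

```javascript
'use strict';
// Added example (not from the original page): CI quality gates for a JS project.
// Gate 1 catches package.json edits that bypassed the package manager by comparing
// the manifest with the lockfile's root entry (package-lock.json, lockfileVersion 3).
// Gate 2 parses audit JSON and flags findings at or above a severity threshold.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Gate 1: every range in package.json must appear unchanged in the lockfile root
// entry, and nothing may linger in the lockfile after removal from package.json.
// `npm ci` performs the same comparison; doing it here yields a readable reason.
function lockfileDrift(pkg, lock) {
  const root = (lock.packages && lock.packages['']) || {};
  const problems = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(wanted)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name}@${range} is in package.json but not in the lockfile`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} range ${range} in package.json, ${locked[name]} in lockfile`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in wanted)) {
        problems.push(`${field}: ${name} is in the lockfile but was removed from package.json`);
      }
    }
  }
  return problems;
}

// Gate 2: collect findings whose severity meets the threshold. Handles the npm 7+
// `vulnerabilities` map (keyed by package name) and the npm 6 / pnpm `advisories`
// map (keyed by advisory id, package in `module_name`).
function auditFindings(audit, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  const entries = [];
  for (const v of Object.values(audit.vulnerabilities || {})) {
    entries.push({ name: v.name, severity: v.severity, direct: v.isDirect === true });
  }
  for (const a of Object.values(audit.advisories || {})) {
    entries.push({ name: a.module_name, severity: a.severity, direct: false });
  }
  return entries
    .filter((e) => (SEVERITY_RANK[e.severity] ?? -1) >= floor)
    .map((e) => `${e.name}: ${e.severity}${e.direct ? ' (direct)' : ' (transitive)'}`)
    .sort();
}

// Combine both gates into a single pass/fail result for the CI job.
function runGates(pkg, lock, audit, minSeverity = 'high') {
  const drift = lockfileDrift(pkg, lock);
  const findings = auditFindings(audit, minSeverity);
  return { ok: drift.length === 0 && findings.length === 0, drift, findings };
}

// Constructed sample inputs: lodash was hand-added to package.json and never
// installed, and the audit reports one high and one moderate finding against
// placeholder package names.
const samplePackageJson = {
  name: 'example-app',
  dependencies: { express: '^4.19.2', lodash: '^4.17.21' },
  devDependencies: { jest: '^29.7.0' },
};
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { express: '^4.19.2' }, devDependencies: { jest: '^29.7.0' } },
  },
};
const sampleAudit = {
  vulnerabilities: {
    'some-transitive-dep': { name: 'some-transitive-dep', severity: 'high', isDirect: false },
    'some-direct-dep': { name: 'some-direct-dep', severity: 'moderate', isDirect: true },
  },
};

// Stand-alone demo on the constructed inputs; in CI, load the real files
// (package.json, package-lock.json, and `npm audit --json` output) and exit 1 when !ok.
const demoResult = runGates(samplePackageJson, sampleLock, sampleAudit);
console.log(JSON.stringify(demoResult, null, 2));
```

In a pipeline, generate the audit report with `npm audit --json > audit.json` (or `pnpm audit --json`), parse the three files, and set `process.exitCode = 1` when `runGates(...).ok` is false. The drift gate is deliberately strict about ranges, not just names: a manual change from `^4.19.2` to `^5.0.0` without an install is exactly the kind of edit the core principle forbids.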