DEP-003 recommended dependency-management

No deprecated or unmaintained libraries

Critical dependencies are actively maintained and no deprecated packages are in use

Question to ask

"Any critical packages with last commit over 2 years ago?"

Verification guide

Severity: Recommended

Check automatically:

  1. Check for known deprecated packages (Node.js):

    # npm prints "npm WARN deprecated <pkg>@<ver>: <reason>" while resolving the
    # tree (pnpm prints "WARN deprecated ..." on a normal `pnpm install`); do not
    # chain the two with `||`: grep exits non-zero when nothing is deprecated,
    # which would just run the second install
    npm install --dry-run 2>&1 | grep -i "deprecated"
    npm view <package> deprecated   # per-package: prints the reason, or nothing
    
  2. Check package health on key dependencies:

    # Extract direct runtime dependencies from package.json (devDependencies
    # ship no code, so they are out of scope for this check)
    jq -r '.dependencies // {} | keys[]' package.json
    
  3. For critical dependencies, check GitHub activity:

    # Example for a specific package: resolve its repository, then fetch the
    # newest commit on the default branch. Substitute real values: gh only
    # auto-fills {owner}/{repo} from the git checkout you are standing in.
    npm view <package> repository.url
    gh api "repos/<owner>/<repo>/commits?per_page=1" --jq '.[0].commit.committer.date'
    

Note: Full automation is difficult here. Focus on:

  • Framework packages (React, Express, Django, etc.)
  • Security-sensitive packages (auth, crypto)
  • Packages with known deprecation announcements
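The three steps above wrapped into one script, as an added example that is not part of the guide or of any project it audits. It calls the same `npm view` and `gh api` commands, normalises the various shapes npm's `repository.url` takes into an `owner/repo` slug, and maps the last-commit date onto the guide's 12-month pass and 24-month fail thresholds, labelling the gap between them "review". The package.json embedded below is constructed for illustration; the package names in it are only sample input and nothing here asserts their actual status.

```python
#!/usr/bin/env python3
"""Added DEP-003 example: flag deprecated or unmaintained direct dependencies
by wrapping the guide's own `npm view` and `gh api` checks."""
from __future__ import annotations
import json
import re
import subprocess
from datetime import date, datetime, timezone

PASS_MONTHS = 12  # guide: commits within the last 12 months pass
FAIL_MONTHS = 24  # guide: no commits in 2+ years fails; in between is a judgment call

# Constructed sample package.json, standing in for a real project's file.
SAMPLE_PACKAGE_JSON = """{
  "name": "sample-app",
  "dependencies": {"express": "^4.19.2", "jsonwebtoken": "^9.0.2", "request": "^2.88.2"},
  "devDependencies": {"eslint": "^9.0.0"}
}"""

_GITHUB_HOST_RE = re.compile(r"github\.com[:/]([^/]+)/([^/#?]+)")
_SHORTHAND_RE = re.compile(r"^[\w.-]+/[\w.-]+$")


def direct_dependencies(package_json_text: str) -> list[str]:
    """Runtime dependencies only; devDependencies ship no code to production."""
    return sorted((json.loads(package_json_text).get("dependencies") or {}).keys())


def github_slug(repository_url: str | None) -> str | None:
    """Normalise npm's repository.url into "owner/repo".

    Handles git+https://, git://, ssh://git@, scp-style git@github.com:, the
    "github:owner/repo" and bare "owner/repo" shorthands, plus .git and
    #fragment suffixes. Returns None for other hosts (caller records "manual").
    """
    if not repository_url:
        return None
    url = repository_url.strip()
    if url.startswith("github:"):
        url = url[len("github:"):]
    if _SHORTHAND_RE.match(url):
        url = "github.com/" + url
    m = _GITHUB_HOST_RE.search(url)
    if not m:
        return None
    owner, repo = m.group(1), m.group(2)
    return f"{owner}/{repo[:-4] if repo.endswith('.git') else repo}"


def classify_last_commit(last_commit_iso: str, today: date | str) -> str:
    """Map a commit timestamp to the guide's pass / review / fail bands."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    last = datetime.fromisoformat(last_commit_iso.replace("Z", "+00:00")).date()
    months = (today.year - last.year) * 12 + (today.month - last.month)
    if today.day < last.day:  # the current month is not complete yet
        months -= 1
    if months < PASS_MONTHS:
        return "pass"
    if months >= FAIL_MONTHS:
        return "fail"
    return "review"  # 12 to 24 months: the guide leaves this to judgment


def _run(cmd: list[str]) -> str | None:
    """Run a CLI; return trimmed stdout, or None on failure or empty output."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


def npm_deprecation(pkg: str) -> str | None:
    # `npm view <pkg> deprecated` prints the deprecation reason, nothing otherwise
    return _run(["npm", "view", pkg, "deprecated"])


def npm_repository_url(pkg: str) -> str | None:
    return _run(["npm", "view", pkg, "repository.url"])


def github_last_commit(slug: str) -> str | None:
    # newest commit on the default branch, same query as the guide's step 3
    return _run(["gh", "api", f"repos/{slug}/commits?per_page=1",
                 "--jq", ".[0].commit.committer.date"])


def audit(package_json_text: str, today: date | None = None) -> list[dict]:
    """One row per direct dependency: deprecation reason, repo, last commit, band."""
    today = today or datetime.now(timezone.utc).date()
    rows = []
    for pkg in direct_dependencies(package_json_text):
        slug = github_slug(npm_repository_url(pkg))
        last = github_last_commit(slug) if slug else None
        rows.append({"package": pkg, "deprecated": npm_deprecation(pkg), "repo": slug,
                     "last_commit": last,
                     "band": classify_last_commit(last, today) if last else "manual"})
    return rows


if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "package.json") as fh:
        for r in audit(fh.read()):
            flag = f"DEPRECATED: {r['deprecated']}" if r["deprecated"] else ""
            print(f"{r['package']:<24} {r['band']:<7} {r['last_commit'] or '-':<21} {flag}")
```

Run it from the project root (`python3 dep003.py package.json`) with `npm` and an authenticated `gh` on PATH. Rows marked "manual" are packages hosted outside GitHub or with no repository field, which is exactly where the guide says automation stops; rows marked "review" fall in the 12 to 24 month window that the pass and fail criteria leave open, so record the date as evidence and decide them case by case.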

Pass criteria:

  • No deprecated packages in install output
  • Critical dependencies have commits within the last 12 months (12 to 24 months is neither pass nor fail: record the date and decide case by case)
  • No packages whose maintainers have announced abandonment or left a reported security issue unfixed

Fail criteria:

  • Deprecated packages in use with no migration plan
  • Critical dependency unmaintained (no commits in 2+ years)
  • Using packages with known security issues and no maintainer

If deprecated packages found, ask user: "Found deprecated packages: [list]. Are there migration plans for these?"

Evidence to capture:

  • List of deprecated packages from install output
  • Key dependencies and their last update dates
  • Any known unmaintained packages flagged

Section

02. Dependencies & Code Quality

Infrastructure & Setup