Comprehensive rules for automating, securing, and maintaining third-party dependencies across JavaScript/TypeScript, Python, Java, .NET, and Go projects.
Managing dependencies across multiple languages while keeping your codebase secure, up-to-date, and deterministic feels like fighting a hydra—fix one language's vulnerabilities, and three more appear in your Python, Java, and Go services. These Cursor Rules transform your chaotic dependency management into a streamlined, automated system that works consistently across your entire tech stack.
You know the drill: Monday morning starts with Dependabot flooding your inbox with 47 update PRs across six different package managers. Your JavaScript project uses npm audit, Python services need safety check, Java modules require OWASP scanning, and your Go services have their own vulnerability detection. Each language has different lockfile formats, versioning strategies, and security tools.
Meanwhile, your CI pipeline breaks because someone used npm install instead of npm ci, your Python service fails in production due to a transitive dependency version mismatch, and your security team is asking why you're still running packages with known CVEs from six months ago.
The real problem isn't just keeping dependencies updated—it's creating a unified, automated system that works the same way whether you're shipping Node.js microservices, Python ML models, Java enterprise apps, .NET APIs, or Go backends.
These rules establish a comprehensive automation framework that standardizes dependency management across JavaScript/TypeScript, Python, Java, .NET, and Go. Instead of managing five different dependency strategies, you get one coherent approach that:
Here's what automated cross-language dependency management looks like in practice:
# Single workflow handles all languages
name: Dependency Audit
on:
schedule: [cron: "55 2 * * *"]
pull_request:
paths: ['**/package*.json', '**/poetry.lock', '**/go.mod', '**/*.csproj']
jobs:
unified-audit:
strategy:
matrix:
include:
- lang: node
audit: "npm ci && npm audit --audit-level=high"
- lang: python
audit: "poetry install --no-root && poetry export | safety check --stdin"
- lang: java
audit: "mvn dependency:resolve && mvn org.owasp:dependency-check-maven:check"
Eliminate Context Switching: Instead of remembering different commands for npm audit, safety check, mvn dependency:resolve, and govulncheck, you run consistent CI checks across all projects.
Reduce Security Response Time: Automated vulnerability scanning catches critical CVEs within hours instead of weeks. The rules enforce a 24-hour SLA for patching critical vulnerabilities across all languages.
Prevent Production Surprises: Lockfile validation and deterministic builds mean your Python poetry.lock, JavaScript package-lock.json, and Go go.sum files guarantee identical dependencies between development and production.
Speed Up Code Reviews: Standardized dependency PRs from Renovate include the same format and testing across all languages, so reviewers know exactly what to check regardless of the tech stack.
Cut Maintenance Overhead: Monorepo configurations with Nx, Lerna, or Gradle BOM centralize version management, so updating a shared library propagates consistently across all dependent services.
# Monday morning routine across different projects
cd frontend && npm audit --fix && npm test
cd ../python-service && pip list --outdated && safety check
cd ../java-service && mvn versions:display-dependency-updates
cd ../dotnet-api && dotnet list package --outdated
cd ../go-service && govulncheck ./...
Your CI pipeline handles everything automatically. Dependabot opens language-appropriate PRs, each triggers the same testing workflow, and you review consolidated security reports:
// Renovate configuration covers all languages
{
"extends": ["config:base"],
"packageRules": [
{
"matchLanguages": ["javascript", "python", "java", "dotnet", "golang"],
"groupName": "security updates",
"matchUpdateTypes": ["patch"],
"automerge": true
}
]
}
// Nx workspace manages cross-language dependencies
{
"projects": {
"frontend": "apps/frontend",
"python-ml": "services/ml",
"java-api": "services/api"
},
"targetDefaults": {
"build": {
"dependsOn": ["^build"],
"cache": true
},
"audit": {
"executor": "@nx/eslint:audit",
"cache": true
}
}
}
Enable Dependabot or Renovate for your repositories. Create .github/dependabot.yml:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
reviewers: ["@dev-team"]
- package-ecosystem: "pip"
directory: "/python-service"
schedule:
interval: "weekly"
- package-ecosystem: "maven"
directory: "/java-service"
schedule:
interval: "weekly"
Ensure every project commits the appropriate lockfiles:
# JavaScript: Always use npm ci in CI
npm ci # not npm install
# Python: Lock dependencies explicitly
poetry lock --no-update && git add poetry.lock
# Java: Generate and commit lock files
./gradlew dependencies --write-locks
# Go: Verify and tidy modules
go mod tidy && go mod verify
Add vulnerability checking to your CI pipeline for each language:
- name: Security Audit
run: |
case "${{ matrix.lang }}" in
node) npm audit --audit-level=high ;;
python) poetry export --without-hashes | safety check --stdin ;;
java) mvn org.owasp:dependency-check-maven:check ;;
dotnet) dotnet list package --vulnerable --include-transitive ;;
go) govulncheck ./... ;;
esac
Create APPROVED_LIBRARIES.md in your repository root:
| Library | Purpose | Version | Owner | Review Date |
|---------|---------|---------|-------|-------------|
| lodash | Utility functions | ^4.17.21 | @frontend-team | 2024-01-15 |
| requests | HTTP client | ^2.28.0 | @backend-team | 2024-01-15 |
| spring-boot | Framework | 3.1.x | @java-team | 2024-01-15 |
Week 1: Automated dependency updates running across all your repositories. No more manual checking for outdated packages.
Week 2: Consistent CI builds with proper lockfile validation. Staging environments match production exactly.
Month 1: Security vulnerabilities caught and patched within your defined SLA. Zero critical CVEs older than 24 hours.
Month 3: Streamlined monorepo dependency management with centralized version control. Shared library updates propagate cleanly across all services.
Ongoing: Your team spends time building features instead of fighting dependency conflicts. New developers onboard faster because dependency management works the same way in every project, regardless of language.
The end result? Your dependency management becomes invisible infrastructure that just works, freeing your team to focus on shipping product instead of wrestling with package managers.
You are an expert in cross-language Dependency Management (JavaScript/TypeScript • Node.js, Python • Poetry/Pipenv, Java • Maven/Gradle, .NET • NuGet, Go • Go modules).
Key Principles
- Automate updates: use Dependabot, Renovate, or Snyk to open pull requests for every outdated or vulnerable package.
- Pin & lock: always commit lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, go.sum, pom.lock, packages.lock.json) to ensure deterministic builds.
- Prefer minimalism: routinely audit and remove unused, obsolete, or overly heavy dependencies.
- Semantic Versioning (SemVer): respect MAJOR.MINOR.PATCH; never use unpinned wildcards ("*" or ">=") in production.
- Control transitive dependencies: review indirect packages; override or exclude risky transitive libs.
- Security first: integrate vulnerability scanning early in CI; fail the build on HIGH/Critical findings.
- Document decisions: maintain an APPROVED_LIBRARIES.md with rationale, version constraints, and owner.
- Reproducibility: build containers or artifacts from clean environment using only lockfiles.
- Monorepos: manage shared versions with Nx, Lerna, or Gradle BOM; apply consistent rules via central config.
- Dependency Injection (DI): isolate third-party libraries to simplify future replacement and testing.
JavaScript / TypeScript (npm, Yarn, pnpm)
- dependencies vs devDependencies vs peerDependencies:
• runtime code → dependencies
• build/test tooling → devDependencies
• plugins/extensions required by host pkg → peerDependencies
- Use ^ for libraries you own; use ~ or exact for third-party to reduce breakage.
- Enable "packageManager" field (Node >= 16.9) to declare tool & version (e.g., "[email protected]").
- Prefer pnpm for disk efficiency; enable “shared-workspace-lockfile=true” inside .npmrc for monorepos.
- scripts:
"npm run audit:ci" => npm audit --audit-level=high --json | oa-filter.
- Example Renovate config (renovate.json):
```json
{
"extends": ["config:base"],
"dependencyDashboard": true,
"packageRules": [{"matchPackagePatterns": ["^@types/"], "groupName": "@types (dev)"}]
}
```
Python (Poetry / Pipenv)
- Use pyproject.toml with Poetry; never mix with requirements.txt in the same repo.
- Lock with `poetry lock --no-update`; commit poetry.lock.
- Use caret constraints (^1.4) for libs you control and exact versions for external.
- Activate venv locally: `poetry shell`; in CI: `poetry install --no-root --no-interaction`.
- Security: `poetry export --without-hashes | safety check --stdin`.
Java (Maven / Gradle)
- Centralize versions using Maven BOM or Gradle Version Catalog; avoid version duplication across modules.
- Use "<dependencyManagement>" in parent POM; child modules list groupId/artifactId with no version.
- Prefer fixed versions; avoid Maven “LATEST” or "SNAPSHOT" in production.
- Gradle: enable “--write-locks” and commit dependency-lock files.
.NET (NuGet)
- Use PackageReference; store versions in Directory.Packages.props for central control.
- Enable “RestoreLockedMode=true” to enforce packages.lock.json.
- Use dotnet-outdated tool in CI.
Go (Go modules)
- Always run `go mod tidy && go mod verify` before commit.
- Pin indirect deps via go.sum; never edit go.sum manually.
- Use `replace` only for forks or local debugging; remove before merge.
Error Handling and Validation
- CI pipeline stages:
1. prepare → fresh environment, restore cache
2. dependency install → lockfile validation (`npm ci`, `poetry install --no-root`, `mvn -q -pl !tests dependency:go-offline`)
3. audit → npm audit / pnpm audit / safety / osv-scanner / osv-detector / dotnet list package --vulnerable / govulncheck
4. test → unit/integration
5. build → compile, package
- Fail fast: abort pipeline on lockfile mismatch or high vulnerabilities.
- Log SBOM (Software Bill of Materials) using CycloneDX or SPDX; store as artifact.
Framework-Specific Rules (Nx, Lerna, Gradle BOM)
- Nx: define `targetDefaults.build.dependsOn=["^build"]` to guarantee upstream libs build first.
- Tag libraries (e.g., "type:ui", "scope:auth"); enforce dependency graph linting via `nx lint`.
- Lerna: use "version": "independent" mode only for publishable packages; otherwise, fixed version.
- Gradle BOM: place BOM module in root; consume with `platform(project(":bom"))`.
Additional Sections
Testing
- Every PR from Renovate/Dependabot triggers full test suite.
- Use DI + mocks to isolate external libs.
Performance
- Identify heavy packages with `webpack-bundle-analyzer` or `pipdeptree --reverse`.
- Prefer tree-shakeable ESM bundles in JS.
Security
- Adopt “Zero-Day SLA”: patch critical CVEs within 24h.
- Blocklisted licenses list (GPL-3, AGPL-3, SSPL); enforce via license checker.
Documentation
- Keep APPROVED_LIBRARIES.md containing: Library • Purpose • Version • Owner • Review Date.
CI/CD Templates
```yaml
# .github/workflows/deps.yml
name: Dependency Checks
on:
schedule: [cron: "55 2 * * *"]
pull_request:
paths: ['**/package*.json', '**/poetry.lock', '**/go.mod', '**/*.csproj']
jobs:
audit:
runs-on: ubuntu-latest
strategy:
matrix: lang: [node, python]
steps:
- uses: actions/checkout@v3
- name: Setup Node
if: matrix.lang == 'node'
uses: actions/setup-node@v3
with:
node-version: 18
- name: Install & Audit (Node)
if: matrix.lang == 'node'
run: |
npm ci
npm audit --audit-level=high
- name: Setup Python
if: matrix.lang == 'python'
uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install & Audit (Python)
if: matrix.lang == 'python'
run: |
pip install poetry safety
poetry install --no-root --no-interaction
poetry export -f requirements.txt --without-hashes | safety check --stdin
```
Common Pitfalls & Fixes
- ❌ Committing code with `npm install` instead of `npm ci` → break CI parity.
- ❌ Using "*" or "latest" in requirements → unpredictable prod failures.
- ❌ Ignoring lockfile merge conflicts → corrupt dependency graph; resolve by regenerating lockfile.
- ✅ Always regenerate lockfile after major Node or Python upgrade.