Added CLAUDE skills to fix dependency versions and related principles

Author: kubrickcode

.claude/skills/dependancy-management/SKILL.md

@@ -0,0 +1,83 @@
+---
+name: dependency-management
+description: |
+  Enforces fixed version dependency installation across all package managers. Ensures reproducible builds, supply chain security, and stability.
+  Use when: installing packages, updating dependencies, working with package.json/requirements.txt/go.mod/Cargo.toml/pom.xml/build.gradle/composer.json/Gemfile/.csproj, reviewing dependency configurations, configuring CI/CD pipelines
+---
+
+# Dependency Management
+
+## Basic Principles
+
+### Always Use Exact Versions
+
+- Use exact versions only: `package@1.2.3`
+- Forbid: `^1.2.3`, `~1.2.3`, `latest`, `*`, version ranges
+- Exception: Library peerDependencies only
+
+### Lock Files Are Mandatory
+
+- Always commit to version control
+- Forbid manual editing
+- CI/CD must use frozen/locked mode
+
+### Security Audit First
+
+- Check vulnerabilities before installation
+- Automate regular audits
+
+## Installation Commands
+
+```bash
+# Node.js
+npm install --save-exact package@1.2.3
+pnpm add --save-exact package@1.2.3
+yarn add --exact package@1.2.3
+
+# Python
+pip install package==1.2.3
+poetry add package@1.2.3
+
+# Go
+go get package@v1.2.3
+
+# Rust
+cargo add package@=1.2.3
+
+# PHP
+composer require vendor/package:1.2.3
+
+# Ruby (Gemfile)
+gem 'package', '1.2.3'
+
+# Java/Kotlin
+implementation("group:artifact:1.2.3")  # Gradle
+<version>1.2.3</version>                # Maven
+
+# .NET
+dotnet add package PackageName --version 1.2.3
+```
+
+## CI/CD Commands
+
+```bash
+npm ci                          # npm
+pnpm install --frozen-lockfile  # pnpm
+yarn install --frozen-lockfile  # yarn
+poetry install --no-update      # poetry
+go mod verify                   # go
+cargo build --locked            # rust
+composer install --no-update    # php
+bundle install --frozen         # ruby
+dotnet restore --locked-mode    # .NET
+```
+
+## Common Mistakes
+
+| ❌ Wrong                 | ✅ Correct                     |
+| ------------------------ | ------------------------------ |
+| `npm install` (CI)       | `npm ci`                       |
+| `package@latest`         | `package@1.2.3`                |
+| `package@^1.2.3`         | `package@1.2.3`                |
+| Lock file in .gitignore  | Commit lock file               |
+| Manual lock file editing | Regenerate via package manager |

package.json

@@ -48,29 +48,29 @@
     "prepublishOnly": "yarn build"
   },
   "dependencies": {
-    "@octokit/rest": "^22.0.1",
-    "commander": "^14.0.1",
-    "globby": "^14.0.0",
-    "js-yaml": "^4.1.0",
-    "ky": "^1.8.3",
-    "micromatch": "^4.0.8",
-    "picocolors": "^1.0.0",
-    "tar": "^7.5.1",
-    "zod": "^4.1.12"
+    "@octokit/rest": "22.0.1",
+    "commander": "14.0.1",
+    "globby": "14.0.0",
+    "js-yaml": "4.1.0",
+    "ky": "1.14.0",
+    "micromatch": "4.0.8",
+    "picocolors": "1.0.0",
+    "tar": "7.5.1",
+    "zod": "4.1.12"
   },
   "devDependencies": {
-    "@types/js-yaml": "^4.0.9",
-    "@types/micromatch": "^4.0.9",
-    "@types/node": "^24.7.1",
-    "@types/tar": "^6.1.13",
+    "@types/js-yaml": "4.0.9",
+    "@types/micromatch": "4.0.9",
+    "@types/node": "24.7.1",
+    "@types/tar": "6.1.13",
     "eslint": "9.39.1",
     "eslint-plugin-import": "2.32.0",
     "eslint-plugin-perfectionist": "4.15.1",
     "husky": "9.1.7",
     "lint-staged": "15.2.11",
     "prettier": "3.6.2",
-    "tsup": "^8.0.0",
-    "typescript": "^5.3.0",
+    "tsup": "8.0.0",
+    "typescript": "5.9.3",
     "typescript-eslint": "8.46.3"
   }
 }