Rule: New Dependency Detection
Overview
Identifies when new dependencies are added to package management files (as opposed to version updates).
Label Metadata
- Label Name: `new-dependency`
- Color: `a2eeef` (Cyan)
- Description: New dependency added to package files
Detection Logic
Analyze the diff/patch of dependency files to detect additions:
- Line starting with `+` in the dependency section
- Not in version update format (which shows `-` then `+` for the same package)
- Pattern: `+dependency-name: version` or `+"dependency-name": "version"`
Detection by Package Manager
npm/yarn:
- `+"package-name": "version"` in `dependencies` or `devDependencies`
Python (requirements.txt):
- New line starting with `+` and a package name
Go (go.mod):
- `+require (` followed by a package
Ruby (Gemfile):
- `+gem 'package-name'` or `+gem "package-name"`
Rust (Cargo.toml):
- `+[dependencies]` section with new entries
Example Code That Triggers
```diff
+ "express": "^4.18.0",
+ "lodash": "4.17.21"
```
Example Code That Does NOT Trigger (Version Update)
```diff
- "express": "^4.17.0",
+ "express": "^4.18.0",
```
Test Cases Needed
- Detects new package additions
- Ignores version updates
- Handles both dependencies and devDependencies
- Supports multiple package managers
- Handles commented additions (should ignore)
Edge Cases
- Dependency version range change - should not trigger (update, not new)
- Adding same package with different name/alias
- Conditional dependencies (optional, peer)
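As an added example (not code from the issue or the project itself), a Python sketch of the detection logic above for package.json and requirements.txt: removed and added lines are paired by package name, so a version range change is reported as an update rather than a new dependency, and commented-out additions never match. The sample diffs are constructed for the example; aliased packages (the "same package, different name" edge case) are not resolved here.

```python
import re

# Constructed sample diffs (example data, not from the issue).
PACKAGE_JSON_DIFF = """\
--- a/package.json
+++ b/package.json
@@ -5,7 +5,9 @@
   "dependencies": {
-    "express": "^4.17.0",
+    "express": "^4.18.0",
+    "lodash": "4.17.21"
   },
   "devDependencies": {
+    "jest": "^29.0.0"
   }
"""
REQUIREMENTS_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 flask==2.3.0
+# pillow>=10.0.0
+requests==2.31.0
-pyyaml==6.0
+pyyaml==6.0.1
"""

# One entry pattern per file type; groups are (name, version).
# A '#' comment or a structural line such as '"dependencies": {' never matches.
PATTERNS = {
    "package.json": re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"'),
    "requirements.txt": re.compile(r'^\s*([A-Za-z0-9][\w.\-]*)\s*([^#\s]*)'),
}

def classify_dependency_changes(diff_text, filename):
    """Return (new, updated) dicts for a unified diff of one dependency file."""
    pattern = PATTERNS[filename]
    removed, added = {}, {}
    for line in diff_text.splitlines():
        # Skip context lines, hunk headers and the ---/+++ file headers.
        if not line or line[0] not in "+-" or line.startswith(("---", "+++")):
            continue
        m = pattern.match(line[1:])
        if not m:
            continue
        (added if line[0] == "+" else removed)[m.group(1)] = m.group(2)
    # A name present on both sides is a version update, not a new dependency.
    new = {n: v for n, v in added.items() if n not in removed}
    updated = {n: (removed[n], v) for n, v in added.items() if n in removed}
    return new, updated
```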
Integration Notes
- Requires dependency files to be present (depends on the `dependency-change` rule)
- Consider analyzing lock files for more accurate detection
Priority
Medium - Useful for dependency tracking
Status: Not implemented
Category: Code & Dependencies