Claude-code-plugins-plus-skills analyzing-dependencies
Analyze dependencies for known security vulnerabilities and outdated versions. Use when auditing third-party libraries. Trigger with 'check dependencies', 'scan for vulnerabilities', or 'audit packages'.
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/security/dependency-checker/skills/analyzing-dependencies" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-analyzing-dependencies-f7f9d9 && rm -rf "$T"
manifest:
plugins/security/dependency-checker/skills/analyzing-dependencies/SKILL.mdsource content
Analyzing Dependencies
Overview
Analyze project dependencies for known security vulnerabilities, outdated versions, and license compliance issues across multiple package ecosystems. This skill inspects npm, pip, Composer, Gem, Go module, and Cargo manifests and lock files, cross-references findings against CVE databases, and produces actionable remediation guidance with upgrade paths.
Prerequisites
- Access to the target project directory and manifest files in
${CLAUDE_SKILL_DIR}/ - At least one package manager CLI available:
,npm
/pip
,pip-audit
,composer
,gem
, orgocargo - Network access for querying vulnerability databases (NVD, GitHub Advisory Database, OSV)
- Reference:
for npm/pip audit report formats, license compatibility matrix, and dependency management best practices${CLAUDE_SKILL_DIR}/references/README.md
Instructions
- Detect the project ecosystem by scanning
for manifest files:${CLAUDE_SKILL_DIR}/
andpackage.json
(npm/Node.js),package-lock.json
/requirements.txt
/pyproject.toml
(Python),Pipfile.lock
/composer.json
(PHP),composer.lock
/Gemfile
(Ruby),Gemfile.lock
/go.mod
(Go),go.sum
/Cargo.toml
(Rust).Cargo.lock - For npm projects, run
and parse the structured output. Map each advisory to its CVE identifier, CVSS score, severity level, vulnerable version range, and patched version.npm audit --json - For Python projects, run
or parsepip-audit --format=json
output. Cross-reference each vulnerability against the OSV database for additional context.safety check --json - For other ecosystems, run the equivalent audit command (
,composer audit
,bundle audit
,cargo audit
) and normalize the output to a common finding format.govulncheck - Analyze the dependency tree for transitive vulnerabilities -- identify which direct dependency pulls in the vulnerable transitive dependency, and whether upgrading the direct dependency resolves the issue.
- Check for outdated packages by comparing installed versions against the latest available versions. Categorize updates as patch (safe), minor (likely safe), or major (breaking changes possible).
- Audit license compliance by extracting license declarations from each dependency. Flag packages using copyleft licenses (GPL, AGPL) in proprietary projects, packages with no declared license, and packages with license conflicts per the compatibility matrix in
.${CLAUDE_SKILL_DIR}/references/README.md - Identify abandoned or unmaintained packages: flag dependencies with no releases in over 2 years, archived repositories, or known deprecation notices.
- Classify each finding by severity (critical, high, medium, low) using CVSS scores: critical >= 9.0, high >= 7.0, medium >= 4.0, low < 4.0.
- Generate a remediation plan with specific upgrade commands, alternative packages for abandoned dependencies, and a priority order based on severity and exploitability.
Output
- Vulnerability report: Table with columns: Package, Installed Version, Vulnerability (CVE ID), CVSS Score, Severity, Patched Version, Direct/Transitive
- Outdated packages: Table with columns: Package, Current Version, Latest Version, Update Type (patch/minor/major), Breaking Changes Risk
- License audit: Table with columns: Package, License, Compatibility Status (OK, Warning, Conflict), Notes
- Dependency tree visualization: For critical vulnerabilities, the chain from direct dependency to vulnerable transitive dependency
- Remediation commands: Ready-to-run commands (e.g.,
,npm install package@version
) prioritized by severitypip install --upgrade package==version - Executive summary: Total dependencies scanned, total vulnerabilities by severity, outdated count, license conflicts count
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Vulnerabilities found (expected behavior) | Parse the JSON output normally; exit code 1 indicates findings, not a tool failure |
| Tool not available in the environment | Install with |
| Lock file missing or outdated | Dependencies not properly locked | Run |
| Network timeout querying vulnerability DB | Firewall or connectivity issue | Retry with increased timeout; fall back to offline analysis of lock file versions against cached CVE data |
| Mixed ecosystem project | Multiple manifest files in one repo | Scan each ecosystem independently and combine results into a unified report |
| Private registry packages not found | Audit tools cannot resolve private packages | Skip private packages in the vulnerability scan; note them as "unverifiable" in the report |
Examples
npm Pre-Deployment Audit
Run
npm audit --json${CLAUDE_SKILL_DIR}/npm install express@4.19.2path-to-regexpPython Dependency Security Check
Run
pip-audit --format=json -r ${CLAUDE_SKILL_DIR}/requirements.txtrequirements.txtpip-auditLicense Compliance Scan
Extract licenses from
${CLAUDE_SKILL_DIR}/node_modules/license-checker --jsonUNLICENSED