Claude-skill-registry dependency-guardian
Automated dependency management with security scanning, update orchestration, and compatibility validation
git clone https://github.com/majiayu000/claude-skill-registry
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dependency-guardian" ~/.claude/skills/majiayu000-claude-skill-registry-dependency-guardian && rm -rf "$T"
skills/data/dependency-guardian/SKILL.md
Dependency Guardian Skill
Purpose
Automatically manage project dependencies with security scanning, intelligent updates, breaking change detection, and license compliance validation.
When to Use
- Weekly dependency health checks
- Security vulnerability scanning
- Before major releases
- After security advisories
- Automated dependency updates
- License compliance audits
Supported Package Managers
JavaScript/TypeScript
- npm: Node.js packages
- yarn: Alternative Node.js package manager
- pnpm: Fast, disk-efficient package manager
Python
- pip: Python package installer
- poetry: Modern dependency management
- pipenv: Virtual environments + dependencies
Rust
- cargo: Rust package manager
Go
- go mod: Go modules
Ruby
- bundler: Ruby gem dependencies
Java/JVM
- maven: Apache Maven
- gradle: Gradle build tool
Operations
1. Scan Vulnerabilities
- Check dependencies against CVE databases
- Identify critical, high, medium, low severity
- Report vulnerable transitive dependencies
- Generate remediation recommendations
2. Check for Updates
- Find outdated dependencies
- Classify updates (major, minor, patch)
- Detect breaking changes
- Calculate update priority
3. Update Dependencies
- Apply safe updates automatically
- Create separate PRs for major vs minor
- Run tests after updates
- Rollback on failure
4. License Compliance
- Detect dependency licenses
- Flag incompatible licenses
- Generate license report
- Check OSS license compatibility
5. Dependency Audit
- Generate dependency tree
- Identify duplicate dependencies
- Detect circular dependencies
- Calculate total dependency count
Scripts
main.py
# Scan for vulnerabilities
python scripts/main.py scan --project-dir=.
# Check for updates
python scripts/main.py check-updates --project-dir=.
# Update dependencies (safe updates only)
python scripts/main.py update --type=patch --auto-merge
# Generate audit report
python scripts/main.py audit --output=audit-report.json
# Check license compliance
python scripts/main.py licenses --allow=MIT,Apache-2.0,BSD-3-Clause
Subcommands
scan: Vulnerability scanning
python scripts/main.py scan --severity=high,critical
# Output: List of vulnerabilities with remediation
check-updates: Find outdated dependencies
python scripts/main.py check-updates --include-dev
# Output: Available updates grouped by type
update: Apply updates
python scripts/main.py update --type=patch --dry-run
# Output: Preview of updates (no changes)
audit: Generate dependency report
python scripts/main.py audit --format=markdown
# Output: Complete dependency analysis
licenses: License compliance check
python scripts/main.py licenses --check-compatibility
# Output: License compatibility report
Configuration
Project Configuration
Create .dependency-guardian.json:
{
  "updateSchedule": "weekly",
  "autoMerge": {
    "patch": true,
    "minor": false,
    "major": false
  },
  "allowedLicenses": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
  "ignoredPackages": ["legacy-package-name"],
  "severityThreshold": "high"
}
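As an added example (not code from the dependency-guardian skill itself), the policy evaluator below applies the fields documented above, severityThreshold, ignoredPackages and autoMerge, to the kind of scan and check-updates output shown later on this page. The config and sample vulnerability list are constructed here; treating a minor bump on a 0.x version as breaking is an assumption added in this example, since pre-1.0 semver makes no stability promise.

```python
import json
import re

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed config mirroring the .dependency-guardian.json fields documented above.
CONFIG = json.loads("""{
  "autoMerge": {"patch": true, "minor": false, "major": false},
  "allowedLicenses": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
  "ignoredPackages": ["legacy-package-name"],
  "severityThreshold": "high"
}""")

# Constructed sample in the shape of the scan output (see Example 1 below).
SAMPLE_VULNS = [
    {"package": "lodash", "version": "4.17.15", "severity": "high"},
    {"package": "axios", "version": "0.19.0", "severity": "medium"},
]

def classify_update(current: str, latest: str) -> str:
    """Return 'major', 'minor', 'patch' or 'none' from the semver components.
    Assumption added here: a minor bump on a 0.x version counts as major,
    because pre-1.0 releases give no compatibility guarantee."""
    cur = [int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", current).groups()]
    new = [int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", latest).groups()]
    if new[0] != cur[0] or (cur[0] == 0 and new[1] != cur[1]):
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch" if new[2] != cur[2] else "none"

def blocking_vulns(vulns, config=CONFIG):
    """Packages with a finding at or above severityThreshold, skipping ignoredPackages."""
    floor = SEVERITY_RANK[config["severityThreshold"]]
    ignored = set(config.get("ignoredPackages", []))
    return [v["package"] for v in vulns
            if v["package"] not in ignored and SEVERITY_RANK[v["severity"]] >= floor]

def plan_updates(updates, config=CONFIG):
    """Split check-updates entries into auto-merge vs. review-PR per the autoMerge policy."""
    auto, review = [], []
    for u in updates:
        if u["package"] in config.get("ignoredPackages", []):
            continue  # ignored packages are neither merged nor proposed
        kind = classify_update(u["current"], u["latest"])
        (auto if config["autoMerge"].get(kind, False) else review).append((u["package"], kind))
    return auto, review
```

With the config above, only the lodash finding blocks (axios is medium, below the high threshold), and only patch bumps land in the auto-merge list.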
Memory Integration
Stores vulnerability history and preferences:
{
  "topic": "dependency-guardian-config",
  "scope": "repository",
  "value": {
    "last_scan": "2025-10-20T10:00:00Z",
    "vulnerabilities_found": 3,
    "vulnerabilities_fixed": 2,
    "update_preferences": {
      "auto_patch": true,
      "test_before_merge": true,
      "create_pr": true
    },
    "license_policy": {
      "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
      "blocked": ["GPL-3.0", "AGPL-3.0"]
    }
  }
}
Integration Points
With Security Scanner Skill
- Share vulnerability database
- Coordinate security scanning
- Cross-reference CVE findings
With Test-First Change Skill
- Run tests after updates
- Validate no regressions
- Block merge on test failure
With PR Author/Reviewer Skill
- Create update PRs automatically
- Include vulnerability details
- Add security review checklist
With Release Orchestrator Skill
- Block releases with critical CVEs
- Include dependency updates in changelog
- Verify dependencies before deployment
Examples
Example 1: Scan for Vulnerabilities
Project: Node.js app with outdated dependencies
Command:
python scripts/main.py scan --project-dir=/path/to/project
Output:
{
  "success": true,
  "project_type": "npm",
  "vulnerabilities": [
    {
      "package": "lodash",
      "version": "4.17.15",
      "severity": "high",
      "cve": "CVE-2020-8203",
      "title": "Prototype Pollution",
      "fixed_in": "4.17.19",
      "recommendation": "Update to lodash@4.17.19 or higher"
    },
    {
      "package": "axios",
      "version": "0.19.0",
      "severity": "medium",
      "cve": "CVE-2020-28168",
      "title": "SSRF vulnerability",
      "fixed_in": "0.21.1",
      "recommendation": "Update to axios@0.21.1 or higher"
    }
  ],
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 1,
    "low": 0,
    "total": 2
  }
}
Example 2: Check for Updates
Command:
python scripts/main.py check-updates --project-dir=.
Output:
{
  "success": true,
  "project_type": "npm",
  "updates": {
    "patch": [
      { "package": "express", "current": "4.17.1", "latest": "4.17.3", "type": "patch" }
    ],
    "minor": [
      { "package": "react", "current": "17.0.2", "latest": "17.2.0", "type": "minor" }
    ],
    "major": [
      { "package": "webpack", "current": "4.46.0", "latest": "5.75.0", "type": "major", "breaking_changes": true }
    ]
  },
  "summary": {
    "total": 15,
    "patch": 8,
    "minor": 5,
    "major": 2
  }
}
Example 3: Update Dependencies (Patch Only)
Command:
python scripts/main.py update --type=patch --dry-run=false
Output:
{
  "success": true,
  "updates_applied": 8,
  "packages": [
    { "name": "express", "from": "4.17.1", "to": "4.17.3" },
    { "name": "lodash", "from": "4.17.15", "to": "4.17.21" },
    { "name": "moment", "from": "2.29.1", "to": "2.29.4" }
  ],
  "tests_run": true,
  "tests_passed": true,
  "pr_created": true,
  "pr_url": "https://github.com/user/repo/pull/123"
}
Example 4: License Audit
Command:
python scripts/main.py licenses --check-compatibility
Output:
{
  "success": true,
  "total_packages": 247,
  "licenses": {
    "MIT": 189,
    "Apache-2.0": 31,
    "BSD-3-Clause": 18,
    "ISC": 7,
    "UNLICENSED": 2
  },
  "issues": [
    {
      "package": "some-gpl-package",
      "license": "GPL-3.0",
      "severity": "high",
      "reason": "GPL-3.0 not in allowed list",
      "recommendation": "Find alternative or add license exception"
    }
  ]
}
Example 5: Dependency Audit
Command:
python scripts/main.py audit --format=json
Output:
{
  "success": true,
  "project_type": "npm",
  "dependencies": {
    "production": 87,
    "development": 160,
    "total": 247
  },
  "depth": {
    "direct": 42,
    "transitive": 205,
    "max_depth": 7
  },
  "duplicates": [
    { "package": "semver", "versions": ["5.7.1", "6.3.0", "7.3.5"], "count": 3 }
  ],
  "size": {
    "total_mb": 156.3,
    "largest": [
      { "package": "typescript", "size_mb": 34.2 },
      { "package": "webpack", "size_mb": 12.8 }
    ]
  }
}
Token Economics
Without Skill (Agent-driven dependency check):
- Read package file: 1,500 tokens
- Query vulnerability database: 4,000 tokens
- Analyze updates: 3,000 tokens
- Generate recommendations: 2,500 tokens
- Explain process: 2,000 tokens
- Total: 13,000 tokens
With Skill (Code execution):
- Metadata: 50 tokens
- SKILL.md: 400 tokens
- Script execution: 0 tokens (returns result)
- Result parsing: 200 tokens
- Total: 650 tokens
Savings: 95.0% (12,350 tokens saved per scan)
Success Metrics
Performance
- Vulnerability scan: <30 seconds
- Update check: <15 seconds
- License audit: <10 seconds
- Dependency update: <2 minutes (including tests)
Quality
- Vulnerability detection rate: >99%
- False positive rate: <5%
- Update success rate: >95%
- Test pass rate after updates: >90%
Security
- Time to patch critical CVEs: <24 hours
- Percentage of dependencies up-to-date: >80%
- License compliance: 100%
Safety Checks
Pre-Update
- ✅ Backup package lock file
- ✅ Check for breaking changes
- ✅ Verify tests exist
- ✅ Create git branch for updates
- ✅ Check CI status
Post-Update
- ✅ Run full test suite
- ✅ Verify build succeeds
- ✅ Check for new vulnerabilities
- ✅ Generate dependency diff
- ✅ Create PR with details
Rollback Conditions
- Tests fail after update
- Build fails
- New vulnerabilities introduced
- Circular dependency detected
Error Handling
Missing Package Manager
❌ Package manager not detected
Supported: npm, yarn, pnpm, pip, poetry, cargo, go mod
Recommendation: Ensure package manifest exists (package.json, requirements.txt, etc.)
Vulnerability Database Unavailable
⚠️ Cannot connect to vulnerability database
Falling back to local cache (may be outdated)
Recommendation: Check internet connection
Breaking Change Detected
⚠️ Major update detected: webpack 4.46.0 → 5.75.0
Breaking changes: Module federation, Asset modules
Recommendation: Review migration guide before updating
Advanced Features
Automatic PR Creation
{
  "auto_pr": {
    "enabled": true,
    "branch_prefix": "deps/",
    "labels": ["dependencies", "security"],
    "assign_to": ["@security-team"],
    "require_reviews": 1
  }
}
Grouped Updates
{
  "grouping": {
    "patch_updates": "single-pr",
    "minor_updates": "separate-prs",
    "major_updates": "separate-prs"
  }
}
Custom Vulnerability Sources
{
  "vulnerability_sources": [
    "npm-audit",
    "snyk",
    "github-advisory",
    "ossindex"
  ]
}
Limitations
- Requires internet connection for vulnerability database
- Cannot automatically fix all breaking changes
- Manual review recommended for major updates
- License detection accuracy depends on package metadata
References
See references/ for:
- vulnerability-databases.md: CVE and security advisory sources
- breaking-changes-guide.md: How to handle major updates
- license-compatibility.md: OSS license compatibility matrix
- troubleshooting.md: Common issues and solutions
Dependency Guardian Skill v1.0.0 - Keep your dependencies secure and up-to-date