dependency-guardian
@nikhillinit/dependency-guardian
Automated dependency management with security scanning, update orchestration, and compatibility validation
Installation
$npx agent-skills-cli install @nikhillinit/dependency-guardian
Claude Code
Cursor
Copilot
Codex
Antigravity
Details
Repositorynikhillinit/Updog_restore
Path.claude/skills/workflow-engine/dependency-guardian/SKILL.md
Branchmain
Scoped Name@nikhillinit/dependency-guardian
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
npx agent-skills-cli listSkill Instructions
name: dependency-guardian description: Automated dependency management with security scanning, update orchestration, and compatibility validation version: 1.0.0 author: Claude Memory System tags: [ dependencies, security, vulnerabilities, updates, automation, npm, pip, cargo, ] last_updated: 2026-04-03
Dependency Guardian Skill
Purpose
Automatically manage project dependencies with security scanning, intelligent updates, breaking change detection, and license compliance validation.
When to Use
- Weekly dependency health checks
- Security vulnerability scanning
- Before major releases
- After security advisories
- Automated dependency updates
- License compliance audits
Supported Package Managers
JavaScript/TypeScript
- npm: Node.js packages
- yarn: Alternative Node.js package manager
- pnpm: Fast, disk-efficient package manager
Python
- pip: Python package installer
- poetry: Modern dependency management
- pipenv: Virtual environments + dependencies
Rust
- cargo: Rust package manager
Go
- go mod: Go modules
Ruby
- bundler: Ruby gem dependencies
Java/JVM
- maven: Apache Maven
- gradle: Gradle build tool
Operations
1. Scan Vulnerabilities
- Check dependencies against CVE databases
- Identify critical, high, medium, low severity
- Report vulnerable transitive dependencies
- Generate remediation recommendations
2. Check for Updates
- Find outdated dependencies
- Classify updates (major, minor, patch)
- Detect breaking changes
- Calculate update priority
3. Update Dependencies
- Apply safe updates automatically
- Create separate PRs for major vs minor
- Run tests after updates
- Rollback on failure
4. License Compliance
- Detect dependency licenses
- Flag incompatible licenses
- Generate license report
- Check OSS license compatibility
5. Dependency Audit
- Generate dependency tree
- Identify duplicate dependencies
- Detect circular dependencies
- Calculate total dependency count
Scripts
main.py
# Scan for vulnerabilities
python scripts/main.py scan --project-dir=.
# Check for updates
python scripts/main.py check-updates --project-dir=.
# Update dependencies (safe updates only)
python scripts/main.py update --type=patch --auto-merge
# Generate audit report
python scripts/main.py audit --output=audit-report.json
# Check license compliance
python scripts/main.py licenses --allow=MIT,Apache-2.0,BSD-3-Clause
Subcommands
scan: Vulnerability scanning
python scripts/main.py scan --severity=high,critical
# Output: List of vulnerabilities with remediation
check-updates: Find outdated dependencies
python scripts/main.py check-updates --include-dev
# Output: Available updates grouped by type
update: Apply updates
python scripts/main.py update --type=patch --dry-run
# Output: Preview of updates (no changes)
audit: Generate dependency report
python scripts/main.py audit --format=markdown
# Output: Complete dependency analysis
licenses: License compliance check
python scripts/main.py licenses --check-compatibility
# Output: License compatibility report
Configuration
Project Configuration
Create .dependency-guardian.json:
{
"updateSchedule": "weekly",
"autoMerge": {
"patch": true,
"minor": false,
"major": false
},
"allowedLicenses": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
"ignoredPackages": ["legacy-package-name"],
"severityThreshold": "high"
}
Memory Integration
Stores vulnerability history and preferences:
{
"topic": "dependency-guardian-config",
"scope": "repository",
"value": {
"last_scan": "2025-10-20T10:00:00Z",
"vulnerabilities_found": 3,
"vulnerabilities_fixed": 2,
"update_preferences": {
"auto_patch": true,
"test_before_merge": true,
"create_pr": true
},
"license_policy": {
"allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
"blocked": ["GPL-3.0", "AGPL-3.0"]
}
}
}
Integration Points
With Security Scanner Skill
- Share vulnerability database
- Coordinate security scanning
- Cross-reference CVE findings
With Test-First Change Skill
- Run tests after updates
- Validate no regressions
- Block merge on test failure
With PR Author/Reviewer Skill
- Create update PRs automatically
- Include vulnerability details
- Add security review checklist
With Release Orchestrator Skill
- Block releases with critical CVEs
- Include dependency updates in changelog
- Verify dependencies before deployment
Examples
Example 1: Scan for Vulnerabilities
Project: Node.js app with outdated dependencies
Command:
python scripts/main.py scan --project-dir=/path/to/project
Output:
{
"success": true,
"project_type": "npm",
"vulnerabilities": [
{
"package": "lodash",
"version": "4.17.15",
"severity": "high",
"cve": "CVE-2020-8203",
"title": "Prototype Pollution",
"fixed_in": "4.17.19",
"recommendation": "Update to lodash@4.17.19 or higher"
},
{
"package": "axios",
"version": "0.19.0",
"severity": "medium",
"cve": "CVE-2020-28168",
"title": "SSRF vulnerability",
"fixed_in": "0.21.1",
"recommendation": "Update to axios@0.21.1 or higher"
}
],
"summary": {
"critical": 0,
"high": 1,
"medium": 1,
"low": 0,
"total": 2
}
}
Example 2: Check for Updates
Command:
python scripts/main.py check-updates --project-dir=.
Output:
{
"success": true,
"project_type": "npm",
"updates": {
"patch": [
{
"package": "express",
"current": "4.17.1",
"latest": "4.17.3",
"type": "patch"
}
],
"minor": [
{
"package": "react",
"current": "17.0.2",
"latest": "17.2.0",
"type": "minor"
}
],
"major": [
{
"package": "webpack",
"current": "4.46.0",
"latest": "5.75.0",
"type": "major",
"breaking_changes": true
}
]
},
"summary": {
"total": 15,
"patch": 8,
"minor": 5,
"major": 2
}
}
Example 3: Update Dependencies (Patch Only)
Command:
python scripts/main.py update --type=patch --dry-run=false
Output:
{
"success": true,
"updates_applied": 8,
"packages": [
{ "name": "express", "from": "4.17.1", "to": "4.17.3" },
{ "name": "lodash", "from": "4.17.15", "to": "4.17.21" },
{ "name": "moment", "from": "2.29.1", "to": "2.29.4" }
],
"tests_run": true,
"tests_passed": true,
"pr_created": true,
"pr_url": "https://github.com/user/repo/pull/123"
}
Example 4: License Audit
Command:
python scripts/main.py licenses --check-compatibility
Output:
{
"success": true,
"total_packages": 247,
"licenses": {
"MIT": 189,
"Apache-2.0": 31,
"BSD-3-Clause": 18,
"ISC": 7,
"UNLICENSED": 2
},
"issues": [
{
"package": "some-gpl-package",
"license": "GPL-3.0",
"severity": "high",
"reason": "GPL-3.0 not in allowed list",
"recommendation": "Find alternative or add license exception"
}
]
}
Example 5: Dependency Audit
Command:
python scripts/main.py audit --format=json
Output:
{
"success": true,
"project_type": "npm",
"dependencies": {
"production": 87,
"development": 160,
"total": 247
},
"depth": {
"direct": 42,
"transitive": 205,
"max_depth": 7
},
"duplicates": [
{
"package": "semver",
"versions": ["5.7.1", "6.3.0", "7.3.5"],
"count": 3
}
],
"size": {
"total_mb": 156.3,
"largest": [
{ "package": "typescript", "size_mb": 34.2 },
{ "package": "webpack", "size_mb": 12.8 }
]
}
}
Token Economics
Without Skill (Agent-driven dependency check):
- Read package file: 1,500 tokens
- Query vulnerability database: 4,000 tokens
- Analyze updates: 3,000 tokens
- Generate recommendations: 2,500 tokens
- Explain process: 2,000 tokens
- Total: 13,000 tokens
With Skill (Code execution):
- Metadata: 50 tokens
- SKILL.md: 400 tokens
- Script execution: 0 tokens (returns result)
- Result parsing: 200 tokens
- Total: 650 tokens
Savings: 95.0% (12,350 tokens saved per scan)
Success Metrics
Performance
- Vulnerability scan: <30 seconds
- Update check: <15 seconds
- License audit: <10 seconds
- Dependency update: <2 minutes (including tests)
Quality
- Vulnerability detection rate: >99%
- False positive rate: <5%
- Update success rate: >95%
- Test pass rate after updates: >90%
Security
- Time to patch critical CVEs: <24 hours
- Percentage of dependencies up-to-date: >80%
- License compliance: 100%
Safety Checks
Pre-Update
- ✅ Backup package lock file
- ✅ Check for breaking changes
- ✅ Verify tests exist
- ✅ Create git branch for updates
- ✅ Check CI status
Post-Update
- ✅ Run full test suite
- ✅ Verify build succeeds
- ✅ Check for new vulnerabilities
- ✅ Generate dependency diff
- ✅ Create PR with details
Rollback Conditions
- Tests fail after update
- Build fails
- New vulnerabilities introduced
- Circular dependency detected
Error Handling
Missing Package Manager
❌ Package manager not detected
Supported: npm, yarn, pnpm, pip, poetry, cargo, go mod
Recommendation: Ensure package manifest exists (package.json, requirements.txt, etc.)
Vulnerability Database Unavailable
⚠️ Cannot connect to vulnerability database
Falling back to local cache (may be outdated)
Recommendation: Check internet connection
Breaking Change Detected
⚠️ Major update detected: webpack 4.46.0 → 5.75.0
Breaking changes: Module federation, Asset modules
Recommendation: Review migration guide before updating
Advanced Features
Automatic PR Creation
{
"auto_pr": {
"enabled": true,
"branch_prefix": "deps/",
"labels": ["dependencies", "security"],
"assign_to": ["@security-team"],
"require_reviews": 1
}
}
Grouped Updates
{
"grouping": {
"patch_updates": "single-pr",
"minor_updates": "separate-prs",
"major_updates": "separate-prs"
}
}
Custom Vulnerability Sources
{
"vulnerability_sources": ["npm-audit", "snyk", "github-advisory", "ossindex"]
}
Limitations
- Requires internet connection for vulnerability database
- Cannot automatically fix all breaking changes
- Manual review recommended for major updates
- License detection accuracy depends on package metadata
References
See references/ for:
vulnerability-databases.md- CVE and security advisory sourcesbreaking-changes-guide.md- How to handle major updateslicense-compatibility.md- OSS license compatibility matrixtroubleshooting.md- Common issues and solutions
Dependency Guardian Skill v1.0.0 - Keep your dependencies secure and up-to-date
More by nikhillinit
View alldeal-sourcing-agent
0Run the Discovery Engine pipeline to find new consumer companies. Use when the user asks to "find deals", "source companies", "run the pipeline", "discover startups", or "search for prospects" in CPG, health tech, travel, or marketplaces.
phoenix-reserves-optimizer
0Reserve allocation and follow-on optimization for the Phoenix fund model. Use when working on deterministic reserve engine logic and optimal reserves ranking.
phoenix-waterfall-ledger-semantics
0Waterfall ledger semantics and clawback behavior for the Phoenix VC fund model. Use when working on tier or ledger waterfall code, clawback behavior, or waterfall truth cases.
collector-framework
0Universal workflow for building and running signal collectors in the Discovery Engine. Use when creating a new collector, running an existing collector, debugging collector failures, or understanding the collector architecture. Covers the 5-step workflow (Initialize, Fetch, Enrich, Convert, Persist) that all collectors follow.