Dependencies are both a productivity tool and a security surface. Claude Code can help audit, update, and manage them systematically — when you give it the right instructions.
CLAUDE.md for Dependency Management
```markdown
## Dependency Rules

### Adding Dependencies
- Before adding: check npm/PyPI page, GitHub stars, last commit date
- Prefer established packages (>1M weekly downloads, active maintenance)
- Never install packages without checking them against these criteria
- postinstall scripts in packages are suspicious — check before allowing

### Version Management
- Pin exact versions in package.json (use =1.2.3, not ^1.2.3 or ~1.2.3)
- Lock file (package-lock.json / pnpm-lock.yaml) must be committed
- Never manually edit lock files

### Security
- Run `npm audit` after any dependency change
- Fail CI if high/critical vulnerabilities exist
- CVE threshold: block on High or Critical severity

### Allowed Package Additions (pre-approved)
- Utility: lodash, date-fns, zod, uuid
- DB: prisma, pg, redis
- Testing: vitest, jest, supertest, playwright
- All others: require justification comment in package.json

### Prohibited
- Packages with < 10,000 weekly downloads (unless specific need documented)
- Packages last updated > 2 years ago
- Packages with open critical CVEs
```
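Rules in CLAUDE.md only bind the assistant; the same rules are cheap to enforce mechanically. The script below is an added example, not part of the original post or the Security Pack: it applies the "pin exact versions" and "pre-approved or justified" rules to a package.json. Since package.json cannot carry comments, it assumes a custom `dependencyJustifications` object for the justification text; the sample package.json is constructed.

```python
# Added example, not from the original post: a policy check that applies the
# CLAUDE.md rules above to a package.json. The "dependencyJustifications"
# field is an assumption (package.json cannot hold comments), as is the sample.
import json
import re

# Pre-approved packages, copied from the "Allowed Package Additions" list above.
PRE_APPROVED = {
    "lodash", "date-fns", "zod", "uuid",
    "prisma", "pg", "redis",
    "vitest", "jest", "supertest", "playwright",
}

# Exact pin: "1.2.3" or "=1.2.3" (optionally with a prerelease/build suffix).
# Anything else (^, ~, >=, *, x-ranges, dist-tags, git or URL specs) floats.
EXACT_RE = re.compile(r"^=?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def check_package_json(text: str) -> list:
    """Return (package, rule, spec) tuples for every rule violation found."""
    pkg = json.loads(text)
    # Assumed convention: non-approved packages carry a justification string
    # in a custom top-level object keyed by package name.
    justified = pkg.get("dependencyJustifications", {})
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_RE.match(spec):
                findings.append((name, "floating-version", spec))
            if name not in PRE_APPROVED and name not in justified:
                findings.append((name, "missing-justification", spec))
    return findings


# Constructed sample input for demonstration.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "lodash": "4.17.21",
    "express": "^4.18.2",
    "left-pad": "=1.3.0"
  },
  "devDependencies": {
    "vitest": "~1.0.0"
  },
  "dependencyJustifications": {
    "left-pad": "legacy string padding, replace in Q3"
  }
}"""

if __name__ == "__main__":
    for name, rule, spec in check_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{rule:22} {name}@{spec}")
```

Run it as a pre-commit step or from a hook and fail on any finding; the regex deliberately rejects dist-tags such as `latest` and git/URL specs, because neither is reproducible from the lock file alone.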
Vulnerability Audit Workflow
```text
Analyze the output of `npm audit` and create an action plan.

npm audit output:
[paste the npm audit output]

For each vulnerability:
1. Severity level
2. Affected package and version
3. Fix recommendation (update/pin/replace)
4. Breaking change risk of the fix
5. Priority order for remediation
```
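The five points above can also be derived deterministically from `npm audit --json` before asking for a narrative. The script below is an added example, not from the original post: it reads the npm 7+ report shape (`auditReportVersion: 2`, where each entry in `vulnerabilities` carries `severity`, `range`, `isDirect` and `fixAvailable`) and emits the plan in priority order. The report is constructed; `some-cli` is a placeholder name.

```python
# Added example, not from the original post: builds the five-point action plan
# from `npm audit --json` output (the auditReportVersion 2 format of npm 7+).
# The report below is constructed for illustration; "some-cli" is a placeholder.
import json
import sys

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def plan_from_audit(report: dict) -> list:
    """Return one remediation item per vulnerable package, most urgent first."""
    items = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        if fix is False:
            # No published fix: pinning is not enough, the package needs replacing.
            action, risk = "replace", "n/a (no fix available)"
        elif fix is True:
            # Fix lands inside the current semver range: `npm audit fix` suffices.
            action, risk = "update", "low (within current semver range)"
        else:
            # Object form {"name", "version", "isSemVerMajor"} names the
            # top-level package that must change, possibly across a major.
            major = bool(fix.get("isSemVerMajor", False))
            action = f"update {fix.get('name', name)} to {fix.get('version', '?')}"
            risk = "high (semver-major bump)" if major else "moderate (minor/patch bump)"
        items.append({
            "package": name,
            "severity": vuln.get("severity", "info"),
            "range": vuln.get("range", "?"),
            "direct": bool(vuln.get("isDirect", False)),
            "action": action,
            "breaking_risk": risk,
        })
    # Priority: severity first; among equals, direct dependencies first because
    # their version is under your control.
    items.sort(key=lambda i: (SEVERITY_RANK.get(i["severity"], 9), not i["direct"]))
    return items


# Constructed report in the npm 7+ JSON shape, trimmed to the fields used.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True,
                   "range": "<4.17.21", "fixAvailable": True},
        "semver": {"name": "semver", "severity": "moderate", "isDirect": False,
                   "range": "<7.5.2",
                   "fixAvailable": {"name": "some-cli", "version": "2.0.0",
                                    "isSemVerMajor": True}},
        "vm2": {"name": "vm2", "severity": "critical", "isDirect": True,
                "range": "<=3.9.19", "fixAvailable": False},
    },
}

if __name__ == "__main__":
    # Usage: npm audit --json > audit.json && python plan.py audit.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for n, item in enumerate(plan_from_audit(report), 1):
        print(f"{n}. [{item['severity']}] {item['package']} {item['range']}: "
              f"{item['action']} (breaking risk: {item['breaking_risk']})")
```

Note that `npm audit` exits non-zero for errors as well as for findings (for example when package.json and the lock file are out of sync), so inspect the JSON rather than relying on the exit code alone when automating this.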
Dependency Update Plan
```text
I need to update dependencies in this project. Analyze package.json
and create an update plan with risk levels:

package.json: [paste it]

For each outdated dependency:
1. Current vs latest version
2. Breaking changes risk (patch/minor/major)
3. Recommended action
4. Which packages to update first (low risk first)
```
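The patch/minor/major classification and the low-risk-first ordering are mechanical, so they are worth computing rather than estimating. The script below is an added example, not from the original post: it takes the current and latest version maps (what `npm outdated --json` reports, reduced to two dictionaries), classifies each bump and orders the plan. It also handles the 0.x edge case, where semver treats a minor bump as potentially breaking. The version data is constructed and `some-lib` is a placeholder.

```python
# Added example, not from the original post: classifies each outdated
# dependency by the kind of semver bump and orders the plan low-risk first.
# Versions in the sample are constructed ("some-lib" is a placeholder).
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_semver(spec: str) -> tuple:
    """Strip any range prefix (^, ~, =, >=) and return (major, minor, patch)."""
    m = VERSION_RE.search(spec)
    if not m:
        raise ValueError(f"cannot parse version from {spec!r}")
    return tuple(int(x) for x in m.groups())


def bump_kind(current: str, latest: str) -> str:
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        # Semver: before 1.0.0 a minor bump may break the public API.
        return "major" if cur[0] == 0 else "minor"
    return "patch"


RISK = {"patch": 1, "minor": 2, "major": 3}
ACTION = {
    "patch": "update now",
    "minor": "update, then run the test suite",
    "major": "read the changelog, update in its own PR",
}


def update_plan(installed: dict, latest: dict) -> list:
    """installed and latest map package name -> version string."""
    rows = []
    for name, cur in installed.items():
        new = latest.get(name, cur)
        kind = bump_kind(cur, new)
        if kind == "none":
            continue
        rows.append({"package": name, "current": cur, "latest": new,
                     "bump": kind, "action": ACTION[kind]})
    # Low-risk updates first; alphabetical within the same risk level.
    rows.sort(key=lambda r: (RISK[r["bump"]], r["package"]))
    return rows


# Constructed sample: `npm outdated --json` reduced to current/latest maps.
INSTALLED = {"express": "4.18.2", "typescript": "5.2.2", "lodash": "4.17.19",
             "prisma": "4.16.2", "some-lib": "0.3.1", "zod": "3.22.4"}
LATEST = {"express": "4.19.2", "typescript": "5.4.5", "lodash": "4.17.21",
          "prisma": "5.10.2", "some-lib": "0.4.0", "zod": "3.22.4"}

if __name__ == "__main__":
    for r in update_plan(INSTALLED, LATEST):
        print(f"{r['bump']:5} {r['package']}: {r['current']} -> {r['latest']}  ({r['action']})")
```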
Automated Vulnerability Check in CI
```yaml
# .github/workflows/security.yml
name: Security Audit
on:
  push:
    paths:
      - 'package*.json'
      - 'pnpm-lock.yaml'
  schedule:
    - cron: '0 9 * * 1' # Weekly Monday 9am
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: npm audit (fail on high/critical)
        run: npm audit --audit-level=high
      - name: Check for outdated packages
        run: |
          npx npm-check-updates --target minor --format group
          echo "Review above for updates"
```
Dependency Hook: Warn on New Packages
```python
# .claude/hooks/check_new_deps.py
import json
import pathlib
import subprocess
import sys

# Hook input arrives as JSON on stdin; only writes to package.json matter here.
try:
    data = json.load(sys.stdin)
except json.JSONDecodeError:
    sys.exit(0)
fp = data.get("tool_input", {}).get("file_path", "")
if not fp or "package.json" not in fp:
    sys.exit(0)

# Re-run the audit after the change. npm audit reads package-lock.json, so only
# run it when a lock file exists. A non-zero exit means findings at or above
# the threshold (or an npm error, e.g. lock file out of sync with package.json).
lock = pathlib.Path("package-lock.json")
if lock.exists():
    result = subprocess.run(
        ["npm", "audit", "--audit-level=moderate", "--json"],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        print("[DEPS] New security vulnerabilities detected after package.json change", file=sys.stderr)
        print("[DEPS] Run: npm audit fix", file=sys.stderr)
# Always exit 0: this hook warns, it does not block the edit.
sys.exit(0)
```
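The hook above re-runs the audit, but it does not yet tell you which package was newly introduced, which is the signal you want before a fresh package's install scripts ever run. The script below is an added example, not part of the original post: it compares the dependencies declared in package.json with the root entry of package-lock.json (`packages[""]` in lockfileVersion 2 and 3, the flat `dependencies` map in lockfileVersion 1) and names anything the lock file has not seen yet. It assumes the same hook input shape as the hook above (`tool_input.file_path` and `tool_input.content`); the sample data is constructed.

```python
# Added example, not from the original post: a hook body that compares
# package.json against package-lock.json to name dependencies that were just
# added. Assumes the hook input shape shown above (tool_input.file_path /
# tool_input.content); sample data is constructed.
import json
import pathlib
import sys


def declared_deps(package_json: dict) -> set:
    return (set(package_json.get("dependencies", {}))
            | set(package_json.get("devDependencies", {})))


def new_packages(package_json: dict, lock: dict) -> set:
    """Names declared in package.json that the lock file does not know yet."""
    if "packages" in lock:
        # lockfileVersion 2/3: the "" entry mirrors the root package.json.
        root = lock["packages"].get("", {})
        known = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    else:
        # lockfileVersion 1: flat "dependencies" map of installed packages.
        known = set(lock.get("dependencies", {}))
    return declared_deps(package_json) - known


def main() -> int:
    try:
        data = json.load(sys.stdin)
    except json.JSONDecodeError:
        return 0
    tool_input = data.get("tool_input", {})
    fp = tool_input.get("file_path", "")
    if not fp or not fp.endswith("package.json"):
        return 0
    lock_path = pathlib.Path(fp).with_name("package-lock.json")
    if not lock_path.exists():
        return 0
    # Prefer the content the tool is writing; fall back to the file on disk.
    content = tool_input.get("content") or pathlib.Path(fp).read_text()
    try:
        added = new_packages(json.loads(content), json.loads(lock_path.read_text()))
    except json.JSONDecodeError:
        return 0
    for name in sorted(added):
        print(f"[DEPS] New package not yet in lock file: {name} "
              "(check downloads, last commit and install scripts before trusting it)",
              file=sys.stderr)
    return 0  # warn only; never block the edit


# Constructed sample data for a stand-alone run (python check_new_deps.py --demo).
SAMPLE_PACKAGE_JSON = {"dependencies": {"lodash": "4.17.21", "express": "4.19.2", "axios": "1.6.8"},
                       "devDependencies": {"vitest": "1.0.0"}}
SAMPLE_LOCK = {"lockfileVersion": 3,
               "packages": {"": {"dependencies": {"lodash": "4.17.21", "express": "4.19.2"},
                                 "devDependencies": {"vitest": "1.0.0"}}}}

if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(sorted(new_packages(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)))
    else:
        sys.exit(main())
```

Pairing this with the audit hook gives two different signals: the audit catches known CVEs in what is already installed, while the lock-file diff surfaces a package before `npm install` has run anything on its behalf.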
Identifying Unused Dependencies
```text
Analyze this project's dependencies and identify which ones might be unused.

package.json:
[paste package.json]

Steps:
1. List each dependency
2. Check if it appears in import statements in src/
3. Mark as 'used', 'potentially unused', or 'dev only in production'

I'll use depcheck to verify, but give me your analysis first.
```
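A first-pass version of step 2 is a regex scan over import statements, which is roughly what depcheck does before its heuristics. The script below is an added example, not from the original post: it maps import specifiers to npm package names (handling scoped packages and subpath imports, and ignoring relative and `node:` imports), separates runtime files from test files, and applies the three labels from the prompt, where "dev only in production" means a runtime dependency that only test code imports. Sources are passed in as a path-to-text map; the sample project is constructed, and a real run would walk `src/`.

```python
# Added example, not from the original post: a first-pass import scan of the
# kind the prompt asks for, before confirming with depcheck. Sources are passed
# in as a path -> text map (constructed below); a real run would walk src/.
import re

# Matches: import x from 'p'; import 'p'; import('p'); require('p')
IMPORT_RE = re.compile(
    r"""(?:\bfrom\s+|\bimport\s+|\bimport\s*\(\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]"""
)


def package_name(specifier: str):
    """npm package name for an import specifier, or None for local/builtin paths."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    # Scoped packages keep two segments: "@scope/name/sub" -> "@scope/name".
    return "/".join(parts[:2]) if specifier.startswith("@") else parts[0]


def is_test_file(path: str) -> bool:
    return ".test." in path or ".spec." in path or "/__tests__/" in path or "/test/" in path


def classify_dependencies(pkg: dict, sources: dict) -> dict:
    """Label each declared dependency 'used', 'potentially unused', or
    'dev only in production' (a runtime dependency imported only by tests)."""
    runtime_used, test_used = set(), set()
    for path, text in sources.items():
        names = {package_name(s) for s in IMPORT_RE.findall(text)} - {None}
        (test_used if is_test_file(path) else runtime_used).update(names)
    result = {}
    for name in pkg.get("dependencies", {}):
        if name in runtime_used:
            result[name] = "used"
        elif name in test_used:
            result[name] = "dev only in production"
        else:
            result[name] = "potentially unused"
    for name in pkg.get("devDependencies", {}):
        result[name] = "used" if name in runtime_used | test_used else "potentially unused"
    return result


# Constructed sample project.
SAMPLE_PKG = {
    "dependencies": {"express": "4.19.2", "zod": "3.22.4", "lodash": "4.17.21",
                     "moment": "2.30.1", "supertest": "6.3.4", "@prisma/client": "5.10.2"},
    "devDependencies": {"vitest": "1.0.0", "playwright": "1.42.1"},
}
SAMPLE_SOURCES = {
    "src/app.ts": "import express from 'express';\nimport { z } from \"zod\";\n"
                  "const _ = require('lodash');\nimport { PrismaClient } from '@prisma/client/edge';\n",
    "src/app.test.ts": "import request from 'supertest';\nimport { describe } from 'vitest';\n"
                       "import './app';\n",
}

if __name__ == "__main__":
    for name, status in classify_dependencies(SAMPLE_PKG, SAMPLE_SOURCES).items():
        print(f"{status:24} {name}")
```

Treat "potentially unused" as a prompt to investigate, not a verdict: packages loaded through configuration files, CLI bins, or dynamic requires with computed strings will not appear in this scan, which is exactly why the prompt ends with depcheck as the verification step.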
Package Selection Guidance
```text
I need to add email sending to this project. What are the best options?

Requirements:
- TypeScript support
- Works with SendGrid and SMTP
- Well-maintained (>1M weekly downloads preferred)
- Test mode that doesn't actually send emails

Compare top 3 options with pros/cons and weekly download counts.
```
/deps-check Skill
With the /deps-check skill from Security Pack:
```text
/deps-check
```
Output:
```text
DEPENDENCY AUDIT
================
Security: 2 high vulnerabilities
- lodash@4.17.19 → update to 4.17.21 (prototype pollution fix)
- vm2@3.9.17 → REMOVE (unmaintained, critical RCE)

Outdated (minor):
- express: 4.18.2 → 4.19.2
- typescript: 5.2.2 → 5.4.5

Unused (verify):
- moment → consider date-fns (smaller, tree-shakeable)

Recommendation: Update lodash immediately, remove vm2, schedule others for next sprint.
```
Security Pack (¥1,480) includes /deps-check and /secret-scanner for continuous security monitoring.
Myouga (@myougatheaxo) — Security-focused Claude Code engineer.