# Dependency Guardian Skill

## Purpose

Automatically manage project dependencies with security scanning, intelligent updates, breaking change detection, and license compliance validation.

## When to Use

- Weekly dependency health checks
- Security vulnerability scanning
- Before major releases
- After security advisories
- Automated dependency updates
- License compliance audits

## Supported Package Managers

### JavaScript/TypeScript

- npm: Node.js packages
- yarn: Alternative Node.js package manager
- pnpm: Fast, disk-efficient package manager

### Python

- pip: Python package installer
- poetry: Modern dependency management
- pipenv: Virtual environments + dependencies

### Rust

- cargo: Rust package manager

### Go

- go mod: Go modules

### Ruby

- bundler: Ruby gem dependencies

### Java/JVM

- maven: Apache Maven
- gradle: Gradle build tool

## Operations

### 1. Scan Vulnerabilities

- Check dependencies against CVE databases
- Identify critical, high, medium, low severity
- Report vulnerable transitive dependencies
- Generate remediation recommendations

### 2. Check for Updates

- Find outdated dependencies
- Classify updates (major, minor, patch)
- Detect breaking changes
- Calculate update priority

### 3. Update Dependencies

- Apply safe updates automatically
- Create separate PRs for major vs minor
- Run tests after updates
- Rollback on failure

### 4. License Compliance

- Detect dependency licenses
- Flag incompatible licenses
- Generate license report
- Check OSS license compatibility

### 5. Dependency Audit

- Generate dependency tree
- Identify duplicate dependencies
- Detect circular dependencies
- Calculate total dependency count
## Scripts

### main.py

```bash
# Scan for vulnerabilities
python scripts/main.py scan --project-dir=.

# Check for updates
python scripts/main.py check-updates --project-dir=.

# Update dependencies (safe updates only)
python scripts/main.py update --type=patch --auto-merge

# Generate audit report
python scripts/main.py audit --output=audit-report.json

# Check license compliance
python scripts/main.py licenses --allow=MIT,Apache-2.0,BSD-3-Clause
```

### Subcommands

scan: Vulnerability scanning

```bash
python scripts/main.py scan --severity=high,critical
# Output: List of vulnerabilities with remediation
```

check-updates: Find outdated dependencies

```bash
python scripts/main.py check-updates --include-dev
# Output: Available updates grouped by type
```

update: Apply updates

```bash
python scripts/main.py update --type=patch --dry-run
# Output: Preview of updates (no changes)
```

audit: Generate dependency report

```bash
python scripts/main.py audit --format=markdown
# Output: Complete dependency analysis
```

licenses: License compliance check

```bash
python scripts/main.py licenses --check-compatibility
# Output: License compatibility report
```
## Configuration

### Project Configuration

Create `.dependency-guardian.json`:

```json
{
  "updateSchedule": "weekly",
  "autoMerge": {
    "patch": true,
    "minor": false,
    "major": false
  },
  "allowedLicenses": [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "ISC"
  ],
  "ignoredPackages": [
    "legacy-package-name"
  ],
  "severityThreshold": "high"
}
```
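The "Check for Updates" operation (classify updates as major, minor or patch and calculate update priority) combined with the `autoMerge` and `ignoredPackages` settings above, as an added example. This is illustration code, not the skill's own `scripts/main.py`: the function names, the priority ranking and the sample package list are constructed for this example, and the rule that treats a minor bump of a 0.y.z package as a potentially breaking (major) update is this example's design choice rather than something the skill documents.

```python
# Added example, not the skill's own scripts/main.py: classify available
# updates as patch/minor/major from their semver versions, rank them, and apply
# the autoMerge and ignoredPackages settings of .dependency-guardian.json.
# Function names and the sample package data are constructed for illustration.
import json
import re
from typing import Dict, List, Optional, Tuple

# Config in the same shape as the .dependency-guardian.json shown above.
CONFIG_JSON = """
{
  "autoMerge": {"patch": true, "minor": false, "major": false},
  "ignoredPackages": ["legacy-package-name"],
  "severityThreshold": "high"
}
"""

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")

# Lower number = handled first. Updates that fix a vulnerability get rank 0.
TYPE_RANK = {"patch": 1, "minor": 2, "major": 3}


def load_config(text: str) -> Dict:
    """Parse the JSON config text (a file would be read the same way)."""
    return json.loads(text)


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); reject anything that is not strict semver."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def classify_update(current: str, latest: str) -> Optional[str]:
    """Return 'major', 'minor' or 'patch', or None if latest is not newer.

    For 0.y.z packages semver gives no stability promise, so a change in the
    minor number is treated as a potentially breaking (major) update here.
    """
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def plan_updates(outdated: List[Dict], config: Dict) -> List[Dict]:
    """Classify each outdated package and decide whether it may auto-merge."""
    ignored = set(config.get("ignoredPackages", []))
    auto_merge = config.get("autoMerge", {})
    plan = []
    for dep in outdated:
        if dep["package"] in ignored:
            continue
        kind = classify_update(dep["current"], dep["latest"])
        if kind is None:
            continue
        fixes_vuln = bool(dep.get("fixes_vulnerability", False))
        plan.append({
            "package": dep["package"],
            "current": dep["current"],
            "latest": dep["latest"],
            "type": kind,
            "priority": 0 if fixes_vuln else TYPE_RANK[kind],
            # The policy is keyed by update type; anything unknown stays manual.
            "auto_merge": bool(auto_merge.get(kind, False)),
        })
    plan.sort(key=lambda u: (u["priority"], u["package"]))
    return plan


# Constructed sample of what check-updates might report for an npm project.
SAMPLE_OUTDATED = [
    {"package": "express", "current": "4.17.1", "latest": "4.17.3"},
    {"package": "react", "current": "17.0.2", "latest": "17.2.0"},
    {"package": "webpack", "current": "4.46.0", "latest": "5.75.0"},
    {"package": "lodash", "current": "4.17.15", "latest": "4.17.21", "fixes_vulnerability": True},
    {"package": "axios", "current": "0.19.0", "latest": "0.21.1", "fixes_vulnerability": True},
    {"package": "legacy-package-name", "current": "1.0.0", "latest": "2.0.0"},
    {"package": "up-to-date-lib", "current": "3.1.4", "latest": "3.1.4"},
]

if __name__ == "__main__":
    for u in plan_updates(SAMPLE_OUTDATED, load_config(CONFIG_JSON)):
        print(f'{u["package"]:<10} {u["current"]:>8} -> {u["latest"]:<8} '
              f'{u["type"]:<6} auto_merge={u["auto_merge"]}')
```

Note the two security fixes in the sample: `lodash` is a patch and auto-merges under this policy, while `axios` 0.19.0 to 0.21.1 lands first in the queue but stays manual because the 0.y minor bump is classified as breaking; the ignored package and the already-current one never reach the plan.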
## Memory Integration

Stores vulnerability history and preferences:

```json
{
  "topic": "dependency-guardian-config",
  "scope": "repository",
  "value": {
    "last_scan": "2025-10-20T10:00:00Z",
    "vulnerabilities_found": 3,
    "vulnerabilities_fixed": 2,
    "update_preferences": {
      "auto_patch": true,
      "test_before_merge": true,
      "create_pr": true
    },
    "license_policy": {
      "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
      "blocked": ["GPL-3.0", "AGPL-3.0"]
    }
  }
}
```

## Integration Points

### With Security Scanner Skill

- Share vulnerability database
- Coordinate security scanning
- Cross-reference CVE findings

### With Test-First Change Skill

- Run tests after updates
- Validate no regressions
- Block merge on test failure

### With PR Author/Reviewer Skill

- Create update PRs automatically
- Include vulnerability details
- Add security review checklist

### With Release Orchestrator Skill

- Block releases with critical CVEs
- Include dependency updates in changelog
- Verify dependencies before deployment
## Examples

### Example 1: Scan for Vulnerabilities

Project: Node.js app with outdated dependencies

Command:

```bash
python scripts/main.py scan --project-dir=/path/to/project
```

Output:

```json
{
  "success": true,
  "project_type": "npm",
  "vulnerabilities": [
    {
      "package": "lodash",
      "version": "4.17.15",
      "severity": "high",
      "cve": "CVE-2020-8203",
      "title": "Prototype Pollution",
      "fixed_in": "4.17.19",
      "recommendation": "Update to lodash@4.17.19 or higher"
    },
    {
      "package": "axios",
      "version": "0.19.0",
      "severity": "medium",
      "cve": "CVE-2020-28168",
      "title": "SSRF vulnerability",
      "fixed_in": "0.21.1",
      "recommendation": "Update to axios@0.21.1 or higher"
    }
  ],
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 1,
    "low": 0,
    "total": 2
  }
}
```

### Example 2: Check for Updates

Command:

```bash
python scripts/main.py check-updates --project-dir=.
```

Output:

```json
{
  "success": true,
  "project_type": "npm",
  "updates": {
    "patch": [
      {
        "package": "express",
        "current": "4.17.1",
        "latest": "4.17.3",
        "type": "patch"
      }
    ],
    "minor": [
      {
        "package": "react",
        "current": "17.0.2",
        "latest": "17.2.0",
        "type": "minor"
      }
    ],
    "major": [
      {
        "package": "webpack",
        "current": "4.46.0",
        "latest": "5.75.0",
        "type": "major",
        "breaking_changes": true
      }
    ]
  },
  "summary": {
    "total": 15,
    "patch": 8,
    "minor": 5,
    "major": 2
  }
}
```

### Example 3: Update Dependencies (Patch Only)

Command:

```bash
python scripts/main.py update --type=patch --dry-run=false
```

Output:

```json
{
  "success": true,
  "updates_applied": 8,
  "packages": [
    {"name": "express", "from": "4.17.1", "to": "4.17.3"},
    {"name": "lodash", "from": "4.17.15", "to": "4.17.21"},
    {"name": "moment", "from": "2.29.1", "to": "2.29.4"}
  ],
  "tests_run": true,
  "tests_passed": true,
  "pr_created": true,
  "pr_url": "https://github.com/user/repo/pull/123"
}
```
### Example 4: License Audit

Command:

```bash
python scripts/main.py licenses --check-compatibility
```

Output:

```json
{
  "success": true,
  "total_packages": 247,
  "licenses": {
    "MIT": 189,
    "Apache-2.0": 31,
    "BSD-3-Clause": 18,
    "ISC": 7,
    "UNLICENSED": 2
  },
  "issues": [
    {
      "package": "some-gpl-package",
      "license": "GPL-3.0",
      "severity": "high",
      "reason": "GPL-3.0 not in allowed list",
      "recommendation": "Find alternative or add license exception"
    }
  ]
}
```
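The license compliance check behind operation 4 and this example output, as an added example rather than the skill's own code. It evaluates each package's SPDX license expression against the `allowed` and `blocked` lists of the license policy: a dual license such as `(MIT OR GPL-3.0)` passes because the consumer may choose the MIT branch, whereas `MIT AND GPL-3.0` fails because every conjunct must be acceptable. The evaluator, the function names and the package list are constructed for this example; it also flags malformed expressions and `UNLICENSED` packages, which the skill's sample output above only counts.

```python
# Added example, not part of the skill's scripts/main.py: evaluate each
# dependency's SPDX license expression against the allowed/blocked policy and
# report findings in the shape of the licenses output above. The package list
# is constructed sample data and the function names are assumptions.
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

_TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")
_KEYWORDS = ("(", ")", "AND", "OR", "WITH")


class _SpdxEvaluator:
    """Tiny recursive-descent evaluator for SPDX expressions:
    expr = term (OR term)*, term = factor (AND factor)*,
    factor = '(' expr ')' | id [WITH exception].
    OR is satisfied when any branch is allowed; AND needs every branch."""

    def __init__(self, expr: str, allowed: Set[str]):
        self.toks = _TOKEN_RE.findall(expr)
        self.pos = 0
        self.allowed = allowed

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def evaluate(self) -> bool:
        if not self.toks:
            raise ValueError("empty license expression")
        ok = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return ok

    def _expr(self) -> bool:
        ok = self._term()
        while self._peek() == "OR":
            self._take()
            ok = self._term() or ok      # evaluate first so syntax is still checked
        return ok

    def _term(self) -> bool:
        ok = self._factor()
        while self._peek() == "AND":
            self._take()
            ok = self._factor() and ok
        return ok

    def _factor(self) -> bool:
        tok = self._take()
        if tok == "(":
            ok = self._expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return ok
        if tok is None or tok in _KEYWORDS:
            raise ValueError(f"expected license id, got {tok!r}")
        if self._peek() == "WITH":       # e.g. GPL-2.0-only WITH Classpath-exception-2.0
            self._take()
            exc = self._take()
            if exc is None or exc in _KEYWORDS:
                raise ValueError("WITH without an exception id")
            tok = f"{tok} WITH {exc}"    # the pair must be allowed as a unit
        return tok in self.allowed


def license_allowed(expr: str, allowed: Iterable[str]) -> bool:
    """True when the expression can be satisfied using only allowed licenses."""
    return _SpdxEvaluator(expr, set(allowed)).evaluate()


def check_licenses(packages: Dict[str, str], allowed: Iterable[str],
                   blocked: Iterable[str] = ()) -> Dict:
    """Produce a report shaped like the skill's licenses output."""
    allowed_set, blocked_set = set(allowed), set(blocked)
    counts: Counter = Counter()
    issues: List[Dict] = []
    for name, expr in sorted(packages.items()):
        counts[expr] += 1
        try:
            if license_allowed(expr, allowed_set):
                continue
        except ValueError as err:
            issues.append({"package": name, "license": expr, "severity": "medium",
                           "reason": f"Unparseable license expression: {err}",
                           "recommendation": "Verify the license manually"})
            continue
        ids = [t for t in _TOKEN_RE.findall(expr) if t not in _KEYWORDS]
        hard_block = any(t in blocked_set for t in ids)   # explicitly blocked -> high
        issues.append({"package": name, "license": expr,
                       "severity": "high" if hard_block else "medium",
                       "reason": f"{expr} not in allowed list",
                       "recommendation": "Find alternative or add license exception"})
    return {"success": True, "compliant": not issues, "total_packages": len(packages),
            "licenses": dict(counts), "issues": issues}


ALLOWED = ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]
BLOCKED = ["GPL-3.0", "AGPL-3.0"]

# Constructed sample inventory (package name -> license metadata as published).
SAMPLE_PACKAGES = {
    "express": "MIT",
    "react": "MIT",
    "typescript": "Apache-2.0",
    "some-gpl-package": "GPL-3.0",
    "dual-licensed-lib": "(MIT OR GPL-3.0)",   # usable under MIT, so compliant
    "combined-lib": "MIT AND BSD-3-Clause",    # both parts must be allowed
    "mystery-lib": "UNLICENSED",
    "odd-lib": "MIT OR",                       # malformed metadata
}

if __name__ == "__main__":
    for issue in check_licenses(SAMPLE_PACKAGES, ALLOWED, BLOCKED)["issues"]:
        print(f'{issue["severity"]:<6} {issue["package"]:<18} {issue["reason"]}')
```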
### Example 5: Dependency Audit

Command:

```bash
python scripts/main.py audit --format=json
```

Output:

```json
{
  "success": true,
  "project_type": "npm",
  "dependencies": {
    "production": 87,
    "development": 160,
    "total": 247
  },
  "depth": {
    "direct": 42,
    "transitive": 205,
    "max_depth": 7
  },
  "duplicates": [
    {
      "package": "semver",
      "versions": ["5.7.1", "6.3.0", "7.3.5"],
      "count": 3
    }
  ],
  "size": {
    "total_mb": 156.3,
    "largest": [
      {"package": "typescript", "size_mb": 34.2},
      {"package": "webpack", "size_mb": 12.8}
    ]
  }
}
```

## Token Economics

Without Skill (Agent-driven dependency check):

- Read package file: 1,500 tokens
- Query vulnerability database: 4,000 tokens
- Analyze updates: 3,000 tokens
- Generate recommendations: 2,500 tokens
- Explain process: 2,000 tokens
- Total: 13,000 tokens

With Skill (Code execution):

- Metadata: 50 tokens
- SKILL.md: 400 tokens
- Script execution: 0 tokens (returns result)
- Result parsing: 200 tokens
- Total: 650 tokens

Savings: 95.0% (12,350 tokens saved per scan)

## Success Metrics

### Performance

- Vulnerability scan: <30 seconds
- Update check: <15 seconds
- License audit: <10 seconds
- Dependency update: <2 minutes (including tests)

### Quality

- Vulnerability detection rate: >99%
- False positive rate: <5%
- Update success rate: >95%
- Test pass rate after updates: >90%

### Security

- Time to patch critical CVEs: <24 hours
- Percentage of dependencies up-to-date: >80%
- License compliance: 100%
## Safety Checks

### Pre-Update

- ✅ Backup package lock file
- ✅ Check for breaking changes
- ✅ Verify tests exist
- ✅ Create git branch for updates
- ✅ Check CI status

### Post-Update

- ✅ Run full test suite
- ✅ Verify build succeeds
- ✅ Check for new vulnerabilities
- ✅ Generate dependency diff
- ✅ Create PR with details

### Rollback Conditions

- Tests fail after update
- Build fails
- New vulnerabilities introduced
- Circular dependency detected
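The post-update check for new vulnerabilities and the rollback decision that follows from it, as an added example (not the skill's own `scripts/main.py`). It diffs the scan taken before the update against the one taken after it, keyed on package and advisory id so that a version bump that does not resolve the advisory still counts as "remaining", and then applies the rollback conditions above. The scan records use the fields of the skill's scan output; they are constructed here, the new finding's CVE id is a placeholder rather than a real advisory, and the optional severity threshold for the vulnerability condition is this example's design choice.

```python
# Added example, not the skill's scripts/main.py: diff the vulnerability scan
# taken before an update against the one taken after it, and evaluate the
# rollback conditions listed above. Records use the fields of the skill's scan
# output; the records here are constructed, and the CVE id of the new finding
# is a placeholder, not a real advisory.
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _key(vuln: Dict) -> Tuple[str, str]:
    # A finding is identified by (package, advisory id); the version may change
    # across the update without the advisory being resolved.
    return vuln["package"], vuln["cve"]


def diff_vulnerabilities(before: List[Dict], after: List[Dict]) -> Dict[str, List[Dict]]:
    """Split findings into fixed / introduced / remaining across an update."""
    old = {_key(v): v for v in before}
    new = {_key(v): v for v in after}
    return {
        "fixed": [old[k] for k in sorted(old.keys() - new.keys())],
        "introduced": [new[k] for k in sorted(new.keys() - old.keys())],
        "remaining": [new[k] for k in sorted(old.keys() & new.keys())],
    }


def summarize(vulns: List[Dict]) -> Dict[str, int]:
    """Per-severity counts in the same layout as the scan summary."""
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for v in vulns:
        summary[v["severity"]] += 1
    summary["total"] = len(vulns)
    return summary


def should_rollback(before: List[Dict], after: List[Dict], tests_passed: bool,
                    build_ok: bool, severity_threshold: str = "low") -> Dict:
    """Apply the rollback conditions. An introduced finding triggers rollback
    when its severity is at or above severity_threshold (default: any)."""
    diff = diff_vulnerabilities(before, after)
    reasons = []
    if not tests_passed:
        reasons.append("Tests fail after update")
    if not build_ok:
        reasons.append("Build fails")
    floor = SEVERITY_RANK[severity_threshold]
    serious = [v for v in diff["introduced"] if SEVERITY_RANK[v["severity"]] >= floor]
    if serious:
        names = ", ".join(f'{v["package"]}@{v["version"]} ({v["cve"]})' for v in serious)
        reasons.append(f"New vulnerabilities introduced: {names}")
    return {"rollback": bool(reasons), "reasons": reasons,
            "diff": diff, "summary_after": summarize(after)}


# Constructed scan results. "before" mirrors Example 1; "after" is what a patch
# update might produce: lodash fixed, axios untouched, and one new finding
# pulled in transitively (placeholder CVE id).
SCAN_BEFORE = [
    {"package": "lodash", "version": "4.17.15", "severity": "high",
     "cve": "CVE-2020-8203", "title": "Prototype Pollution"},
    {"package": "axios", "version": "0.19.0", "severity": "medium",
     "cve": "CVE-2020-28168", "title": "SSRF vulnerability"},
]
SCAN_AFTER = [
    {"package": "axios", "version": "0.19.0", "severity": "medium",
     "cve": "CVE-2020-28168", "title": "SSRF vulnerability"},
    {"package": "example-transitive-dep", "version": "2.0.1", "severity": "high",
     "cve": "CVE-EXAMPLE-0001", "title": "placeholder finding"},
]

if __name__ == "__main__":
    decision = should_rollback(SCAN_BEFORE, SCAN_AFTER, tests_passed=True, build_ok=True)
    print("rollback:", decision["rollback"])
    for reason in decision["reasons"]:
        print(" -", reason)
```

In the sample the update resolves the lodash finding, yet it still rolls back because a new high-severity finding arrived through a transitive dependency; the `fixed` list is what belongs in the PR description, and the `introduced` list is what the reviewer needs to see before the rollback is overridden.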
## Error Handling

### Missing Package Manager

```text
❌ Package manager not detected
Supported: npm, yarn, pnpm, pip, poetry, cargo, go mod
Recommendation: Ensure package manifest exists (package.json, requirements.txt, etc.)
```

### Vulnerability Database Unavailable

```text
⚠️ Cannot connect to vulnerability database
Falling back to local cache (may be outdated)
Recommendation: Check internet connection
```

### Breaking Change Detected

```text
⚠️ Major update detected: webpack 4.46.0 → 5.75.0
Breaking changes: Module federation, Asset modules
Recommendation: Review migration guide before updating
```

## Advanced Features

### Automatic PR Creation

```json
{
  "auto_pr": {
    "enabled": true,
    "branch_prefix": "deps/",
    "labels": ["dependencies", "security"],
    "assign_to": ["@security-team"],
    "require_reviews": 1
  }
}
```

### Grouped Updates

```json
{
  "grouping": {
    "patch_updates": "single-pr",
    "minor_updates": "separate-prs",
    "major_updates": "separate-prs"
  }
}
```

### Custom Vulnerability Sources

```json
{
  "vulnerability_sources": [
    "npm-audit",
    "snyk",
    "github-advisory",
    "ossindex"
  ]
}
```

## Limitations

- Requires internet connection for vulnerability database
- Cannot automatically fix all breaking changes
- Manual review recommended for major updates
- License detection accuracy depends on package metadata

## References

See references/ for:

- vulnerability-databases.md - CVE and security advisory sources
- breaking-changes-guide.md - How to handle major updates
- license-compatibility.md - OSS license compatibility matrix
- troubleshooting.md - Common issues and solutions

Dependency Guardian Skill v1.0.0 - Keep your dependencies secure and up-to-date