Dependency Guardian Skill
Purpose
Automatically manage project dependencies with security scanning, intelligent updates, breaking change detection, and license compliance validation.
When to Use
- •Weekly dependency health checks
- •Security vulnerability scanning
- •Before major releases
- •After security advisories
- •Automated dependency updates
- •License compliance audits
Supported Package Managers
JavaScript/TypeScript
- •npm: Node.js packages
- •yarn: Alternative Node.js package manager
- •pnpm: Fast, disk-efficient package manager
Python
- •pip: Python package installer
- •poetry: Modern dependency management
- •pipenv: Virtual environments + dependencies
Rust
- •cargo: Rust package manager
Go
- •go mod: Go modules
Ruby
- •bundler: Ruby gem dependencies
Java/JVM
- •maven: Apache Maven
- •gradle: Gradle build tool
Operations
1. Scan Vulnerabilities
- •Check dependencies against CVE databases
- •Identify critical, high, medium, low severity
- •Report vulnerable transitive dependencies
- •Generate remediation recommendations
2. Check for Updates
- •Find outdated dependencies
- •Classify updates (major, minor, patch)
- •Detect breaking changes
- •Calculate update priority
3. Update Dependencies
- •Apply safe updates automatically
- •Create separate PRs for major vs minor
- •Run tests after updates
- •Rollback on failure
4. License Compliance
- •Detect dependency licenses
- •Flag incompatible licenses
- •Generate license report
- •Check OSS license compatibility
5. Dependency Audit
- •Generate dependency tree
- •Identify duplicate dependencies
- •Detect circular dependencies
- •Calculate total dependency count
Scripts
main.py
# Scan for vulnerabilities
python scripts/main.py scan --project-dir=.
# Check for updates
python scripts/main.py check-updates --project-dir=.
# Update dependencies (safe updates only)
python scripts/main.py update --type=patch --auto-merge
# Generate audit report
python scripts/main.py audit --output=audit-report.json
# Check license compliance
python scripts/main.py licenses --allow=MIT,Apache-2.0,BSD-3-Clause
Subcommands
scan: Vulnerability scanning
python scripts/main.py scan --severity=high,critical
# Output: List of vulnerabilities with remediation
check-updates: Find outdated dependencies
python scripts/main.py check-updates --include-dev
# Output: Available updates grouped by type
update: Apply updates
python scripts/main.py update --type=patch --dry-run
# Output: Preview of updates (no changes)
audit: Generate dependency report
python scripts/main.py audit --format=markdown
# Output: Complete dependency analysis
licenses: License compliance check
python scripts/main.py licenses --check-compatibility
# Output: License compatibility report
Configuration
Project Configuration
Create .dependency-guardian.json:
{
"updateSchedule": "weekly",
"autoMerge": {
"patch": true,
"minor": false,
"major": false
},
"allowedLicenses": [
"MIT",
"Apache-2.0",
"BSD-3-Clause",
"ISC"
],
"ignoredPackages": [
"legacy-package-name"
],
"severityThreshold": "high"
}
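The policy gate that `severityThreshold`, `ignoredPackages` and `allowedLicenses` imply, covering operation 1 (vulnerability triage) and operation 4 (license compliance). This is an added illustration, not the skill's own `scripts/main.py`: the config, findings and package-to-license data are constructed, the `moderate`/`info` aliases are an assumption about feeding `npm audit` output into the skill's four-level vocabulary, and the SPDX rule (OR needs one allowed branch, AND needs every term, a missing or malformed license fails closed) is the behaviour a reviewer would want from the `licenses` subcommand rather than anything the page specifies.

```python
"""Policy gate for Dependency Guardian findings (added example, not the skill's
own scripts/main.py). Reads the .dependency-guardian.json keys shown above and
decides which vulnerability and licence findings should block."""
import json
import re
from typing import Dict, Iterable, List, Tuple

SEVERITY_ORDER = ("low", "medium", "high", "critical")
_ALIASES = {"moderate": "medium", "info": "low"}  # npm audit vocabulary -> the skill's (assumed mapping)
_TOKEN = re.compile(r"\(|\)|[^\s()]+")  # SPDX expression tokens: parentheses and bare words

# Constructed config, same keys as .dependency-guardian.json above.
CONFIG_JSON = """{
  "allowedLicenses": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
  "ignoredPackages": ["legacy-package-name"],
  "severityThreshold": "high"
}"""
# Constructed scan findings in the shape of the `scan` output (Example 1);
# the last entry is a placeholder with no real advisory id.
FINDINGS = [
    {"package": "lodash", "version": "4.17.15", "severity": "high", "cve": "CVE-2020-8203"},
    {"package": "axios", "version": "0.19.0", "severity": "medium", "cve": "CVE-2020-28168"},
    {"package": "legacy-package-name", "version": "1.0.0", "severity": "critical", "cve": "placeholder"},
]
# Constructed package -> licence metadata, as the `licenses` subcommand would collect it.
SAMPLE_LICENSES = {"left-pad": "MIT", "some-gpl-package": "GPL-3.0",
                   "dual-licensed": "MIT OR GPL-3.0", "mystery": None}


def load_config(text: str) -> Dict:
    """Parse the config and fill fail-closed defaults for missing keys."""
    cfg = json.loads(text)
    cfg.setdefault("allowedLicenses", [])
    cfg.setdefault("ignoredPackages", [])
    cfg.setdefault("severityThreshold", "low")
    if cfg["severityThreshold"] not in SEVERITY_ORDER:
        raise ValueError(f"unknown severityThreshold {cfg['severityThreshold']!r}")
    return cfg


def meets_threshold(severity: str, threshold: str) -> bool:
    """True when severity is at least threshold; an unknown label counts as critical."""
    severity = _ALIASES.get(severity, severity)
    rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)
    return rank >= SEVERITY_ORDER.index(threshold)


def triage(findings: Iterable[Dict], cfg: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Split findings into (blocking, suppressed). Suppressed findings are returned,
    not dropped, so a report can show what ignoredPackages is hiding."""
    blocking, suppressed = [], []
    for f in findings:
        if f["package"] in cfg["ignoredPackages"]:
            suppressed.append(f)
        elif meets_threshold(f["severity"], cfg["severityThreshold"]):
            blocking.append(f)
    return blocking, suppressed


def license_allowed(expression, allowed: Iterable[str]) -> bool:
    """SPDX expression vs allow list: OR needs one allowed branch, AND needs all
    terms (AND binds tighter, as in SPDX); empty or malformed input fails closed."""
    allowed, tokens, pos = set(allowed), _TOKEN.findall(expression or ""), 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]  # IndexError on a truncated expression -> fail closed below
        pos += 1
        return tok

    def parse_or():
        result = parse_and()
        while peek() == "OR":
            take()
            result = parse_and() or result
        return result

    def parse_and():
        result = parse_atom()
        while peek() == "AND":
            take()
            result = parse_atom() and result
        return result

    def parse_atom():
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        lic = take()
        if peek() == "WITH":  # exception clause, e.g. "GPL-2.0-only WITH Classpath-exception-2.0"
            take()
            lic = f"{lic} WITH {take()}"
        return lic in allowed

    try:
        return bool(tokens) and parse_or() and pos == len(tokens)
    except (ValueError, IndexError):
        return False


def license_issues(packages: Dict[str, str], cfg: Dict) -> List[Dict]:
    """One issue per package whose licence is not allowed, in the `licenses` output shape."""
    return [{"package": name, "license": expr or "UNKNOWN", "severity": "high",
             "reason": f"{expr or 'no license metadata'} not in allowed list"}
            for name, expr in packages.items()
            if not license_allowed(expr, cfg["allowedLicenses"])]
```

Two design points worth noting: suppressed findings are returned alongside blocking ones so that an ignore list cannot silently hide a critical advisory, and a package with no license metadata is reported as an issue rather than skipped, which is the fail-closed reading of the `UNLICENSED` bucket in Example 4.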
Memory Integration
Stores vulnerability history and preferences:
{
"topic": "dependency-guardian-config",
"scope": "repository",
"value": {
"last_scan": "2025-10-20T10:00:00Z",
"vulnerabilities_found": 3,
"vulnerabilities_fixed": 2,
"update_preferences": {
"auto_patch": true,
"test_before_merge": true,
"create_pr": true
},
"license_policy": {
"allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
"blocked": ["GPL-3.0", "AGPL-3.0"]
}
}
}
Integration Points
With Security Scanner Skill
- •Share vulnerability database
- •Coordinate security scanning
- •Cross-reference CVE findings
With Test-First Change Skill
- •Run tests after updates
- •Validate no regressions
- •Block merge on test failure
With PR Author/Reviewer Skill
- •Create update PRs automatically
- •Include vulnerability details
- •Add security review checklist
With Release Orchestrator Skill
- •Block releases with critical CVEs
- •Include dependency updates in changelog
- •Verify dependencies before deployment
Examples
Example 1: Scan for Vulnerabilities
Project: Node.js app with outdated dependencies
Command:
python scripts/main.py scan --project-dir=/path/to/project
Output:
{
"success": true,
"project_type": "npm",
"vulnerabilities": [
{
"package": "lodash",
"version": "4.17.15",
"severity": "high",
"cve": "CVE-2020-8203",
"title": "Prototype Pollution",
"fixed_in": "4.17.19",
"recommendation": "Update to lodash@4.17.19 or higher"
},
{
"package": "axios",
"version": "0.19.0",
"severity": "medium",
"cve": "CVE-2020-28168",
"title": "SSRF vulnerability",
"fixed_in": "0.21.1",
"recommendation": "Update to axios@0.21.1 or higher"
}
],
"summary": {
"critical": 0,
"high": 1,
"medium": 1,
"low": 0,
"total": 2
}
}
Example 2: Check for Updates
Command:
python scripts/main.py check-updates --project-dir=.
Output:
{
"success": true,
"project_type": "npm",
"updates": {
"patch": [
{
"package": "express",
"current": "4.17.1",
"latest": "4.17.3",
"type": "patch"
}
],
"minor": [
{
"package": "react",
"current": "17.0.2",
"latest": "17.2.0",
"type": "minor"
}
],
"major": [
{
"package": "webpack",
"current": "4.46.0",
"latest": "5.75.0",
"type": "major",
"breaking_changes": true
}
]
},
"summary": {
"total": 15,
"patch": 8,
"minor": 5,
"major": 2
}
}
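The classification step behind this output, as an added example (not the skill's own `scripts/main.py`). It parses both versions as semver and groups updates the way `check-updates` does, but adds the rule a practitioner will want before `autoMerge` is trusted: before 1.0.0 semver makes no compatibility promise, so a 0.19 to 0.21 bump is reported as `major`, and a pre-release target is never offered automatically. The input list is constructed from Example 2 plus three edge cases; the `auto_merge` flag on each entry is an assumption about how the `update` step would consume the plan.

```python
"""Update classification for Dependency Guardian (added example, not the skill's
own scripts/main.py): classify current -> latest as patch/minor/major under
semver, including the 0.y.z case, and apply the autoMerge policy."""
import re
from typing import Dict, List, Optional, Tuple

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed check-updates input: Example 2's packages plus three edge cases.
OUTDATED = [
    {"package": "express", "current": "4.17.1", "latest": "4.17.3"},
    {"package": "react", "current": "17.0.2", "latest": "17.2.0"},
    {"package": "webpack", "current": "4.46.0", "latest": "5.75.0"},
    {"package": "axios", "current": "0.19.0", "latest": "0.21.1"},        # 0.x minor bump
    {"package": "some-lib", "current": "1.2.3", "latest": "2.0.0-rc.1"},  # pre-release target
    {"package": "pinned", "current": "1.0.0", "latest": "1.0.0"},         # already current
]
AUTO_MERGE = {"patch": True, "minor": False, "major": False}  # autoMerge block of the config


def parse_semver(version: str) -> Tuple[int, int, int, Optional[str]]:
    """'v1.2.3-beta.1+build' -> (1, 2, 3, 'beta.1'); build metadata is ignored."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def classify_update(current: str, latest: str) -> Optional[str]:
    """Return 'major', 'minor', 'patch', or None when there is nothing to offer.

    Before 1.0.0 semver makes no compatibility promise, so 0.19 -> 0.21 (and
    0.0.3 -> 0.0.4) is reported as 'major': it is exactly the update that an
    autoMerge policy of minor=true would otherwise wave through. Pre-release
    targets are never offered automatically.
    """
    cur, new = parse_semver(current), parse_semver(latest)
    if new[3] is not None:
        return None
    if new[:3] < cur[:3] or (new[:3] == cur[:3] and cur[3] is None):
        return None
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "major" if cur[0] == 0 and cur[1] == 0 else "patch"


def plan_updates(outdated: List[Dict], auto_merge: Dict[str, bool]) -> Dict:
    """Group updates by type as the check-updates output does, and mark each
    entry with the autoMerge decision so the update step cannot misread it."""
    groups: Dict[str, List[Dict]] = {"patch": [], "minor": [], "major": []}
    for pkg in outdated:
        kind = classify_update(pkg["current"], pkg["latest"])
        if kind is None:
            continue
        entry = {"package": pkg["package"], "current": pkg["current"],
                 "latest": pkg["latest"], "type": kind,
                 "auto_merge": bool(auto_merge.get(kind, False))}
        if kind == "major":
            entry["breaking_changes"] = True
        groups[kind].append(entry)
    summary = {kind: len(entries) for kind, entries in groups.items()}
    summary["total"] = sum(summary.values())
    return {"success": True, "updates": groups, "summary": summary}
```

With the constructed input the plan puts express under `patch` (auto-mergeable), react under `minor`, and both webpack and axios under `major`; some-lib and pinned are dropped. Note that `breaking_changes` here only means "the version number says so": a real changelog diff is still needed, as the Limitations section says.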
Example 3: Update Dependencies (Patch Only)
Command:
python scripts/main.py update --type=patch --dry-run=false
Output:
{
"success": true,
"updates_applied": 8,
"packages": [
{"name": "express", "from": "4.17.1", "to": "4.17.3"},
{"name": "lodash", "from": "4.17.15", "to": "4.17.21"},
{"name": "moment", "from": "2.29.1", "to": "2.29.4"}
],
"tests_run": true,
"tests_passed": true,
"pr_created": true,
"pr_url": "https://github.com/user/repo/pull/123"
}
Example 4: License Audit
Command:
python scripts/main.py licenses --check-compatibility
Output:
{
"success": true,
"total_packages": 247,
"licenses": {
"MIT": 188,
"Apache-2.0": 31,
"BSD-3-Clause": 18,
"ISC": 7,
"GPL-3.0": 1,
"UNLICENSED": 2
},
"issues": [
{
"package": "some-gpl-package",
"license": "GPL-3.0",
"severity": "high",
"reason": "GPL-3.0 not in allowed list",
"recommendation": "Find alternative or add license exception"
}
]
}
Example 5: Dependency Audit
Command:
python scripts/main.py audit --format=json
Output:
{
"success": true,
"project_type": "npm",
"dependencies": {
"production": 87,
"development": 160,
"total": 247
},
"depth": {
"direct": 42,
"transitive": 205,
"max_depth": 7
},
"duplicates": [
{
"package": "semver",
"versions": ["5.7.1", "6.3.0", "7.3.5"],
"count": 3
}
],
"size": {
"total_mb": 156.3,
"largest": [
{"package": "typescript", "size_mb": 34.2},
{"package": "webpack", "size_mb": 12.8}
]
}
}
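How the counts, duplicates and the circular-dependency check of operation 5 can be computed from a lockfile, as an added example that is not the skill's own `scripts/main.py`. It assumes npm's `package-lock.json` with `lockfileVersion` 2 or 3, where the `packages` map is keyed by `node_modules` path, a nested path such as `node_modules/a/node_modules/semver` records a second version npm could not hoist, and `"dev": true` marks entries reachable only from `devDependencies`. The lockfile below is constructed (`loader-x`, `plugin-y`, `some-tool` and the three `semver` copies are made up); the size figures of Example 5 are not reproduced because a lockfile does not carry them.

```python
"""Dependency audit over a package-lock.json (added example, not the skill's own
scripts/main.py). Uses the `packages` map of lockfileVersion 2/3: keys are
node_modules paths, nested paths are versions npm could not hoist, and
"dev": true marks entries only reachable from devDependencies."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed lockfile: loader-x, plugin-y, some-tool and the semver copies are made up.
LOCKFILE = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.17.1", "lodash": "^4.17.15", "semver": "^5.7.1", "loader-x": "^1.0.0"},
             "devDependencies": {"typescript": "^4.9.0", "some-tool": "^1.0.0"}},
        "node_modules/semver": {"version": "5.7.1"},
        "node_modules/express": {"version": "4.17.1", "dependencies": {"debug": "2.6.9"}},
        "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
        "node_modules/ms": {"version": "2.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/typescript": {"version": "4.9.5", "dev": True},
        "node_modules/some-tool": {"version": "1.0.0", "dev": True, "dependencies": {"semver": "^6.3.0"}},
        "node_modules/some-tool/node_modules/semver": {"version": "6.3.0", "dev": True},
        "node_modules/loader-x": {"version": "1.0.0", "dependencies": {"semver": "^7.3.5", "plugin-y": "^1.0.0"}},
        "node_modules/loader-x/node_modules/semver": {"version": "7.3.5"},
        "node_modules/plugin-y": {"version": "1.0.0", "dependencies": {"loader-x": "^1.0.0"}},
    },
}


def pkg_name(key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return key.rsplit("node_modules/", 1)[1]


def resolve(packages: Dict, from_key: str, dep: str) -> Optional[str]:
    """Node's lookup rule: the nearest node_modules/<dep> walking up from from_key."""
    base = from_key
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def find_cycles(packages: Dict) -> List[List[str]]:
    """Depth-first search over resolved edges; each cycle is reported once, as names."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in packages if k}
    stack, cycles = [], []

    def visit(key: str) -> None:
        colour[key] = GREY
        stack.append(key)
        for dep in packages[key].get("dependencies", {}):
            target = resolve(packages, key, dep)
            if target is None:          # not in the lockfile: npm ci would refuse this tree anyway
                continue
            if colour[target] == GREY:  # back edge: the stack from target onward is the cycle
                cycles.append([pkg_name(k) for k in stack[stack.index(target):]])
            elif colour[target] == WHITE:
                visit(target)
        stack.pop()
        colour[key] = BLACK

    for key in colour:
        if colour[key] == WHITE:
            visit(key)
    return cycles


def audit(lock: Dict) -> Dict:
    """Counts, depth, duplicates and cycles in the shape of the `audit` output."""
    packages = lock["packages"]
    root = packages.get("", {})
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    versions = defaultdict(set)
    prod = dev = direct = transitive = max_depth = 0
    for key, meta in packages.items():
        if not key:
            continue
        name, depth = pkg_name(key), key.count("node_modules/")
        versions[name].add(meta["version"])
        max_depth = max(max_depth, depth)
        if meta.get("dev"):
            dev += 1
        else:
            prod += 1
        if depth == 1 and name in declared:
            direct += 1
        else:
            transitive += 1
    duplicates = [{"package": n, "versions": sorted(v), "count": len(v)}
                  for n, v in sorted(versions.items()) if len(v) > 1]
    return {"dependencies": {"production": prod, "development": dev, "total": prod + dev},
            "depth": {"direct": direct, "transitive": transitive, "max_depth": max_depth},
            "duplicates": duplicates, "cycles": find_cycles(packages)}
```

Working from the lockfile rather than from `package.json` is deliberate: the lockfile is what `npm ci` installs, so a duplicate or a cycle that exists only there is the one that ships.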
Token Economics
Without Skill (Agent-driven dependency check):
- •Read package file: 1,500 tokens
- •Query vulnerability database: 4,000 tokens
- •Analyze updates: 3,000 tokens
- •Generate recommendations: 2,500 tokens
- •Explain process: 2,000 tokens
- •Total: 13,000 tokens
With Skill (Code execution):
- •Metadata: 50 tokens
- •SKILL.md: 400 tokens
- •Script execution: 0 tokens (returns result)
- •Result parsing: 200 tokens
- •Total: 650 tokens
Savings: 95.0% (12,350 tokens saved per scan)
Success Metrics
Performance
- •Vulnerability scan: <30 seconds
- •Update check: <15 seconds
- •License audit: <10 seconds
- •Dependency update: <2 minutes (including tests)
Quality
- •Vulnerability detection rate: >99%
- •False positive rate: <5%
- •Update success rate: >95%
- •Test pass rate after updates: >90%
Security
- •Time to patch critical CVEs: <24 hours
- •Percentage of dependencies up-to-date: >80%
- •License compliance: 100%
Safety Checks
Pre-Update
- •✅ Backup package lock file
- •✅ Check for breaking changes
- •✅ Verify tests exist
- •✅ Create git branch for updates
- •✅ Check CI status
Post-Update
- •✅ Run full test suite
- •✅ Verify build succeeds
- •✅ Check for new vulnerabilities
- •✅ Generate dependency diff
- •✅ Create PR with details
Rollback Conditions
- •Tests fail after update
- •Build fails
- •New vulnerabilities introduced
- •Circular dependency detected
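The pre-update backup, post-update checks and rollback conditions above as one procedure, written as an added example rather than the skill's own `scripts/main.py`. The update, test and scan steps are injected as callables so the control flow itself can be exercised offline; in the real skill they would wrap the package manager, the test runner and the `scan` subcommand. The manifest and lock file names are the usual ones for the listed package managers, and the `demo()` project is constructed.

```python
"""Update-with-rollback procedure from the Safety Checks section (added example,
not the skill's own scripts/main.py). The update, test and scan steps are
injected as callables so the procedure can be exercised offline."""
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Manifest and lock files the procedure snapshots; the lock file is the reproducible baseline.
MANIFESTS = ("package.json", "pyproject.toml", "Pipfile", "Cargo.toml", "go.mod", "Gemfile")
LOCKFILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml", "poetry.lock",
             "Pipfile.lock", "Cargo.lock", "go.sum", "Gemfile.lock")


def safe_update(project: Path,
                apply_update: Callable[[Path], None],
                run_tests: Callable[[Path], bool],
                scan: Callable[[Path], List[str]]) -> Dict:
    """Snapshot manifests and locks, apply, test, rescan; restore the snapshot on
    any rollback condition (test failure, update/build error, new advisory)."""
    locks = [project / n for n in LOCKFILES if (project / n).exists()]
    if not locks:
        return {"success": False, "rolled_back": False,
                "reason": "no lock file found; refusing to update without a reproducible baseline"}
    tracked = locks + [project / n for n in MANIFESTS if (project / n).exists()]
    snapshot = {p: p.read_bytes() for p in tracked}
    baseline = set(scan(project))  # advisories already present are not "new"
    try:
        apply_update(project)
        if not run_tests(project):
            raise RuntimeError("tests failed after update")
        introduced = set(scan(project)) - baseline
        if introduced:
            raise RuntimeError(f"update introduced new advisories: {sorted(introduced)}")
    except Exception as exc:  # any failure in the pipeline triggers the rollback
        for p, data in snapshot.items():
            p.write_bytes(data)
        return {"success": False, "rolled_back": True, "reason": str(exc)}
    changed = [p.name for p in tracked if p.read_bytes() != snapshot[p]]
    return {"success": True, "rolled_back": False, "changed": changed}


def make_project(files: Dict[str, str]) -> Path:
    """Write a throwaway project directory for exercising safe_update offline."""
    root = Path(tempfile.mkdtemp(prefix="dep-guardian-"))
    for name, content in files.items():
        (root / name).write_text(content)
    return root


def demo() -> Dict[str, Dict]:
    """Three constructed runs: tests fail, clean success, and an update that pulls
    in a new advisory. Returns each result plus the lock contents afterwards."""
    project = make_project({"package.json": '{"dependencies": {"express": "^4.17.1"}}',
                            "package-lock.json": "lock-v1"})
    lock = project / "package-lock.json"

    def bump_to(content: str) -> Callable[[Path], None]:
        def apply(p: Path) -> None:  # stands in for `npm update` rewriting the lock file
            (p / "package-lock.json").write_text(content)
        return apply

    def scan(p: Path) -> List[str]:  # pretends lock-v3 pulled in a vulnerable package
        return ["constructed-advisory-1"] if lock.read_text() == "lock-v3" else []

    results = {}
    for label, target, tests_pass in (("tests_fail", "lock-v2", False),
                                      ("clean", "lock-v2", True),
                                      ("new_vuln", "lock-v3", True)):
        results[label] = safe_update(project, bump_to(target), lambda p, ok=tests_pass: ok, scan)
        results[label]["lock_after"] = lock.read_text()
    return results
```

Two details matter for the rollback to be trustworthy: the snapshot covers the manifest as well as the lock file, because an update rewrites both, and the "new vulnerabilities introduced" condition compares against a baseline scan taken before the update, so pre-existing advisories do not mask (or get blamed on) the change.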
Error Handling
Missing Package Manager
❌ Package manager not detected
Supported: npm, yarn, pnpm, pip, poetry, pipenv, cargo, go mod, bundler, maven, gradle
Recommendation: Ensure a package manifest exists (package.json, requirements.txt, pyproject.toml, Pipfile, Cargo.toml, go.mod, Gemfile, pom.xml, build.gradle)
Vulnerability Database Unavailable
⚠️ Cannot connect to vulnerability database
Falling back to local cache (may be outdated)
Recommendation: Check internet connection; a scan served from a stale cache can miss newly published advisories and must not be treated as a clean result for a release gate
Breaking Change Detected
⚠️ Major update detected: webpack 4.46.0 → 5.75.0
Breaking changes: Node.js core module polyfills are no longer injected automatically; file-loader, url-loader and raw-loader are replaced by asset modules; APIs deprecated in webpack 4 are removed
Recommendation: Review migration guide before updating
Advanced Features
Automatic PR Creation
{
"auto_pr": {
"enabled": true,
"branch_prefix": "deps/",
"labels": ["dependencies", "security"],
"assign_to": ["@security-team"],
"require_reviews": 1
}
}
Grouped Updates
{
"grouping": {
"patch_updates": "single-pr",
"minor_updates": "separate-prs",
"major_updates": "separate-prs"
}
}
Custom Vulnerability Sources
{
"vulnerability_sources": [
"npm-audit",
"snyk",
"github-advisory",
"ossindex"
]
}
Limitations
- •Requires internet connection for vulnerability database
- •Cannot automatically fix all breaking changes
- •Manual review recommended for major updates
- •License detection accuracy depends on package metadata; packages with no license field must be reported as non-compliant, not skipped
- •Auto-merging patch updates still trusts the registry: a hijacked maintainer account can publish malware as a patch release, so keep lockfile integrity hashes, review the dependency diff in the PR, and prefer a short delay before adopting a just-published version
References
See references/ for:
- •vulnerability-databases.md - CVE and security advisory sources
- •breaking-changes-guide.md - How to handle major updates
- •license-compatibility.md - OSS license compatibility matrix
- •troubleshooting.md - Common issues and solutions
Dependency Guardian Skill v1.0.0 - Keep your dependencies secure and up-to-date