- Home
- Skills
- Shotaiuchi
- Dotclaude
- Review Dependency
review-dependency_skill
- Shell
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill shotaiuchi/dotclaude --skill review-dependency- SKILL.md2.1 KB
Overview
This skill performs dependency and supply chain–focused code reviews to catch vulnerabilities, licensing issues, and maintainability risks before they reach production. It evaluates new libraries, version upgrades, lock files, and transitive trees to quantify risk and recommend actions. The output classifies findings by risk level and gives focused remediation guidance.
How this skill works
The skill inspects dependency manifests, lock files, package sources, and changelogs to detect known CVEs, end-of-life versions, and typosquatting. It checks licenses for compatibility and attribution needs, analyzes dependency size and transitive bloat, and flags risky post-install scripts, excessive permissions, or unsigned packages. Results are summarized with risk categories and concrete recommendations.
When to use it
- Adding a new library or micro-dependency to the codebase
- Upgrading dependency versions or performing major version bumps
- Validating license compliance for releases or commercial distributions
- Reviewing pull requests that update lock files or dependency manifests
- Assessing supply chain risk before deploying to production
Best practices
- Prefer well-maintained packages with recent commits and active maintainers
- Pin versions or use lock files and commit them to source control
- Validate package sources and checksums; prefer signed releases
- Replace heavy dependencies with lighter alternatives for simple needs
- Automate vulnerability scanning and include dependency checks in CI
- Document license decisions and attribution requirements in the repo
Example use cases
- Reviewing a PR that adds a utility library to ensure no CVEs or typosquatting
- Assessing a major framework upgrade to verify migration steps and API changes
- Auditing a project for GPL or other copyleft licenses before a commercial release
- Analyzing bundle size impact when adding a front-end library
- Verifying lock file updates and consistent version pinning across services
FAQ
Findings map to Critical (known vulnerabilities or license violations), High (unmaintained or risky packages), Medium (version management or unnecessary dependency), and Low (minor hygiene improvements).
What evidence does the skill use?
It uses public vulnerability databases, package metadata, repository activity, manifest and lock file contents, and package publication details such as checksums and signatures.