
review-dependency skill

/dotclaude/skills/review-dependency

This skill reviews dependencies for security, license, size, and version risks, guiding safe library upgrades and supply chain hygiene.

npx playbooks add skill shotaiuchi/dotclaude --skill review-dependency

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.1 KB
---
name: review-dependency
description: >-
  Dependency and supply chain-focused code review. Apply when reviewing
  library additions, version upgrades, license compliance, known vulnerabilities,
  dependency size, transitive dependencies, and lock files.
user-invocable: false
---

# Dependency Review

Review code from a dependency and supply chain security perspective.

## Review Checklist

### Vulnerability Assessment
- Check new dependencies for known CVEs
- Verify dependency versions are not end-of-life
- Look for dependencies with poor maintenance (no recent updates)
- Check for typosquatting risks on package names

### License Compliance
- Verify license compatibility with project license
- Check for copyleft licenses (GPL) in proprietary projects
- Look for license changes in version upgrades
- Ensure license attribution requirements are met

### Dependency Size & Impact
- Check if new dependency is justified (vs implementing directly)
- Verify dependency size impact on build/bundle
- Look for lighter alternatives for simple functionality
- Check transitive dependency tree for bloat

### Version Management
- Verify version pinning strategy is consistent
- Check lock files are updated and committed
- Look for wildcard version ranges that allow breaking changes
- Verify compatibility between related dependency versions

### Supply Chain Security
- Check dependency source is official (not fork or mirror)
- Verify package integrity (checksums, signatures)
- Look for post-install scripts that execute arbitrary code
- Check for dependencies that request excessive permissions

### Update Strategy
- Verify automated vulnerability scanning is configured
- Check major version upgrades include migration review
- Ensure deprecated APIs are not used in new code
- Verify upgrade path exists for critical dependencies

## Output Format

| Risk | Description |
|------|-------------|
| Critical | Known vulnerability or license violation |
| High | Unmaintained dependency or major risk |
| Medium | Version management issue or unnecessary dependency |
| Low | Minor improvement to dependency hygiene |

Overview

This skill performs dependency and supply chain–focused code reviews to catch vulnerabilities, licensing issues, and maintainability risks before they reach production. It evaluates new libraries, version upgrades, lock files, and transitive trees to quantify risk and recommend actions. The output classifies findings by risk level and gives focused remediation guidance.

How this skill works

The skill inspects dependency manifests, lock files, package sources, and changelogs to detect known CVEs, end-of-life versions, and typosquatting. It checks licenses for compatibility and attribution needs, analyzes dependency size and transitive bloat, and flags risky post-install scripts, excessive permissions, or unsigned packages. Results are summarized with risk categories and concrete recommendations.
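The manifest and lock file checks described above, as an added Python example (the skill itself is a prompt, not a program, so this is not its code): it parses a constructed package.json and npm lockfile-v3 package-lock.json and flags wildcard ranges, dependencies absent from the lock, lock entries without an integrity hash or with a non-official resolved URL, and packages that declare install scripts, ranked with the skill's own risk levels.

```python
import json
import re

# Constructed sample manifest and lock file (not from any real project).
PACKAGE_JSON = """{"name": "sample-app", "dependencies": {
  "left-pad-ish": "*", "fast-json": "^2.1.0",
  "tiny-util": "latest", "unlocked-lib": "1.0.0"}}"""

PACKAGE_LOCK = """{"name": "sample-app", "lockfileVersion": 3, "packages": {
  "node_modules/left-pad-ish": {"version": "1.3.0", "integrity": "sha512-AAAA",
    "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.0.tgz"},
  "node_modules/fast-json": {"version": "2.1.4",
    "resolved": "https://registry.npmjs.org/fast-json/-/fast-json-2.1.4.tgz"},
  "node_modules/tiny-util": {"version": "0.9.1", "integrity": "sha512-BBBB",
    "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-0.9.1.tgz",
    "hasInstallScript": true}}}"""

# Version ranges that accept any future release, including breaking ones.
WILDCARD = re.compile(r"^(\*|latest|x|>=?\s*[\d.]+)$")
OFFICIAL_REGISTRY = "https://registry.npmjs.org/"

def review(manifest_text, lock_text):
    """Return (risk, package, message) findings, most severe first."""
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text)
    # npm lockfile v2/v3 keys entries by install path; strip the prefix to get the name.
    locked = {path[len("node_modules/"):]: meta
              for path, meta in lock.get("packages", {}).items() if path}
    findings = []
    for name, rng in manifest.get("dependencies", {}).items():
        if WILDCARD.match(rng.strip()):
            findings.append(("Medium", name, f"range '{rng}' allows breaking changes"))
        meta = locked.get(name)
        if meta is None:
            findings.append(("Medium", name, "absent from lock file (stale or uncommitted lock)"))
            continue
        if not meta.get("integrity"):
            findings.append(("High", name, "no integrity hash; tarball cannot be verified"))
        if not meta.get("resolved", "").startswith(OFFICIAL_REGISTRY):
            findings.append(("High", name, f"resolved from non-official source {meta.get('resolved')}"))
        if meta.get("hasInstallScript"):
            findings.append(("High", name, "declares install scripts that run code at install time"))
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for risk, pkg, msg in review(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"[{risk}] {pkg}: {msg}")
```

Run against a real repository by reading the two files from disk; the risk labels match the Output Format table, so findings can be pasted straight into a review.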

When to use it

  • Adding a new library or micro-dependency to the codebase
  • Upgrading dependency versions or performing major version bumps
  • Validating license compliance for releases or commercial distributions
  • Reviewing pull requests that update lock files or dependency manifests
  • Assessing supply chain risk before deploying to production

Best practices

  • Prefer well-maintained packages with recent commits and active maintainers
  • Pin versions or use lock files and commit them to source control
  • Validate package sources and checksums; prefer signed releases
  • Replace heavy dependencies with lighter alternatives for simple needs
  • Automate vulnerability scanning and include dependency checks in CI
  • Document license decisions and attribution requirements in the repo

Example use cases

  • Reviewing a PR that adds a utility library to ensure no CVEs or typosquatting
  • Assessing a major framework upgrade to verify migration steps and API changes
  • Auditing a project for GPL or other copyleft licenses before a commercial release
  • Analyzing bundle size impact when adding a front-end library
  • Verifying lock file updates and consistent version pinning across services

FAQ

How are risks classified?

Findings map to Critical (known vulnerabilities or license violations), High (unmaintained or risky packages), Medium (version management or unnecessary dependency), and Low (minor hygiene improvements).

What evidence does the skill use?

It uses public vulnerability databases, package metadata, repository activity, manifest and lock file contents, and package publication details such as checksums and signatures.