Claude Code Plugins

Community-maintained marketplace

Feedback

dependencies

@DNYoussef/context-cascade
6
0

Dependency management and analysis hub. Map project dependencies, analyze dependency graphs, identify vulnerabilities, and manage package versions. Routes to dependency-mapper and related analysis tools.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name dependencies
version 2.1.0
description Dependency management and analysis hub. Map project dependencies, analyze dependency graphs, identify vulnerabilities, and manage package versions. Routes to dependency-mapper and related analysis tools.

Dependencies

Dependency management, analysis, and vulnerability detection for projects.

Phase 0: Expertise Loading

expertise_check:
  domain: dependencies
  file: .claude/expertise/dependencies.yaml

  if_exists:
    - Load package ecosystems
    - Load vulnerability databases
    - Apply version policies

  if_not_exists:
    - Flag discovery mode
    - Document patterns learned

When to Use This Skill

Use dependencies when:

  • Mapping project dependency graphs
  • Analyzing package vulnerabilities
  • Managing version upgrades
  • Identifying circular dependencies
  • Auditing security issues

Sub-Skills

Skill Use Case
dependency-mapper Visualize dependency graphs

Dependency Analysis

Package Ecosystems

supported:
  - npm/yarn (JavaScript)
  - pip/poetry (Python)
  - cargo (Rust)
  - go mod (Go)
  - maven/gradle (Java)
  - composer (PHP)

Analysis Types

analyses:
  graph: "Dependency tree visualization"
  vulnerabilities: "CVE/security scanning"
  outdated: "Version freshness check"
  circular: "Circular dependency detection"
  unused: "Dead dependency identification"

Commands

# Map dependencies
npm ls --all
pip list --format=freeze
cargo tree

# Security audit
npm audit
pip-audit
cargo audit

MCP Requirements

  • claude-flow: For orchestration
  • Bash: For package commands

Recursive Improvement Integration (v2.1)

Eval Harness Integration

benchmark: dependencies-benchmark-v1
  tests:
    - dep-001: Graph generation
    - dep-002: Vulnerability detection
  minimum_scores:
    graph_accuracy: 0.95
    vuln_detection: 0.90

Memory Namespace

namespaces:
  - dependencies/graphs/{id}: Dependency graphs
  - dependencies/audits/{id}: Security audits
  - improvement/audits/dependencies: Skill audits

Uncertainty Handling

confidence_check:
  if confidence >= 0.8:
    - Proceed with analysis
  if confidence 0.5-0.8:
    - Confirm package ecosystem
  if confidence < 0.5:
    - Ask for package.json/requirements.txt

Cross-Skill Coordination

Works with: security, code-review-assistant, deployment-readiness

!! SKILL COMPLETION VERIFICATION (MANDATORY) !!

  • Agent Spawning: Spawned agent via Task()
  • Agent Registry Validation: Agent from registry
  • TodoWrite Called: Called with 5+ todos
  • Work Delegation: Delegated to agents

Remember: Skill() -> Task() -> TodoWrite() - ALWAYS

Core Principles

1. Transitive Dependency Awareness as Security Priority

Direct dependencies are visible and reviewed, but transitive dependencies (dependencies-of-dependencies) often escape scrutiny despite comprising 80-95% of total dependency count. A single vulnerable transitive dependency deep in the graph creates exploitable attack surface. Dependency analysis must traverse the full graph, flagging high-risk transitives (unmaintained packages, known CVEs, excessive permissions) with equal priority to direct dependencies.

2. Version Freshness Balanced Against Stability Risk

Outdated dependencies accumulate security vulnerabilities and miss performance improvements, but aggressive version upgrades introduce breaking changes and untested code paths. The optimal strategy is risk-stratified: security patches applied immediately, minor updates batched and tested weekly, major updates evaluated for breaking changes and scheduled deliberately. Blanket "always latest" or "never update" policies fail by ignoring risk context.

3. Circular Dependencies as Architectural Code Smell

Circular dependencies (package A depends on B, B depends on A) indicate architectural coupling that prevents independent evolution, complicates testing, and signals unclear separation of concerns. While sometimes unavoidable in legacy codebases, new circular dependencies should trigger architectural review. Dependency graph analysis that only reports existence without surfacing cycles misses a critical maintainability signal.

Anti-Patterns

Anti-Pattern Why It Fails Correct Approach
Only auditing direct dependencies Ignores 80-95% of dependency graph. Transitive dependencies carry same security risks but escape review. Event-stream attack (2018) compromised via transitive dependency. False sense of security. Audit full dependency tree: npm audit, pip-audit, cargo audit traverse transitives. Flag unmaintained packages at any depth. Review high-risk transitives (network access, filesystem writes).
Ignoring unused dependencies Bloats bundle size, increases attack surface, slows install times, creates maintenance burden for updates. Suggests code was deleted but package.json not cleaned up, indicating lax hygiene. Run dependency-cruiser or depcheck to identify unused. Remove immediately. Prevent via CI check that fails on unused deps. Enforce "delete code, delete dependency" discipline.
Accepting circular dependencies as inevitable Circular dependencies prevent module-level testing, complicate reasoning about data flow, block parallelization, and signal architectural coupling. Treating as normal discourages refactoring. Detect with madge or similar tools. Block new circulars in CI. Refactor existing: extract shared code to new module, apply dependency inversion, break into layers (domain/application/infrastructure).

Conclusion

Dependency management addresses the tension between leveraging ecosystem velocity and controlling software supply chain risk. Modern applications depend on hundreds or thousands of packages, creating attack surface and maintenance burden that manual review cannot scale to. This skill systematizes dependency analysis to surface the signals that matter: security vulnerabilities, version freshness, circular coupling, and unused bloat.

The skill's effectiveness comes from treating dependencies as a living system requiring continuous monitoring rather than one-time audits. Automated security scanning detects CVEs as they are disclosed, version freshness checks identify stale packages before vulnerabilities emerge, and circular dependency detection prevents architectural decay. The cross-skill coordination with security audits and code review integrates dependency health into broader quality gates rather than treating it as isolated infrastructure concern.

By providing ecosystem-specific tooling (npm/pip/cargo/go mod) and risk-stratified update strategies (security patches immediate, minor updates batched, major updates deliberate), the skill balances the conflicting goals of staying current and maintaining stability. The result is applications that leverage ecosystem innovation without accumulating hidden technical debt and security exposure in the dependency graph.