How Claude Code's /deps-check Command Catches CVEs Before They Reach Production
Supply chain attacks don't happen because developers are careless. They happen because the window between a CVE disclosure and an actual patch is filled with noise, competing priorities, and tools that cry wolf too often. When npm audit returns 47 warnings and 38 of them are transitive dependencies your code never touches, the instinct is to close the terminal and ship the feature.
What /deps-check actually does differently
/deps-check is a custom Claude Code skill from the Security Pack, built to close that gap between "vulnerability exists" and "vulnerability matters to your project." It scans dependency manifests across ecosystems — package.json, requirements.txt, Cargo.toml, go.mod — and cross-references each package version against NVD, OSV, and the GitHub Advisory Database.
The part that separates it from existing tooling is call-path analysis. Rather than flagging every package that carries a CVE, it checks whether your code actually reaches the vulnerable function. A prototype pollution vulnerability in a transitive dependency of your test runner has a very different risk profile from the same vulnerability in a library your API handler calls directly with user-supplied input. /deps-check treats them differently.
The output reflects that distinction. Critical vulnerabilities with available patches surface first, each with a suggested minimum safe version and a flag for breaking-change risk. Low-severity findings with no detected call path get grouped and deprioritized. The report also includes a time estimate for remediation — which sounds minor until you realize it's what turns "we should do a security review" from a vague backlog item into a scoped task.
Two real-world output examples worth examining
For a Node.js project carrying lodash@4.17.15, the tool identifies CVE-2021-23337 (CVSS 7.2, prototype pollution via _.zipObjectDeep()), then goes further: it traces a call to _.merge() from src/utils/merge.js at line 34, and confirms the upgrade to lodash@4.17.21 is non-breaking. A separate high-severity finding for minimist gets flagged as a transitive dependency of mocha: same CVE class, but handled differently because the exposure path is different.
The Python example is more instructive. Pillow==9.0.0 carries CVE-2023-44271, an uncontrolled resource consumption issue triggered by crafted TIFF files. The tool doesn't just report the CVE — it detects that the vulnerable function is called from src/image_processor.py, which accepts user uploads, and elevates the risk rating accordingly. "User-supplied input path detected" is the kind of contextual signal that plain version-comparison tools simply don't produce.
Why this matters for teams running security checks in CI
The comparison against npm audit and Python's safety tool is straightforward on paper: neither performs contextual triage, neither warns about breaking changes, and neither covers multiple ecosystems in a single pass. But the practical implication runs deeper than a feature matrix.
Teams that run npm audit in CI and routinely suppress or ignore the output aren't being negligent — they're responding rationally to a tool that produces too much noise to act on. When every PR triggers a wall of transitive dependency warnings, the signal gets buried. The result is that genuinely critical vulnerabilities sit unpatched not because no one ran the audit, but because the audit output trained everyone to tune it out.
The GitHub Actions integration reinforces this. The workflow triggers on manifest file changes and on a Monday morning schedule — specifically to catch CVEs disclosed over the weekend, when most teams aren't watching advisory feeds. The pipeline fails on critical findings and uploads the full JSON report as an artifact, giving security-conscious teams a reviewable paper trail without requiring manual intervention on every run.
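To make the triage model from the earlier sections and the fail-on-critical gate from this one concrete, here is an added Python sketch. It is not the /deps-check implementation or any code from the Security Pack; the manifests, source files, lock-file edge and advisory feed are all constructed inline, the advisory IDs are placeholders rather than real CVEs, and the "reachability" and "user input" checks are deliberately grep-level stand-ins for the real call-path analysis the article describes. It parses a requirements.txt and a package.json, matches installed versions against advisories, looks for a call site of the vulnerable symbol, ranks reachable and user-facing findings first, and returns a CI exit code that fails only on reachable findings at or above a CVSS threshold.

```python
"""Added illustration of contextual dependency triage with a CI gate (not the
/deps-check implementation). Every input below is constructed for the demo."""
import json
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# constructed manifests (direct dependencies) and one lock-file edge (transitive)
REQUIREMENTS_TXT = "# constructed\nimagelib==9.0.0\ntablefmt==2.1.0\n"
PACKAGE_JSON = json.dumps({"dependencies": {"deepmerge-lib": "^4.17.15"},
                           "devDependencies": {"testrunner": "^8.0.0"}})
TRANSITIVE = {"argparse-lite": ("1.2.5", "testrunner")}  # pkg -> (version, parent)
# constructed application source, keyed by path
SOURCES = {
    "src/image_processor.py": ("import imagelib\n\ndef handle_upload(request):\n"
                               "    data = request.files['photo']\n"
                               "    return imagelib.open_tiff(data)\n"),
    "src/utils/merge.js": ("const lib = require('deepmerge-lib');\n"
                           "module.exports = (a, b) => lib.merge(a, b);\n"),
}
# constructed advisory feed: placeholder IDs (not real CVEs), vulnerable symbol, first fixed version
ADVISORIES = [
    {"id": "EXAMPLE-0001", "pkg": "imagelib", "fixed": "9.5.0", "cvss": 7.5, "symbol": "open_tiff"},
    {"id": "EXAMPLE-0002", "pkg": "deepmerge-lib", "fixed": "4.17.21", "cvss": 7.2, "symbol": "merge"},
    {"id": "EXAMPLE-0003", "pkg": "argparse-lite", "fixed": "1.2.6", "cvss": 5.6, "symbol": "parse"},
    {"id": "EXAMPLE-0004", "pkg": "tablefmt", "fixed": "3.0.0", "cvss": 3.1, "symbol": "render"},
]

def parse_version(spec):
    """'^4.17.15' -> (4, 17, 15): range prefix stripped, first three numbers kept."""
    return tuple(int(x) for x in re.findall(r"\d+", spec)[:3])

def parse_requirements(text):
    pins = (ln.split("#", 1)[0].strip().split("==", 1) for ln in text.splitlines())
    return {n.strip().lower(): v.strip() for n, v in (p for p in pins if len(p) == 2)}

def parse_package_json(text):
    data = json.loads(text)
    return {name: spec for section in ("dependencies", "devDependencies")
            for name, spec in data.get(section, {}).items()}

def call_sites(pkg, symbol, sources):
    """(path, line) of each `.symbol(` call in a file naming pkg; a grep-level stand-in."""
    pat = re.compile(r"\." + re.escape(symbol) + r"\(")
    return [(path, n) for path, text in sources.items() if pkg in text
            for n, line in enumerate(text.splitlines(), 1) if pat.search(line)]

@dataclass
class Finding:
    advisory: str
    package: str
    installed: str
    fixed: str
    cvss: float
    via: Optional[str]              # None for a direct dependency
    sites: list = field(default_factory=list)
    user_input: bool = False        # a call-site file handles a request object (heuristic)
    breaking: bool = False          # the fix crosses a major version

def triage(direct_deps, transitive, sources, advisories):
    installed = {p: (v, None) for p, v in direct_deps.items()}
    installed.update(transitive)
    findings = []
    for adv in advisories:
        ver, via = installed.get(adv["pkg"], (None, None))
        if ver is None or parse_version(ver) >= parse_version(adv["fixed"]):
            continue                 # not installed, or already at the fixed version
        sites = call_sites(adv["pkg"], adv["symbol"], sources)
        findings.append(Finding(
            adv["id"], adv["pkg"], ver, adv["fixed"], adv["cvss"], via, sites,
            user_input=any("request" in sources[p] for p, _ in sites),
            breaking=parse_version(ver)[0] != parse_version(adv["fixed"])[0]))
    # reachable and user-facing findings first, then by CVSS; unreachable last
    return sorted(findings, key=lambda f: (bool(f.sites), f.user_input, f.cvss), reverse=True)

def ci_exit_code(findings, critical_cvss=7.0):
    """Fail the pipeline (1) only on reachable findings at or above the threshold."""
    return int(any(f.sites and f.cvss >= critical_cvss for f in findings))

def run():
    deps = {**parse_requirements(REQUIREMENTS_TXT), **parse_package_json(PACKAGE_JSON)}
    return triage(deps, TRANSITIVE, SOURCES, ADVISORIES)

if __name__ == "__main__":
    results = run()
    for f in results:
        where = ", ".join(f"{p}:{n}" for p, n in f.sites) or "no call path found"
        print(f"{f.advisory} {f.package}@{f.installed} -> {f.fixed} CVSS {f.cvss}; "
              f"{'via ' + f.via if f.via else 'direct'}; {where}"
              f"{'; USER INPUT' if f.user_input else ''}{'; BREAKING' if f.breaking else ''}")
    with open("deps-report.json", "w") as fh:      # the reviewable artifact for CI
        json.dump([vars(f) for f in results], fh, indent=2)
    sys.exit(ci_exit_code(results))
```

Run stand-alone, it prints the four constructed findings in priority order: the reachable, user-facing one first, the reachable direct one second, and the two with no call path last, with the transitive one attributed to its parent. The exit code is 1 because a reachable finding sits at or above CVSS 7.0, while the unreachable transitive one does not fail the build on its own. The substring and regex checks are the weak point of this sketch: real call-path analysis needs the import graph, aliasing and dynamic dispatch to avoid both missing a reachable call and flagging one that never executes, which is exactly the work that separates contextual triage from version comparison.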
Availability and what else ships in the pack
/deps-check is one of three skills in the Security Pack, available at https://prompt-works.jp for ¥1,480. The other two are /security-audit for OWASP Top 10 scanning and /secret-scanner for detecting hardcoded credentials. A separate Code Review Pack (¥980) covers /code-review, /refactor-suggest, and /test-gen for teams whose primary need is code quality rather than security posture. Both packs ship as SKILL.md files — extract to .claude/skills/ and the commands are available in Claude Code immediately.
The tool was built by @myougatheaxo, a security-focused Claude Code engineer.
The underlying problem — that vulnerability disclosure outpaces patching cycles — isn't going away. But a tool that filters signal from noise and tells you specifically why a CVE matters for your codebase makes the gap a lot easier to close before someone else closes it for you.