How Claude Code /deps-check Finds CVEs Before They Hit Production
Every week, security researchers publish new CVEs. Every week, production systems get breached because someone didn't update a dependency in time. The gap between "vulnerability disclosed" and "team patches it" is where most supply chain attacks live.
The problem isn't that developers don't care — it's that manual dependency auditing is slow, noisy, and easy to skip under deadline pressure.
This is where /deps-check, a custom Claude Code skill from the Security Pack, changes the workflow.
How /deps-check Works
/deps-check scans your project's dependency manifests (package.json, requirements.txt, Cargo.toml, go.mod) and cross-references each package version against known CVE databases (NVD, OSV, GitHub Advisory Database).
Unlike raw npm audit output, /deps-check adds an AI-assisted triage layer:
- Severity scoring in context: It considers whether your code actually calls the vulnerable function, not just whether the package is installed.
- Fix priority ranking: Critical vulnerabilities with available patches are surfaced first.
- Upgrade path suggestions: For each vulnerability, it suggests the minimum safe version and flags breaking-change risk.
The skill is invoked with a single command inside Claude Code:
/deps-check
No flags, no configuration. It auto-detects your manifest files and runs.
Example: Node.js Project with a Critical CVE
Say you have a project with [email protected] in package.json. Here's the kind of output you'd see:
/deps-check results — 2024-01-15
📦 Scanned: package.json (47 dependencies, 12 dev)
🔴 CRITICAL (1)
[email protected] — CVE-2021-23337 (CVSS 7.2)
Prototype pollution via _.zipObjectDeep()
Your code calls _.merge() in src/utils/merge.js:34
→ Upgrade to [email protected] (non-breaking)
🟡 HIGH (2)
[email protected] — CVE-2021-3749 (CVSS 7.5)
ReDoS via malformed HTTP headers
→ Upgrade to [email protected]
[email protected] — CVE-2021-44906 (CVSS 9.8)
Prototype pollution (not called directly, transitive dep of mocha)
→ npm audit fix --force (check for mocha breaking changes)
🟢 LOW (3) — skipped (no direct usage detected)
Estimated fix time: ~15 minutes
Three things stand out here: the triage explains how your code is exposed, flags transitive dependencies separately, and gives a time estimate. That last line matters — it turns "security review" from an open-ended task into a bounded one.
Example: Python Project
For a requirements.txt with Pillow==9.0.0:
/deps-check results — Python project
📦 Scanned: requirements.txt (23 packages)
🔴 CRITICAL (1)
Pillow==9.0.0 — CVE-2023-44271 (CVSS 7.5)
Uncontrolled resource consumption via crafted TIFF files
Used in: src/image_processor.py (accepts user uploads)
Risk elevated: user-supplied input path detected
→ Upgrade to Pillow==10.0.1
🟡 HIGH (0)
🟠 MEDIUM (2) — transitive, no direct call path detected
Action required: 1 package
The key line is "user-supplied input path detected." /deps-check doesn't just report the CVE; it checks your code for whether untrusted input reaches the vulnerable function. That contextual analysis is what separates it from a plain version-comparison tool.
Integration with GitHub Actions
You can run /deps-check as part of your CI pipeline. Here's a minimal GitHub Actions workflow:
name: Dependency Security Check
on:
push:
paths:
- 'package.json'
- 'requirements.txt'
- 'Cargo.toml'
schedule:
- cron: '0 9 * * 1' # Every Monday 09:00 UTC
jobs:
deps-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Claude Code CLI
run: npm install -g @anthropic-ai/claude-code
- name: Run /deps-check
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
claude -p "/deps-check" --output-format json > deps-report.json
- name: Fail on critical CVEs
run: |
CRITICAL=$(jq '.critical_count' deps-report.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "::error::$CRITICAL critical CVE(s) found. See deps-report.json"
exit 1
fi
- name: Upload report
uses: actions/upload-artifact@v4
with:
name: deps-security-report
path: deps-report.json
The scheduled Monday run catches vulnerabilities disclosed over the weekend — a window when many teams aren't actively watching their dependency feeds.
How /deps-check Compares to npm audit and safety
| Feature | npm audit | safety (Python) | /deps-check |
|---|---|---|---|
| CVE database | npm advisory | PyPI/NVD | NVD + OSV + GitHub Advisory |
| Contextual triage | No | No | Yes — checks call paths |
| Breaking-change warning | Partial | No | Yes |
| Multi-ecosystem | No | No | Yes (Node/Python/Rust/Go) |
| AI-assisted prioritization | No | No | Yes |
| Output format | JSON/text | JSON/text | Human-readable + JSON |
The core differentiator is AI-assisted triage. npm audit tells you "this package has a CVE." /deps-check tells you "this CVE matters for your specific codebase because your code calls the vulnerable function via this path, and here's the fix."
For teams running npm audit in CI and ignoring 80% of the output because it's all transitive noise — that's the problem /deps-check solves.
Get the Security Pack
/deps-check is one of three skills in the Security Pack, available on PromptWorks:
- /security-audit — Full OWASP Top 10 scan of your project
- /secret-scanner — Detects hardcoded API keys, tokens, and credentials
- /deps-check — CVE triage with call-path analysis (this article)
Security Pack ¥1,480 → https://prompt-works.jp
If you want just the review and refactor tooling without the security focus, the Code Review Pack (¥980) covers /code-review, /refactor-suggest, and /test-gen.
Both packs ship as SKILL.md files in a ZIP. Extract to .claude/skills/ and the commands are live in Claude Code immediately.
Built by みょうが (@myougatheaxo) — security-focused Claude Code engineer.