Stats
Actions
Available In
Tags
Plugin
dep-guard
Dependency guardian — intercepts package installs to enforce latest versions and block vulnerable packages. Supports npm, pip, and composer. Hard-blocks when offline or scans unavailable.
What's Inside
Slash Commands2
README
Dep Guard
Dependency security for Claude Code — automatically intercepts package install commands to enforce latest versions and block vulnerable packages before they reach your project.
What It Does
Every time Claude runs a package install command, dep-guard intercepts it and:
- Checks registry connectivity — hard-blocks if offline (can't verify = can't install)
- Resolves latest versions — detects outdated version requests and suggests upgrades
- Scans for vulnerabilities — queries OSV.dev for known CVEs
| Condition | Action |
|---|---|
| Registry offline | BLOCK — can't verify safety |
| Critical/High vulnerability | BLOCK — suggests alternatives |
| Medium vulnerability | WARN — allows with warning |
| Outdated version requested | BLOCK — provides corrected command |
| No issues found | ALLOW |
Supported Ecosystems
| Ecosystem | Install Commands | Registry |
|---|---|---|
| npm | npm install, npm i, npm add | npmjs.org |
| yarn | yarn add | npmjs.org |
| pnpm | pnpm add, pnpm install | npmjs.org |
| bun | bun add, bun install | npmjs.org |
| pip | pip install, pip3 install, uv add, uv pip install | pypi.org |
| composer | composer require | packagist.org |
Lockfile-only installs (npm ci, bare yarn, bare pnpm install, pip install -r requirements.txt, etc.) are skipped — no new packages means no checks needed.
Examples
Vulnerable package blocked
> npm install [email protected]
============================================================
BLOCKED: High/Critical vulnerabilities detected
============================================================
[HIGH] event-stream: GHSA-xxx-xxx
Malicious dependency injection via flatmap-stream
============================================================
Outdated version upgraded
> npm install [email protected]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERSION UPGRADE: Installing latest versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
express: 4.17.0 -> 5.1.0
Updated command: npm install [email protected]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BLOCKED: Outdated versions requested. Use this command instead:
npm install [email protected]
Clean install allowed
> pnpm add zod
✓ Registry online
✓ Latest version: 3.24.4
✓ No vulnerabilities found
Commands
/dep-guard:dep-check [package]— Check a specific package for vulnerabilities before installing/dep-guard:dep-audit [--fix]— Audit all installed dependencies in the current project
Installation
Add to your project's .claude/settings.json:
{
"extraKnownMarketplaces": {
"iwritec0de-plugins": {
"source": { "source": "github", "repo": "iwritec0de/claude-plugin-marketplace" }
}
},
"enabledPlugins": {
"dep-guard@iwritec0de-plugins": true
}
}
Logs
Debug logs are written to /tmp/dep-guard.log for troubleshooting.
License
MIT
Stats
Version1.0.0
LanguagePython
Stars1
MaintenanceGood
LicenseMIT
Last Commit
Added
Available In
Safety Signals
Caution
Executes bash commands
Hook triggers when Bash tool is used
Tags
Categories
