Skip to main content
hooksSource-backedReview first Safety Privacy

Dependency Update Checker - Hooks

Automatically checks for outdated dependencies and suggests updates with security analysis. This PostToolUse hook triggers when dependency manifest files (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pyproject.toml) are modified, providing real-time dependency health monitoring.

by JSONbored·added 2025-09-16·
HarnessClaude Code
Trigger:PostToolUse
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://docs.npmjs.com/cli/v8/commands/npm-audit, https://github.com/JSONbored/awesome-claude/blob/main/content/hooks/dependency-update-checker.mdx
Safety notes
Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling.
Privacy notes
Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output.
Author
JSONbored
Claim status
unclaimed
Last verified
2025-09-16

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

CLI install

Copy-ready — paste the snippet to get started.

Install command

Provided

Config snippet

Provided

Copy snippet

Provided

Prerequisites

None

Platforms

1 listed

Difficulty

0/100

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Safety & privacy surface

Safety & privacy surface

1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.

2 areas
  • SafetyPermissions & scopesRuns automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling.
  • PrivacyCredentials & tokensReceives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output.

Safety notes

  • Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling.

Privacy notes

  • Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output.

Schema details

Install type
cli
Reading time
1 min
Difficulty score
0
Troubleshooting
Yes
Breaking changes
No
Runtime and command metadata
Trigger
PostToolUse
Script language
bash
Script body
#!/usr/bin/env bash

# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')

if [ -z "$FILE_PATH" ]; then
  exit 0
fi

# Check if it's a dependency file
if [[ "$FILE_PATH" == *package.json ]] || [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *Gemfile ]] || [[ "$FILE_PATH" == *go.mod ]] || [[ "$FILE_PATH" == *Cargo.toml ]]; then
  echo "📦 Dependency file detected: $FILE_PATH" >&2
  
  # Node.js projects
  if [[ "$FILE_PATH" == *package.json ]]; then
    echo "🟢 Node.js project detected - checking dependencies..." >&2
    
    if command -v npm &> /dev/null; then
      echo "🔍 Running npm outdated check..." >&2
      OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")
      
      if [ "$OUTDATED_OUTPUT" = "No outdated packages" ]; then
        echo "✅ All npm packages are up to date" >&2
      else
        echo "📊 Found outdated npm packages:" >&2
        echo "$OUTDATED_OUTPUT" | head -10 >&2
        
        OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
        echo "📈 Total outdated packages: $OUTDATED_COUNT" >&2
      fi
      
      # Check for security vulnerabilities
      echo "🔒 Checking for security vulnerabilities..." >&2
      AUDIT_OUTPUT=$(npm audit --audit-level=moderate 2>&1)
      
      if echo "$AUDIT_OUTPUT" | grep -q "found 0 vulnerabilities"; then
        echo "✅ No security vulnerabilities found" >&2
      else
        VULN_COUNT=$(echo "$AUDIT_OUTPUT" | grep -o '[0-9]\+ vulnerabilities' | head -1 || echo "unknown vulnerabilities")
        echo "⚠️ Security audit found: $VULN_COUNT" >&2
        echo "💡 Run 'npm audit fix' to automatically fix vulnerabilities" >&2
      fi
      
      # Check for npm-check-updates availability
      if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
        echo "🔧 Running npm-check-updates for detailed analysis..." >&2
        NCU_OUTPUT=$(npx ncu 2>/dev/null | head -5)
        echo "$NCU_OUTPUT" >&2
      else
        echo "💡 Install npm-check-updates for better dependency analysis: npm install -g npm-check-updates" >&2
      fi
    else
      echo "⚠️ npm command not available" >&2
    fi
    
  # Python projects
  elif [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
    echo "🐍 Python project detected - checking dependencies..." >&2
    
    if command -v pip &> /dev/null; then
      echo "🔍 Checking for outdated Python packages..." >&2
      PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
      
      if [ "$PIP_OUTDATED" = "Unable to check outdated packages" ]; then
        echo "⚠️ Unable to check pip packages" >&2
      else
        OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
        if [ "$OUTDATED_COUNT" -gt 1 ]; then
          echo "📊 Found $OUTDATED_COUNT outdated Python packages" >&2
          echo "$PIP_OUTDATED" | head -5 >&2
        else
          echo "✅ All Python packages are up to date" >&2
        fi
      fi
      
      # Check for security issues with safety
      if command -v safety &> /dev/null; then
        echo "🔒 Running Safety security check..." >&2
        SAFETY_OUTPUT=$(safety check --json 2>/dev/null || safety check 2>/dev/null || echo "Safety check completed")
        
        if echo "$SAFETY_OUTPUT" | grep -q "No known security vulnerabilities"; then
          echo "✅ No known security vulnerabilities in Python dependencies" >&2
        else
          echo "⚠️ Safety scan found potential security issues" >&2
        fi
      else
        echo "💡 Install Safety for Python security scanning: pip install safety" >&2
      fi
    else
      echo "⚠️ pip command not available" >&2
    fi
    
  # Ruby projects
  elif [[ "$FILE_PATH" == *Gemfile ]]; then
    echo "💎 Ruby project detected - checking dependencies..." >&2
    
    if command -v bundle &> /dev/null; then
      echo "🔍 Checking for outdated Ruby gems..." >&2
      BUNDLE_OUTDATED=$(bundle outdated 2>/dev/null | head -10 || echo "Unable to check outdated gems")
      echo "$BUNDLE_OUTDATED" >&2
      
      # Check for security issues
      if bundle exec bundler-audit --version &> /dev/null; then
        echo "🔒 Running bundler-audit security check..." >&2
        BUNDLE_AUDIT=$(bundle exec bundler-audit check 2>&1 || echo "Bundle audit completed")
        
        if echo "$BUNDLE_AUDIT" | grep -q "No vulnerabilities found"; then
          echo "✅ No vulnerabilities found in Ruby gems" >&2
        else
          echo "⚠️ Bundle audit found potential issues" >&2
        fi
      else
        echo "💡 Install bundler-audit: gem install bundler-audit" >&2
      fi
    else
      echo "⚠️ bundle command not available" >&2
    fi
    
  # Go projects
  elif [[ "$FILE_PATH" == *go.mod ]]; then
    echo "🐹 Go project detected - checking dependencies..." >&2
    
    if command -v go &> /dev/null; then
      echo "🔍 Checking Go module dependencies..." >&2
      
      # List modules
      GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
      echo "$GO_LIST" >&2
      
      # Check for available updates
      OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
      if [ "$OUTDATED_MODULES" -gt 0 ]; then
        echo "📊 Found $OUTDATED_MODULES Go modules with available updates" >&2
        echo "💡 Run 'go get -u ./...' to update dependencies" >&2
      else
        echo "✅ All Go modules are up to date" >&2
      fi
    else
      echo "⚠️ go command not available" >&2
    fi
    
  # Rust projects
  elif [[ "$FILE_PATH" == *Cargo.toml ]]; then
    echo "🦀 Rust project detected - checking dependencies..." >&2
    
    if command -v cargo &> /dev/null; then
      # Check for outdated crates
      if cargo outdated --version &> /dev/null; then
        echo "🔍 Checking for outdated Rust crates..." >&2
        CARGO_OUTDATED=$(cargo outdated 2>/dev/null | head -10 || echo "Unable to check outdated crates")
        echo "$CARGO_OUTDATED" >&2
      else
        echo "💡 Install cargo-outdated: cargo install cargo-outdated" >&2
      fi
      
      # Security audit
      if cargo audit --version &> /dev/null; then
        echo "🔒 Running Rust security audit..." >&2
        CARGO_AUDIT=$(cargo audit 2>&1 || echo "Audit completed")
        
        if echo "$CARGO_AUDIT" | grep -q "Success No vulnerable packages found"; then
          echo "✅ No vulnerable crates found" >&2
        else
          echo "⚠️ Cargo audit found potential issues" >&2
        fi
      else
        echo "💡 Install cargo-audit: cargo install cargo-audit" >&2
      fi
    else
      echo "⚠️ cargo command not available" >&2
    fi
  fi
  
  # General recommendations
  echo "" >&2
  echo "📋 Dependency Update Best Practices:" >&2
  echo "   • Review changelogs before major version updates" >&2
  echo "   • Test thoroughly after dependency updates" >&2
  echo "   • Update security-critical packages immediately" >&2
  echo "   • Use lockfiles for reproducible builds" >&2
  
else
  echo "File $FILE_PATH is not a recognized dependency file, skipping analysis" >&2
fi

exit 0
Full copyable content
{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/dependency-update-checker.sh",
      "matchers": [
        "write",
        "edit"
      ]
    }
  }
}

About this resource

Features

  • Automated dependency analysis for multiple package managers (npm 10.x+, Yarn 4.x+, pip, Poetry, bundler, Go modules, Cargo) with automatic detection and package manager identification
  • Security vulnerability detection and reporting integrated with update checks using npm audit, pip-audit 2.9.0+, safety, cargo-audit, govulncheck, and bundler-audit
  • Categorized update recommendations (critical, major, minor, patch) with semver analysis and compatibility checks showing current vs latest versions
  • Breaking change warnings for major version updates with changelog references and migration guides for safe upgrade paths
  • Multi-language support (Node.js, Python, Ruby, Go, Rust) with package manager-specific update strategies and best practices
  • Detailed update strategy guidance with interactive selection (npm-check-updates -i), dry-run capabilities, and update impact analysis
  • Real-time monitoring during development with PostToolUse hook integration detecting dependency file changes automatically
  • Automated fix suggestions with npm audit fix, pip-audit --fix, and cargo update commands with compatibility verification

Use Cases

  • Automated dependency health monitoring during development providing real-time feedback when dependency files are modified
  • Security vulnerability detection in package updates identifying security issues in outdated dependencies before they become critical
  • CI/CD pipeline integration for dependency validation ensuring all dependencies are up-to-date and secure before deployment
  • Multi-language project dependency management supporting projects with multiple package managers simultaneously
  • Safe update strategy recommendations providing guidance on breaking changes and migration paths for major version updates
  • Development workflow optimization providing immediate dependency health feedback as packages are added or updated during active development

Installation

  1. Create hooks directory: mkdir -p .claude/hooks
  2. Create hook file: touch .claude/hooks/dependency-update-checker.sh
  3. Make executable: chmod +x .claude/hooks/dependency-update-checker.sh
  4. Add configuration from Hook Configuration section above to .claude/settings.json or ~/.claude/settings.json
  5. Alternative: Use the interactive /hooks command in Claude Code

Config paths

  • Local (not committed): .claude/settings.local.json
  • User settings (global): ~/.claude/settings.json
  • Project-wide (committed): .claude/settings.json

Requirements

  • Claude Code CLI installed
  • Project directory initialized
  • Bash shell available
  • Package manager: npm 10.x+, Yarn 4.x+, pip, Poetry, bundler, Go modules, or Cargo
  • Update tools: npm-check-updates (ncu), pip-audit 2.9.0+, safety, cargo-outdated, cargo-audit, govulncheck, or bundler-audit
  • jq JSON processor for parsing tool input and audit output

Hook Configuration

{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/dependency-update-checker.sh",
      "matchers": ["write", "edit"]
    }
  }
}

Hook Script

#!/usr/bin/env bash

# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')

if [ -z "$FILE_PATH" ]; then
  exit 0
fi

# Check if it's a dependency file
if [[ "$FILE_PATH" == *package.json ]] || [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *Gemfile ]] || [[ "$FILE_PATH" == *go.mod ]] || [[ "$FILE_PATH" == *Cargo.toml ]]; then
  echo "📦 Dependency file detected: $FILE_PATH" >&2

  # Node.js projects
  if [[ "$FILE_PATH" == *package.json ]]; then
    echo "🟢 Node.js project detected - checking dependencies..." >&2

    if command -v npm &> /dev/null; then
      echo "🔍 Running npm outdated check..." >&2
      OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")

      if [ "$OUTDATED_OUTPUT" = "No outdated packages" ]; then
        echo "✅ All npm packages are up to date" >&2
      else
        echo "📊 Found outdated npm packages:" >&2
        echo "$OUTDATED_OUTPUT" | head -10 >&2

        OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
        echo "📈 Total outdated packages: $OUTDATED_COUNT" >&2
      fi

      # Check for security vulnerabilities
      echo "🔒 Checking for security vulnerabilities..." >&2
      AUDIT_OUTPUT=$(npm audit --audit-level=moderate 2>&1)

      if echo "$AUDIT_OUTPUT" | grep -q "found 0 vulnerabilities"; then
        echo "✅ No security vulnerabilities found" >&2
      else
        VULN_COUNT=$(echo "$AUDIT_OUTPUT" | grep -o '[0-9]\+ vulnerabilities' | head -1 || echo "unknown vulnerabilities")
        echo "⚠️ Security audit found: $VULN_COUNT" >&2
        echo "💡 Run 'npm audit fix' to automatically fix vulnerabilities" >&2
      fi

      # Check for npm-check-updates availability
      if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
        echo "🔧 Running npm-check-updates for detailed analysis..." >&2
        NCU_OUTPUT=$(npx ncu 2>/dev/null | head -5)
        echo "$NCU_OUTPUT" >&2
      else
        echo "💡 Install npm-check-updates for better dependency analysis: npm install -g npm-check-updates" >&2
      fi
    else
      echo "⚠️ npm command not available" >&2
    fi

  # Python projects
  elif [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
    echo "🐍 Python project detected - checking dependencies..." >&2

    if command -v pip &> /dev/null; then
      echo "🔍 Checking for outdated Python packages..." >&2
      PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")

      if [ "$PIP_OUTDATED" = "Unable to check outdated packages" ]; then
        echo "⚠️ Unable to check pip packages" >&2
      else
        OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
        if [ "$OUTDATED_COUNT" -gt 1 ]; then
          echo "📊 Found $OUTDATED_COUNT outdated Python packages" >&2
          echo "$PIP_OUTDATED" | head -5 >&2
        else
          echo "✅ All Python packages are up to date" >&2
        fi
      fi

      # Check for security issues with safety
      if command -v safety &> /dev/null; then
        echo "🔒 Running Safety security check..." >&2
        SAFETY_OUTPUT=$(safety check --json 2>/dev/null || safety check 2>/dev/null || echo "Safety check completed")

        if echo "$SAFETY_OUTPUT" | grep -q "No known security vulnerabilities"; then
          echo "✅ No known security vulnerabilities in Python dependencies" >&2
        else
          echo "⚠️ Safety scan found potential security issues" >&2
        fi
      else
        echo "💡 Install Safety for Python security scanning: pip install safety" >&2
      fi
    else
      echo "⚠️ pip command not available" >&2
    fi

  # Ruby projects
  elif [[ "$FILE_PATH" == *Gemfile ]]; then
    echo "💎 Ruby project detected - checking dependencies..." >&2

    if command -v bundle &> /dev/null; then
      echo "🔍 Checking for outdated Ruby gems..." >&2
      BUNDLE_OUTDATED=$(bundle outdated 2>/dev/null | head -10 || echo "Unable to check outdated gems")
      echo "$BUNDLE_OUTDATED" >&2

      # Check for security issues
      if bundle exec bundler-audit --version &> /dev/null; then
        echo "🔒 Running bundler-audit security check..." >&2
        BUNDLE_AUDIT=$(bundle exec bundler-audit check 2>&1 || echo "Bundle audit completed")

        if echo "$BUNDLE_AUDIT" | grep -q "No vulnerabilities found"; then
          echo "✅ No vulnerabilities found in Ruby gems" >&2
        else
          echo "⚠️ Bundle audit found potential issues" >&2
        fi
      else
        echo "💡 Install bundler-audit: gem install bundler-audit" >&2
      fi
    else
      echo "⚠️ bundle command not available" >&2
    fi

  # Go projects
  elif [[ "$FILE_PATH" == *go.mod ]]; then
    echo "🐹 Go project detected - checking dependencies..." >&2

    if command -v go &> /dev/null; then
      echo "🔍 Checking Go module dependencies..." >&2

      # List modules
      GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
      echo "$GO_LIST" >&2

      # Check for available updates
      OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
      if [ "$OUTDATED_MODULES" -gt 0 ]; then
        echo "📊 Found $OUTDATED_MODULES Go modules with available updates" >&2
        echo "💡 Run 'go get -u ./...' to update dependencies" >&2
      else
        echo "✅ All Go modules are up to date" >&2
      fi
    else
      echo "⚠️ go command not available" >&2
    fi

  # Rust projects
  elif [[ "$FILE_PATH" == *Cargo.toml ]]; then
    echo "🦀 Rust project detected - checking dependencies..." >&2

    if command -v cargo &> /dev/null; then
      # Check for outdated crates
      if cargo outdated --version &> /dev/null; then
        echo "🔍 Checking for outdated Rust crates..." >&2
        CARGO_OUTDATED=$(cargo outdated 2>/dev/null | head -10 || echo "Unable to check outdated crates")
        echo "$CARGO_OUTDATED" >&2
      else
        echo "💡 Install cargo-outdated: cargo install cargo-outdated" >&2
      fi

      # Security audit
      if cargo audit --version &> /dev/null; then
        echo "🔒 Running Rust security audit..." >&2
        CARGO_AUDIT=$(cargo audit 2>&1 || echo "Audit completed")

        if echo "$CARGO_AUDIT" | grep -q "Success No vulnerable packages found"; then
          echo "✅ No vulnerable crates found" >&2
        else
          echo "⚠️ Cargo audit found potential issues" >&2
        fi
      else
        echo "💡 Install cargo-audit: cargo install cargo-audit" >&2
      fi
    else
      echo "⚠️ cargo command not available" >&2
    fi
  fi

  # General recommendations
  echo "" >&2
  echo "📋 Dependency Update Best Practices:" >&2
  echo "   • Review changelogs before major version updates" >&2
  echo "   • Test thoroughly after dependency updates" >&2
  echo "   • Update security-critical packages immediately" >&2
  echo "   • Use lockfiles for reproducible builds" >&2

else
  echo "File $FILE_PATH is not a recognized dependency file, skipping analysis" >&2
fi

exit 0

Examples

Dependency Update Checker Hook Script

Complete hook script that performs dependency update checking when dependency files are modified

#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
  exit 0
fi
if [[ "$FILE_PATH" == *package.json ]]; then
  echo "Node.js project detected - checking dependencies..." >&2
  if command -v npm &> /dev/null; then
    echo "Running npm outdated check..." >&2
    OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")
    if [ "$OUTDATED_OUTPUT" != "No outdated packages" ]; then
      OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
      echo "Found $OUTDATED_COUNT outdated npm packages" >&2
    fi
    if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
      echo "Running npm-check-updates for detailed analysis..." >&2
      npx ncu 2>/dev/null | head -5
    fi
  fi
fi
exit 0

Hook Configuration

Complete hook configuration for .claude/settings.json to enable dependency update checking on dependency file changes

{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/dependency-update-checker.sh",
      "matchers": ["write", "edit"]
    }
  }
}

Python Dependency Update Checker with pip-audit

Enhanced hook script for Python dependency update checking using pip-audit 2.9.0+

#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
  echo "Python project detected - checking dependencies..." >&2
  if command -v pip &> /dev/null; then
    PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
    if [ "$PIP_OUTDATED" != "Unable to check outdated packages" ]; then
      OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
      if [ "$OUTDATED_COUNT" -gt 1 ]; then
        echo "Found $OUTDATED_COUNT outdated Python packages" >&2
      fi
    fi
    if command -v pip-audit &> /dev/null; then
      echo "Running pip-audit for security and update analysis..." >&2
      pip-audit --format=json 2>/dev/null | jq '.' || pip-audit
    fi
  fi
fi
exit 0

Rust Dependency Update Checker with cargo-outdated

Enhanced hook script for Rust dependency update checking using cargo-outdated and cargo-audit

#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *Cargo.toml ]]; then
  echo "Rust project detected - checking dependencies..." >&2
  if command -v cargo &> /dev/null; then
    if cargo outdated --version &> /dev/null; then
      echo "Checking for outdated Rust crates..." >&2
      cargo outdated 2>/dev/null | head -10
    else
      echo "Install cargo-outdated: cargo install cargo-outdated" >&2
    fi
    if cargo audit --version &> /dev/null; then
      echo "Running Rust security audit..." >&2
      cargo audit 2>&1 || echo "Audit completed"
    fi
  fi
fi
exit 0

Go Dependency Update Checker with govulncheck

Enhanced hook script for Go dependency update checking using govulncheck

#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *go.mod ]]; then
  echo "Go project detected - checking dependencies..." >&2
  if command -v go &> /dev/null; then
    echo "Checking Go module dependencies..." >&2
    GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
    OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
    if [ "$OUTDATED_MODULES" -gt 0 ]; then
      echo "Found $OUTDATED_MODULES Go modules with available updates" >&2
      echo "Run 'go get -u ./...' to update dependencies" >&2
    fi
    if command -v govulncheck &> /dev/null; then
      echo "Running govulncheck for security analysis..." >&2
      govulncheck ./... 2>/dev/null || echo "No vulnerabilities detected"
    fi
  fi
fi
exit 0

Troubleshooting

Hook triggers on every file write but only dependency files should activate it

Verify matchers array includes only write and edit tools. Add file path validation in script header to exit early when FILE_PATH does not match dependency file patterns (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml). Use explicit file extension checks for better accuracy.

npm outdated command returns empty output despite outdated packages existing

Run npm update --dry-run instead of npm outdated to see available updates. Check npm cache with npm cache verify and clear if corrupted using npm cache clean --force. Verify package-lock.json exists and is up to date. Use npm-check-updates (ncu) for more reliable results: npx ncu.

Hook execution floods stderr with security warnings during rapid file edits

Add debouncing by storing last check timestamp in temp file: .claude/.last-dependency-check. Skip audit if less than 5 minutes elapsed since previous check to reduce noise during active development sessions. Use file modification time comparison to avoid redundant checks.

jq command not found error prevents hook from parsing tool input JSON

Install jq JSON processor using package manager: brew install jq on macOS, apt-get install jq on Ubuntu/Debian, yum install jq on RHEL/CentOS. Verify installation with jq --version before testing hook again. Consider using Python json module as fallback if jq unavailable.

Python safety check fails in virtual environments with permission errors

Activate correct virtual environment before running hook or detect venv using VIRTUAL_ENV variable. Install safety in project venv rather than globally: pip install safety within activated environment. Consider using pip-audit 2.9.0+ as alternative with better virtual environment support.

npm-check-updates (ncu) not found despite npm installation

Install npm-check-updates globally: npm install -g npm-check-updates or use npx: npx npm-check-updates. Verify installation: ncu --version. Check npm global bin path is in PATH. Use npx ncu for one-time execution without global installation.

cargo-outdated fails with index update errors in CI

Pre-update cargo registry index: cargo update in CI setup. Use offline mode if network restricted. Cache cargo registry between runs. Check firewall rules for crates.io access. Verify cargo-outdated is installed: cargo install cargo-outdated. Ensure Rust toolchain is properly configured.

Go module update check shows incorrect version information

Ensure go.mod and go.sum are up to date: go mod tidy. Verify Go version is 1.18+ for reliable module updates. Use go list -m -u all for accurate update information. Check module proxy settings: go env GOPROXY. Verify network connectivity to Go module proxy.

Source citations

Add this badge to your README

Show that Dependency Update Checker - Hooks is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/hooks/dependency-update-checker.svg)](https://heyclau.de/entry/hooks/dependency-update-checker)

How it compares

Dependency Update Checker - Hooks side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

1 trust signal differ across this comparison (Submitter).

Field

Automatically checks for outdated dependencies and suggests updates with security analysis. This PostToolUse hook triggers when dependency manifest files (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pyproject.toml) are modified, providing real-time dependency health monitoring.

Open dossier

A Stop hook that runs npm audit, pip-audit, safety, or bundler-audit automatically at the end of every Claude Code session, detecting CVEs and outdated packages across Node.js, Python, and Ruby projects.

Open dossier

Scans for security vulnerabilities when package.json or requirements.txt files are modified.

Open dossier

PostToolUse hook that inspects an edited npm package-lock.json for supply-chain provenance risk rather than known CVEs — dependencies resolved from outside the public npm registry (git, alternate-registry, or insecure transports) and registry tarballs missing an integrity hash.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
SubmitterDifferstechforgeworks
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryhookshookshookshooks
Sourcesource-backedsource-backedsource-backedsource-backed
AuthorJSONboredJSONboredJSONboredtechforgeworks
Added2025-09-162025-09-192025-09-192026-06-04
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesRuns automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling.Runs automatically at session end and invokes local package-manager audit tools when dependency lockfiles are present. May contact package registries or vulnerability advisory services through npm, yarn, safety, pip, or bundler-audit. Writes a timestamped security-audit log in the current working directory.Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling.Runs after every Write, Edit, and MultiEdit and inspects only npm package-lock.json or npm-shrinkwrap.json content; for yarn.lock and pnpm-lock.yaml it prints a one-line reminder to run lockfile-lint. Read-only and advisory - it parses the lockfile JSON, never installs packages, runs npm, or makes a network call, and always exits 0. Uses the resolved-URL and integrity fields to flag provenance risk (sources outside the public registry, missing integrity); it does not assess known vulnerabilities, so pair it with an audit tool.
Privacy notesReceives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output.Reads dependency manifests and lockfiles to identify package managers and audit targets. The generated audit log may include package names, versions, vulnerability identifiers, and remediation output. External audit tools may send package metadata to their configured registries or advisory services.Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output.Reads only the local lockfile from disk; it makes no network or registry calls. Prints dependency paths and their resolved URLs to local hook stderr; it writes no logs. Resolved URLs shown in output may include internal registry or git host names if your project depends on them.
Prerequisites— none listed— none listed— none listed
  • Claude Code CLI with hooks enabled.
  • bash and jq on PATH; the hook fails open and stays silent when jq is missing.
Install
mkdir -p .claude/hooks && touch .claude/hooks/dependency-update-checker.sh && chmod +x .claude/hooks/dependency-update-checker.sh
mkdir -p .claude/hooks && touch .claude/hooks/dependency-security-audit-on-stop.sh && chmod +x .claude/hooks/dependency-security-audit-on-stop.sh
mkdir -p .claude/hooks && touch .claude/hooks/package-vulnerability-scanner.sh && chmod +x .claude/hooks/package-vulnerability-scanner.sh
mkdir -p .claude/hooks && touch .claude/hooks/lockfile-provenance-checker.sh && chmod +x .claude/hooks/lockfile-provenance-checker.sh
Config
{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/dependency-update-checker.sh",
      "matchers": [
        "write",
        "edit"
      ]
    }
  }
}
{
  "hooks": {
    "stop": {
      "script": "./.claude/hooks/dependency-security-audit-on-stop.sh"
    }
  }
}
{
  "hooks": {
    "postToolUse": {
      "script": "./.claude/hooks/package-vulnerability-scanner.sh",
      "matchers": [
        "write",
        "edit"
      ]
    }
  }
}
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/lockfile-provenance-checker.sh"
          }
        ]
      }
    ]
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.