Install command
Provided
Automatically checks for outdated dependencies and suggests updates with security analysis. This PostToolUse hook triggers when dependency manifest files (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pyproject.toml) are modified, providing real-time dependency health monitoring.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
0/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if it's a dependency file
if [[ "$FILE_PATH" == *package.json ]] || [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *Gemfile ]] || [[ "$FILE_PATH" == *go.mod ]] || [[ "$FILE_PATH" == *Cargo.toml ]]; then
echo "📦 Dependency file detected: $FILE_PATH" >&2
# Node.js projects
if [[ "$FILE_PATH" == *package.json ]]; then
echo "🟢 Node.js project detected - checking dependencies..." >&2
if command -v npm &> /dev/null; then
echo "🔍 Running npm outdated check..." >&2
OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")
if [ "$OUTDATED_OUTPUT" = "No outdated packages" ]; then
echo "✅ All npm packages are up to date" >&2
else
echo "📊 Found outdated npm packages:" >&2
echo "$OUTDATED_OUTPUT" | head -10 >&2
OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
echo "📈 Total outdated packages: $OUTDATED_COUNT" >&2
fi
# Check for security vulnerabilities
echo "🔒 Checking for security vulnerabilities..." >&2
AUDIT_OUTPUT=$(npm audit --audit-level=moderate 2>&1)
if echo "$AUDIT_OUTPUT" | grep -q "found 0 vulnerabilities"; then
echo "✅ No security vulnerabilities found" >&2
else
VULN_COUNT=$(echo "$AUDIT_OUTPUT" | grep -o '[0-9]\+ vulnerabilities' | head -1 || echo "unknown vulnerabilities")
echo "⚠️ Security audit found: $VULN_COUNT" >&2
echo "💡 Run 'npm audit fix' to automatically fix vulnerabilities" >&2
fi
# Check for npm-check-updates availability
if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
echo "🔧 Running npm-check-updates for detailed analysis..." >&2
NCU_OUTPUT=$(npx ncu 2>/dev/null | head -5)
echo "$NCU_OUTPUT" >&2
else
echo "💡 Install npm-check-updates for better dependency analysis: npm install -g npm-check-updates" >&2
fi
else
echo "⚠️ npm command not available" >&2
fi
# Python projects
elif [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
echo "🐍 Python project detected - checking dependencies..." >&2
if command -v pip &> /dev/null; then
echo "🔍 Checking for outdated Python packages..." >&2
PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
if [ "$PIP_OUTDATED" = "Unable to check outdated packages" ]; then
echo "⚠️ Unable to check pip packages" >&2
else
OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
if [ "$OUTDATED_COUNT" -gt 1 ]; then
echo "📊 Found $OUTDATED_COUNT outdated Python packages" >&2
echo "$PIP_OUTDATED" | head -5 >&2
else
echo "✅ All Python packages are up to date" >&2
fi
fi
# Check for security issues with safety
if command -v safety &> /dev/null; then
echo "🔒 Running Safety security check..." >&2
SAFETY_OUTPUT=$(safety check --json 2>/dev/null || safety check 2>/dev/null || echo "Safety check completed")
if echo "$SAFETY_OUTPUT" | grep -q "No known security vulnerabilities"; then
echo "✅ No known security vulnerabilities in Python dependencies" >&2
else
echo "⚠️ Safety scan found potential security issues" >&2
fi
else
echo "💡 Install Safety for Python security scanning: pip install safety" >&2
fi
else
echo "⚠️ pip command not available" >&2
fi
# Ruby projects
elif [[ "$FILE_PATH" == *Gemfile ]]; then
echo "💎 Ruby project detected - checking dependencies..." >&2
if command -v bundle &> /dev/null; then
echo "🔍 Checking for outdated Ruby gems..." >&2
BUNDLE_OUTDATED=$(bundle outdated 2>/dev/null | head -10 || echo "Unable to check outdated gems")
echo "$BUNDLE_OUTDATED" >&2
# Check for security issues
if bundle exec bundler-audit --version &> /dev/null; then
echo "🔒 Running bundler-audit security check..." >&2
BUNDLE_AUDIT=$(bundle exec bundler-audit check 2>&1 || echo "Bundle audit completed")
if echo "$BUNDLE_AUDIT" | grep -q "No vulnerabilities found"; then
echo "✅ No vulnerabilities found in Ruby gems" >&2
else
echo "⚠️ Bundle audit found potential issues" >&2
fi
else
echo "💡 Install bundler-audit: gem install bundler-audit" >&2
fi
else
echo "⚠️ bundle command not available" >&2
fi
# Go projects
elif [[ "$FILE_PATH" == *go.mod ]]; then
echo "🐹 Go project detected - checking dependencies..." >&2
if command -v go &> /dev/null; then
echo "🔍 Checking Go module dependencies..." >&2
# List modules
GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
echo "$GO_LIST" >&2
# Check for available updates
OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
if [ "$OUTDATED_MODULES" -gt 0 ]; then
echo "📊 Found $OUTDATED_MODULES Go modules with available updates" >&2
echo "💡 Run 'go get -u ./...' to update dependencies" >&2
else
echo "✅ All Go modules are up to date" >&2
fi
else
echo "⚠️ go command not available" >&2
fi
# Rust projects
elif [[ "$FILE_PATH" == *Cargo.toml ]]; then
echo "🦀 Rust project detected - checking dependencies..." >&2
if command -v cargo &> /dev/null; then
# Check for outdated crates
if cargo outdated --version &> /dev/null; then
echo "🔍 Checking for outdated Rust crates..." >&2
CARGO_OUTDATED=$(cargo outdated 2>/dev/null | head -10 || echo "Unable to check outdated crates")
echo "$CARGO_OUTDATED" >&2
else
echo "💡 Install cargo-outdated: cargo install cargo-outdated" >&2
fi
# Security audit
if cargo audit --version &> /dev/null; then
echo "🔒 Running Rust security audit..." >&2
CARGO_AUDIT=$(cargo audit 2>&1 || echo "Audit completed")
if echo "$CARGO_AUDIT" | grep -q "Success No vulnerable packages found"; then
echo "✅ No vulnerable crates found" >&2
else
echo "⚠️ Cargo audit found potential issues" >&2
fi
else
echo "💡 Install cargo-audit: cargo install cargo-audit" >&2
fi
else
echo "⚠️ cargo command not available" >&2
fi
fi
# General recommendations
echo "" >&2
echo "📋 Dependency Update Best Practices:" >&2
echo " • Review changelogs before major version updates" >&2
echo " • Test thoroughly after dependency updates" >&2
echo " • Update security-critical packages immediately" >&2
echo " • Use lockfiles for reproducible builds" >&2
else
echo "File $FILE_PATH is not a recognized dependency file, skipping analysis" >&2
fi
exit 0{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/dependency-update-checker.sh",
"matchers": [
"write",
"edit"
]
}
}
}.claude/settings.local.json~/.claude/settings.json.claude/settings.json{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/dependency-update-checker.sh",
"matchers": ["write", "edit"]
}
}
}
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Check if it's a dependency file
if [[ "$FILE_PATH" == *package.json ]] || [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *Gemfile ]] || [[ "$FILE_PATH" == *go.mod ]] || [[ "$FILE_PATH" == *Cargo.toml ]]; then
echo "📦 Dependency file detected: $FILE_PATH" >&2
# Node.js projects
if [[ "$FILE_PATH" == *package.json ]]; then
echo "🟢 Node.js project detected - checking dependencies..." >&2
if command -v npm &> /dev/null; then
echo "🔍 Running npm outdated check..." >&2
OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")
if [ "$OUTDATED_OUTPUT" = "No outdated packages" ]; then
echo "✅ All npm packages are up to date" >&2
else
echo "📊 Found outdated npm packages:" >&2
echo "$OUTDATED_OUTPUT" | head -10 >&2
OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
echo "📈 Total outdated packages: $OUTDATED_COUNT" >&2
fi
# Check for security vulnerabilities
echo "🔒 Checking for security vulnerabilities..." >&2
AUDIT_OUTPUT=$(npm audit --audit-level=moderate 2>&1)
if echo "$AUDIT_OUTPUT" | grep -q "found 0 vulnerabilities"; then
echo "✅ No security vulnerabilities found" >&2
else
VULN_COUNT=$(echo "$AUDIT_OUTPUT" | grep -o '[0-9]\+ vulnerabilities' | head -1 || echo "unknown vulnerabilities")
echo "⚠️ Security audit found: $VULN_COUNT" >&2
echo "💡 Run 'npm audit fix' to automatically fix vulnerabilities" >&2
fi
# Check for npm-check-updates availability
if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
echo "🔧 Running npm-check-updates for detailed analysis..." >&2
NCU_OUTPUT=$(npx ncu 2>/dev/null | head -5)
echo "$NCU_OUTPUT" >&2
else
echo "💡 Install npm-check-updates for better dependency analysis: npm install -g npm-check-updates" >&2
fi
else
echo "⚠️ npm command not available" >&2
fi
# Python projects
elif [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
echo "🐍 Python project detected - checking dependencies..." >&2
if command -v pip &> /dev/null; then
echo "🔍 Checking for outdated Python packages..." >&2
PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
if [ "$PIP_OUTDATED" = "Unable to check outdated packages" ]; then
echo "⚠️ Unable to check pip packages" >&2
else
OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
if [ "$OUTDATED_COUNT" -gt 1 ]; then
echo "📊 Found $OUTDATED_COUNT outdated Python packages" >&2
echo "$PIP_OUTDATED" | head -5 >&2
else
echo "✅ All Python packages are up to date" >&2
fi
fi
# Check for security issues with safety
if command -v safety &> /dev/null; then
echo "🔒 Running Safety security check..." >&2
SAFETY_OUTPUT=$(safety check --json 2>/dev/null || safety check 2>/dev/null || echo "Safety check completed")
if echo "$SAFETY_OUTPUT" | grep -q "No known security vulnerabilities"; then
echo "✅ No known security vulnerabilities in Python dependencies" >&2
else
echo "⚠️ Safety scan found potential security issues" >&2
fi
else
echo "💡 Install Safety for Python security scanning: pip install safety" >&2
fi
else
echo "⚠️ pip command not available" >&2
fi
# Ruby projects
elif [[ "$FILE_PATH" == *Gemfile ]]; then
echo "💎 Ruby project detected - checking dependencies..." >&2
if command -v bundle &> /dev/null; then
echo "🔍 Checking for outdated Ruby gems..." >&2
BUNDLE_OUTDATED=$(bundle outdated 2>/dev/null | head -10 || echo "Unable to check outdated gems")
echo "$BUNDLE_OUTDATED" >&2
# Check for security issues
if bundle exec bundler-audit --version &> /dev/null; then
echo "🔒 Running bundler-audit security check..." >&2
BUNDLE_AUDIT=$(bundle exec bundler-audit check 2>&1 || echo "Bundle audit completed")
if echo "$BUNDLE_AUDIT" | grep -q "No vulnerabilities found"; then
echo "✅ No vulnerabilities found in Ruby gems" >&2
else
echo "⚠️ Bundle audit found potential issues" >&2
fi
else
echo "💡 Install bundler-audit: gem install bundler-audit" >&2
fi
else
echo "⚠️ bundle command not available" >&2
fi
# Go projects
elif [[ "$FILE_PATH" == *go.mod ]]; then
echo "🐹 Go project detected - checking dependencies..." >&2
if command -v go &> /dev/null; then
echo "🔍 Checking Go module dependencies..." >&2
# List modules
GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
echo "$GO_LIST" >&2
# Check for available updates
OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
if [ "$OUTDATED_MODULES" -gt 0 ]; then
echo "📊 Found $OUTDATED_MODULES Go modules with available updates" >&2
echo "💡 Run 'go get -u ./...' to update dependencies" >&2
else
echo "✅ All Go modules are up to date" >&2
fi
else
echo "⚠️ go command not available" >&2
fi
# Rust projects
elif [[ "$FILE_PATH" == *Cargo.toml ]]; then
echo "🦀 Rust project detected - checking dependencies..." >&2
if command -v cargo &> /dev/null; then
# Check for outdated crates
if cargo outdated --version &> /dev/null; then
echo "🔍 Checking for outdated Rust crates..." >&2
CARGO_OUTDATED=$(cargo outdated 2>/dev/null | head -10 || echo "Unable to check outdated crates")
echo "$CARGO_OUTDATED" >&2
else
echo "💡 Install cargo-outdated: cargo install cargo-outdated" >&2
fi
# Security audit
if cargo audit --version &> /dev/null; then
echo "🔒 Running Rust security audit..." >&2
CARGO_AUDIT=$(cargo audit 2>&1 || echo "Audit completed")
if echo "$CARGO_AUDIT" | grep -q "Success No vulnerable packages found"; then
echo "✅ No vulnerable crates found" >&2
else
echo "⚠️ Cargo audit found potential issues" >&2
fi
else
echo "💡 Install cargo-audit: cargo install cargo-audit" >&2
fi
else
echo "⚠️ cargo command not available" >&2
fi
fi
# General recommendations
echo "" >&2
echo "📋 Dependency Update Best Practices:" >&2
echo " • Review changelogs before major version updates" >&2
echo " • Test thoroughly after dependency updates" >&2
echo " • Update security-critical packages immediately" >&2
echo " • Use lockfiles for reproducible builds" >&2
else
echo "File $FILE_PATH is not a recognized dependency file, skipping analysis" >&2
fi
exit 0
Complete hook script that performs dependency update checking when dependency files are modified
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
if [[ "$FILE_PATH" == *package.json ]]; then
echo "Node.js project detected - checking dependencies..." >&2
if command -v npm &> /dev/null; then
echo "Running npm outdated check..." >&2
OUTDATED_OUTPUT=$(npm outdated --depth=0 2>/dev/null || echo "No outdated packages")
if [ "$OUTDATED_OUTPUT" != "No outdated packages" ]; then
OUTDATED_COUNT=$(echo "$OUTDATED_OUTPUT" | wc -l)
echo "Found $OUTDATED_COUNT outdated npm packages" >&2
fi
if command -v npx &> /dev/null && npx ncu --version &> /dev/null 2>&1; then
echo "Running npm-check-updates for detailed analysis..." >&2
npx ncu 2>/dev/null | head -5
fi
fi
fi
exit 0
Complete hook configuration for .claude/settings.json to enable dependency update checking on dependency file changes
{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/dependency-update-checker.sh",
"matchers": ["write", "edit"]
}
}
}
Enhanced hook script for Python dependency update checking using pip-audit 2.9.0+
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *requirements.txt ]] || [[ "$FILE_PATH" == *pyproject.toml ]]; then
echo "Python project detected - checking dependencies..." >&2
if command -v pip &> /dev/null; then
PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
if [ "$PIP_OUTDATED" != "Unable to check outdated packages" ]; then
OUTDATED_COUNT=$(echo "$PIP_OUTDATED" | wc -l)
if [ "$OUTDATED_COUNT" -gt 1 ]; then
echo "Found $OUTDATED_COUNT outdated Python packages" >&2
fi
fi
if command -v pip-audit &> /dev/null; then
echo "Running pip-audit for security and update analysis..." >&2
pip-audit --format=json 2>/dev/null | jq '.' || pip-audit
fi
fi
fi
exit 0
Enhanced hook script for Rust dependency update checking using cargo-outdated and cargo-audit
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *Cargo.toml ]]; then
echo "Rust project detected - checking dependencies..." >&2
if command -v cargo &> /dev/null; then
if cargo outdated --version &> /dev/null; then
echo "Checking for outdated Rust crates..." >&2
cargo outdated 2>/dev/null | head -10
else
echo "Install cargo-outdated: cargo install cargo-outdated" >&2
fi
if cargo audit --version &> /dev/null; then
echo "Running Rust security audit..." >&2
cargo audit 2>&1 || echo "Audit completed"
fi
fi
fi
exit 0
Enhanced hook script for Go dependency update checking using govulncheck
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *go.mod ]]; then
echo "Go project detected - checking dependencies..." >&2
if command -v go &> /dev/null; then
echo "Checking Go module dependencies..." >&2
GO_LIST=$(go list -m -u all 2>/dev/null | head -10 || echo "Unable to list Go modules")
OUTDATED_MODULES=$(echo "$GO_LIST" | grep -c '\[' 2>/dev/null || echo "0")
if [ "$OUTDATED_MODULES" -gt 0 ]; then
echo "Found $OUTDATED_MODULES Go modules with available updates" >&2
echo "Run 'go get -u ./...' to update dependencies" >&2
fi
if command -v govulncheck &> /dev/null; then
echo "Running govulncheck for security analysis..." >&2
govulncheck ./... 2>/dev/null || echo "No vulnerabilities detected"
fi
fi
fi
exit 0
Verify matchers array includes only write and edit tools. Add file path validation in script header to exit early when FILE_PATH does not match dependency file patterns (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml). Use explicit file extension checks for better accuracy.
Run npm update --dry-run instead of npm outdated to see available updates. Check npm cache with npm cache verify and clear if corrupted using npm cache clean --force. Verify package-lock.json exists and is up to date. Use npm-check-updates (ncu) for more reliable results: npx ncu.
Add debouncing by storing last check timestamp in temp file: .claude/.last-dependency-check. Skip audit if less than 5 minutes elapsed since previous check to reduce noise during active development sessions. Use file modification time comparison to avoid redundant checks.
Install jq JSON processor using package manager: brew install jq on macOS, apt-get install jq on Ubuntu/Debian, yum install jq on RHEL/CentOS. Verify installation with jq --version before testing hook again. Consider using Python json module as fallback if jq unavailable.
Activate correct virtual environment before running hook or detect venv using VIRTUAL_ENV variable. Install safety in project venv rather than globally: pip install safety within activated environment. Consider using pip-audit 2.9.0+ as alternative with better virtual environment support.
Install npm-check-updates globally: npm install -g npm-check-updates or use npx: npx npm-check-updates. Verify installation: ncu --version. Check npm global bin path is in PATH. Use npx ncu for one-time execution without global installation.
Pre-update cargo registry index: cargo update in CI setup. Use offline mode if network restricted. Cache cargo registry between runs. Check firewall rules for crates.io access. Verify cargo-outdated is installed: cargo install cargo-outdated. Ensure Rust toolchain is properly configured.
Ensure go.mod and go.sum are up to date: go mod tidy. Verify Go version is 1.18+ for reliable module updates. Use go list -m -u all for accurate update information. Check module proxy settings: go env GOPROXY. Verify network connectivity to Go module proxy.
Show that Dependency Update Checker - Hooks is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/hooks/dependency-update-checker)Dependency Update Checker - Hooks side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Automatically checks for outdated dependencies and suggests updates with security analysis. This PostToolUse hook triggers when dependency manifest files (package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, pyproject.toml) are modified, providing real-time dependency health monitoring. Open dossier | A Stop hook that runs npm audit, pip-audit, safety, or bundler-audit automatically at the end of every Claude Code session, detecting CVEs and outdated packages across Node.js, Python, and Ruby projects. Open dossier | Scans for security vulnerabilities when package.json or requirements.txt files are modified. Open dossier | PostToolUse hook that inspects an edited npm package-lock.json for supply-chain provenance risk rather than known CVEs — dependencies resolved from outside the public npm registry (git, alternate-registry, or insecure transports) and registry tarballs missing an integrity hash. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | — | — | — | techforgeworks |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | hooks | hooks | hooks | hooks |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | JSONbored | JSONbored | JSONbored | techforgeworks |
| Added | 2025-09-16 | 2025-09-19 | 2025-09-19 | 2026-06-04 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically at session end and invokes local package-manager audit tools when dependency lockfiles are present. May contact package registries or vulnerability advisory services through npm, yarn, safety, pip, or bundler-audit. Writes a timestamped security-audit log in the current working directory. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs after every Write, Edit, and MultiEdit and inspects only npm package-lock.json or npm-shrinkwrap.json content; for yarn.lock and pnpm-lock.yaml it prints a one-line reminder to run lockfile-lint. Read-only and advisory - it parses the lockfile JSON, never installs packages, runs npm, or makes a network call, and always exits 0. Uses the resolved-URL and integrity fields to flag provenance risk (sources outside the public registry, missing integrity); it does not assess known vulnerabilities, so pair it with an audit tool. |
| Privacy notes | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Reads dependency manifests and lockfiles to identify package managers and audit targets. The generated audit log may include package names, versions, vulnerability identifiers, and remediation output. External audit tools may send package metadata to their configured registries or advisory services. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Reads only the local lockfile from disk; it makes no network or registry calls. Prints dependency paths and their resolved URLs to local hook stderr; it writes no logs. Resolved URLs shown in output may include internal registry or git host names if your project depends on them. |
| Prerequisites | — none listed | — none listed | — none listed |
|
| Install | | | | |
| Config | | | | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Set autoMode.hard_deny rules to block risky actions in auto mode.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.