ClaudeWave
Skill · 323 repo stars · updated today

dependency-triage

Dependency Triage analyzes package dependencies across ecosystems (npm, pip, go, etc.) and classifies each update by risk level, CVE severity, and recommended action. Use this skill to systematically evaluate whether dependency upgrades should be applied automatically via patch bumps, require human review for minor/major versions, or be escalated due to security vulnerabilities, denylist restrictions, or dependency conflicts.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/cobusgreyling/loop-engineering /tmp/dependency-triage && cp -r /tmp/dependency-triage/starters/dependency-sweeper/.grok/skills/dependency-triage ~/.claude/skills/dependency-triage
```

Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Dependency Triage Skill

## Output per package

```markdown
### package-name (ecosystem: npm|pip|go|etc.)
- Current: x.y.z
- Suggested: x.y.z
- Risk: patch | minor | major
- CVE: none | CVE-XXXX (severity)
- Actionable: yes | no (denylist / human gate)
- Suggested loop action: patch-in-worktree | escalate-human | skip
```

## Classification Rules

- **patch**: semver patch or lockfile-only security fix with no API change
- **minor**: semver minor — cautious, verifier required
- **major**: always escalate-human unless explicitly pre-approved in state
- **denylist**: packages in state denylist → escalate-human, no auto-touch
- **high-severity CVE**: escalate if fix requires major or breaking change

## Rules

- Prefer the smallest safe bump that resolves the advisory.
- Never bundle unrelated package updates in one change.
- Record human overrides from `dependency-sweeper-state.md` every run.
- If lockfile conflict or peer dependency warning → escalate-human.
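The classification and loop rules above can be expressed as a small decision function. The following is an added reference implementation, not code from the skill or the loop-engineering repository: it parses the two semver strings, derives the bump kind, and applies the denylist, conflict, major-version and CVE gates in the order a triage run would, then renders the per-package block in the output format shown earlier. The `Package` fields, the `denylist` / `preapproved_major` inputs (standing in for what the skill reads from `dependency-sweeper-state.md`), and the sample packages with their `CVE-XXXX` placeholder are all constructed for this example.

```python
"""Added example: a decision function for the dependency-triage rules.
Not the skill's own code; the Package fields and the state inputs
(denylist, preapproved_major) are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, FrozenSet


@dataclass
class Package:
    name: str
    ecosystem: str                    # npm | pip | go | etc.
    current: str
    suggested: str
    cve: Optional[str] = None         # advisory id, e.g. "CVE-XXXX" (placeholder)
    severity: Optional[str] = None    # low | moderate | high | critical
    lockfile_only_fix: bool = False   # security fix confined to the lockfile, no API change
    conflict: bool = False            # lockfile conflict or peer-dependency warning seen


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); pre-release and build metadata are ignored."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a release semver string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def bump_kind(current: str, suggested: str) -> str:
    """Classify the bump as none | patch | minor | major by the first differing component."""
    cur, new = parse_semver(current), parse_semver(suggested)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def triage(pkg: Package,
           denylist: FrozenSet[str] = frozenset(),
           preapproved_major: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Apply the classification rules and pick the loop action for one package."""
    kind = bump_kind(pkg.current, pkg.suggested)
    # A lockfile-only security fix with no API change is treated as patch risk.
    risk = "patch" if (kind == "patch" or pkg.lockfile_only_fix) else kind
    cve_line = f"{pkg.cve} ({pkg.severity})" if pkg.cve else "none"
    high_cve = pkg.cve is not None and pkg.severity in ("high", "critical")

    if kind == "none" and not pkg.lockfile_only_fix:
        action, actionable, verifier = "skip", "no (already current)", "no"
    elif pkg.name in denylist:
        # Denylisted packages are never touched automatically.
        action, actionable, verifier = "escalate-human", "no (denylist)", "no"
    elif pkg.conflict:
        action, actionable, verifier = "escalate-human", "no (human gate)", "no"
    elif risk == "major" and pkg.name not in preapproved_major:
        # Covers both plain major bumps and high-severity CVEs whose fix needs a major bump.
        action, actionable, verifier = "escalate-human", "no (human gate)", "no"
    else:
        # patch, pre-approved major, or minor (minor is cautious: verifier required).
        action, actionable = "patch-in-worktree", "yes"
        verifier = "yes" if risk == "minor" else "no"

    return {
        "name": pkg.name, "ecosystem": pkg.ecosystem,
        "current": pkg.current, "suggested": pkg.suggested,
        "risk": risk, "cve": cve_line, "high_cve": "yes" if high_cve else "no",
        "actionable": actionable, "action": action, "verifier_required": verifier,
    }


def render(result: Dict[str, str]) -> str:
    """Render one result in the skill's per-package markdown block."""
    return "\n".join([
        f"### {result['name']} (ecosystem: {result['ecosystem']})",
        f"- Current: {result['current']}",
        f"- Suggested: {result['suggested']}",
        f"- Risk: {result['risk']}",
        f"- CVE: {result['cve']}",
        f"- Actionable: {result['actionable']}",
        f"- Suggested loop action: {result['action']}",
    ])


# Constructed sample input; versions and the CVE id are placeholders, not real advisories.
SAMPLE = [
    Package("left-pad", "npm", "1.3.0", "1.3.1"),
    Package("requests", "pip", "2.31.0", "2.32.0", cve="CVE-XXXX", severity="high"),
    Package("django", "pip", "3.2.0", "4.2.0", cve="CVE-XXXX", severity="critical"),
    Package("internal-sdk", "go", "1.0.0", "1.0.1"),
    Package("react", "npm", "18.2.0", "18.3.0", conflict=True),
    Package("chalk", "npm", "5.3.0", "5.3.0"),
]
STATE_DENYLIST = frozenset({"internal-sdk"})  # what the state file would record


def triage_all(packages=SAMPLE, denylist=STATE_DENYLIST):
    return [triage(p, denylist) for p in packages]


if __name__ == "__main__":
    print("\n\n".join(render(r) for r in triage_all()))
```

Each package is triaged on its own, which matches the rule that unrelated updates are never bundled; the caller decides what to do with one result at a time. Gates are checked in the order denylist, conflict, major, so a denylisted package reports the denylist reason even when it also has a conflict.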