Check-Dependencies: NPM Security Automation
The check-dependencies ClawFlows workflow audits your NPM and package dependencies for security issues, outdated versions, and license problems.
Dependencies are the hidden attack surface of every software project. The average Node.js project has hundreds of transitive dependencies, any one of which can carry a vulnerability, an expired maintainer account, or a backdoor introduced by a supply-chain attack. The honest version of most security postures is: "I hope nothing's wrong, and I haven't checked recently."
That hope-based approach worked in 2015. It doesn't work in 2026. Supply-chain attacks are frequent, visible, and costly. Running npm audit quarterly isn't enough — you need it weekly, with visible results and actionable output.
The check-dependencies workflow from ClawFlows makes that practical. It runs in 30 seconds, produces a clean report, and fits into any CI or local routine.
Key Takeaways
- check-dependencies is a ClawFlows workflow in the Dev Tools category that audits package dependencies.
- It supports NPM, pip, cargo, and other package managers via the respective skills.
- It flags security vulnerabilities, outdated major versions, and license issues in one pass.
- Output is actionable — each finding includes severity, fix version, and upgrade path.
- It's part of nikilster/clawflows and fully open source.
What the Workflow Does
When you invoke check-dependencies, the workflow:
- Detects the package manager for the current project (npm, yarn, pnpm, pip, cargo, etc.)
- Runs the native audit command to collect vulnerability data
- Queries additional databases (Snyk-style sources, GHSA) for broader coverage
- Checks for major version updates on production dependencies
- Scans licenses against your allowlist (e.g., no GPL in commercial code)
- Produces a structured report with severity, fix versions, and upgrade paths
- Optionally opens GitHub issues for each high/critical finding
The whole pass takes about 30 seconds for a typical project. CI runs can be longer if you're auditing a monorepo.
What's Different From npm audit?
npm audit is the raw tool. check-dependencies wraps it with everything the raw tool is missing:
- Additional data sources for broader vulnerability coverage
- License checking
- Outdated version checking (not just security)
- Structured output ready for CI integration
- Optional issue creation for findings
- Configurable severity thresholds
- Exclusion lists for known-acceptable findings
Think of it as npm audit with all the ergonomic improvements you'd eventually build yourself.
A Weekly Routine
I run check-dependencies weekly on every active project. The routine:
- Every Sunday night, a scheduled run on each repo
- If high or critical findings, an issue is auto-created
- Monday morning I see the issues and act on them
For projects I'm not actively working on, the workflow still runs weekly and surfaces issues in a shared dashboard. This way, even abandoned projects don't turn into liability.
Total weekly time investment: about 5 minutes of review across all projects. Compared to the damage a single unaudited vulnerability can cause, this is the cheapest security insurance available.
CI Integration
check-dependencies runs cleanly in GitHub Actions, GitLab CI, or any CI system. The pattern:
- On every push to main, run check-dependencies
- Block the build if high/critical findings appear
- Allow the build to pass with warnings for lower-severity findings
This keeps dependency health continuous rather than episodic. Vulnerabilities get caught the week they're disclosed, not the quarter.
The Findings Report
Default report format:
Dependencies Audit Report
=========================
Project: my-app
Scanned: 342 packages (48 direct, 294 transitive)
CRITICAL (0)
HIGH (1)
- lodash@4.17.15
CVE-2021-23337 (Command injection)
Fix: upgrade to 4.17.21+
Path: my-app > express-middleware > lodash
MEDIUM (3)
- [listed...]
LOW (12)
- [summarized...]
LICENSE ISSUES (0)
OUTDATED MAJOR VERSIONS (8)
- react: 17.0.2 -> 18.2.0 (breaking)
- webpack: 4.x -> 5.x (breaking)
- [etc]
Actionable, structured, scannable. You know exactly what to fix and what can wait.
Handling False Positives
Not every "vulnerability" matters. Some don't apply to your usage (dev-only code paths, unused functions). Some are in transitive deps you can't control. Some are known-acceptable for reasons specific to your project.
check-dependencies supports an exclusion file where you list known-acceptable findings with justifications. The workflow respects exclusions but warns if an exclusion becomes stale (e.g., the exploit became worse since you excluded it).
This is the right tradeoff — you maintain explicit exceptions rather than ignoring everything.
Pairing With Other Security Workflows
check-dependencies is one piece of a broader security routine:
- security-audit — environmental security (see Security Audit Workflows for Solo Devs)
- audit-env-files — secret leak prevention
- digital-hygiene — personal digital footprint (see Digital Hygiene Workflows for Privacy)
- rotate-passwords — credential hygiene
Running all four weekly plus check-dependencies daily (or on every CI run) gets you to a strong security posture without hiring a dedicated security person.
Customization Examples
Ways people customize check-dependencies:
- A startup added Slack notifications for findings above medium
- An open-source maintainer added PR comments with audit results
- A monorepo team added per-package scoping so each team sees their own findings
- A strict-license project added GPL/AGPL blocking for commercial code
- A pragmatic team downgraded LOW findings to "info" level to reduce noise
We cover authoring in Writing Your First Custom ClawFlow.
The Economics of Weekly Scanning
Here's the honest cost-benefit:
Cost of weekly scanning: ~5 minutes of review time per week per active project. $0 in tool fees.
Cost of a single exploited vulnerability: Hours of incident response. Potential user data exposure. Reputation damage. Legal liability for regulated data.
The math is absurd. Weekly scanning is free money. The only reason it isn't universal is friction — and check-dependencies removes the friction.
FAQ
Does it work for Python, Rust, Go?
Yes. Each language's audit mechanism is wrapped by a corresponding skill. pip-audit, cargo-audit, govulncheck — all supported.
What about private registries?
If your package manager is configured to talk to a private registry, check-dependencies inherits that. It uses the native audit command, which uses whatever registries you've configured.
Does it fix issues automatically?
No — that's update-deps (a separate workflow). check-dependencies identifies; update-deps fixes. The separation is intentional because auto-fixing can break things.
Can I run it in a pre-commit hook?
Yes. Many developers do. It adds a few seconds to commit time in exchange for catching vulnerabilities the moment they're introduced.
How accurate is the vulnerability data?
It's as good as the sources — npm advisories, GHSA, Snyk-style databases. False positives are rare. False negatives (missed vulnerabilities) happen when the vulnerability database hasn't caught up yet, but that's true of any tool.
Start Scanning This Week
If you ship software with any dependencies, check-dependencies is the cheapest security improvement you can make this quarter. Install ClawFlows (see How to Install ClawFlows in One Command), run it on your main project today, and wire it into your weekly routine.
Explore all 113 workflows at aiskill.market/workflows or submit your own.
Sources
- nikilster/clawflows on GitHub — source for check-dependencies
- NPM advisory database
- OpenClaw documentation
- Security Audit Workflows for Solo Devs
- Anthropic Claude docs