
Post-Merge Dependency Checker

After pulling or merging, automatically detects if package.json or lock files changed and reminds you to install new dependencies.

Hook | Cliptics | development | v1.0.0 | MIT


Automatically audits dependency files after merge operations, checking for security vulnerabilities, outdated packages, and license compatibility.

When to Use This Hook

Attach this hook when you need to:

  • Detect newly introduced security vulnerabilities from merged dependency changes
  • Alert developers when merged code includes outdated or deprecated packages
  • Validate license compatibility of newly added dependencies against project policy

Consider alternatives when:

  • Your CI pipeline runs Dependabot, Snyk, or Renovate for dependency management
  • You lock dependency versions and updates go through a dedicated review process

Quick Start

Configuration

name: post-merge-dependency-checker
type: hook
trigger: PostToolUse
category: development

Example Trigger

# Hook triggers after dependency files are modified
claude> Edit package.json
# Checker runs npm audit and version checks

Example Output

Post-Merge Dependency Checker
  File modified: package.json
  Running npm audit...
    0 critical, 1 high, 3 moderate vulnerabilities
  Running version check...
    2 major updates available:
      react: 18.2.0 → 19.1.0
      next: 14.1.0 → 15.2.0
    5 minor updates available
  License check: All dependencies MIT/Apache-2.0 compatible
Dependency audit complete: 1 high vulnerability requires attention

Core Concepts

Audit Coverage Overview

Aspect        | Details
npm/yarn      | npm audit for Node.js projects
pip/Python    | safety check for Python requirements
Cargo/Rust    | cargo audit for Rust projects
Maven/Gradle  | Dependency check plugins for Java
Multi-Package | Detects package manager from manifest file name

Audit Workflow

Dependency File Modified
         |
   Detect Package Manager
    /      |      \
  npm    pip    cargo
   |      |      |
audit  safety  cargo
       check   audit
   |      |      |
   └──────┼──────┘
          |
   Version Check
          |
   License Check
          |
   Report Findings

Configuration

Parameter         | Type     | Default                                                                  | Description
manifest_files    | string[] | ["package.json","requirements.txt","Cargo.toml","pom.xml","Gemfile"]     | Dependency files that trigger auditing
block_on_critical | boolean  | false                                                                    | Block edits when critical vulnerabilities are found
check_outdated    | boolean  | true                                                                     | Report available version updates
license_allowlist | string[] | ["MIT","Apache-2.0","BSD-3-Clause","ISC"]                                | Accepted license types
timeout_sec       | number   | 60                                                                       | Maximum time for audit commands to complete

Best Practices

  1. Run Audit After Every Dependency Change - Do not wait for CI to catch vulnerabilities. Running npm audit immediately after editing package.json provides instant feedback.

  2. Differentiate Severity Levels - Block on critical and high vulnerabilities but only warn on moderate and low. Not all vulnerabilities are equally urgent, and over-blocking creates fatigue.

  3. Track License Compliance - Maintain an allowlist of approved licenses. When a new dependency introduces a copyleft license (GPL, AGPL) in a proprietary project, the checker should flag it immediately.

  4. Check Transitivity - Direct dependencies may be clean, but their transitive dependencies can introduce vulnerabilities. Use npm audit with full tree analysis rather than checking only direct dependencies.

  5. Cache Audit Results - If the dependency file has not changed since the last audit, skip re-running. Network calls to vulnerability databases add latency that caching eliminates.

Common Issues

  1. npm audit False Positives - Some reported vulnerabilities do not apply in your usage context. Use npm audit --omit=dev to skip devDependencies and maintain an .nsprc ignore file for known exceptions.

  2. Network Timeout on Audit - Vulnerability database queries require network access and can timeout on slow connections. Set a generous timeout and cache results for offline development.

  3. Lock File Drift - Editing package.json without running npm install leaves the lock file out of sync. The checker should warn when the manifest and lock file are inconsistent.
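As an added example (not the template's own code), the core decisions such a hook has to make, written in Python: manifest detection from the file name, severity triage of npm audit output honoring block_on_critical, license allowlisting, and the lock file drift check from Common Issue 3. It assumes the npm 7+ `npm audit --json` layout (counts under metadata.vulnerabilities) and a lockfileVersion 2 or later package-lock.json; every sample value is constructed.

```python
# Added example, not the template's own code: decision logic for a PostToolUse
# dependency hook. Runs offline on constructed sample data defined below.
import json
from pathlib import PurePath

# Manifest file name -> (package manager, audit command), from the coverage table.
AUDIT_COMMANDS = {
    "package.json": ("npm", ["npm", "audit", "--json"]),
    "requirements.txt": ("pip", ["safety", "check"]),
    "Cargo.toml": ("cargo", ["cargo", "audit"]),
}
SEVERITIES = ("critical", "high", "moderate", "low", "info")
DEFAULT_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

def detect_package_manager(path):
    """Return (manager, command) for an edited file, or None if it is not a manifest."""
    return AUDIT_COMMANDS.get(PurePath(path).name)

def summarize_npm_audit(audit_json):
    """Per-severity counts from `npm audit --json` (npm 7+ puts them under metadata)."""
    counts = json.loads(audit_json)["metadata"]["vulnerabilities"]
    return {s: int(counts.get(s, 0)) for s in SEVERITIES}

def triage(counts, block_on_critical=False):
    """Block only when configured and critical/high findings exist; otherwise warn."""
    urgent = counts["critical"] + counts["high"]
    if urgent and block_on_critical:
        return "block"
    if urgent or counts["moderate"] or counts["low"]:
        return "warn"
    return "ok"

def license_violations(dep_licenses, allowlist=DEFAULT_ALLOWLIST):
    """Dependencies whose license is outside the allowlist (e.g. GPL in a proprietary project)."""
    return sorted(n for n, lic in dep_licenses.items() if lic not in allowlist)

def lockfile_drift(manifest_json, lock_json):
    """Names whose range in package.json differs from the lock file root entry (lockfileVersion >= 2)."""
    manifest = json.loads(manifest_json)
    root = json.loads(lock_json)["packages"][""]
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    locked = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    return sorted(n for n, rng in declared.items() if locked.get(n) != rng)

# Constructed sample data mirroring the Example Output above (not real audit results).
SAMPLE_AUDIT = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 0, "moderate": 3, "high": 1, "critical": 0, "total": 4}}})
SAMPLE_MANIFEST = '{"dependencies": {"react": "^18.2.0", "next": "^14.1.0"}}'
SAMPLE_LOCK = '{"lockfileVersion": 3, "packages": {"": {"dependencies": {"react": "^18.2.0"}}}}'
```

With the default block_on_critical of false the sample audit yields "warn", matching the "1 high vulnerability requires attention" line of the example output; flipping it to true turns the same counts into "block".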
