Supply-chain security watchdog for npm, rubygems and rust ecosystems.
Scans your projects for known vulnerabilities using the GitHub Advisory Database API. Zero runtime dependencies — built entirely with Node.js 22 built-ins.
## Installation

```sh
# Clone and link
cd ressources/cli/depwatch
npm link

# Setup config (manual)
mkdir -p ~/.depwatch
cat > ~/.depwatch/config.json << 'EOF'
{
  "basePath": "/path/to/your/workbench",
  "tokenSource": "gh-cli",
  "cacheTTL": 86400,
  "ecosystems": ["npm", "rubygems", "rust"],
  "lockFiles": {
    "npm": "package-lock.json",
    "rubygems": "Gemfile.lock",
    "rust": "Cargo.lock"
  },
  "ignore": [
    "**/node_modules/**",
    "**/.trash/**",
    "**/vendor/**"
  ]
}
EOF

# First scan
depwatch scan --all
```

## Features

- Zero runtime dependencies — only Node.js 22 built-ins
- Scans package-lock.json, Gemfile.lock, and Cargo.lock
- Batch queries via the GitHub Advisory API `affects` parameter (up to 150 packages per call)
- Classifies advisories as CRITICAL / WARNING / INFO
- Maintains a global watchlist across all projects
- Caches API responses (configurable TTL, default 24h)
- Colored terminal output (respects NO_COLOR)
- Claude Code integration via SessionStart hook
## Commands

### `depwatch session`

Check the current project at session start. Finds lock-files, updates the watchlist, and runs an advisory check.

```sh
depwatch session              # Full report
depwatch session --quiet      # Status line only
depwatch session --no-cache   # Force fresh API call
depwatch session --path /dir  # Specify project path
```

### `depwatch lookup`

Check a single package before installation. Ecosystem is required.

```sh
depwatch lookup npm axios
depwatch lookup rubygems rails
depwatch lookup rust anchor-lang
```

### `depwatch scan`

Scan the entire workbench and rebuild the watchlist from scratch. Also includes global npm packages.

```sh
depwatch scan --all
```

### `depwatch news`

Show the latest advisories for configured ecosystems.

```sh
depwatch news            # All ecosystems
depwatch news --eco npm  # npm only
```

## Configuration

Config lives at `~/.depwatch/config.json` (created manually).
| Field | Type | Description |
|---|---|---|
| `basePath` | string | Root path to scan (e.g., your workbench) |
| `tokenSource` | string | `"gh-cli"` — reads the token from `gh auth token` |
| `cacheTTL` | number | Cache duration in seconds (default: 86400 = 24h) |
| `ecosystems` | string[] | Ecosystems to scan: `npm`, `rubygems`, `rust` |
| `lockFiles` | object | Lock-file names per ecosystem |
| `ignore` | string[] | Glob patterns to ignore |
## Files

| File | Location | Purpose |
|---|---|---|
| `config.json` | `~/.depwatch/` | Configuration |
| `watchlist.json` | `~/.depwatch/` | All packages across all projects |
| `last-check.json` | `~/.depwatch/` | Last advisory check result |
| `advisories-cache.json` | `~/.depwatch/` | Cached API responses |
## Severity levels

| Level | Meaning |
|---|---|
| CRITICAL | Your installed version is affected |
| WARNING | Package has advisory, different version affected |
| INFO | Advisory was withdrawn or patched |
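The batching and classification described in the feature list and in the severity table above, as an added example that is not depwatch's own code. It uses only Node.js built-ins, assumes the `name@version` form of the `affects` parameter, assumes the Advisory API field names `withdrawn_at`, `vulnerabilities[].package`, `vulnerable_version_range` and `first_patched_version`, and reads the three levels as: withdrawn is INFO, installed version inside the vulnerable range is CRITICAL, installed at or above the first patched version is INFO, anything else is WARNING.

```javascript
// Added example, not depwatch's own code: batch lock-file entries for the `affects`
// parameter and rank advisories for an installed version, with Node.js built-ins only.
// Assumed rule: withdrawn -> INFO; installed inside the vulnerable range -> CRITICAL;
// installed at or above first_patched_version -> INFO; otherwise WARNING.
// Compare dotted numeric versions ("1.2.10" > "1.2.9"); pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// GitHub expresses vulnerable ranges as comma-separated clauses such as ">= 1.0.0, < 1.4.2".
function inRange(version, range) {
  return range.split(',').every((clause) => {
    const [, op, v] = clause.trim().match(/^(<=|>=|<|>|=)\s*(\S+)$/) ?? [];
    if (!op) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, v);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}
// Split lock-file entries into `affects` values of at most 150 items (the README's batch size).
function affectsBatches(entries, size = 150) {
  const items = entries.map(({ name, version }) => `${name}@${version}`);
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size).join(','));
  return out;
}
// advisory: one object from the Advisory API response; returns the README's level for it.
function classify(advisory, ecosystem, name, installed) {
  if (advisory.withdrawn_at) return 'INFO';
  const vulns = advisory.vulnerabilities.filter(
    (v) => v.package.ecosystem === ecosystem && v.package.name === name);
  if (vulns.some((v) => inRange(installed, v.vulnerable_version_range))) return 'CRITICAL';
  if (vulns.length > 0 && vulns.every((v) => v.first_patched_version &&
      compareVersions(installed, v.first_patched_version) >= 0)) return 'INFO';
  return 'WARNING';
}
// Constructed sample advisories shaped like API responses; the GHSA ids are placeholders.
const SAMPLE_ADVISORIES = [
  { ghsa_id: 'GHSA-PLACEHOLDER-1', withdrawn_at: null, vulnerabilities: [{ package: { ecosystem: 'npm', name: 'example-lib' },
    vulnerable_version_range: '>= 1.0.0, < 1.4.2', first_patched_version: '1.4.2' }] },
  { ghsa_id: 'GHSA-PLACEHOLDER-2', withdrawn_at: '2024-01-01T00:00:00Z', vulnerabilities: [{ package: { ecosystem: 'npm', name: 'example-lib' },
    vulnerable_version_range: '< 2.0.0', first_patched_version: '2.0.0' }] },
];
```

With the samples above, `example-lib@1.2.0` is CRITICAL, `1.4.2` is INFO, `0.9.0` is WARNING, and the withdrawn advisory is INFO for any version.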
## Claude Code integration

Add to `~/.claude/settings.json`:

```json
{
  "hooks": {
    "SessionStart": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "depwatch session --quiet 2>/dev/null || true",
            "timeout": 30,
            "statusMessage": "Running security check..."
          }
        ]
      }
    ]
  }
}
```

A companion skill at `~/.claude/skills/npm-security/` provides Claude with security rules: run `depwatch lookup` before installing, handle `ignore-scripts`, warn on CRITICAL.
## License

MIT