
Dependency Management with Claude Code: Auditing, Updating, and Staying Secure
Dependencies are both a productivity tool and a security surface. Claude Code can help audit, update, and manage them systematically — when you give it the right instructions.

CLAUDE.md for Dependency Management

```markdown
## Dependency Rules

### Adding Dependencies

- Before adding: check npm/PyPI page, GitHub stars, last commit date
- Prefer established packages (>1M weekly downloads, active maintenance)
- Never install packages without checking them against these criteria
- postinstall scripts in packages are suspicious — check before allowing

### Version Management

- Pin exact versions in package.json (use =1.2.3, not ^1.2.3 or ~1.2.3)
- Lock file (package-lock.json / pnpm-lock.yaml) must be committed
- Never manually edit lock files

### Security

- Run `npm audit` after any dependency change
- Fail CI if high/critical vulnerabilities exist
- CVE threshold: block on High or Critical severity

### Allowed Package Additions (pre-approved)

- Utility: lodash, date-fns, zod, uuid
- DB: prisma, pg, re
```
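The "Version Management" and "Security" rules above are written for Claude Code to follow, but the same two checks are easy to enforce mechanically in CI so they do not depend on the assistant remembering them. The following Node script is an added example, not code from the original article: it flags any `package.json` entry that is not an exact pin (a leading `=` is accepted, matching the `=1.2.3` convention in the rules) and gates on the `vulnerabilities` map that `npm audit --json` emits (npm 7 and later), blocking when any entry is `high` or `critical`. The `package.json` and audit report embedded below are constructed sample inputs; `findUnpinned`, `auditBlocks` and `gate` are names chosen for this example.

```javascript
// Added example, not part of the original article: enforce exact version
// pins and a High/Critical audit threshold over constructed sample input.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Severities that must fail the build, per the CLAUDE.md rule above.
const BLOCKING_SEVERITIES = new Set(['high', 'critical']);

// Return every dependency whose version spec is a range (^, ~, *, >=, etc.)
// rather than an exact pin. A leading "=" is stripped before matching.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const stripped = spec.startsWith('=') ? spec.slice(1) : spec;
      if (!EXACT_VERSION.test(stripped)) unpinned.push({ name, spec, section });
    }
  }
  return unpinned;
}

// Evaluate an `npm audit --json` report. In the npm 7+ schema,
// report.vulnerabilities maps package name -> { name, severity, isDirect, ... }.
function auditBlocks(report, blocking = BLOCKING_SEVERITIES) {
  const vulns = report.vulnerabilities || {};
  const offenders = Object.values(vulns)
    .filter((v) => blocking.has(v.severity))
    .map((v) => ({ name: v.name, severity: v.severity }));
  return { blocked: offenders.length > 0, offenders };
}

// Combine both checks into a single CI verdict.
function gate(pkg, report) {
  const unpinned = findUnpinned(pkg);
  const audit = auditBlocks(report);
  return { ok: unpinned.length === 0 && !audit.blocked, unpinned, audit };
}

// Constructed sample package.json: two range specs that violate the rule.
const samplePackageJson = {
  dependencies: {
    lodash: '=4.17.21',
    zod: '^3.22.4',
    'date-fns': '~2.30.0',
    uuid: '9.0.1',
  },
  devDependencies: { typescript: '5.3.3' },
};

// Constructed sample audit report (npm 7+ shape); package names are made up.
const sampleAudit = {
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'moderate', isDirect: false },
    'example-loader': { name: 'example-loader', severity: 'high', isDirect: true },
  },
};

// Stand-alone run: print the verdict for the sample input.
const verdict = gate(samplePackageJson, sampleAudit);
console.log(JSON.stringify(verdict, null, 2));
```

In a real pipeline the two inputs come from `JSON.parse(fs.readFileSync('package.json'))` and from `npm audit --json` piped into the script; `npm audit --audit-level=high` alone already returns a non-zero exit code at that threshold, but parsing the report lets the same job also report which direct dependencies are affected and enforce the pinning rule in one step.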