Dep Radar
by @tarun-khatri
Dependency breaking-change radar. Use this skill when the user wants to check for breaking changes, outdated dependencies, upgrade risks, or migration issues...
clawhub install depradarπ About This Skill
name: depradar description: Dependency breaking-change radar. Use this skill when the user wants to check for breaking changes, outdated dependencies, upgrade risks, or migration issues. Triggers on /depradar, or when users ask about dependency updates, breaking changes, semver bumps, or safe upgrade paths. Scans package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, pom.xml for outdated packages, extracts breaking changes from release notes, finds impacted files in the codebase, and surfaces community pain signals from GitHub Issues, Stack Overflow, Reddit, and Hacker News.
/depradar
> Scan your project's dependencies for breaking changes, find which files in YOUR codebase will break, and surface community reports from GitHub, Stack Overflow, Reddit, and Hacker News β all in one command.
What This Skill Does
/depradar is a dependency intelligence tool that goes far beyond npm outdated or pip list --outdated. When you run it:
1. Reads your dependency files β package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, pom.xml, and more
2. Checks every registry β npm, PyPI, GitHub Releases, crates.io, Maven Central β for new versions
3. Extracts breaking changes β parses release notes and CHANGELOGs using section-header detection, Conventional Commits (feat!:, BREAKING CHANGE:), and keyword heuristics
4. Scans YOUR codebase β Python: full AST analysis (high confidence). JS/TS: import-tracking regex with package context (medium confidence) + optional true AST via Node.js if available (high confidence). Other languages: grep fallback
5. Searches the community β GitHub Issues, Stack Overflow, Reddit, and Hacker News for migration pain reports
6. Scores and ranks β severity Γ recency Γ codebase impact Γ community pain (0-100 scale)
7. Delivers an actionable report β tells you what broke, where it broke in your code, and what others did to fix it
Invocation
/depradar # Scan current project, all production deps
/depradar stripe openai # Check only these specific packages
/depradar --all # Include devDependencies / dev extras
/depradar --quick # 60s timeout, top 5 packages by severity
/depradar --deep # 300s, exhaustive community search
/depradar --days=7 # Changes in last 7 days (default: 30)
/depradar --refresh # Bypass 6-hour cache, force fresh data
/depradar --emit=json # Output: compact (default) | json | md | context
/depradar --emit=md # Save full markdown report to ~/Documents/DepRadar/
/depradar --diagnose # Show API key status + test validity
/depradar --mock # Use fixtures (testing, no network calls)
/depradar --no-scan # Skip codebase impact scan (faster)
/depradar --no-community # Skip community signal search
/depradar --save # Auto-save markdown report
/depradar --save-dir=PATH # Save report to custom directory
/depradar --path=PATH # Scan a different project directory
/depradar --verbose # Show detailed per-step progress
/depradar --fail-on-breaking # Exit code 1 if breaking changes found (CI/CD)
/depradar --min-score=N # Only show packages with score >= N (default: 0)
/depradar --notify=slack://WEBHOOK # Send report to Slack webhook
/depradar --notify=file:///PATH # Write JSON report to file
/depradar --show-ignored # Show packages suppressed by .depradar-ignore
/depradar --version # Show version
Step-by-Step Instructions for Claude
This section describes exactly how Claude should execute this skill. Follow each step in order.
Step 0: Understand What the User Wants
Before running anything, parse the invocation to understand:
Package filtering: If the user named specific packages (e.g., /depradar stripe openai), note these. The script will filter to only those packages.
Flag mapping:
--quick β --depth=quick (60s timeout, top 5 packages)--deep β --depth=deep (300s timeout, exhaustive)--days=N β look back N days for new releases (default: 30)--refresh β bypass cache--no-scan β skip codebase impact scan--no-community β skip community signal search--emit=FORMAT β output format (compact, json, md, context)--save β save markdown to ~/Documents/DepRadar/--diagnose β show config status and exit--mock β use fixture data, no network callsUser intent signals: If the user says "check if openai is broken" β that means /depradar openai. If they say "what needs updating in this project" β that's /depradar. If they say "why is my stripe code failing after update" β that's /depradar stripe --deep.
Step 1: Locate the Script
The skill's main Python script is at:
{SKILL_ROOT}/scripts/depradar.py
Where {SKILL_ROOT} is the directory containing this SKILL.md file.
To find SKILL_ROOT dynamically:
SKILL_ROOT="$(dirname "$(realpath "${BASH_SOURCE[0]:-$0}")")"
If Claude is running this directly (not via bash), find the skill root by looking for the directory that contains both SKILL.md and scripts/depradar.py.
The typical installed locations are:
~/.claude/skills/depradar-skill/ (Claude Code)~/.codex/skills/depradar-skill/ (OpenAI Codex)~/.agents/skills/depradar-skill/ (generic)Step 2: Check Prerequisites
Before running, verify Python 3.8+ is available:
python3 --version
If Python is not available, tell the user: > "Python 3.8+ is required. Please install it from python.org or via your package manager."
No external pip packages are required β the skill uses only Python stdlib.
Step 3: Run the Script
Basic invocation:
cd "{PROJECT_ROOT}" && python3 "{SKILL_ROOT}/scripts/depradar.py" {ARGS}
Important: Always cd to the project root first. The script uses the current working directory to find dependency files and scan the codebase.
Examples:
Run with default settings:
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py
Check specific packages only:
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py stripe openai
Quick scan with JSON output:
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --quick --emit=json
Show config status:
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --diagnose
Test with mock data (no network):
cd /path/to/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --mock
Step 4: Parse the Output
The script outputs to stdout. The output format depends on --emit:
compact (default): Human-readable terminal output. Parse it by looking for:
### β package name + version bumpImpact: β codebase impact count - under Impact: β file:line references N. under Breaking changes: β individual breaking changesCommunity signals: β external reportsjson: Full machine-readable JSON. The structure is DepRadarReport:
{
"project_path": "/path/to/project",
"packages_scanned": 23,
"packages_with_breaking_changes": [
{
"id": "P1",
"package": "stripe",
"current_version": "7.0.0",
"latest_version": "8.0.0",
"semver_type": "major",
"has_breaking_changes": true,
"score": 87,
"breaking_changes": [...],
"impact_locations": [...],
"impact_confidence": "high"
}
],
"packages_with_minor_updates": [...],
"packages_current": ["axios", "lodash", ...],
"github_issues": [...],
"stackoverflow": [...],
"reddit": [...],
"hackernews": [...],
"from_cache": false,
"cache_age_hours": null,
"depth": "default",
"days_window": 30
}
context: Minimal snippet for passing to other skills or continuing a conversation.
md: Full markdown β best for saving to file.
Step 5: Synthesize and Present to the User
After the script completes, Claude should present the findings in a clear, actionable way. Follow these principles:
Lead with the action items. The user needs to know: "Do I need to update anything? Will it break my code? How hard is the migration?"
Structure your response:
1. One-line summary β "Found 2 packages with breaking changes affecting 7 files in your codebase."
2. For each breaking package (in score order):
- Package name, current β latest version, days since release
- Files in their codebase that will break (from impact_locations)
- What specifically changed (from breaking_changes)
- Migration guidance (from migration_note fields or community signals)
- Community pain level (how many others hit this)
3. Minor updates table β brief, just show what's available
4. Follow-up offers β see Step 6
What to emphasize:
What to de-emphasize:
Tone: Be specific, not alarming. "stripe v8 removed webhooks.constructEvent() β replace it with webhooks.verify() on line 47 of src/payments/webhook.ts" is much better than "Breaking changes detected!"
Step 6: Offer Follow-up Actions
After presenting the report, always offer one or more of these follow-up actions:
For packages with breaking changes:
src/payments/webhook.ts from stripe.webhooks.constructEvent() to the new API?"npm update stripe and then fix the breaking usages automatically?"For the full report:
~/Documents/DepRadar/? Run /depradar --emit=md."/* TODO: migrate stripe v8 */ comments to the affected lines."For configuration:
GITHUB_TOKEN to ~/.config/depradar/.env to get 80x more GitHub API requests and better issue search."SCRAPECREATORS_API_KEY to enable Reddit community signal search."Step 7: Handle Errors Gracefully
No dependency files found:
> "No dependency files found in {PROJECT_ROOT}. Make sure you're in your project root directory. Supported files: package.json, requirements.txt, pyproject.toml, go.mod, Cargo.toml, Gemfile, pom.xml."
All packages up to date: > "All {N} dependencies are up to date β no action needed."
GitHub rate limit (60/hour without token):
> "GitHub API rate limit reached. Add GITHUB_TOKEN to ~/.config/depradar/.env for 5,000 requests/hour. Run /depradar --diagnose to check your config."
Script not found:
> "Could not find depradar.py. Make sure the skill is installed: copy the depradar-skill/ directory to ~/.claude/skills/. Run bash ~/.claude/skills/depradar-skill/scripts/sync.sh to install."
Python not found:
> "Python 3.8+ is required. Install from python.org or via: brew install python3 (Mac) / sudo apt install python3 (Linux)."
Cache is stale:
> "Using cached results from {N} hours ago. Run /depradar --refresh to fetch fresh data."
Configuration
/depradar works out of the box with no configuration. API keys unlock additional sources and higher rate limits.
Config File Location
Create either of:
.claude/depradar.env β project-level (check this into .gitignore)~/.config/depradar/.env β global (applies to all projects)API Keys Reference
| Key | Purpose | Without Key | With Key |
|-----|---------|------------|---------|
| GITHUB_TOKEN | GitHub Releases + Issues | 60 req/hr | 5,000 req/hr |
| SCRAPECREATORS_API_KEY | Reddit search | β disabled | β
enabled |
| XAI_API_KEY | X/Twitter via Grok | β disabled | β
enabled |
| AUTH_TOKEN + CT0 | X/Twitter via cookies | β disabled | β
enabled |
| STACKOVERFLOW_API_KEY | Stack Overflow | 300/day | 10,000/day |
Example Config File
# ~/.config/depradar/.envStrongly recommended β free at github.com/settings/tokens
Scopes needed: (none β public repos only)
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFrom scrapecreators.com β enables Reddit community signals
SCRAPECREATORS_API_KEY=sc_xxxxxxxxxxxxFrom x.ai β enables X/Twitter signals
XAI_API_KEY=xai_xxxxxxxxxxxxFrom stackapps.com β 33x rate limit increase for Stack Overflow
STACKOVERFLOW_API_KEY=xxxxxxxxxxxx
Suppressing Known-Safe Breaking Changes
Create a .depradar-ignore file in your project root to suppress evaluated breaking changes:
# .depradar-ignore
Format: package[@version] # optional reason comment
chalk@5 # ESM-only, evaluated 2026-03-27 β only used in CLI output
dotenv@17 # uses config() only, unchanged API
stripe # all versions suppressed (use with care)
chalk@5 β suppresses chalk at any 5.x.x versionchalk@5.3.0 β exact version onlychalk β suppress all versions (use carefully)A global ignore file at ~/.config/depradar/ignore applies to all projects.
Run --show-ignored to see what's being suppressed.
Zero-Config Coverage
Without any API keys, /depradar still covers:
Zero-config covers ~80% of the skill's value.
Dependency File Support
| File | Ecosystem | Notes |
|------|-----------|-------|
| package.json | npm | Production deps; add --all for devDependencies |
| package-lock.json | npm | Exact locked versions (v2/v3 format) |
| yarn.lock | npm | Exact locked versions (v1 format) |
| pnpm-lock.yaml | npm | Exact locked versions (v5/v6/v8 format) |
| requirements.txt | PyPI | Handles ==, >=, ~=, != specifiers |
| pyproject.toml | PyPI | PEP 621 [project].dependencies |
| Pipfile | PyPI | Pipenv format |
| setup.cfg | PyPI | Legacy install_requires and extras_require |
| go.mod | Go | Standard Go modules |
| Cargo.toml | Rust/crates.io | Standard Cargo format |
| Gemfile | Ruby/rubygems | Handles gem directives |
| pom.xml | Java/Maven | elements |
The script searches from the current directory upward to the git root, collecting all dep files found.
Scoring System
Every package and community signal is scored 0-100.
Package Score (Breaking Changes)
score = 0.35 Γ severity + 0.25 Γ recency + 0.30 Γ impact + 0.10 Γ community
Severity (based on change_type):
| Change Type | Score |
|-------------|-------|
| removed | 100 |
| renamed | 80 |
| signature_changed | 70 |
| behavior_changed | 60 |
| type_changed | 50 |
| deprecated | 40 |
| other | 30 |
Recency (days since release): | Age | Score | |-----|-------| | 0-7 days | 100 | | 8-14 days | 85 | | 15-30 days | 65 | | 31-60 days | 40 | | 61-90 days | 25 | | 91+ days | 10 |
Impact (YOUR codebase): | Detection | Score | |-----------|-------| | High-confidence (AST) | 100 | | Med-confidence (grep) | 70 | | Low-confidence | 40 | | Not scanned | 50 | | Not found after scan | 10 |
Community pain:
community = min(100, log1p(weighted_pain_signals) Γ 12)
Where weighted_pain_signals sums quality_weight for each signal (closed+answered=2.0, closed=1.5, open+no comments=0.8). Only signals mentioning the same major version are counted (version-range filtered).Two-phase scoring: Community signals (GitHub Issues, SO, Reddit, HN) are fetched in parallel AFTER the initial registry scan. The final score is calculated once all signals are available. Minor/patch releases are also checked for breaking changes β if found, they are flagged with a SEMVER VIOLATION badge.
Staleness bonus: If a breaking change has been available >30 days and you haven't upgraded, the urgency score increases (0-40 bonus points). Packages with 90+ day-old unaddressed breaking changes get a β‘ STALE badge.
Interpreting Scores
| Score | Meaning | |-------|---------| | 80-100 | π΄ Critical β breaking change directly hits your code, recently released, widely reported | | 60-79 | π High β significant breaking change, likely affects your code | | 40-59 | π‘ Medium β breaking change in this major, but impact uncertain | | 20-39 | π’ Low β older or obscure breaking change | | 0-19 | βͺ Minimal β very minor or unconfirmed |
Output Formats
compact (default)
Best for reading in the terminal. Shows:
json
Full machine-readable JSON dump of the DepRadarReport dataclass. Use this when:
md
Full markdown report. Suitable for:
/depradar --emit=md auto-saves to ~/Documents/DepRadar/context
Minimal snippet for Claude-to-Claude passing. Use this when:
Depth Profiles
| Flag | Timeout | Packages | Community depth | Use case |
|------|---------|----------|-----------------|---------|
| --quick | 60s | Top 5 by severity | Minimal | CI/CD, quick check |
| (default) | 180s | All | Standard | Regular use |
| --deep | 300s | All | Exhaustive | Before a major release |
Caching
Results are cached to avoid hammering APIs:
~/.cache/depradar/reports/)Use --refresh to bypass all caches.
The cache key includes a project path hash to prevent cache collisions across different projects with the same packages. Registry data (package info) is project-agnostic and shared; scan/report caches are project-specific.
Examples
Example 1: Default scan of a Node.js project
/depradar
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py
Expected output includes:
package.json)Example 2: Check a specific package before upgrading
User: "Is it safe to upgrade stripe to v8?"
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py stripe --deep
Then synthesizes the result into:
Example 3: CI/CD integration β check before deploy
User: "Add depradar to my CI pipeline"
Claude suggests adding to .github/workflows/ci.yml:
- name: Check for breaking dependency changes
run: |
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py \
--quick --emit=json --no-community \
| python3 -c "
import json, sys
report = json.load(sys.stdin)
breaking = report['packages_with_breaking_changes']
if breaking:
print(f'BREAKING: {len(breaking)} packages have breaking changes')
for pkg in breaking:
print(f' - {pkg[\"package\"]}: {pkg[\"current_version\"]} β {pkg[\"latest_version\"]}')
sys.exit(1)
print('All dependencies OK')
"
Example 4: Check config
/depradar --diagnose
Claude runs:
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --diagnose
Output shows which API keys are configured and what coverage they unlock.
Example 5: Save full report
/depradar --emit=md
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --emit=md
The script saves ~/Documents/DepRadar/myproject-2026-03-27.md and prints the path.
Example 6: Check multiple ecosystems at once
In a project with both package.json and requirements.txt:
/depradar
The script auto-detects both files, combines the dependency list, checks npm + PyPI registries in parallel, and presents a unified report.
Example 7: Use context mode for chaining with other skills
/depradar --emit=context
Output is a compact snippet like:
[/depradar context β 2 breaking change(s) detected]β’ stripe 7.0.0β8.0.0 (major)
- removed: stripe.webhooks.constructEvent β Method removed
- Impact: 2 file(s) in your codebase
β’ openai 0.28.0β1.35.0 (major)
- removed: openai.Completion.create β Class removed in v1
- Impact: 5 file(s) in your codebase
Claude can then use this context to automatically open the affected files and propose migrations.
Troubleshooting
"No dependency files found"
Make sure you're in the project root:
ls package.json requirements.txt pyproject.toml go.mod Cargo.toml
Pass the project path explicitly:
/depradar --path=/path/to/project
"GitHub API rate limit"
Without a token, GitHub allows 60 requests/hour. Each package needs 1-3 requests.
Fix: Add GITHUB_TOKEN to ~/.config/depradar/.env:
echo "GITHUB_TOKEN=ghp_yourtoken" >> ~/.config/depradar/.env
Get a token at: github.com/settings/tokens (no scopes needed for public repos)
Results look stale
The 6-hour cache might be serving old results. Force refresh:
/depradar --refresh
A package shows as "not found"
This happens for:
@company/internal-lib)These are listed in the "Not found in registry" section and can be ignored.
Python import errors
If you see ModuleNotFoundError for lib modules, make sure you're running from the correct directory or using the full path to depradar.py:
cd /path/to/project && python3 /full/path/to/depradar-skill/scripts/depradar.py
"Permission denied" on check-config.sh
chmod +x ~/.claude/skills/depradar-skill/hooks/scripts/check-config.sh
Privacy and Security
/depradar only reads dependency file names and version numbers, NOT your code contents (beyond scanning for symbol names)ast module and file readingArchitecture Overview
/depradar invocation
β
βΌ
dep_parser.py β Reads package.json, requirements.txt, etc.
β
βΌ
[Phase 1: Registry] ββββββββββββββββββββββββββββββββββββββββ PARALLEL
github_releases.py β Primary: full release notes + CHANGELOG.md
npm_registry.py β npm metadata + latest version
pypi_registry.py β PyPI metadata + latest version
crates_registry.py β crates.io metadata
maven_registry.py β Maven Central metadata
β
βΌ
changelog_parser.py β Extract BreakingChange[] from release notes
β
βΌ
[Phase 2: Codebase Scan] ββββββββββββββββββββββββββββββββββββ PARALLEL (per package)
usage_scanner.py β AST (Python/JS) + grep fallback
impact_analyzer.py β Cross-reference symbols with your code
β
βΌ
[Phase 3: Community] ββββββββββββββββββββββββββββββββββββββββ PARALLEL
github_issues.py β GitHub Issues Search API
stackoverflow.py β Stack Exchange API
reddit_sc.py β Reddit via ScrapeCreators
hackernews.py β HN Algolia (historical) + Firebase API
twitter_x.py β X/Twitter via xAI Grok (optional)
β
βΌ
score.py β Severity Γ Recency Γ Impact Γ Community (0-100)
normalize.py β Min-max normalization per source
dedupe.py β Trigram Jaccard deduplication
β
βΌ
render.py β compact | json | md | context output
Version History
See CHANGELOG.md for detailed release notes.
Current version: 2.0.0
License
MIT β see LICENSE file.
Related Skills
/last30days β Search what happened on the internet in the last 30 days about any topic/security-audit β Scan for known CVEs in your dependencies (pairs well with /depradar)Contributing
Issues and PRs welcome. See SPEC.md for the full architecture specification.
*Built with the Claude Code Skills architecture. Modeled after the /last30days skill pattern.*
π‘ Examples
Example 1: Default scan of a Node.js project
/depradar
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py
Expected output includes:
package.json)Example 2: Check a specific package before upgrading
User: "Is it safe to upgrade stripe to v8?"
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py stripe --deep
Then synthesizes the result into:
Example 3: CI/CD integration β check before deploy
User: "Add depradar to my CI pipeline"
Claude suggests adding to .github/workflows/ci.yml:
- name: Check for breaking dependency changes
run: |
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py \
--quick --emit=json --no-community \
| python3 -c "
import json, sys
report = json.load(sys.stdin)
breaking = report['packages_with_breaking_changes']
if breaking:
print(f'BREAKING: {len(breaking)} packages have breaking changes')
for pkg in breaking:
print(f' - {pkg[\"package\"]}: {pkg[\"current_version\"]} β {pkg[\"latest_version\"]}')
sys.exit(1)
print('All dependencies OK')
"
Example 4: Check config
/depradar --diagnose
Claude runs:
python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --diagnose
Output shows which API keys are configured and what coverage they unlock.
Example 5: Save full report
/depradar --emit=md
Claude runs:
cd /current/project && python3 ~/.claude/skills/depradar-skill/scripts/depradar.py --emit=md
The script saves ~/Documents/DepRadar/myproject-2026-03-27.md and prints the path.
Example 6: Check multiple ecosystems at once
In a project with both package.json and requirements.txt:
/depradar
The script auto-detects both files, combines the dependency list, checks npm + PyPI registries in parallel, and presents a unified report.
Example 7: Use context mode for chaining with other skills
/depradar --emit=context
Output is a compact snippet like:
[/depradar context β 2 breaking change(s) detected]β’ stripe 7.0.0β8.0.0 (major)
- removed: stripe.webhooks.constructEvent β Method removed
- Impact: 2 file(s) in your codebase
β’ openai 0.28.0β1.35.0 (major)
- removed: openai.Completion.create β Class removed in v1
- Impact: 5 file(s) in your codebase
Claude can then use this context to automatically open the affected files and propose migrations.
βοΈ Configuration
/depradar works out of the box with no configuration. API keys unlock additional sources and higher rate limits.
Config File Location
Create either of:
.claude/depradar.env β project-level (check this into .gitignore)~/.config/depradar/.env β global (applies to all projects)API Keys Reference
| Key | Purpose | Without Key | With Key |
|-----|---------|------------|---------|
| GITHUB_TOKEN | GitHub Releases + Issues | 60 req/hr | 5,000 req/hr |
| SCRAPECREATORS_API_KEY | Reddit search | β disabled | β
enabled |
| XAI_API_KEY | X/Twitter via Grok | β disabled | β
enabled |
| AUTH_TOKEN + CT0 | X/Twitter via cookies | β disabled | β
enabled |
| STACKOVERFLOW_API_KEY | Stack Overflow | 300/day | 10,000/day |
Example Config File
# ~/.config/depradar/.envStrongly recommended β free at github.com/settings/tokens
Scopes needed: (none β public repos only)
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFrom scrapecreators.com β enables Reddit community signals
SCRAPECREATORS_API_KEY=sc_xxxxxxxxxxxxFrom x.ai β enables X/Twitter signals
XAI_API_KEY=xai_xxxxxxxxxxxxFrom stackapps.com β 33x rate limit increase for Stack Overflow
STACKOVERFLOW_API_KEY=xxxxxxxxxxxx
Suppressing Known-Safe Breaking Changes
Create a .depradar-ignore file in your project root to suppress evaluated breaking changes:
# .depradar-ignore
Format: package[@version] # optional reason comment
chalk@5 # ESM-only, evaluated 2026-03-27 β only used in CLI output
dotenv@17 # uses config() only, unchanged API
stripe # all versions suppressed (use with care)
chalk@5 β suppresses chalk at any 5.x.x versionchalk@5.3.0 β exact version onlychalk β suppress all versions (use carefully)A global ignore file at ~/.config/depradar/ignore applies to all projects.
Run --show-ignored to see what's being suppressed.
Zero-Config Coverage
Without any API keys, /depradar still covers:
Zero-config covers ~80% of the skill's value.
π Tips & Best Practices
"No dependency files found"
Make sure you're in the project root:
ls package.json requirements.txt pyproject.toml go.mod Cargo.toml
Pass the project path explicitly:
/depradar --path=/path/to/project
"GitHub API rate limit"
Without a token, GitHub allows 60 requests/hour. Each package needs 1-3 requests.
Fix: Add GITHUB_TOKEN to ~/.config/depradar/.env:
echo "GITHUB_TOKEN=ghp_yourtoken" >> ~/.config/depradar/.env
Get a token at: github.com/settings/tokens (no scopes needed for public repos)
Results look stale
The 6-hour cache might be serving old results. Force refresh:
/depradar --refresh
A package shows as "not found"
This happens for:
@company/internal-lib)These are listed in the "Not found in registry" section and can be ignored.
Python import errors
If you see ModuleNotFoundError for lib modules, make sure you're running from the correct directory or using the full path to depradar.py:
cd /path/to/project && python3 /full/path/to/depradar-skill/scripts/depradar.py
"Permission denied" on check-config.sh
chmod +x ~/.claude/skills/depradar-skill/hooks/scripts/check-config.sh