Skip to main content
Glama
millsydotdev

Code-MCP

by millsydotdev
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Hybrid

check_dependencies

Analyze project dependencies to identify security vulnerabilities, deprecations, and outdated packages for maintaining healthy software projects.

Instructions

Analyzes project dependencies for security vulnerabilities, deprecations, and outdated packages. Essential for maintaining healthy projects.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
packageManagerYesPackage manager to check
packageFileNoPath to package file (package.json, requirements.txt, etc.)

Implementation Reference

  • src/tools/fullstack.ts:104-207 (handler)
    The handler function for the 'check_dependencies' tool. It generates a markdown report with commands for auditing, checking outdated packages, and updating dependencies for various package managers (npm, yarn, pnpm, pip, cargo), along with best practices and CI integration examples.
    export function checkDependenciesHandler(args: any) {
    const { packageManager } = args;

    const commands: Record<string, { audit: string; outdated: string; update: string }> = {
        npm: {
            audit: "npm audit",
            outdated: "npm outdated",
            update: "npm update"
        },
        yarn: {
            audit: "yarn audit",
            outdated: "yarn outdated",
            update: "yarn upgrade"
        },
        pnpm: {
            audit: "pnpm audit",
            outdated: "pnpm outdated",
            update: "pnpm update"
        },
        pip: {
            audit: "pip-audit",
            outdated: "pip list --outdated",
            update: "pip install --upgrade"
        },
        cargo: {
            audit: "cargo audit",
            outdated: "cargo outdated",
            update: "cargo update"
        }
    };

    const cmds = commands[packageManager];

    const check = `# Dependency Health Check

## Package Manager: ${packageManager}

---

## Commands to Run

### 1. Security Audit
\`\`\`bash
${cmds.audit}
\`\`\`
Checks for known vulnerabilities in dependencies.

### 2. Check Outdated
\`\`\`bash
${cmds.outdated}
\`\`\`
Lists packages with newer versions available.

### 3. Update Dependencies
\`\`\`bash
${cmds.update}
\`\`\`
Updates to latest compatible versions.

---

## Dependency Best Practices

### Security
- [ ] Run audit before every release
- [ ] Enable Dependabot/Renovate for automatic updates
- [ ] Review changelogs before major updates
- [ ] Pin versions in production

### Maintenance
- [ ] Update dependencies monthly
- [ ] Remove unused dependencies
- [ ] Avoid deprecated packages
- [ ] Lock file committed to git

### Automated Tools
- **Snyk**: Free security scanning
- **Dependabot**: Auto-update PRs
- **Renovate**: Advanced dependency management
- **npm-check**: Interactive updates

## Docker Security Scanning
\`\`\`bash
docker scout cves <image>          # Scan for vulnerabilities
docker scout quickview <image>     # Quick security overview
docker scout recommendations       # Get fix recommendations
\`\`\`

## GitHub Actions Integration
Add to \`.github/workflows/security.yml\`:
\`\`\`yaml
name: Security Scan
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm audit --audit-level=high
\`\`\`
`;

    return { content: [{ type: "text", text: check }] };
}
  • src/tools/fullstack.ts:95-102 (schema)
    The Zod schema definition for the 'check_dependencies' tool, specifying input parameters: packageManager (required enum) and optional packageFile path.
    export const checkDependenciesSchema = {
    name: "check_dependencies",
    description: "Analyzes project dependencies for security vulnerabilities, deprecations, and outdated packages. Essential for maintaining healthy projects.",
    inputSchema: z.object({
        packageManager: z.enum(["npm", "yarn", "pnpm", "pip", "cargo"]).describe("Package manager to check"),
        packageFile: z.string().optional().describe("Path to package file (package.json, requirements.txt, etc.)")
    })
};
  • src/server.ts:119-119 (registration)
    Registration of the 'check_dependencies' tool in the HTTP server's toolRegistry Map, linking schema and handler.
    ["check_dependencies", { schema: checkDependenciesSchema, handler: checkDependenciesHandler }],
  • src/index.ts:114-114 (registration)
    Registration of the 'check_dependencies' tool in the stdio server's toolRegistry Map, linking schema and handler.
    ["check_dependencies", { schema: checkDependenciesSchema, handler: checkDependenciesHandler }],

Tool Definition Quality

B3.2/5.0
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. While it mentions what the tool analyzes (security vulnerabilities, deprecations, outdated packages), it doesn't describe the output format, whether it requires network access, if it's read-only or has side effects, or any rate limits. For a tool with no annotation coverage, this leaves significant behavioral gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately concise with two sentences. The first sentence clearly states the purpose, and the second provides contextual importance. There's no wasted verbiage, though it could be slightly more structured by separating analysis targets with commas for better readability.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 2 parameters with full schema coverage but no annotations and no output schema, the description is moderately complete. It explains what the tool does but lacks details about behavioral traits, output format, and usage differentiation from siblings. For a tool with no output schema, the description should ideally hint at what results to expect, which it doesn't do.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema already fully documents both parameters. The description doesn't add any parameter-specific information beyond what's in the schema. According to the scoring rules, when schema coverage is high (>80%), the baseline is 3 even with no param info in the description, which applies here.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Analyzes project dependencies for security vulnerabilities, deprecations, and outdated packages.' It specifies the verb 'analyzes' and the resource 'project dependencies' with three analysis targets. However, it doesn't explicitly differentiate from sibling tools like 'check_imports' or 'validate_code' that might also analyze code-related aspects.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides implied usage context by stating it's 'Essential for maintaining healthy projects,' suggesting it should be used for project health checks. However, it doesn't explicitly state when to use this tool versus alternatives like 'check_imports' or 'validate_code,' nor does it provide any exclusion criteria or prerequisites for usage.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/millsydotdev/Code-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server