Dependencies
Know which deps you'd lose sleep over before they get compromised. Every build and pipeline dependency — what it does, the risk band, the compromise scenario, the patch path.
Where to find it
- Localhost: /dependencies.html?repo=<id>
- On disk: .claude/brain/dependencies.md
- Keyboard: ⌘ K then deps
- Sidebar: Build → Dependencies
What it does for you
- Risk-banded, not alphabetical. Deps are ranked by what would actually hurt you. next and @anthropic-ai/sdk get a long row; a lockfile-pinned linter helper gets a short one.
- Compromise scenario per dep. Each high-risk row names what happens if the package is compromised — credential exfil, build-time RCE, supply-chain typo-squat — and the patch path back to safety.
- Patch path is written down, not improvised. When CVE-2026-xxxx drops at 11pm, the row already tells you which file to bump and which CI job will catch the regression.
Configure
Nothing — the doc is hand-curated. New runtime dep → new row here in the same PR (per the repo's “don't add a runtime dep without updating integrations + deps” rule).
Use it well
Before adding a runtime dependency, ask: is the existing dep set enough? If yes, don't add. If no, add the row here in the same PR with the risk band and compromise scenario. Quarterly: scan the list for deps you've outgrown.
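The "new runtime dep → new row in the same PR" rule from Configure and Use it well can be checked mechanically in CI. The following is an added example, not part of the tool or the repo it documents; it assumes dependencies.md keeps one markdown table row per dep with the package name in the first cell and the risk band in the second, and the function names, package names and sample data are hypothetical.

```javascript
// Added example, not the tool's own code. Assumed layout: a markdown table whose
// first cell is the package name (optionally in backticks), second is the risk band.
function documentedDeps(markdown) {
  const rows = new Map();
  for (const raw of markdown.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line.startsWith("|") || !line.endsWith("|")) continue; // not a table row
    const cells = line.split("|").slice(1, -1).map((c) => c.trim());
    if (cells.length < 2 || /^:?-+:?$/.test(cells[0])) continue; // separator row
    const name = cells[0].replace(/`/g, "");
    if (name.toLowerCase() === "package") continue; // header row (assumed label)
    rows.set(name, cells[1].toLowerCase());
  }
  return rows;
}

function auditDeps(pkg, markdown) {
  const runtime = Object.keys(pkg.dependencies || {});
  const all = new Set([...runtime, ...Object.keys(pkg.devDependencies || {})]);
  const rows = documentedDeps(markdown);
  return {
    // Runtime deps with no row: the PR should fail until one is added.
    missing: runtime.filter((d) => !rows.has(d)).sort(),
    // Rows that exist but carry no risk band.
    unbanded: [...rows.keys()].filter((d) => rows.get(d) === "").sort(),
    // Rows absent from package.json: review candidates only, since pipeline
    // deps (CI actions, base images) are documented but live elsewhere.
    notInManifest: [...rows.keys()].filter((d) => !all.has(d)).sort(),
  };
}

// Constructed sample input (versions and the example-* / old-dep names are made up).
const SAMPLE_PKG = {
  dependencies: { next: "0.0.0", "@anthropic-ai/sdk": "0.0.0", "example-new-dep": "0.0.0" },
  devDependencies: { "example-lint-helper": "0.0.0" },
};
const SAMPLE_DOC = [
  "| Package | Risk band | Compromise scenario | Patch path |",
  "|---|---|---|---|",
  "| `next` | high | build-time RCE | bump package.json |",
  "| `@anthropic-ai/sdk` | | credential exfil | bump package.json |",
  "| `example-lint-helper` | low | n/a | lockfile pin |",
  "| `old-dep` | low | n/a | n/a |",
].join("\n");

console.log(auditDeps(SAMPLE_PKG, SAMPLE_DOC));
```

In a pipeline, feed it the parsed package.json and the contents of .claude/brain/dependencies.md, and fail the job when `missing` or `unbanded` is non-empty.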