June 10, 2026 · 3 min read
Package Intelligence: Vet a Dependency Before You Adopt It
A new package skill gives your agent license, dependency, vulnerability, changelog, and upgrade-review data before you add a dependency.
Adding a dependency is a technical decision and a maintenance decision. Before it lands in your app, you want to know the basics: license, release history, runtime dependencies, known vulnerabilities, and whether the upgrade path looks safe.
Package intelligence gives your agent that context directly. Instead of asking the model to remember a package, GitHits lets it inspect current package metadata and source-grounded package data.
Install the skill
Run the GitHits init flow:
npx githits@latest init
Choose the agent skills path, then install githits-package. That skill gives your agent a package-review workflow for dependency adoption, security checks, changelog review, and upgrade planning.
What githits-package gives your agent
The skill guides your agent through the package questions you usually ask manually.
For package overview, it can pull version, license, repository health, popularity, and download data. For dependency risk, it can inspect direct and transitive dependency graphs. For security review, it can check known CVE and OSV advisories. For release context, it can read changelogs. For upgrades, it can compare the current and target versions across vulnerabilities, release notes, peer dependency changes, and dependency issues.
That turns a vague question like “is this dependency safe to add?” into a concrete review with evidence.
Example: reviewing Drizzle ORM
In the walkthrough, the agent reviews Drizzle ORM before adoption. The useful result is not a blanket yes or no. It is the evidence behind the recommendation.
The review checks the package metadata, inspects the changelog, looks at the dependency shape, and checks for known vulnerabilities. Drizzle ORM has no runtime dependencies, which keeps one category of dependency risk small. The agent also surfaces the package version, license, and relevant usage context so the adoption decision is easier to verify.
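The review workflow described above and in the Drizzle walkthrough, as an added example that is not GitHits code: it runs the same checks (license policy, transitive dependency footprint, advisory matching, upgrade comparison) over a constructed in-memory registry and a constructed OSV-style advisory list, so it works offline. Package names, versions and advisory ids are made up; the version matching is deliberately simplified and ignores pre-release tags.

```javascript
// Constructed registry-style metadata: name -> { version, license, dependencies }.
// All packages and values below are hypothetical, not real registry data.
const REGISTRY = {
  "app-orm":   { version: "1.2.0", license: "MIT",        dependencies: { "pg-driver": "^2.0.0" } },
  "pg-driver": { version: "2.1.0", license: "MIT",        dependencies: { "buf-util": "^1.0.0" } },
  "buf-util":  { version: "1.0.3", license: "GPL-3.0",    dependencies: {} },
  "no-deps":   { version: "0.4.0", license: "Apache-2.0", dependencies: {} },
};
// Constructed OSV-style advisories (placeholder ids, not real CVEs): a version is
// affected when introduced <= version < fixed.
const ADVISORIES = [
  { id: "EXAMPLE-0001", package: "buf-util", introduced: "1.0.0", fixed: "1.0.4" },
  { id: "EXAMPLE-0002", package: "app-orm",  introduced: "0.0.0", fixed: "1.1.0" },
];
// License policy for this review; anything outside the set is flagged for a human.
const ALLOWED_LICENSES = new Set(["MIT", "Apache-2.0", "BSD-3-Clause"]);

// Numeric comparison of "major.minor.patch" strings (pre-release tags not handled).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Walk the dependency graph from a root and collect every transitive package
// (the set includes the root itself; cycles are guarded by the seen set).
function transitiveClosure(name, seen = new Set()) {
  if (seen.has(name) || !REGISTRY[name]) return seen;
  seen.add(name);
  for (const dep of Object.keys(REGISTRY[name].dependencies)) transitiveClosure(dep, seen);
  return seen;
}
// Advisory ids that apply to a given package version.
function advisoriesFor(name, version) {
  return ADVISORIES.filter(a => a.package === name &&
    cmpVersion(version, a.introduced) >= 0 && cmpVersion(version, a.fixed) < 0).map(a => a.id);
}
// The evidence a reviewer wants before adopting a package: license policy hits across
// the whole tree, the size of the transitive footprint, and known advisories.
function vetPackage(name) {
  const pkgs = [...transitiveClosure(name)];
  const licenseIssues = pkgs.filter(p => !ALLOWED_LICENSES.has(REGISTRY[p].license));
  const vulnerabilities = pkgs.flatMap(p =>
    advisoriesFor(p, REGISTRY[p].version).map(id => `${p}@${REGISTRY[p].version}: ${id}`));
  return { package: name, transitiveCount: pkgs.length - 1, licenseIssues, vulnerabilities,
           recommend: licenseIssues.length === 0 && vulnerabilities.length === 0 };
}
// Upgrade review: which known advisories the move from one version to another fixes or exposes.
function compareUpgrade(name, fromVer, toVer) {
  const before = advisoriesFor(name, fromVer), after = advisoriesFor(name, toVer);
  return { fixed: before.filter(id => !after.includes(id)), exposed: after.filter(id => !before.includes(id)) };
}
```

A package with no runtime dependencies, like Drizzle ORM in the walkthrough, comes back with a transitive count of zero, which is exactly why that category of risk stays small.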
Better dependency decisions
Package reviews are easy to skip because the information is spread across registries, changelogs, advisory databases, and docs. githits-package gives your agent a repeatable way to gather that information before a dependency becomes part of your codebase.
Use it when you are adding a new package, investigating a vulnerability report, or deciding whether to accept an upgrade.
Try these prompts
After installing the skill with npx githits@latest init, try prompts like:
- “Use GitHits to review drizzle-orm before adoption. Check license, dependencies, vulnerabilities, and migration docs.”
- “Use GitHits to compare the dependency risk of lodash and date-fns for a small frontend project.”
- “Use GitHits to review whether upgrading express from 4.18.2 to the latest version introduces security or changelog concerns.”
- “Use GitHits to inspect the transitive dependency footprint for this package and call out anything risky.”