MUST use before installing, adding, or upgrading any dependency. Trigger when: running pip install, npm install, cargo add, go get, or any package manager command; adding a package to requirements.txt, package.json, pyproject.toml, Cargo.toml, go.mod, pom.xml, build.gradle, or Gemfile; choosing which library to use for a task; upgrading or changing dependency versions; or auditing existing dependencies. Uses the Sonatype Guide MCP server to check vulnerabilities, Developer Trust Scores, license risks, malicious package detection, and policy compliance. Do not install or recommend a dependency without checking it here first.
From sonatype-guidenpx claudepluginhub sonatype/guide-claude-pluginThis skill uses the workspace's default tool permissions.
references/purl-ecosystems.mdDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
When a user provides their current version, every recommendation must be >= that version. The MCP returns versions ranked by Developer Trust Score, which can include older versions — filter these out before presenting results.
Only two exceptions exist:
If neither exception applies, do not mention older versions at all.
If malicious: true, warn the user immediately. Never recommend, never suggest "with caution" — there is no safe use of a malicious package.
All tools accept Package URLs. Format: pkg:<type>/<namespace>/<name>@<version>
| Ecosystem | Format | Example |
|---|---|---|
| Maven | pkg:maven/<groupId>/<artifactId>@<version> | pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1 |
| NPM | pkg:npm/<name>@<version> | pkg:npm/express@4.18.2 |
| PyPI | pkg:pypi/<name>@<version> | pkg:pypi/requests@2.31.0 |
| NuGet | pkg:nuget/<name>@<version> | pkg:nuget/Newtonsoft.Json@13.0.3 |
| Go | pkg:golang/<module>@<version> | pkg:golang/github.com/gin-gonic/gin@1.9.1 |
For scoped NPM packages, Cargo, RubyGems, and other ecosystems see references/purl-ecosystems.md.
Three MCP tools available via sonatype-guide. All accept arrays of up to 20 PURLs.
If an MCP call fails or returns unexpected data, tell the user the check could not be completed and suggest they verify manually. Do not silently skip the check or assume the component is safe.
Sonatype's proprietary quality metric (0-100) factoring security, license compliance, quality, and maintainability.
| Range | Action |
|---|---|
| 90+ | Safe for production |
| 80-89 | Generally safe, minor issues |
| 70-79 | Upgrade recommended |
| Below 70 | Upgrade urgently |
Use standard NVD CVSS v3.x severity ratings. Treat Critical (9.0+) and High (7.0+) as actionable — always highlight these in output.
getComponentVersion returns a vulnerabilities object with a flat cves array:
vulnerabilities: {
cves: [
{ id: "CVE-2021-44228", cvssScore: 10.0 },
{ id: "CVE-2021-45046", cvssScore: 9.0 },
...
]
}
The API does not distinguish between direct and transitive vulnerabilities — all CVEs are returned in a single list. Present them sorted by CVSS score (highest first). When reporting, state the total CVE count and highlight any with CVSS >= 7.0.
getComponentVersion returns a policyCompliance object indicating whether the component passes organizational policies:
policyCompliance: {
compliant: true/false,
conditions: [
{ conditionId: "cvss-threshold", conditionName: "CVSS < 7.0", passing: true/false },
{ conditionId: "license-threat-group", conditionName: "No Copyleft Licenses", passing: true/false },
{ conditionId: "malware", conditionName: "No Malware", passing: true/false }
]
}
Surface this in audit and evaluation workflows — it gives users a quick pass/fail for enterprise governance. When compliant: false, call out which specific conditions failed.
malicious: true — Supply chain attack. Do NOT use. Warn immediately.endOfLife: true — No longer maintained. Plan migration.licenseThreatLevels — Map of license to threat score. 0 = no concern. Higher = more restrictive.catalogDate — Epoch milliseconds when the version was cataloged. Ignore unless the user specifically asks about it.These have distinct meanings — do not conflate them:
| Field | null | "0" or 0 | [] empty array |
|---|---|---|---|
breakingChangesCount | Not analyzed — unknown risk, do NOT say "no breaking changes" | Analyzed, confirmed no breaking changes | N/A |
vulnerableMethods | Not checked | N/A | Checked, none found |
vulnerableMethods[].methodSignatures | N/A | N/A | CVE confirmed but specific affected methods not yet mapped |
When breakingChangesCount is null, tell the user: "Breaking changes have not been analyzed for this upgrade path — review the changelog before upgrading."
When recommending versions from getRecommendedComponentVersions results:
toVersion where the version is lower than fromVersion.breakingChangesCount is null for a major version jump, explicitly warn that breaking change analysis is unavailable and recommend reviewing the migration guide.Example prioritization for a user on express@4.18.2:
Trigger: Adding a new dependency, asking "is X safe", or choosing a version.
sonatype-guide:getRecommendedComponentVersions.sonatype-guide:getComponentVersion for full details including policy compliance, and present trade-offs.malicious and endOfLife.Output:
| Version | Trust Score | CVEs | Critical/High | License | Policy |
|---------|-------------|------|---------------|---------|--------|
| x.y.z | 99 | 0 | 0 | MIT | Pass |
Recommendation: ...
Trigger: Upgrading a dependency, asking "should I upgrade X", or responding to a known vulnerability.
sonatype-guide:getRecommendedComponentVersions.fromVersion (current) against remaining toVersions.vulnerableMethods data exists for the current version, mention affected methods to help assess exposure.Output:
Current: <package>@<version> (Trust Score: X, CVEs: N, Critical/High: M)
Recommended (same major):
1. <version> (Trust Score: Y) — <rationale>
Also available (major upgrade):
2. <version> (Trust Score: Z) — <rationale, breaking change warning>
Breaking changes to review: N (or "not analyzed — review changelog")
Trigger: "Audit dependencies", "check for vulnerabilities", "scan for security issues", or dependency health report requests.
sonatype-guide:getComponentVersion (up to 20 per call). For larger projects, prioritize direct dependencies.sonatype-guide:getRecommendedComponentVersions to suggest fixes — only recommend upgrades, never downgrades.Output: Start with a one-line summary (scanned count, issue count, policy violations). Group findings by severity (Critical, then Warnings). For each issue, show package@version, the issue, CVSS score, and recommended upgrade. End with a summary counts table.
Trigger: Choosing between alternatives ("axios vs got", "which library for X"), or evaluating competing packages.
sonatype-guide:getLatestComponentVersion first.sonatype-guide:getRecommendedComponentVersions on each to get Trust Scores.sonatype-guide:getComponentVersion on each for policy compliance details.Output:
| Metric | lib A | lib B | lib C |
|--------|-------|-------|-------|
| Latest Version | x.y.z | a.b.c | d.e.f |
| Trust Score | 99 | 85 | 72 |
| CVEs | 0 | 1 | 3 |
| Critical/High CVEs | 0 | 1 | 2 |
| License | MIT | Apache-2.0 | GPL-3.0 |
| Policy Compliant | Yes | Yes | No |
Recommendation: <lib A> — <rationale>
User: "Add requests to this project"
Expected behavior: Build pkg:pypi/requests, call getRecommendedComponentVersions, check the top result for CVEs/malicious/EOL, and recommend a specific version with its Trust Score before the user runs pip install.
User: "Upgrade express — we're on 4.18.2"
Expected behavior: Build pkg:npm/express@4.18.2, call getRecommendedComponentVersions, filter out anything below 4.18.2, present the best 4.x option as primary and any 5.x option as secondary with breaking change warnings.