
Package Intelligence: Vet a Dependency Before You Adopt It

GitHits launched a new package intelligence skill that enables AI agents to vet dependencies by checking license, vulnerabilities, changelogs, and upgrade paths before adoption. The tool provides automated package reviews, demonstrated with Drizzle ORM, to help developers make informed dependency decisions.


June 10, 2026 · 3 min read

A new package skill gives your agent license, dependency, vulnerability, changelog, and upgrade-review data before you add a dependency.

Adding a dependency is a technical decision and a maintenance decision. Before it lands in your app, you want to know the basics: license, release history, runtime dependencies, known vulnerabilities, and whether the upgrade path looks safe.

Package intelligence gives your agent that context directly. Instead of relying on whatever the model remembers about a package, which may be stale or wrong, GitHits lets it inspect the current registry metadata and package data grounded in the package's own source and release history.

Install the skill #

Run the GitHits init flow:

npx githits@latest init

Choose the agent skills path, then install **githits-package**. That skill gives your agent a package-review workflow for dependency adoption, security checks, changelog review, and upgrade planning.

What githits-package gives your agent #

The skill guides your agent through the package questions you usually ask manually.

  • Package overview: version, license, repository health, popularity, and download data.
  • Dependency risk: the direct and transitive dependency graph.
  • Security review: known CVE and OSV advisories for the package.
  • Release context: the changelog.
  • Upgrades: a comparison of the current and target versions across vulnerabilities, release notes, peer dependency changes, and dependency issues.

That turns a vague question like “is this dependency safe to add?” into a concrete review with evidence.
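The checklist above, carried out offline, as an added example written for this article rather than code from GitHits or the githits-package skill. It reviews an upgrade of a hypothetical package "demo-orm" against constructed registry data (npm packument shape) and constructed advisories in OSV shape, with a simplified semver comparator; the EXAMPLE-* advisory IDs, versions and peer dependency names are invented for illustration. It also covers the upgrade-review prompt further down: a target version can fix one advisory and fall inside another, so "latest" is not automatically the safe choice.

```javascript
// Added example, not GitHits code. Offline package review: license allow-list,
// runtime dependency count, peer dependency changes, and OSV advisory matching
// for a current and a target version. All inputs are constructed; "demo-orm"
// and the EXAMPLE-* advisory IDs are hypothetical, not a real package or CVEs.

// Minimal semver: MAJOR.MINOR.PATCH with optional -prerelease and +build.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts below its release
// (1.2.0-beta < 1.2.0). Prerelease tags are compared as plain strings, a
// simplification of full semver precedence that is enough for this review.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// OSV matching. Each affected entry lists SEMVER ranges as an ordered event
// list such as [{introduced:"0"},{fixed:"1.3.1"},{introduced:"2.0.0"}]: a
// version is affected if it is >= an "introduced" event and < the next "fixed"
// event, or if no "fixed" event follows. Explicit `versions` lists count too.
function versionAffected(advisory, pkgName, version) {
  for (const aff of advisory.affected || []) {
    if (!aff.package || aff.package.name !== pkgName) continue;
    if ((aff.versions || []).includes(version)) return true;
    for (const range of aff.ranges || []) {
      if (range.type !== "SEMVER") continue;
      let inRange = false;
      for (const ev of range.events) {
        if (ev.introduced !== undefined) {
          const start = ev.introduced === "0" ? "0.0.0" : ev.introduced;
          inRange = compareSemver(version, start) >= 0;
        } else if (ev.fixed !== undefined) {
          if (inRange && compareSemver(version, ev.fixed) < 0) return true;
          inRange = false;
        }
      }
      if (inRange) return true;
    }
  }
  return false;
}

// Licenses this example treats as acceptable; adjust to your own policy.
const ALLOWED_LICENSES = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);

function keysOnlyIn(a, b) {
  return Object.keys(a || {}).filter((k) => !(k in (b || {})));
}

// Review an upgrade from currentVersion to targetVersion using registry data
// (packument shape) and OSV-shaped advisories. Returns a report object.
function reviewUpgrade(packument, advisories, currentVersion, targetVersion) {
  const name = packument.name;
  const cur = packument.versions[currentVersion];
  const tgt = packument.versions[targetVersion];
  if (!cur || !tgt) throw new Error(`version missing from registry data for ${name}`);
  const openNow = advisories.filter((a) => versionAffected(a, name, currentVersion)).map((a) => a.id);
  const openAfter = advisories.filter((a) => versionAffected(a, name, targetVersion)).map((a) => a.id);
  const report = {
    name, currentVersion, targetVersion,
    license: tgt.license,
    licenseAllowed: ALLOWED_LICENSES.has(tgt.license),
    runtimeDeps: Object.keys(tgt.dependencies || {}),
    peerAdded: keysOnlyIn(tgt.peerDependencies, cur.peerDependencies),
    peerRemoved: keysOnlyIn(cur.peerDependencies, tgt.peerDependencies),
    fixedByUpgrade: openNow.filter((id) => !openAfter.includes(id)),
    stillOpen: openNow.filter((id) => openAfter.includes(id)),
    introducedByUpgrade: openAfter.filter((id) => !openNow.includes(id)),
  };
  // Decision rule: block if the target is still vulnerable or off-policy on
  // license; ask for a human look if the install footprint changes; else accept.
  if (!report.licenseAllowed || report.stillOpen.length || report.introducedByUpgrade.length) {
    report.recommendation = "block";
  } else if (report.peerAdded.length || report.runtimeDeps.length) {
    report.recommendation = "review";
  } else {
    report.recommendation = "accept";
  }
  return report;
}

// Constructed registry document for a hypothetical package (npm packument shape).
const PACKUMENT = {
  name: "demo-orm",
  "dist-tags": { latest: "1.4.0" },
  versions: {
    "1.2.0": { version: "1.2.0", license: "MIT", dependencies: {}, peerDependencies: { "demo-pg-driver": ">=8" } },
    "1.4.0": { version: "1.4.0", license: "MIT", dependencies: {}, peerDependencies: { "demo-pg-driver": ">=8", "demo-sqlite-driver": ">=9" } },
  },
};

// Constructed advisories in OSV shape; IDs, summaries and ranges are invented.
const ADVISORIES = [
  { id: "EXAMPLE-2025-0001", summary: "hypothetical issue, fixed in 1.3.1",
    affected: [{ package: { ecosystem: "npm", name: "demo-orm" },
                 ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.3.1" }] }] }] },
  { id: "EXAMPLE-2025-0002", summary: "hypothetical issue introduced in 1.4.0, no fix yet",
    affected: [{ package: { ecosystem: "npm", name: "demo-orm" },
                 ranges: [{ type: "SEMVER", events: [{ introduced: "1.4.0" }] }] }] },
];

console.log(JSON.stringify(reviewUpgrade(PACKUMENT, ADVISORIES, "1.2.0", "1.4.0"), null, 2));
```

On the constructed data the report says the upgrade fixes EXAMPLE-2025-0001, introduces EXAMPLE-2025-0002 and adds a peer dependency, so the recommendation is "block" even though 1.4.0 is the latest tag. With real inputs you would fetch the packument from the registry and the advisories from OSV for the package; the matching logic stays the same.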

Example: reviewing Drizzle ORM #

In the walkthrough, the agent reviews Drizzle ORM before adoption. The useful result is not a blanket yes or no. It is the evidence behind the recommendation.

The review checks the package metadata, inspects the changelog, looks at the dependency shape, and checks for known vulnerabilities. Drizzle ORM has no runtime dependencies, which removes transitive runtime dependencies as a risk category, though it says nothing about the package's own code, its peer dependencies, or its build tooling. The agent also surfaces the package version, license, and relevant usage context so the adoption decision is easier to verify.

Better dependency decisions #

Package reviews are easy to skip because the information is spread across registries, changelogs, advisory databases, and docs. **githits-package** gives your agent a repeatable way to gather that information before a dependency becomes part of your codebase.

Use it when you are adding a new package, investigating a vulnerability report, or deciding whether to accept an upgrade.

Try these prompts #

After installing the skill with npx githits@latest init, try prompts like:

  • “Use GitHits to review drizzle-orm before adoption. Check license, dependencies, vulnerabilities, and migration docs.”
  • “Use GitHits to compare the dependency risk of lodash and date-fns for a small frontend project.”
  • “Use GitHits to review whether upgrading express from 4.18.2 to the latest version introduces security or changelog concerns.”
  • “Use GitHits to inspect the transitive dependency footprint for this package and call out anything risky.”