review-dependency
Install: `claude install-skill lklimek/claudius`
# Dependency Security Review
Perform a security-focused review of a dependency update.
**Argument**: `$ARGUMENTS` — the dependency name (e.g., `github.com/lib/pq`, `express`, `tokio`), optionally with version range (e.g., `github.com/lib/pq 1.11.1..1.11.2`). If empty, auto-detect from the current branch by diffing the dependency manifest against the main branch.
## 1. Identify the Dependency Change
Detect the project ecosystem and locate the dependency manifest:
| Ecosystem | Manifest files |
|---|---|
| Go | `go.mod`, `go.sum` |
| Rust | `Cargo.toml`, `Cargo.lock` |
| Python | `pyproject.toml`, `requirements*.txt`, `Pipfile.lock`, `poetry.lock` |
| Node.js | `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
| Other | Identify automatically |
Diff the manifest against the base branch to extract: package name, old version, new version, and any other dependency changes bundled in the same commit.
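The extraction step above, worked through for the Go ecosystem as an added example (this is illustrative code, not part of the skill or the claudius project). It parses the `require` directives of two `go.mod` revisions (block form and single-line form, ignoring `// indirect` comments) and reports every dependency that was added, removed or changed between them, so that changes bundled alongside the one under review are surfaced too. The two manifests are constructed sample inputs; in practice the base copy would come from `git show origin/main:go.mod` and the head copy from the working tree.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample manifests (not from any real project): the base-branch
# go.mod and the feature-branch go.mod of a hypothetical module.
BASE_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/lib/pq v1.11.1
\tgolang.org/x/crypto v0.21.0 // indirect
)

require github.com/stretchr/testify v1.9.0
"""

HEAD_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/lib/pq v1.11.2
\tgolang.org/x/crypto v0.21.0 // indirect
\tgithub.com/some/newdep v0.3.0
)

require github.com/stretchr/testify v1.9.0
"""


@dataclass(frozen=True)
class DepChange:
    name: str
    old: Optional[str]  # None when the dependency was newly added
    new: Optional[str]  # None when the dependency was removed


# A require entry is "<module path> <version>"; go.mod versions start with "v".
_REQ_LINE = re.compile(r"^(\S+)\s+(v\S+)")


def parse_go_mod_requires(text: str) -> Dict[str, str]:
    """Return {module path: version} for every require directive in a go.mod."""
    deps: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        # Strip trailing comments such as "// indirect" before matching.
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = _REQ_LINE.match(line)
            if m:
                deps[m.group(1)] = m.group(2)
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            m = _REQ_LINE.match(line[len("require "):])
            if m:
                deps[m.group(1)] = m.group(2)
    return deps


def diff_requires(base: str, head: str) -> List[DepChange]:
    """List every dependency whose version differs between base and head.

    Added and removed dependencies are reported as well, so bundled changes
    that ride along with the update under review are not missed.
    """
    old = parse_go_mod_requires(base)
    new = parse_go_mod_requires(head)
    changes: List[DepChange] = []
    for name in sorted(old.keys() | new.keys()):
        if old.get(name) != new.get(name):
            changes.append(DepChange(name, old.get(name), new.get(name)))
    return changes


if __name__ == "__main__":
    for change in diff_requires(BASE_GO_MOD, HEAD_GO_MOD):
        print(f"{change.name}: {change.old or '(absent)'} -> {change.new or '(removed)'}")
```

Running the block prints one line per change; on the sample input that is the `github.com/lib/pq` bump from `v1.11.1` to `v1.11.2` plus the bundled addition of `github.com/some/newdep`, while the unchanged `golang.org/x/crypto` and `testify` entries are not reported.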
## 2. Gather Upstream Intelligence
Run these steps in parallel:
### 2a. Changelog and Diff
- Fetch release notes from the upstream repository's releases/tags page
- Fetch the comparison between old and new versions
- Summarize: what changed, how many commits, which files, nature of changes
### 2b. Clone the Library
Create a session temp dir (if not already created) and clone the new version into it.
```bash
# Ensure the parent directory exists, then create a unique per-session
# directory under it; mkdir -p prints nothing, so only the mktemp path
# is captured in SESSION_DIR.
SESSION_DIR=$(mkdir -p /tmp/claude && mktemp -d /tmp/claude/XXXXXX)
```
**Input validation**: Before using the package name in any shell command, vali