Dependency Audit Assistant
This skill helps audit project dependencies for security vulnerabilities, outdated packages, and license compliance issues.
When to Use This Skill
- User requests a dependency audit or security check
- Before major releases or deployments
- User asks about outdated packages or vulnerabilities
- License compliance review is needed
- User mentions "npm audit", "security", "dependencies", or "vulnerabilities"
Instructions
1. Detect Package Manager
Identify which package manager(s) the project uses:
JavaScript/Node.js:
- npm: `package.json` + `package-lock.json`
- Yarn: `package.json` + `yarn.lock`
- pnpm: `package.json` + `pnpm-lock.yaml`
Python:
- pip: `requirements.txt` or `setup.py`
- Poetry: `pyproject.toml` + `poetry.lock`
- Pipenv: `Pipfile` + `Pipfile.lock`
Ruby:
- Bundler: `Gemfile` + `Gemfile.lock`
Java:
- Maven: `pom.xml`
- Gradle: `build.gradle` or `build.gradle.kts`
Go:
- Go modules: `go.mod` + `go.sum`
Rust:
- Cargo: `Cargo.toml` + `Cargo.lock`
PHP:
- Composer: `composer.json` + `composer.lock`
Use Glob to find these files.
2. Run Security Audit
Execute the appropriate audit command based on package manager:
- npm: `npm audit --json` or `npm audit`
- Yarn: `yarn audit --json` or `yarn audit`
- pnpm: `pnpm audit --json`
- pip: `pip-audit` or `safety check`
- Poetry: `poetry check`
- Bundler: `bundle audit check --update`
- Maven: `mvn dependency:tree` + OWASP Dependency Check
- Go: `go list -m all` + `govulncheck`
- Cargo: `cargo audit`
- Composer: `composer audit`
Parse the output to identify:
- Number of vulnerabilities by severity (critical, high, moderate, low)
- Affected packages and versions
- Available fixes (updates or patches)
- CVE identifiers
3. Check for Outdated Packages
Identify packages that have newer versions available:
- npm: `npm outdated --json`
- Yarn: `yarn outdated --json`
- pip: `pip list --outdated`
- Poetry: `poetry show --outdated`
- Bundler: `bundle outdated`
- Cargo: `cargo outdated`
- Go: `go list -u -m all`
Categorize updates:
- Patch updates (1.0.0 → 1.0.1): Bug fixes, safe to update
- Minor updates (1.0.0 → 1.1.0): New features, usually safe
- Major updates (1.0.0 → 2.0.0): Breaking changes, needs testing
4. License Compliance Check
Review licenses of all dependencies:
Steps:
- Extract licenses from package metadata
- Identify license types (MIT, Apache-2.0, GPL, etc.)
- Flag potentially problematic licenses (GPL, AGPL in commercial projects)
- Check for unlicensed or unknown licenses
- Reference the license compatibility matrix in `reference/licenses.md`
Tools:
- npm: `npx license-checker --json` or `npm-license-crawler`
- Python: `pip-licenses`
- Ruby: `license_finder`
- Go: `go-licenses`
License categories:
- Permissive: MIT, Apache-2.0, BSD - Usually safe
- Weak copyleft: LGPL, MPL - Requires review
- Strong copyleft: GPL, AGPL - May restrict commercial use
- Unknown: Missing or custom licenses - Needs investigation
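The license step above, as an added example that is not part of this skill's `scripts/check-licenses.sh`: it reads the JSON that `npx license-checker --json` prints (assumed shape: a map of `name@version` to an object whose `licenses` field is an SPDX string or a list of them), normalizes SPDX suffixes, resolves `OR`/`AND` expressions, and groups packages into the four categories. The input below is constructed sample data.

```python
"""Classify dependency licenses from `license-checker --json` output into
permissive / weak-copyleft / strong-copyleft / unknown.

Added example, not the skill's own code. Assumes license-checker's JSON shape;
the sample data and the category membership table are constructed here.
"""
import json
import re

# Category table (an assumption of this example; extend to taste).
CATEGORIES = {
    "permissive": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense"},
    "weak-copyleft": {"LGPL-2.1", "LGPL-3.0", "MPL-2.0", "EPL-2.0"},
    "strong-copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}
ORDER = ["permissive", "weak-copyleft", "strong-copyleft", "unknown"]  # least to most restrictive

# Constructed sample of `npx license-checker --json` output.
SAMPLE_LICENSE_CHECKER = json.dumps({
    "lodash@4.17.21": {"licenses": "MIT", "repository": "https://github.com/lodash/lodash"},
    "some-gpl-library@1.0.0": {"licenses": "GPL-3.0", "repository": ""},
    "dual-licensed@2.0.0": {"licenses": "(MIT OR Apache-2.0)"},
    "lgpl-thing@1.2.3": {"licenses": "LGPL-3.0-or-later"},
    "mystery@0.1.0": {"licenses": "UNKNOWN"},
    "custom@3.0.0": {"licenses": "Custom: https://example.invalid/license"},
})


def normalize(lic: str) -> str:
    """Strip SPDX suffixes ('-only', '-or-later', trailing '+') and license-checker's
    trailing '*' (which marks a license guessed from the README rather than declared)."""
    lic = lic.strip().rstrip("*+")
    return re.sub(r"-(only|or-later)$", "", lic)


def classify_one(lic: str) -> str:
    lic = normalize(lic)
    for cat, ids in CATEGORIES.items():
        if lic in ids:
            return cat
    return "unknown"


def classify(expr: str) -> str:
    """Classify an SPDX expression. 'A OR B' lets the consumer pick, so it is as
    permissive as its best option; 'A AND B' is as restrictive as its worst."""
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    if " OR " in expr:
        return min((classify(p) for p in expr.split(" OR ")), key=ORDER.index)
    if " AND " in expr:
        return max((classify(p) for p in expr.split(" AND ")), key=ORDER.index)
    return classify_one(expr)


def audit_licenses(checker_json: str) -> dict:
    """Group packages by category so strong-copyleft and unknown ones stand out."""
    groups = {cat: [] for cat in ORDER}
    for pkg, meta in json.loads(checker_json).items():
        lic = meta.get("licenses", "UNKNOWN")
        if isinstance(lic, list):          # license-checker may report several licenses
            lic = " AND ".join(lic)
        groups[classify(lic)].append(pkg)
    return groups


if __name__ == "__main__":
    for cat, pkgs in audit_licenses(SAMPLE_LICENSE_CHECKER).items():
        print(f"{cat:16} {pkgs}")
```

Packages landing in `strong-copyleft` or `unknown` are the ones to carry into the report's "License issues" section; `weak-copyleft` entries need a human look at how the package is linked or distributed.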
5. Analyze Dependency Tree
Understand the dependency structure:
Direct vs Transitive:
- Direct: Listed in `package.json`/`requirements.txt`
- Transitive: Dependencies of dependencies
Identify issues:
- Duplicate packages at different versions
- Deep dependency trees (potential for conflicts)
- Abandoned packages (no updates in >2 years)
- High-risk transitive dependencies
Commands:
- npm: `npm ls --all`
- Yarn: `yarn why <package>`
- pip: `pipdeptree`
- Maven: `mvn dependency:tree`
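The tree analysis in this step, as an added example (not the skill's own code): it walks the JSON that `npm ls --all --json` prints (assumed shape: every node has a `version` and a nested `dependencies` map), reports duplicate packages installed at different versions, flags install paths deeper than a chosen threshold, and answers the `yarn why`-style question of how a package got pulled in. The tree below is constructed sample data; the depth threshold is this example's own choice.

```python
"""Find duplicate versions and deep paths in an `npm ls --all --json` tree.

Added example, not the skill's own code. Assumes npm's `ls --json` shape; the
sample tree is constructed and the depth threshold is an arbitrary default.
"""
import json
from collections import defaultdict

# Constructed sample: express and mocha each pull in their own debug/ms copies,
# and the app also depends on ms directly at a third version.
SAMPLE_TREE = json.dumps({
    "name": "app", "version": "1.0.0",
    "dependencies": {
        "express": {"version": "4.18.2", "dependencies": {
            "debug": {"version": "2.6.9", "dependencies": {
                "ms": {"version": "2.0.0"}}}}},
        "mocha": {"version": "10.2.0", "dependencies": {
            "debug": {"version": "4.3.4", "dependencies": {
                "ms": {"version": "2.1.2"}}}}},
        "ms": {"version": "2.1.3"},
    },
})


def walk(node, path=()):
    """Yield (name, version, path) for every installed node, depth-first."""
    for name, child in node.get("dependencies", {}).items():
        here = path + (name,)
        yield name, child.get("version"), here
        yield from walk(child, here)


def analyze(tree_json: str, max_depth: int = 2) -> dict:
    """Summarize the tree: node count, direct deps, duplicates, overly deep paths."""
    tree = json.loads(tree_json)
    versions = defaultdict(set)
    deep, total = [], 0
    for name, version, path in walk(tree):
        total += 1
        versions[name].add(version)
        if len(path) > max_depth:
            deep.append("/".join(path))
    return {
        "nodes": total,
        "direct": sorted(tree.get("dependencies", {})),
        # Same package name resolved to more than one version: a dedupe/conflict candidate.
        "duplicates": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
        "deep_paths": deep,
    }


def why(tree_json: str, package: str) -> list:
    """Every install path that ends in `package` (the `yarn why` question for npm trees)."""
    return ["/".join(path) for name, _, path in walk(json.loads(tree_json)) if name == package]


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_TREE), indent=2))
    print("why ms:", why(SAMPLE_TREE, "ms"))
```

A duplicate whose versions span a major boundary (here `debug` 2.x vs 4.x) is the case to look at first: it usually means one dependant pins an old range, so a vulnerability fix in the newer line may leave the older copy untouched.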
6. Priority Vulnerabilities
Prioritize vulnerabilities based on:
Severity levels:
- Critical: Remote code execution, privilege escalation
- High: SQL injection, XSS, authentication bypass
- Moderate: DoS, information disclosure
- Low: Minor issues, edge cases
Exploitability:
- Known exploits in the wild
- PoC (Proof of Concept) available
- Requires special conditions
Exposure:
- Production dependencies vs dev dependencies
- Direct dependencies vs deep transitive dependencies
- Code paths actually used in the application
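Steps 2 (parse the audit output) and 6 (prioritize) together, as an added example that is not part of this skill: it flattens the JSON from `npm audit --json` (assumed to be the npm v7+ report format, `auditReportVersion` 2) into one record per vulnerable package with severity, fix and any CVE ids found in the advisory text, then scores each record by severity, by whether the caller knows it to be exploited, and by exposure (dev-only vs production, direct vs transitive, derived from `package.json` devDependencies and the install paths). Both JSON documents, the scoring weights and the `known_exploited` set are constructed for the example.

```python
"""Parse `npm audit --json` and rank findings by severity, exploitability, exposure.

Added example (not part of this skill's files). Assumes the npm v7+ audit report
format (auditReportVersion 2); the audit output, package.json and weights are
constructed sample data.
"""
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1, "info": 0}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample of `npm audit --json`: a direct lodash finding (mirroring the
# CVE-2020-8203 example later in this document) and a transitive one under mocha.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {
            "name": "lodash", "severity": "high", "isDirect": True,
            "via": [{"source": 1523, "name": "lodash", "dependency": "lodash",
                     "title": "Prototype Pollution in lodash (CVE-2020-8203)",
                     "url": "https://github.com/advisories/GHSA-PLACEHOLDER-1",
                     "severity": "high", "range": "<4.17.19"}],
            "effects": [], "range": "<4.17.19", "nodes": ["node_modules/lodash"],
            "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False},
        },
        "minimist": {
            "name": "minimist", "severity": "critical", "isDirect": False,
            "via": [{"source": 1179, "name": "minimist", "dependency": "minimist",
                     "title": "Prototype Pollution (constructed sample, no CVE in title)",
                     "url": "https://github.com/advisories/GHSA-PLACEHOLDER-2",
                     "severity": "critical", "range": "<1.2.6"}],
            "effects": ["mocha"], "range": "<1.2.6",
            "nodes": ["node_modules/mocha/node_modules/minimist"],
            "fixAvailable": True,
        },
    },
})

# Constructed sample package.json: mocha is a dev-only dependency.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"lodash": "^4.17.15"},
                                  "devDependencies": {"mocha": "^8.0.0"}})


def parse_audit(audit_json: str) -> list:
    """One record per vulnerable package: severity, fix, CVE ids seen in advisory text."""
    findings = []
    for name, vuln in json.loads(audit_json).get("vulnerabilities", {}).items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        cves = sorted({cve for adv in advisories
                       for cve in CVE_RE.findall(adv.get("title", "") + " " + adv.get("url", ""))})
        fix = vuln.get("fixAvailable")
        findings.append({
            "package": name, "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")), "range": vuln.get("range"),
            "nodes": vuln.get("nodes", []), "cves": cves,
            # A dict names the version to install; True means `npm audit fix` handles it.
            "fix": (f"{fix['name']}@{fix['version']}" if isinstance(fix, dict)
                    else "npm audit fix" if fix else None),
        })
    return findings


def count_by_severity(findings) -> dict:
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def _top_level(node_path: str) -> str:
    """'node_modules/@scope/pkg/node_modules/x' -> '@scope/pkg'."""
    parts = node_path.split("/")
    return "/".join(parts[1:3]) if parts[1].startswith("@") else parts[1]


def is_dev_only(finding, package_json: str) -> bool:
    """True when every install path of the package sits under a devDependency."""
    dev = set(json.loads(package_json).get("devDependencies", {}))
    roots = {_top_level(n) for n in finding["nodes"] if n.startswith("node_modules/")}
    return bool(roots) and roots <= dev


def priority(finding, package_json: str, known_exploited=frozenset()) -> int:
    """Higher = fix first. Severity dominates; exploitability and exposure adjust it.
    `known_exploited` holds package names or CVE ids the caller knows are exploited."""
    score = SEVERITY_RANK[finding["severity"]] * 10
    if finding["package"] in known_exploited or set(finding["cves"]) & set(known_exploited):
        score += 15  # an exploited high outranks an unexploited critical
    if is_dev_only(finding, package_json):
        score -= 8   # never shipped to production
    if finding["direct"]:
        score += 3   # directly exposed and directly upgradable
    return score


def ranked(audit_json, package_json, known_exploited=frozenset()):
    return sorted(parse_audit(audit_json),
                  key=lambda f: priority(f, package_json, known_exploited), reverse=True)


if __name__ == "__main__":
    for f in ranked(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON, {"CVE-2020-8203"}):
        print(priority(f, SAMPLE_PACKAGE_JSON, {"CVE-2020-8203"}), f["package"], f["cves"], f["fix"])
```

With the sample data the direct, known-exploited `high` (lodash) ranks above the dev-only transitive `critical` (minimist), which is the point of step 6: the severity label alone would have ordered them the other way. The CVE regex is a fallback, since npm's advisory entries carry a GHSA URL rather than a CVE field; map GHSA ids to CVEs from the advisory database when you need the CVE column filled reliably.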
7. Generate Recommendations
For each issue found, provide:
Vulnerabilities:
```
Package: lodash@4.17.15
Severity: High
CVE: CVE-2020-8203
Issue: Prototype pollution
Recommendation: Upgrade to lodash@4.17.21 or higher
Command: npm install lodash@4.17.21
```
Outdated packages:
```
Package: react@16.14.0
Current: 16.14.0
Latest: 18.2.0
Type: Major update
Recommendation: Test thoroughly before upgrading (breaking changes)
Notes: Review migration guide at https://react.dev/blog/2022/03/08/react-18-upgrade-guide
```
License issues:
```
Package: some-gpl-library@1.0.0
License: GPL-3.0
Issue: GPL license may conflict with proprietary code
Recommendation: Find alternative with permissive license or consult legal
Alternatives: [list of similar packages with MIT/Apache licenses]
```
8. Update Strategy
Suggest an update approach:
Safe updates (automated):
- Patch updates with no breaking changes
- Security fixes for vulnerabilities
- Update: `npm update` or `npm audit fix`
Careful updates (manual testing):
- Minor version bumps
- Major updates to well-maintained packages
- Update individually and test
Research needed:
- Major breaking changes
- Abandoned packages (find alternatives)
- License conflicts
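Steps 3 (categorize updates) and 8 (update strategy) together, as an added example that is not the skill's own code: it reads the JSON from `npm outdated --json` (assumed shape: `{name: {current, wanted, latest, type}}`), classifies each `current -> latest` jump as patch, minor or major, and sorts packages into the safe / careful / research buckets described above. The sample data (including the react 16.14.0 -> 18.2.0 case from step 7) and the `vulnerable` and `abandoned` sets are constructed; how the buckets are assigned is this example's reading of the three lists above.

```python
"""Classify `npm outdated --json` entries and bucket them into an update strategy.

Added example, not the skill's own code. Assumes npm's `outdated --json` shape;
the sample data and the vulnerable/abandoned sets are constructed.
"""
import json
import re

# Constructed sample of `npm outdated --json`.
SAMPLE_OUTDATED = json.dumps({
    "react": {"current": "16.14.0", "wanted": "16.14.0", "latest": "18.2.0", "type": "dependencies"},
    "lodash": {"current": "4.17.15", "wanted": "4.17.21", "latest": "4.17.21", "type": "dependencies"},
    "express": {"current": "4.17.1", "wanted": "4.18.2", "latest": "4.18.2", "type": "dependencies"},
    "eslint": {"current": "8.0.0", "wanted": "8.57.0", "latest": "9.0.0", "type": "devDependencies"},
    "left-pad": {"current": "1.0.0", "wanted": "1.3.0", "latest": "1.3.0", "type": "dependencies"},
})

# Leading 'v' and pre-release/build suffixes are tolerated; only the numeric core matters here.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> tuple:
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())


def update_type(current: str, target: str) -> str:
    """'major', 'minor', 'patch' or 'none' for current -> target.
    Semver makes no compatibility promise below 1.0.0, so 0.x -> 0.y counts as major."""
    c, t = parse_version(current), parse_version(target)
    if t <= c:
        return "none"
    if c[0] != t[0] or (c[0] == 0 and c[1] != t[1]):
        return "major"
    if c[1] != t[1]:
        return "minor"
    return "patch"


def plan(outdated_json: str, vulnerable=frozenset(), abandoned=frozenset()) -> dict:
    """Bucket packages. `vulnerable` comes from the audit step, `abandoned` from
    registry metadata (no release in >2 years); both are supplied by the caller."""
    buckets = {"safe": [], "careful": [], "research": []}
    for name, info in json.loads(outdated_json).items():
        to_wanted = update_type(info["current"], info["wanted"])   # within the declared range
        to_latest = update_type(info["current"], info["latest"])
        entry = {"package": name, "from": info["current"], "to": info["latest"], "type": to_latest}
        if name in abandoned:
            entry["reason"] = "abandoned: find an alternative"
            buckets["research"].append(entry)
        elif name in vulnerable and to_wanted != "none":
            entry["reason"] = "security fix reachable with npm audit fix"
            entry["to"] = info["wanted"]
            buckets["safe"].append(entry)
        elif to_latest == "patch":
            entry["reason"] = "patch update"
            buckets["safe"].append(entry)
        elif to_latest == "minor":
            entry["reason"] = "minor update: update individually and test"
            buckets["careful"].append(entry)
        elif to_latest == "major":
            entry["reason"] = "major update: read the changelog, test thoroughly"
            buckets["careful"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, entries in plan(SAMPLE_OUTDATED, {"lodash"}, {"left-pad"}).items():
        print(bucket)
        for e in entries:
            print(f"  {e['package']}: {e['from']} -> {e['to']} ({e['type']}) {e['reason']}")
```

A vulnerable package whose fix lies outside the declared range (`to_wanted == "none"`) deliberately falls through to the major/minor rules rather than into "safe", because `npm audit fix` will not pick it up and the bump needs the same testing as any other.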
9. Generate Summary Report
Provide a comprehensive audit summary:
```
Dependency Audit Report
=======================

Overview:
- Total dependencies: 150 (120 direct, 30 transitive)
- Vulnerabilities: 5 (1 high, 3 moderate, 1 low)
- Outdated packages: 23
- License issues: 2

Security Vulnerabilities:
[List by severity with fix recommendations]

Outdated Packages:
[Categorized by update type: patch/minor/major]

License Compliance:
[List of licenses with any concerns]

Recommended Actions:
1. [Immediate] Fix high-severity vulnerabilities
2. [Soon] Update packages with moderate vulnerabilities
3. [Review] Address license compliance issues
4. [Optional] Update outdated packages to latest

Commands to run:
npm audit fix    # Fix vulnerabilities automatically
npm update       # Update to latest compatible versions
```
10. Continuous Monitoring
Suggest ongoing practices:
- Automated audits: Run in CI/CD pipeline
- Dependabot/Renovate: Auto-create PRs for updates
- Regular reviews: Monthly or quarterly audits
- Security alerts: Enable GitHub/GitLab security alerts
- Lock files: Commit lock files for reproducible builds
Best Practices
- Fix vulnerabilities promptly: Especially high/critical severity
- Test updates: Even patch updates can cause issues
- Read changelogs: Understand what changed before updating
- Use lock files: Ensure consistent installations across environments
- Minimize dependencies: Fewer deps = smaller attack surface
- Review new additions: Audit before adding new dependencies
- Stay current: Regular updates are easier than large jumps
- Document decisions: Why certain packages are pinned or not updated
Security Best Practices
- Never commit secrets in dependencies or env files
- Review dependency source code for popular/critical packages
- Use private registries for internal packages
- Enable 2FA on package registry accounts
- Use SRI (Subresource Integrity) for CDN resources
- Scan container images if using Docker
Supporting Files
- `scripts/check-licenses.sh`: Extract and check license information
- `reference/licenses.md`: License compatibility matrix
- `reference/common-vulnerabilities.md`: Common vulnerability patterns
Common Commands Reference
npm:
```
npm audit              # Show vulnerabilities
npm audit fix          # Auto-fix vulnerabilities
npm audit fix --force  # Force major updates
npm outdated           # Check for outdated packages
npm update             # Update to latest compatible
```
Yarn:
```
yarn audit                # Show vulnerabilities
yarn upgrade-interactive  # Interactive update
yarn outdated             # Check for outdated
```
pip:
```
pip-audit              # Audit vulnerabilities
pip list --outdated    # Check outdated
pip install --upgrade  # Update package
```
Poetry:
```
poetry check           # Check lock file
poetry show --outdated # Show outdated
poetry update          # Update packages
```
Cargo:
```
cargo audit     # Audit vulnerabilities
cargo outdated  # Check outdated
cargo update    # Update packages
```