AgentSkillsCN

dependency-audit

审计依赖项是否存在漏洞,并制定升级计划

SKILL.md
--- frontmatter
name: dependency-audit
description: Audit dependencies for vulnerabilities and plan upgrades
allowed-tools: Read, Write, Bash, Glob, Grep

Dependency Audit Skill

Structured workflow for scanning dependencies, checking for CVEs, assessing upgrade difficulty, generating upgrade task files with compatibility testing plans, and tracking deprecation timelines.

Workflow

Step 1: Inventory Dependencies

Scan the project for all dependency manifests:

FileEcosystemScan Command
go.mod / go.sumGogo list -m all
package.json / package-lock.jsonNode.jsnpm ls --all
yarn.lockNode.js (Yarn)yarn list
pnpm-lock.yamlNode.js (pnpm)pnpm ls --depth Infinity
requirements.txt / pyproject.tomlPythonpip list
Cargo.toml / Cargo.lockRustcargo tree
DockerfileContainer base imagesParse FROM lines
docker-compose.ymlService imagesParse image fields
.github/workflows/*.ymlGitHub ActionsParse uses fields

For each dependency, record:

  • Name: Package/module name
  • Current version: What's installed
  • Latest version: What's available
  • Version gap: How many major/minor/patch versions behind
  • Direct vs transitive: Is it a direct dependency or pulled in transitively?
  • License: License type (MIT, Apache-2.0, GPL, etc.)

Output: Dependency inventory table sorted by version gap (largest first).

Step 2: Vulnerability Scan

Run vulnerability scanners for each ecosystem:

Go:

bash
# Built-in vulnerability database
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Module verification
go mod verify

Node.js:

bash
# npm audit with JSON output for parsing
npm audit --json

# Or with yarn
yarn audit --json

# Or with Snyk (if available)
snyk test --json

Container Images:

bash
# Trivy for container scanning (if available)
trivy image {image-name}

# Or grype
grype {image-name}

GitHub Actions:

bash
# Check for pinned versions vs floating tags
# Grep for uses: without @sha

For each vulnerability found, record:

FieldDescription
CVE IDCVE-YYYY-NNNNN
SeverityCritical / High / Medium / Low
Affected packagePackage name and vulnerable version range
Fixed versionMinimum version that fixes the vulnerability
CVSS ScoreNumeric severity score
ExploitabilityIs there a known exploit? Is it remotely exploitable?
ImpactWhat can an attacker do? (RCE, data leak, DoS)
Affected code pathsDoes our code actually call the vulnerable function?

Output: Vulnerability report sorted by severity, with affected code path analysis.

Step 3: Assess Upgrade Difficulty

For each dependency that needs upgrading, assess the effort:

FactorLow EffortMedium EffortHigh Effort
Version jumpPatch (1.2.3 -> 1.2.4)Minor (1.2 -> 1.3)Major (1.x -> 2.x)
Breaking changesNoneDeprecations to addressAPI changes, removed features
Usage scopeUsed in 1-2 filesUsed across a packageUsed everywhere
Test coverage>80% on affected code50-80%<50%
Changelog qualityClear migration guideRelease notes onlyMinimal docs

Categorize each upgrade:

code
Upgrade Assessment:
| Package | Current | Target | Difficulty | Breaking Changes | Effort |
|---------|---------|--------|-----------|-----------------|--------|
| chi     | v5.0.0  | v5.1.0 | Low       | None            | 1 hour |
| gorm    | v1.25   | v2.0   | High      | Major API change | 2 days |

Step 4: Prioritize Upgrades

Assign priority based on risk and effort:

PriorityCriteriaAction
P0 - ImmediateCritical/High CVE with known exploit, or CVE in code path we useUpgrade now, create hotfix task
P1 - This SprintHigh CVE without known exploit, or medium CVE in critical pathCreate task for current sprint
P2 - Next SprintMedium CVE, or major version behind with useful featuresSchedule for next sprint
P3 - BacklogLow CVE, or minor version behind with no security impactAdd to backlog, batch with other upgrades
P4 - MonitorNo CVE, but approaching end-of-life or deprecationTrack timeline, plan before EOL

Step 5: Generate Upgrade Task Files

For each P0-P2 upgrade, create a task file in docs/spec/.llm/tasks/backlog/:

markdown
# Task: Upgrade {package} from {current} to {target}

## Priority: {P0/P1/P2}
## Reason: {CVE-YYYY-NNNNN / End-of-life / Feature needed}
## Estimated Effort: {hours/days}

## Context
- Current version: {current}
- Target version: {target}
- Breaking changes: {list or "None"}
- Changelog: {URL}
- Migration guide: {URL or "Not available"}

## Steps
1. Read the changelog and migration guide
2. Update version in {manifest file}
3. Address breaking changes:
   - {specific change 1}
   - {specific change 2}
4. Run build to identify compile errors
5. Fix compile errors
6. Run tests to identify behavioral changes
7. Fix test failures
8. Run linter to catch deprecation warnings
9. Address deprecation warnings
10. Run full quality gates

## Compatibility Testing Plan
- [ ] Build succeeds with no new warnings
- [ ] All existing tests pass
- [ ] No new deprecation warnings
- [ ] Integration tests pass (if applicable)
- [ ] Performance benchmark shows no regression (if applicable)

## Rollback
Revert the version change in {manifest file} and re-run dependency install.

Set ## Dependencies: headers to enforce upgrade ordering (e.g., upgrade shared libraries before dependent packages).

Step 6: Track Deprecation Timelines

Create a deprecation tracking document:

markdown
## Deprecation Timeline

| Package | Current | EOL Date | Replacement | Upgrade Deadline | Status |
|---------|---------|----------|-------------|-----------------|--------|
| Node 18 | 18.x   | 2025-04  | Node 22     | 2025-02          | TODO   |
| Go 1.21 | 1.21    | 2025-08  | Go 1.23     | 2025-06          | TODO   |
| React 17| 17.x   | N/A      | React 19    | When convenient   | Watch  |

Write to: docs/spec/.llm/completed/dependency-audit-YYYY-MM-DD.md

Step 7: Generate Audit Report

Produce a summary report:

markdown
## Dependency Audit Report -- {Date}

### Summary
- Total dependencies: {N}
- Direct dependencies: {N}
- Vulnerabilities found: {N critical, N high, N medium, N low}
- Upgrades needed: {N}
- License issues: {N}

### Critical Actions Required
1. {P0 item}
2. {P1 item}

### Upgrade Plan
| Priority | Count | Estimated Total Effort |
|----------|-------|----------------------|
| P0       | {N}   | {hours}              |
| P1       | {N}   | {hours}              |
| P2       | {N}   | {hours}              |
| P3       | {N}   | {hours}              |

### License Compliance
| License | Count | Status |
|---------|-------|--------|
| MIT     | {N}   | OK     |
| Apache-2.0 | {N} | OK   |
| GPL-3.0 | {N}   | REVIEW -- may conflict with proprietary code |

### Next Audit
Schedule next audit for: {Date + 30 days}

Present the report to the user and create task files for all P0-P2 items.

Key Principles

  • Audit regularly: Monthly for active projects, quarterly for maintenance mode
  • Fix critical vulnerabilities immediately: P0 items should not wait for a sprint boundary
  • Batch minor upgrades: Combine P3 upgrades into a single "dependency update" task
  • Pin versions: Use exact versions in lock files, not floating ranges
  • Verify before upgrading: Check that the upgrade doesn't introduce new vulnerabilities
  • Test after every upgrade: Never assume an upgrade is safe without running the test suite

Arguments

$ARGUMENTS