AgentSkillsCN

Security Deps Audit

聚焦依赖项漏洞审查,采用最小化变更的修复方案。

SKILL.md
--- frontmatter
name: Security Deps Audit
description: Focused dependency vulnerability review with minimal-change fixes
owner: Undangan team
last_updated: 2026-01-24

Security Deps Audit Skill

Purpose

Identify high/critical dependency vulnerabilities and propose minimal fixes.

When to Use

  • Security cadence checks
  • Before releases
  • After dependency updates

Inputs

  • package-lock.json
  • package.json

Outputs

  • Audit summary under .agent/artifacts/{conversation-id}/security_deps_audit.md
  • Minimal upgrade suggestions (no feature upgrades)

Prerequisites

  • Network access for npm audit (if used)

Tools & Availability

  • npm audit --production
  • npm audit fix --dry-run (optional)
  • If network unavailable, document limitation and perform manual review of known CVEs

Methodology

  1. Run npm audit --production and capture high/critical items.
  2. If fixes exist, run npm audit fix --dry-run to preview changes.
  3. Propose minimal upgrades only for high/critical issues.
  4. Avoid major version bumps unless required for security.

Verification

  • Audit output captured with severity counts
  • Proposed fixes are minimal and scoped to high/critical
  • Any skipped fixes include rationale

Pass/Fail: Pass only if all checks above are satisfied.

Risks & Mitigations

  • Breaking changes from upgrades → prefer minimal versions and note impact
  • False negatives offline → note network limitation explicitly