Security Deps Audit Skill

Purpose
Identify high/critical dependency vulnerabilities and propose minimal fixes.
When to Use
- Security cadence checks
- Before releases
- After dependency updates
Inputs
- `package-lock.json`
- `package.json`
Outputs
- Audit summary under `.agent/artifacts/{conversation-id}/security_deps_audit.md`
- Minimal upgrade suggestions (no feature upgrades)
Prerequisites
- Network access for `npm audit` (if used)
Tools & Availability
- `npm audit --production`
- `npm audit fix --dry-run` (optional)
- If the network is unavailable, document the limitation and perform a manual review of known CVEs
Methodology
- Run `npm audit --production` and capture high/critical items.
- If fixes exist, run `npm audit fix --dry-run` to preview changes.
- Propose minimal upgrades only for high/critical issues.
- Avoid major version bumps unless required for security.
Verification
- Audit output captured with severity counts
- Proposed fixes are minimal and scoped to high/critical
- Any skipped fixes include rationale

Pass/Fail: Pass only if all checks above are satisfied.
Risks & Mitigations
- Breaking changes from upgrades → prefer minimal versions and note impact
- False negatives offline → note network limitation explicitly