AgentSkillsCN

dependency-auditor

Scans project dependencies for CVEs, outdated packages, and license issues. Combined with a risk assessment, it generates a prioritized update plan. Invoke with the "/deps" command.

SKILL.md
---
name: dependency-auditor
description: >
  Scan project dependencies for CVEs, outdated packages, and license issues.
  Generate prioritized update plans with risk assessment.
  Invoke with /deps.
---

Dependency Auditor

Commands

  • /deps scan — Full audit of all dependencies
  • /deps scan --security — Security-only scan (CVEs)
  • /deps scan --outdated — List outdated packages
  • /deps scan --licenses — License compatibility check
  • /deps update-plan — Generate prioritized update plan

Procedure

Phase 1: Discovery

Detect package managers and dependency files:

  • requirements.txt, pyproject.toml — Python (pip/uv)
  • package.json, package-lock.json — Node.js (npm)
  • pnpm-lock.yaml — Node.js (pnpm)
  • go.mod — Go
  • Cargo.toml — Rust

Phase 2: Security Audit

For each dependency:

  1. Check against CVE databases (NVD, GitHub Advisory, OSV)
  2. Run ecosystem audit tools (pip-audit, npm audit, govulncheck)
  3. Flag transitive dependencies with known vulnerabilities
  4. Assess severity: CRITICAL / HIGH / MEDIUM / LOW

Phase 3: Staleness Check

  1. Compare installed vs latest stable version
  2. Flag packages 1+ major versions behind
  3. Check if package is maintained (last commit, archived status)
  4. Identify deprecated packages with replacements

Phase 4: License Audit

  1. Extract license for each dependency (direct and transitive)
  2. Flag incompatible licenses (AGPL in proprietary = FAIL, GPL in library = WARN)
  3. Flag packages with no license specified

Phase 5: Update Plan

Produce prioritized plan with CRITICAL/HIGH/MEDIUM/LOW groupings. Each entry includes package name, current version, target version, reason, and risk level (Low=patch, Medium=minor, High=major, Critical=deprecated/unmaintained).
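As an added example (not part of SKILL.md or the skill's own implementation), a Python sketch of Phases 1 through 5 over a constructed requirements.txt. The registry and advisory data are embedded stand-ins for the PyPI and OSV lookups a real scan would perform, and the advisory ids are placeholders.

```python
import re
# Constructed sample requirements.txt plus offline stand-ins for the PyPI and OSV
# lookups a real run would make; the advisory ids are placeholders, not real CVEs.
REQUIREMENTS = "requests==2.25.1\npyyaml==5.3.1\nflask==2.3.2\noldlib==0.9.0  # deprecated\n"
LATEST = {"requests": "2.31.0", "pyyaml": "6.0.1", "flask": "2.3.2", "oldlib": "0.9.0"}
ADVISORIES = [
    {"pkg": "pyyaml", "fixed": "5.4", "severity": "CRITICAL", "id": "EXAMPLE-ADV-1"},
    {"pkg": "requests", "fixed": "2.31.0", "severity": "MEDIUM", "id": "EXAMPLE-ADV-2"},
]
DEPRECATED = {"oldlib": "newlib"}  # package -> suggested replacement
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

def parse_version(s):
    """Numeric (major, minor, patch); missing parts pad with 0 so '5.4' < '5.4.1'."""
    parts = [int(p) for p in re.findall(r"\d+", s)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_requirements(text):
    """Phase 1: collect pinned 'name==version' lines, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.-]+)==([\w.]+)$", line.split("#", 1)[0].strip())
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def risk_level(current, target, deprecated):
    """Phase 5 risk: Low=patch, Medium=minor, High=major, Critical=deprecated."""
    if deprecated:
        return "Critical"
    c, t = parse_version(current), parse_version(target)
    return "High" if t[0] > c[0] else "Medium" if t[1] > c[1] else "Low"

def audit(text):
    """Phases 2-5: vulnerable, stale or deprecated packages -> plan sorted by priority."""
    plan = []
    for pkg, cur in parse_requirements(text).items():
        target, reasons, worst = LATEST.get(pkg, cur), [], 3
        for adv in ADVISORIES:  # vulnerable if pinned below the fixed version
            if adv["pkg"] == pkg and parse_version(cur) < parse_version(adv["fixed"]):
                reasons.append(f"{adv['severity']} {adv['id']}, fixed in {adv['fixed']}")
                worst = min(worst, SEVERITIES.index(adv["severity"]))
        if parse_version(target)[0] > parse_version(cur)[0]:
            reasons.append("1+ major versions behind")
        if pkg in DEPRECATED:
            reasons.append(f"deprecated, replacement: {DEPRECATED[pkg]}")
        if reasons:  # priority = worst advisory; risk = size of the version jump
            plan.append({"package": pkg, "current": cur, "target": target, "reasons": reasons,
                         "priority": SEVERITIES[worst], "risk": risk_level(cur, target, pkg in DEPRECATED)})
    return sorted(plan, key=lambda e: SEVERITIES.index(e["priority"]))
```

Packages that are current, unaffected and maintained (flask in the sample) produce no plan entry; a real run swaps the embedded dictionaries for live registry and advisory queries.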

MCMAP-Specific Notes

  • Python scripts in scripts/ use pip — check requirements.txt
  • MCP servers reference npm/PyPI packages — audit those too
  • PAC CLI is a .NET tool — check dotnet tool versions separately