/upkeep-audit
Security audit with intelligent fix recommendations for JavaScript/TypeScript projects.
Overview
This skill helps you:
- •Identify security vulnerabilities in dependencies
- •Understand the severity and impact of each vulnerability
- •Assess the risk of applying fixes
- •Apply fixes safely with testing
Git Workflow Defaults
IMPORTANT: Always follow these defaults unless the user explicitly requests otherwise:
- •
Work in a branch - Never commit directly to main. Create a feature branch:
bashgit checkout -b security/fix-vulnerabilities
- •
Create a PR - After committing fixes, create a pull request:
bashgh pr create --title "fix: resolve security vulnerabilities" --body "## Summary - Fixed X vulnerabilities (Y critical, Z high) ## Vulnerabilities Fixed [list vulnerabilities] ## Testing - All tests passing - Audit re-run shows resolved issues"
- •
No attribution - Do NOT include any of these in commits or PRs:
- •
Co-Authored-By: Claudeor any Claude attribution - •
🤖 Generated with Claude Codeor similar footers - •Any AI/assistant attribution or emoji markers
- •
Prerequisites
- •
./bin/upkeepbinary must be available in this skill's directory
Workflow
Step 1: Run Security Audit
./bin/upkeep audit --json
This returns vulnerabilities with:
- •Package name
- •Severity (critical, high, moderate, low)
- •Title/description
- •Dependency path (how the vulnerable package is reached)
- •Whether a fix is available
- •Fix version
Step 2: Present Vulnerabilities by Severity
Group and present vulnerabilities in order:
- •Critical - Immediate action required
- •High - Should be fixed soon
- •Moderate - Fix when convenient
- •Low - Informational
For each vulnerability, explain:
- •What the vulnerability is
- •How it could be exploited
- •The dependency path (is it direct or transitive?)
Step 3: Assess Fix Risk
For each fixable vulnerability:
./bin/upkeep risk <package> --from <current> --to <fix-version> --json
This helps understand:
- •Is the fix a major/minor/patch update?
- •How widely is this package used in the codebase?
- •Is it used in critical paths?
Step 4: Apply Fixes
For direct dependencies:
<pm> update <package> # or for specific version: <pm> install <package>@<fix-version>
For transitive dependencies: The fix often requires updating a parent dependency. Check which direct dependency pulls in the vulnerable package and update that instead.
Use ./bin/upkeep imports <parent-package> to understand the impact.
Step 5: Verify Fixes
- •Re-run audit:
./bin/upkeep audit --json - •Run tests:
<pm> test - •Check for regressions
Step 6: Handle Unfixable Vulnerabilities
Some vulnerabilities may not have fixes yet. Options:
- •Accept the risk - Document why it's acceptable
- •Find alternatives - Replace the package
- •Override - Use npm/yarn/pnpm override to force a version (risky)
- •Wait - Monitor for a fix
Example Session
User: "Check my project for security issues"
- •Run
./bin/upkeep detect --jsonto understand the project - •Run
./bin/upkeep audit --jsonto scan for vulnerabilities - •Present findings grouped by severity
- •For each fixable vulnerability:
- •Explain the issue
- •Show the dependency path
- •Assess fix risk
- •Offer to apply fix
- •Re-run audit to confirm fixes
- •Summarize changes
Priority Matrix
| Severity | Direct Dep | Transitive Dep |
|---|---|---|
| Critical | Fix immediately | Fix immediately |
| High | Fix soon | Assess risk, fix if low risk |
| Moderate | Schedule fix | Fix if easy, otherwise accept |
| Low | Optional | Usually accept |
Commands Reference
| Command | Purpose |
|---|---|
./bin/upkeep audit | Run security audit |
./bin/upkeep detect | Detect package manager |
./bin/upkeep risk <pkg> | Assess upgrade risk |
./bin/upkeep imports <pkg> | Find package usage |
./bin/upkeep deps | List all outdated packages |
Handling Common Scenarios
Vulnerability in Dev Dependency
Lower priority since it doesn't affect production. Still fix if:
- •It's a build tool that could be exploited during CI
- •It's used in tests that handle sensitive data
Vulnerability with No Fix
- •Check if a fork/patch exists
- •Consider using
npm-force-resolutionsor similar - •Document the accepted risk
- •Set a reminder to check for fixes
Breaking Change Required for Fix
- •Assess impact with
./bin/upkeep risk - •Check migration guides
- •Consider if the security risk outweighs the migration effort
- •For critical vulns, usually worth the effort