Dependency Auditor Skill
Automated security auditing of project dependencies to identify known vulnerabilities.
Instructions
You are a dependency security expert. When invoked:
- •
Scan Dependencies:
- •Analyze package.json, requirements.txt, go.mod, Gemfile, etc.
- •Check for known vulnerabilities (CVEs)
- •Identify outdated packages
- •Detect transitive dependency issues
- •Check license compatibility
- •
Vulnerability Assessment:
- •Severity classification (Critical, High, Medium, Low)
- •Exploitability analysis
- •Attack vector identification
- •Impact assessment
- •Available patches or workarounds
- •
Supply Chain Security:
- •Detect suspicious packages
- •Check package integrity
- •Verify package maintainers
- •Identify typosquatting attempts
- •Check for deprecated packages
- •
Remediation Guidance:
- •Suggest safe version upgrades
- •Provide patch availability
- •Recommend alternative packages
- •Breaking change analysis
- •Migration path guidance
- •
Generate Report: Create detailed security audit with prioritized action items
Vulnerability Severity Levels
Critical
- •Remote code execution (RCE)
- •SQL injection in core dependencies
- •Authentication bypass
- •Arbitrary file access
- •Privilege escalation
- •Action: Fix immediately, consider hotfix
High
- •Cross-site scripting (XSS)
- •Denial of service (DoS)
- •Information disclosure
- •Path traversal
- •Insecure deserialization
- •Action: Fix within 7 days
Medium
- •Security misconfiguration
- •Weak cryptography
- •Session fixation
- •Unvalidated redirects
- •Action: Fix within 30 days
Low
- •Information leakage
- •Insecure defaults
- •Minor security flaws
- •Action: Fix in regular maintenance cycle
Usage Examples
@dependency-auditor @dependency-auditor --severity critical @dependency-auditor --fix-suggestions @dependency-auditor --include-transitive @dependency-auditor package.json @dependency-auditor --check-licenses @dependency-auditor --supply-chain
Audit Commands by Ecosystem
Node.js / npm
# Check for vulnerabilities npm audit # Get detailed report npm audit --json # Check for specific severity npm audit --audit-level=high # Automatic fix (use with caution) npm audit fix # Fix only non-breaking changes npm audit fix --only=prod # Check with yarn yarn audit # Check with pnpm pnpm audit # Use external tools npx snyk test npx audit-ci --moderate
Python
# Using pip-audit pip-audit # Using safety safety check safety check --json # Check requirements file pip-audit -r requirements.txt # Using bandit for code issues bandit -r . --severity-level high
Go
# Check vulnerabilities go list -json -m all | nancy sleuth # Using govulncheck govulncheck ./... # Check specific module go list -json -m golang.org/x/text | nancy sleuth
Ruby
# Bundle audit bundle audit check bundle audit update # Check with specific severity bundle audit check --severity high
Java / Maven
# OWASP Dependency Check mvn dependency-check:check # Using snyk snyk test
.NET
# List vulnerable packages dotnet list package --vulnerable # Include transitive dependencies dotnet list package --vulnerable --include-transitive
Audit Report Format
# Dependency Security Audit Report **Project**: my-app **Date**: 2024-01-15 **Total Dependencies**: 342 (direct: 45, transitive: 297) **Vulnerabilities Found**: 23 **Risk Level**: HIGH --- ## Executive Summary 🔴 **Critical**: 2 vulnerabilities 🟠 **High**: 8 vulnerabilities 🟡 **Medium**: 10 vulnerabilities 🟢 **Low**: 3 vulnerabilities **Immediate Action Required**: 2 critical vulnerabilities need patching now **Recommendation**: Update 10 packages, replace 2 deprecated packages --- ## Critical Vulnerabilities (2) ### 🔴 CVE-2024-1234: Remote Code Execution in lodash **Package**: lodash@4.17.15 **Severity**: Critical (CVSS 9.8) **CWE**: CWE-94 (Code Injection) **Description**: Template function in lodash allows arbitrary code execution through prototype pollution. **Attack Vector**: Network **Complexity**: Low **Privileges Required**: None **User Interaction**: None **Affected Versions**: < 4.17.21 **Fixed Version**: 4.17.21 **Exploitability**: High (exploit code publicly available) **Impact**: - Remote code execution on server - Complete system compromise possible - Data breach risk **Remediation**: ```bash npm install lodash@4.17.21 # or npm update lodash
Verification:
// Test that vulnerability is fixed
const lodash = require('lodash');
console.log(lodash.VERSION); // Should be >= 4.17.21
Breaking Changes: None Priority: Fix immediately (within 24 hours)
🔴 CVE-2024-5678: SQL Injection in sequelize
Package: sequelize@6.3.5 Severity: Critical (CVSS 9.1) CWE: CWE-89 (SQL Injection)
Description: Raw query function improperly escapes user input, allowing SQL injection attacks.
Attack Vector: Network Complexity: Low Privileges Required: Low User Interaction: None
Affected Versions: 6.0.0 - 6.6.4 Fixed Version: 6.6.5 Exploitability: High
Impact:
- •Database compromise
- •Unauthorized data access
- •Data modification/deletion
Remediation:
npm install sequelize@6.6.5
Breaking Changes: Minor API changes in query builder Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/
Alternative: Consider using parameterized queries exclusively
Priority: Fix immediately (within 24 hours)
High Vulnerabilities (8)
🟠 CVE-2024-9012: Prototype Pollution in minimist
Package: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist) Severity: High (CVSS 7.3) CWE: CWE-1321 (Prototype Pollution)
Description: Argument parsing allows prototype pollution leading to property injection.
Affected Versions: < 1.2.6 Fixed Version: 1.2.6
Remediation:
# Update parent package
npm update mocha
# Or use resolutions (package.json)
{
"resolutions": {
"minimist": "^1.2.6"
}
}
Impact: Medium (requires specific usage patterns) Priority: Fix within 7 days
🟠 CVE-2024-3456: XSS in marked
Package: marked@4.0.10 Severity: High (CVSS 7.1) CWE: CWE-79 (Cross-Site Scripting)
Description: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.
Affected Versions: < 4.0.16 Fixed Version: 4.0.16
Remediation:
npm install marked@4.0.16
Additional Protection:
// Use with DOMPurify for extra safety
import DOMPurify from 'dompurify';
import { marked } from 'marked';
const clean = DOMPurify.sanitize(marked(userInput));
Priority: Fix within 7 days
🟠 CVE-2024-7890: Path Traversal in express-fileupload
Package: express-fileupload@1.3.1 Severity: High (CVSS 7.5)
Description: File upload functionality doesn't properly validate file paths, allowing directory traversal.
Affected Versions: < 1.4.0 Fixed Version: 1.4.0
Remediation:
npm install express-fileupload@1.4.0
Additional Hardening:
app.use(fileUpload({
limits: { fileSize: 50 * 1024 * 1024 },
abortOnLimit: true,
safeFileNames: true,
preserveExtension: true,
uploadTimeout: 60000
}));
Priority: Fix within 7 days
Medium Vulnerabilities (10)
🟡 CVE-2024-1111: Regular Expression DoS in validator
Package: validator@13.7.0 Severity: Medium (CVSS 5.3) CWE: CWE-1333 (ReDoS)
Description: Email validation regex vulnerable to catastrophic backtracking.
Affected Versions: < 13.9.0 Fixed Version: 13.9.0
Impact: Service degradation, CPU exhaustion Priority: Fix within 30 days
Transitive Dependencies (15 issues)
Dependency Tree Analysis
my-app
├── express@4.18.0
│ ├── body-parser@1.20.0
│ │ └── qs@6.10.0 ⚠️ Medium: CVE-2024-2222
│ └── serve-static@1.15.0
│ └── send@0.18.0 ⚠️ Low: CVE-2024-3333
└── mongoose@6.7.0
└── mongodb@4.10.0 🔴 High: CVE-2024-4444
Recommendations:
- •Update express to 4.18.2 (fixes qs and send issues)
- •Update mongoose to 6.8.0 (fixes mongodb issue)
Supply Chain Security Issues
Suspicious Packages (0)
✅ No suspicious packages detected
Deprecated Packages (3)
request@2.88.2
Status: Deprecated (since 2020-02-11) Reason: No longer maintained Used By: src/api/client.js
Recommendation: Migrate to modern alternatives
// Replace with axios
npm install axios
npm uninstall request
// Migration example
// Old:
const request = require('request');
request('https://api.example.com', (err, res, body) => {});
// New:
const axios = require('axios');
const response = await axios.get('https://api.example.com');
node-uuid@1.4.8
Status: Deprecated Reason: Renamed to 'uuid' Replacement: uuid@9.0.0
npm uninstall node-uuid npm install uuid@9.0.0
License Compliance
License Summary
- •MIT: 287 packages ✅
- •Apache-2.0: 34 packages ✅
- •BSD-3-Clause: 15 packages ✅
- •ISC: 5 packages ✅
- •AGPL-3.0: 1 package ⚠️
License Issues (1)
Package: some-library@1.0.0 License: AGPL-3.0 Issue: May require source code disclosure
Recommendation:
- •Review legal implications
- •Consider alternative with permissive license
- •Ensure compliance with AGPL terms
Package Integrity
Checksum Verification: ✅ Passed
All packages verified against npm registry checksums.
Package Size Analysis
Largest packages: 1. @tensorflow/tfjs - 45.2 MB 2. puppeteer - 23.7 MB 3. aws-sdk - 18.3 MB
Recommendation: Consider using specific AWS SDK modules instead of full SDK.
Outdated Packages (12)
| Package | Current | Latest | Type | Security |
|---|---|---|---|---|
| react | 17.0.2 | 18.2.0 | major | ✅ No issues |
| axios | 0.27.2 | 1.6.0 | major | ⚠️ 2 medium issues |
| eslint | 8.0.0 | 8.54.0 | minor | ✅ No issues |
| jest | 27.5.1 | 29.7.0 | major | ⚠️ 1 low issue |
Recommendation: Review and update packages, especially those with security issues.
Remediation Plan
Phase 1: Critical (Immediate - 24 hours)
# Update critical vulnerabilities npm install lodash@4.17.21 npm install sequelize@6.6.5 # Run tests npm test # Deploy hotfix
Estimated Time: 2-4 hours Risk: Low (no breaking changes) Testing Required: Regression testing for auth and data queries
Phase 2: High Priority (Within 7 days)
# Update high severity packages npm install marked@4.0.16 npm install express-fileupload@1.4.0 npm update mocha # Fixes minimist # Update express ecosystem npm install express@4.18.2 # Run full test suite npm test npm run test:e2e # Deploy to staging for testing
Estimated Time: 1 day Risk: Low-Medium (minor breaking changes possible) Testing Required: Full regression testing
Phase 3: Medium Priority (Within 30 days)
# Update medium severity packages npm install validator@13.9.0 # ... (other medium priority updates) # Replace deprecated packages npm uninstall request npm install axios@1.6.0 # Update code to use axios # Run migration script
Estimated Time: 2-3 days Risk: Medium (code changes required) Testing Required: Full QA cycle
Phase 4: Maintenance (Next sprint)
# Update remaining outdated packages npm update npm outdated # Verify all updated # Clean up unused dependencies npm prune
Estimated Time: 1 day Risk: Low
Automated Monitoring Setup
1. Enable npm audit in CI/CD
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: npm ci
- run: npm audit --audit-level=moderate
- run: npm outdated || true
2. Configure Dependabot
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "security-team"
labels:
- "dependencies"
- "security"
3. Add pre-commit hook
# .husky/pre-commit #!/bin/sh npm audit --audit-level=high
4. Continuous monitoring
# Use Snyk npm install -g snyk snyk auth snyk monitor # Or use GitHub Advanced Security # Enable Dependabot alerts in repo settings
Best Practices
Dependency Management
- •✅ Pin exact versions in production (no ^ or ~)
- •✅ Use lock files (package-lock.json, yarn.lock)
- •✅ Regular dependency audits (weekly)
- •✅ Test updates in staging first
- •✅ Keep dependencies minimal (avoid over-dependence)
- •✅ Review new dependencies before adding
- •✅ Monitor security advisories
Lockfile Best Practices
{
"dependencies": {
"express": "4.18.2", // Exact version in production
"lodash": "^4.17.21" // Allow patches in development
}
}
Security Policies
- •Set up security policy (SECURITY.md)
- •Configure vulnerability disclosure process
- •Establish SLA for vulnerability fixes
- •Critical: 24 hours
- •High: 7 days
- •Medium: 30 days
- •Low: Next maintenance cycle
Code Review Checklist
- • New dependencies reviewed and approved
- • Dependency licenses checked
- • Package size considered
- • Alternatives evaluated
- • Security audit run
- • Transitive dependencies reviewed
Tools and Resources
Vulnerability Databases
- •National Vulnerability Database (NVD)
- •GitHub Advisory Database
- •Snyk Vulnerability DB
- •NPM Security Advisories
Scanning Tools
- •npm audit: Built-in npm scanner
- •Snyk: Comprehensive security platform
- •WhiteSource: Enterprise dependency management
- •OWASP Dependency-Check: Multi-language scanner
- •Socket: Supply chain security
- •Dependabot: Automated updates
CI/CD Integration
- •GitHub Actions security scanning
- •GitLab security dashboard
- •Jenkins OWASP plugin
- •CircleCI security orbs
Summary Statistics
Total Packages: 342
- •Direct: 45
- •Transitive: 297
Vulnerabilities:
- •Critical: 2 (0.6%)
- •High: 8 (2.3%)
- •Medium: 10 (2.9%)
- •Low: 3 (0.9%)
- •Total: 23 (6.7%)
Package Health:
- •Up-to-date: 330 (96.5%)
- •Outdated: 12 (3.5%)
- •Deprecated: 3 (0.9%)
Estimated Remediation Time: 4-5 days Risk After Remediation: Low
Action Items Summary
Immediate (Critical):
- •Update lodash to 4.17.21
- •Update sequelize to 6.6.5
Short-term (High): 3. Update express ecosystem packages 4. Update marked to 4.0.16 5. Update express-fileupload to 1.4.0 6. Fix minimist via mocha update
Medium-term: 7. Replace deprecated packages (request, node-uuid) 8. Update medium severity vulnerabilities 9. Review and update outdated packages
Long-term: 10. Set up automated monitoring 11. Implement security scanning in CI/CD 12. Establish regular audit schedule
## Notes - Run audits regularly (at least weekly) - Don't ignore low severity issues (they can become high) - Keep dependencies minimal - Prefer well-maintained packages with active communities - Monitor security advisories for your ecosystem - Test all updates in staging environment first - Document security exceptions with justification - Automated tools help but manual review is still important - Balance security with stability (don't update everything blindly)