dependency-auditor

Dependency Auditor Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "dependency-auditor" with this command: npx skills add alirezarezvani/claude-code-tresor/alirezarezvani-claude-code-tresor-dependency-auditor


Automatic dependency vulnerability checking.

When I Activate

  • ✅ package.json modified

  • ✅ requirements.txt changed

  • ✅ Gemfile or pom.xml modified

  • ✅ User mentions dependencies or vulnerabilities

  • ✅ Before deployments

  • ✅ yarn.lock or package-lock.json changes

What I Check

Dependency Vulnerabilities

  • Known CVEs in packages

  • Outdated dependencies with security fixes

  • Malicious packages

  • License compatibility issues

  • Deprecated packages

Package Managers Supported

  • Node.js: npm, yarn, pnpm

  • Python: pip, pipenv, poetry

  • Ruby: bundler

  • Java: Maven, Gradle

  • Go: go modules

  • PHP: composer

Example Alerts

NPM Vulnerability

You run: npm install lodash

I automatically audit:

    🚨 HIGH: Prototype Pollution in lodash
    📍 Package: lodash@4.17.15
    📦 Vulnerable versions: < 4.17.21
    🔧 Fix: npm update lodash
    📖 CVE-2020-8203
       https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher

Python Vulnerability

You modify requirements.txt: django==2.2.0

I alert:

    🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
    📍 Package: Django@2.2.0
    📦 Vulnerable versions: < 2.2.28
    🔧 Fix: Update requirements.txt to Django==2.2.28
    📖 CVEs: CVE-2021-33203, CVE-2021-33571

    Affected: SQL injection, XSS vulnerabilities
    Recommendation: Update immediately to Django@2.2.28+

Multiple Vulnerabilities

After npm install:

🚨 Dependency audit found 8 vulnerabilities:

  • 3 CRITICAL
  • 2 HIGH
  • 2 MEDIUM
  • 1 LOW

Critical issues:

  1. axios@0.21.0 - SSRF vulnerability
     Fix: npm install axios@latest

  2. ajv@6.10.0 - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. node-fetch@2.6.0 - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues

Automatic Actions

On Dependency Changes

  1. Detect package manager (npm, pip, etc.)
  2. Run security audit command
  3. Parse vulnerability results
  4. Categorize by severity
  5. Suggest fixes
  6. Flag breaking changes
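Steps 2 through 6 applied to a constructed `npm audit --json` report, as an added example that is not part of the skill's SKILL.md. It assumes the npm v7+ report shape (a `vulnerabilities` object keyed by package, each with `severity`, `range` and `fixAvailable`); the package names and versions are made up, and the gate uses the same threshold as `npm audit --audit-level=high` in the CI section below.

```python
import json

# npm's severity names; npm says "moderate" where the skill's scale says MEDIUM.
SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"]
LABELS = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM",
          "low": "LOW", "info": "INFO"}

# Constructed sample in the shape of `npm audit --json` (npm v7+): a
# `vulnerabilities` object keyed by package, each entry carrying `severity`,
# `range` and `fixAvailable`. Package names and versions are made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "example-http": {"severity": "critical", "range": "<1.2.0",
                         "fixAvailable": {"name": "example-http", "version": "1.2.0",
                                          "isSemVerMajor": False}},
        "example-schema": {"severity": "critical", "range": "<8.0.0",
                           "fixAvailable": {"name": "example-schema", "version": "8.0.0",
                                            "isSemVerMajor": True}},
        "example-parser": {"severity": "moderate", "range": "<2.1.5",
                           "fixAvailable": False},
        "example-logger": {"severity": "low", "range": "<0.9.1",
                           "fixAvailable": True},
    }
})


def categorize(audit_json):
    """Steps 3-5: parse the report, bucket findings by severity, attach a fix hint."""
    report = json.loads(audit_json)
    buckets = {LABELS[s]: [] for s in SEVERITY_ORDER}
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable")
        if not fix:
            hint = "no automatic fix; review manually or replace the package"
        elif fix is True:  # npm emits a bare true when `npm audit fix` suffices
            hint = "npm audit fix"
        elif fix.get("isSemVerMajor"):  # step 6: flag the breaking change
            hint = f"npm install {fix['name']}@{fix['version']} (major update, test first)"
        else:
            hint = f"npm update {fix['name']}"
        buckets[LABELS[vuln["severity"]]].append(
            {"package": name, "vulnerable": vuln.get("range", "?"), "fix": hint})
    return buckets


def should_block(buckets, audit_level="high"):
    """Same gate as `npm audit --audit-level=<level>`: any finding at or above it blocks."""
    at_or_above = SEVERITY_ORDER[: SEVERITY_ORDER.index(audit_level) + 1]
    return any(buckets[LABELS[s]] for s in at_or_above)
```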

Audit Commands

Node.js

    npm audit
    npm audit --json   # Structured output

Python

    pip-audit
    safety check

Ruby

bundle audit

Java (Maven)

mvn dependency-check:check

Severity Classification

CRITICAL 🚨

  • Remote code execution

  • SQL injection

  • Authentication bypass

  • Publicly exploitable

HIGH ⚠️

  • Cross-site scripting

  • Denial of service

  • Information disclosure

  • Wide attack surface

MEDIUM 📋

  • Limited impact vulnerabilities

  • Requires specific conditions

  • Difficult to exploit

LOW 💡

  • Minor security improvements

  • Best practice violations

  • Minimal risk

Fix Strategies

Automatic Updates

    # Safe automatic fixes
    npm audit fix

    # May include breaking changes
    npm audit fix --force

Manual Updates

    # Check what will change
    npm outdated

    # Update specific package
    npm update lodash

    # Major version update
    npm install lodash@latest

Alternative Packages

    Vulnerable: request@2.88.0 (deprecated)
    Alternative: axios or node-fetch
    Migration guide: [link]

Integration with CI/CD

Block Deployments

.github/workflows/security.yml

    - name: Dependency audit
      run: |
        npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found

Scheduled Audits

Weekly dependency check

    on:
      schedule:
        - cron: '0 0 * * 0'
    jobs:
      audit:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v2
          - run: npm audit

Sandboxing Compatibility

Works without sandboxing: ✅ Yes
Works with sandboxing: ⚙️ Needs npm/pip registry access

Sandbox config:

    {
      "network": {
        "allowedDomains": [
          "registry.npmjs.org",
          "pypi.org",
          "rubygems.org",
          "repo.maven.apache.org"
        ]
      }
    }

License Checking

I also check license compatibility:

    ⚠️ License issue: GPL-3.0 package in commercial project
    📦 Package: some-gpl-package@1.0.0
    📖 GPL-3.0 requires source code disclosure
    🔧 Consider: Find MIT/Apache-2.0 alternative

Best Practices

  • Regular audits: Run weekly or on every dependency change

  • Update frequently: Keep dependencies current

  • Review breaking changes: Test before major updates

  • Pin versions: Use exact versions in production

  • Audit lock files: Commit and audit lock files

Related Tools

  • security-auditor skill: Code vulnerability detection

  • @architect sub-agent: Dependency strategy

  • /review command: Pre-deployment security check

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
