dependency-audit

Status: Production Ready Last Updated: 2026-02-03 Scope: npm, pnpm, yarn projects

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "dependency-audit" with this command: npx skills add jezweb/claude-skills/jezweb-claude-skills-dependency-audit

Dependency Audit

Commands

Command        Purpose
/audit-deps    Run a comprehensive dependency audit with prioritised findings

Quick Start

/audit-deps                   # Full audit
/audit-deps --security-only   # Only security vulnerabilities
/audit-deps --outdated        # Only outdated packages
/audit-deps --fix             # Auto-fix compatible updates

What This Skill Audits

  1. Security Vulnerabilities

npm audit / pnpm audit

  • Critical (CVSS 9.0-10.0): Remote code execution, auth bypass

  • High (CVSS 7.0-8.9): Data exposure, privilege escalation

  • Moderate (CVSS 4.0-6.9): DoS, info disclosure

  • Low (CVSS 0.1-3.9): Minor issues

  2. Outdated Packages

npm outdated / pnpm outdated

Categories:

  • Major updates: Breaking changes likely (review changelog)

  • Minor updates: New features, backwards compatible

  • Patch updates: Bug fixes, safe to update

  3. License Compliance

Checks for:

  • GPL licenses in commercial projects (copyleft risk)

  • Unknown/missing licenses

  • License conflicts

  4. Dependency Health

  • Deprecated packages

  • Abandoned packages (no updates in 2+ years)

  • Packages with open security issues

Output Format

═══════════════════════════════════════════════
DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════

Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────
SECURITY
───────────────────────────────────────────────

🔴 CRITICAL (1)
lodash@4.17.20
└─ CVE-2021-23337: Command injection via template()
└─ Fix: npm update lodash@4.17.21
└─ Affects: direct dependency

🟠 HIGH (2)
minimist@1.2.5
└─ CVE-2021-44906: Prototype pollution
└─ Fix: Transitive via mkdirp, update parent
└─ Path: mkdirp → minimist

node-fetch@2.6.1
└─ CVE-2022-0235: Exposure of sensitive headers
└─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)
[details...]

───────────────────────────────────────────────
OUTDATED PACKAGES
───────────────────────────────────────────────

Major Updates (review breaking changes):
  react        18.2.0 → 19.1.0    (1 major)
  typescript   5.3.0 → 5.8.0      (5 minor)
  drizzle-orm  0.44.0 → 0.50.0    (6 minor)

Minor Updates (safe, new features):
  @types/node  20.11.0 → 20.14.0
  vitest       1.2.0 → 1.6.0

Patch Updates (recommended):
  [15 packages with patch updates]

───────────────────────────────────────────────
LICENSE CHECK
───────────────────────────────────────────────

✅ All licenses compatible with MIT
Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────
SUMMARY
───────────────────────────────────────────────

Security Issues: 6 (1 critical, 2 high, 3 moderate)
Outdated: 23 (3 major, 5 minor, 15 patch)
License Issues: 0

Recommended Actions:

  1. Fix critical: npm update lodash
  2. Fix high: npm audit fix
  3. Review major updates before upgrading

═══════════════════════════════════════════════

Agent

The dep-auditor agent can:

  • Parse npm/pnpm audit JSON output

  • Cross-reference CVE databases

  • Generate detailed fix recommendations

  • Auto-fix safe updates (with confirmation)

CI Integration

GitHub Actions

- name: Audit dependencies
  run: npm audit --audit-level=high
  continue-on-error: true

- name: Check for critical vulnerabilities
  run: |
    CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi
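The dep-auditor agent's "parse audit JSON" step and the jq gate above can both be done in one small Node script. This is an added example, not code from the dependency-audit skill or the skills.sh listing: it reads an `npm audit --json` report in npm's auditReportVersion 2 layout (pnpm's JSON layout differs and is not handled), separates direct from transitive findings, flags fixes that need a semver-major bump (what `npm audit fix --force` would apply), and applies an accepted-risk allowlist keyed on advisory URL, which is an assumed convention for the "false positives" limitation. The report below is a constructed sample with placeholder advisories.

```javascript
// Added example, not code from the dependency-audit skill: summarise an
// `npm audit --json` report (auditReportVersion 2) into prioritised findings.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
// `ignoredAdvisories`: assumed accepted-risk allowlist of advisory URLs reviewed as not applicable.
function summarizeAudit(report, ignoredAdvisories = new Set()) {
  const findings = [];
  for (const vuln of Object.values(report.vulnerabilities ?? {})) {
    // `via` mixes advisory objects (the package is itself vulnerable) with plain
    // strings naming a vulnerable dependency it inherits the problem from.
    const advisories = vuln.via.filter((v) => typeof v === "object");
    const inheritedFrom = vuln.via.filter((v) => typeof v === "string");
    const live = advisories.filter((a) => !ignoredAdvisories.has(a.url));
    if (advisories.length > 0 && live.length === 0) continue; // every advisory is accepted risk
    let fix = "no fix available";
    if (vuln.fixAvailable === true) {
      fix = "npm audit fix";
    } else if (typeof vuln.fixAvailable === "object") {
      // A semver-major fix is what `npm audit fix --force` would apply blindly;
      // surface it so the changelog gets reviewed first.
      const f = vuln.fixAvailable;
      fix = `update ${f.name} to ${f.version}` + (f.isSemVerMajor ? " (semver-major, review changelog)" : "");
    }
    findings.push({ name: vuln.name, severity: vuln.severity, direct: vuln.isDirect === true,
      range: vuln.range, titles: live.map((a) => a.title), inheritedFrom, fix });
  }
  // Highest severity first; at equal severity, direct dependencies before transitive ones.
  findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
    || Number(b.direct) - Number(a.direct));
  return findings;
}

// CI gate equivalent to the jq check: true when any remaining finding meets `level`.
function exceedsThreshold(findings, level) {
  return findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[level]);
}

// Constructed sample in the npm audit v2 shape; advisory titles and URLs are placeholders.
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  lodash: { name: "lodash", severity: "critical", isDirect: true, range: "<4.17.21", effects: [],
    via: [{ title: "Constructed advisory A", url: "https://example.invalid/advisory-a", severity: "critical" }],
    fixAvailable: true },
  minimist: { name: "minimist", severity: "high", isDirect: false, range: "<1.2.6", effects: ["mkdirp"],
    via: [{ title: "Constructed advisory B", url: "https://example.invalid/advisory-b", severity: "high" }],
    fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
  mkdirp: { name: "mkdirp", severity: "high", isDirect: true, range: "0.4.1 - 0.5.1", effects: [],
    via: ["minimist"], fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
} };
// Print one line per finding, most severe first, in the spirit of the report format above.
for (const f of summarizeAudit(SAMPLE_REPORT)) console.log(f.severity.toUpperCase(), f.name, f.direct ? "direct" : "transitive", "|", f.fix);
```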

Pre-commit Hook

#!/bin/sh
npm audit --audit-level=critical || {
  echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
  exit 1
}

Package Manager Commands

Task         npm                      pnpm                 yarn
Audit        npm audit                pnpm audit           yarn audit
Audit JSON   npm audit --json         pnpm audit --json    yarn audit --json
Fix auto     npm audit fix            pnpm audit --fix     yarn audit --fix
Fix force    npm audit fix --force    N/A                  N/A
Outdated     npm outdated             pnpm outdated        yarn outdated
Why          npm explain <pkg>        pnpm why <pkg>       yarn why <pkg>

Known Limitations

  • npm audit fix --force: May introduce breaking changes (major version bumps)

  • Transitive dependencies: Some vulnerabilities require updating parent packages

  • False positives: Some advisories may not apply to your usage

  • Private registries: May need auth configuration for auditing

Related Skills

  • cloudflare-worker-base: For Workers projects

  • testing-patterns: Run tests after updates

  • developer-toolbox: For commit-helper after fixes

Version: 1.0.0 Last Updated: 2026-02-03
