dependency-auditor

Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "dependency-auditor" with this command: npx skills add onewave-ai/claude-skills/onewave-ai-claude-skills-dependency-auditor

Dependency Auditor

Instructions

When auditing dependencies:

Run security audit
Check for outdated packages
Find unused dependencies
Analyze bundle size impact
Review and update

Security Audit

# NPM audit
npm audit

# Get JSON output for processing
npm audit --json

# Fix automatically (safe fixes only)
npm audit fix

# Force fix (may have breaking changes)
npm audit fix --force

# PNPM
pnpm audit

# Yarn
yarn audit

Check Outdated Packages

# NPM
npm outdated

# Interactive update
npx npm-check-updates -i

# Update all to latest
npx npm-check-updates -u
npm install

# Check specific package
npm view <package> versions

Find Unused Dependencies

# Using depcheck
npx depcheck

# With details
npx depcheck --detailed

# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"

Common False Positives

Depcheck may flag these as unused when they're actually needed:

@types/* packages (used by TypeScript)
ESLint/Prettier plugins (referenced in config)
PostCSS plugins (referenced in config)
Next.js plugins
Babel presets

Analyze Bundle Size

# For Next.js
npx @next/bundle-analyzer

# General purpose
npx source-map-explorer dist/**/*.js

# Check package size before installing
npx package-phobia <package-name>

# Compare alternatives
npx bundlephobia-cli compare lodash ramda

Dependency Review Checklist

Security

No critical/high vulnerabilities
Dependencies actively maintained
No known malicious packages
Lock file committed

Freshness

No major version behind (unless intentional)
Security patches applied
Deprecated packages replaced

Cleanliness

No unused dependencies
No duplicate packages (check lock file)
devDependencies vs dependencies correct

Update Strategies

Conservative (Recommended)

# Update patch versions only
npm update

# Update specific package
npm install package@latest

Aggressive

# Update everything
npx npm-check-updates -u
npm install
npm test

Interactive

npx npm-check-updates -i

# Options:
# a - update all
# space - toggle selection
# enter - apply selected

Package.json Cleanup

{
  "dependencies": {
    // Runtime dependencies only
  },
  "devDependencies": {
    // Build/test tools only
  },
  "peerDependencies": {
    // For libraries only
  },
  "optionalDependencies": {
    // Platform-specific (rare)
  }
}

Lock File Best Practices

Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
Use npm ci in CI/CD (not npm install)
Regenerate if corrupted: delete lock file + node_modules, reinstall
Single lock file per project (don't mix package managers)

Automated Monitoring

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: "development"

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHub Open in ClawHub

Related Skills

Related by shared tags or category signals.

Security

dependency-auditor

No summary provided by upstream source.

Repository SourceNeeds Review

39-borghei

Security

accessibility-auditor

No summary provided by upstream source.

Repository SourceNeeds Review

22-onewave-ai

Coding

code-review-pro

No summary provided by upstream source.

Repository SourceNeeds Review

1.6K-onewave-ai

General

landing-page-copywriter

No summary provided by upstream source.

Repository SourceNeeds Review

1.3K-onewave-ai