Dependency Audit Assistant
This skill helps audit project dependencies for security vulnerabilities, outdated packages, and license compliance issues.
When to Use This Skill
- User requests a dependency audit or security check
- Before major releases or deployments
- User asks about outdated packages or vulnerabilities
- License compliance review needed
- User mentions "npm audit", "security", "dependencies", or "vulnerabilities"
Instructions
1. Detect Package Manager
Identify which package manager(s) the project uses:
JavaScript/Node.js:
- npm:
package.json+package-lock.json - Yarn:
package.json+yarn.lock - pnpm:
package.json+pnpm-lock.yaml
Python:
- pip:
requirements.txtorsetup.py - Poetry:
pyproject.toml+poetry.lock - Pipenv:
Pipfile+Pipfile.lock
Ruby:
- Bundler:
Gemfile+Gemfile.lock
Java:
- Maven:
pom.xml - Gradle:
build.gradleorbuild.gradle.kts
Go:
- Go modules:
go.mod+go.sum
Rust:
- Cargo:
Cargo.toml+Cargo.lock
PHP:
- Composer:
composer.json+composer.lock
Use Glob to find these files.
2. Run Security Audit
Execute the appropriate audit command based on package manager:
npm: npm audit --json or npm audit
Yarn: yarn audit --json or yarn audit
pnpm: pnpm audit --json
pip: pip-audit or safety check
Poetry: poetry check
Bundler: bundle audit check --update
Maven: mvn dependency:tree + OWASP Dependency Check
Go: go list -m all + govulncheck
Cargo: cargo audit
Composer: composer audit
Parse the output to identify:
- Number of vulnerabilities by severity (critical, high, moderate, low)
- Affected packages and versions
- Available fixes (updates or patches)
- CVE identifiers
3. Check for Outdated Packages
Identify packages that have newer versions available:
npm: npm outdated --json
Yarn: yarn outdated --json
pip: pip list --outdated
Poetry: poetry show --outdated
Bundler: bundle outdated
Cargo: cargo outdated
Go: go list -u -m all
Categorize updates:
- Patch updates (1.0.0 → 1.0.1): Bug fixes, safe to update
- Minor updates (1.0.0 → 1.1.0): New features, usually safe
- Major updates (1.0.0 → 2.0.0): Breaking changes, needs testing
4. License Compliance Check
Review licenses of all dependencies:
Steps:
- Extract licenses from package metadata
- Identify license types (MIT, Apache-2.0, GPL, etc.)
- Flag potentially problematic licenses (GPL, AGPL in commercial projects)
- Check for unlicensed or unknown licenses
- Reference the license compatibility matrix in
reference/licenses.md
Tools:
- npm:
npx license-checker --jsonornpm-license-crawler - Python:
pip-licenses - Ruby:
license_finder - Go:
go-licenses
License categories:
- Permissive: MIT, Apache-2.0, BSD - Usually safe
- Weak copyleft: LGPL, MPL - Requires review
- Strong copyleft: GPL, AGPL - May restrict commercial use
- Unknown: Missing or custom licenses - Needs investigation
5. Analyze Dependency Tree
Understand the dependency structure:
Direct vs Transitive:
- Direct: Listed in package.json/requirements.txt
- Transitive: Dependencies of dependencies
Identify issues:
- Duplicate packages at different versions
- Deep dependency trees (potential for conflicts)
- Abandoned packages (no updates in >2 years)
- High-risk transitive dependencies
Commands:
- npm:
npm ls --all - Yarn:
yarn why <package> - pip:
pipdeptree - Maven:
mvn dependency:tree
6. Priority Vulnerabilities
Prioritize vulnerabilities based on:
Severity levels:
- Critical: Remote code execution, privilege escalation
- High: SQL injection, XSS, authentication bypass
- Moderate: DoS, information disclosure
- Low: Minor issues, edge cases
Exploitability:
- Known exploits in the wild
- PoC (Proof of Concept) available
- Requires special conditions
Exposure:
- Production dependencies vs dev dependencies
- Direct dependencies vs deep transitive dependencies
- Code paths actually used in the application
7. Generate Recommendations
For each issue found, provide:
Vulnerabilities:
Package: lodash@4.17.15
Severity: High
CVE: CVE-2020-8203
Issue: Prototype pollution
Recommendation: Upgrade to lodash@4.17.21 or higher
Command: npm install lodash@4.17.21
Outdated packages:
Package: react@16.14.0
Current: 16.14.0
Latest: 18.2.0
Type: Major update
Recommendation: Test thoroughly before upgrading (breaking changes)
Notes: Review migration guide at https://react.dev/blog/2022/03/08/react-18-upgrade-guide
License issues:
Package: some-gpl-library@1.0.0
License: GPL-3.0
Issue: GPL license may conflict with proprietary code
Recommendation: Find alternative with permissive license or consult legal
Alternatives: [list of similar packages with MIT/Apache licenses]
8. Update Strategy
Suggest an update approach:
Safe updates (automated):
- Patch updates with no breaking changes
- Security fixes for vulnerabilities
- Update:
npm updateornpm audit fix
Careful updates (manual testing):
- Minor version bumps
- Major updates to well-maintained packages
- Update individually and test
Research needed:
- Major breaking changes
- Abandoned packages (find alternatives)
- License conflicts
9. Generate Summary Report
Provide a comprehensive audit summary:
Dependency Audit Report
=======================
Overview:
- Total dependencies: 150 (120 direct, 30 transitive)
- Vulnerabilities: 5 (1 high, 3 moderate, 1 low)
- Outdated packages: 23
- License issues: 2
Security Vulnerabilities:
[List by severity with fix recommendations]
Outdated Packages:
[Categorized by update type: patch/minor/major]
License Compliance:
[List of licenses with any concerns]
Recommended Actions:
1. [Immediate] Fix high-severity vulnerabilities
2. [Soon] Update packages with moderate vulnerabilities
3. [Review] Address license compliance issues
4. [Optional] Update outdated packages to latest
Commands to run:
npm audit fix # Fix vulnerabilities automatically
npm update # Update to latest compatible versions
10. Continuous Monitoring
Suggest ongoing practices:
- Automated audits: Run in CI/CD pipeline
- Dependabot/Renovate: Auto-create PRs for updates
- Regular reviews: Monthly or quarterly audits
- Security alerts: Enable GitHub/GitLab security alerts
- Lock files: Commit lock files for reproducible builds
Best Practices
- Fix vulnerabilities promptly: Especially high/critical severity
- Test updates: Even patch updates can cause issues
- Read changelogs: Understand what changed before updating
- Use lock files: Ensure consistent installations across environments
- Minimize dependencies: Fewer deps = smaller attack surface
- Review new additions: Audit before adding new dependencies
- Stay current: Regular updates are easier than large jumps
- Document decisions: Why certain packages are pinned or not updated
Security Best Practices
- Never commit secrets in dependencies or env files
- Review dependency source code for popular/critical packages
- Use private registries for internal packages
- Enable 2FA on package registry accounts
- Use SRI (Subresource Integrity) for CDN resources
- Scan container images if using Docker
Supporting Files
scripts/check-licenses.sh: Extract and check license informationreference/licenses.md: License compatibility matrixreference/common-vulnerabilities.md: Common vulnerability patterns
Common Commands Reference
npm:
npm audit # Show vulnerabilities
npm audit fix # Auto-fix vulnerabilities
npm audit fix --force # Force major updates
npm outdated # Check for outdated packages
npm update # Update to latest compatible
Yarn:
yarn audit # Show vulnerabilities
yarn upgrade-interactive # Interactive update
yarn outdated # Check for outdated
pip:
pip-audit # Audit vulnerabilities
pip list --outdated # Check outdated
pip install --upgrade # Update package
Poetry:
poetry check # Check lock file
poetry show --outdated # Show outdated
poetry update # Update packages
Cargo:
cargo audit # Audit vulnerabilities
cargo outdated # Check outdated
cargo update # Update packages