dependency-audit
热门Comprehensive dependency health auditing for JavaScript/TypeScript projects. Run npm audit, detect outdated packages, check for security advisories, and verify license compliance. Prioritises vulnerabilities by severity and provides actionable fix recommendations. Use when: auditing project dependencies, checking for vulnerabilities, updating packages, preparing for release, or investigating "npm audit" warnings. Keywords: audit, vulnerabilities, outdated, security, npm audit, pnpm audit, CVE, GHSA, license.
|
Dependency Audit
Status: Production Ready
Last Updated: 2026-02-03
Scope: npm, pnpm, yarn projects
Commands
| Command | Purpose |
|---|---|
/audit-deps |
Run comprehensive dependency audit with prioritised findings |
Quick Start
/audit-deps # Full audit
/audit-deps --security-only # Only security vulnerabilities
/audit-deps --outdated # Only outdated packages
/audit-deps --fix # Auto-fix compatible updates
What This Skill Audits
1. Security Vulnerabilities
npm audit / pnpm audit
- Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
- High (CVSS 7.0-8.9): Data exposure, privilege escalation
- Moderate (CVSS 4.0-6.9): DoS, info disclosure
- Low (CVSS 0.1-3.9): Minor issues
2. Outdated Packages
npm outdated / pnpm outdated
Categories:
- Major updates: Breaking changes likely (review changelog)
- Minor updates: New features, backwards compatible
- Patch updates: Bug fixes, safe to update
3. License Compliance
Checks for:
- GPL licenses in commercial projects (copyleft risk)
- Unknown/missing licenses
- License conflicts
4. Dependency Health
- Deprecated packages
- Abandoned packages (no updates in 2+ years)
- Packages with open security issues
Output Format
═══════════════════════════════════════════════
DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════
Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)
───────────────────────────────────────────────
SECURITY
───────────────────────────────────────────────
🔴 CRITICAL (1)
lodash@4.17.20
└─ CVE-2021-23337: Command injection via template()
└─ Fix: npm update lodash@4.17.21
└─ Affects: direct dependency
🟠 HIGH (2)
minimist@1.2.5
└─ CVE-2021-44906: Prototype pollution
└─ Fix: Transitive via mkdirp, update parent
└─ Path: mkdirp → minimist
node-fetch@2.6.1
└─ CVE-2022-0235: Exposure of sensitive headers
└─ Fix: npm update node-fetch@2.6.7
🟡 MODERATE (3)
[details...]
───────────────────────────────────────────────
OUTDATED PACKAGES
───────────────────────────────────────────────
Major Updates (review breaking changes):
react 18.2.0 → 19.1.0 (1 major)
typescript 5.3.0 → 5.8.0 (5 minor)
drizzle-orm 0.44.0 → 0.50.0 (6 minor)
Minor Updates (safe, new features):
@types/node 20.11.0 → 20.14.0
vitest 1.2.0 → 1.6.0
Patch Updates (recommended):
[15 packages with patch updates]
───────────────────────────────────────────────
LICENSE CHECK
───────────────────────────────────────────────
✅ All licenses compatible with MIT
Note: 3 packages use ISC (compatible)
───────────────────────────────────────────────
SUMMARY
───────────────────────────────────────────────
Security Issues: 6 (1 critical, 2 high, 3 moderate)
Outdated: 23 (3 major, 5 minor, 15 patch)
License Issues: 0
Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading
═══════════════════════════════════════════════
Agent
The dep-auditor agent can:
- Parse npm/pnpm audit JSON output
- Cross-reference CVE databases
- Generate detailed fix recommendations
- Auto-fix safe updates (with confirmation)
CI Integration
GitHub Actions
- name: Audit dependencies
run: npm audit --audit-level=high
continue-on-error: true
- name: Check for critical vulnerabilities
run: |
CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
if [ "$CRITICAL" -gt 0 ]; then
echo "Critical vulnerabilities found!"
exit 1
fi
Pre-commit Hook
#!/bin/sh
npm audit --audit-level=critical || {
echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
exit 1
}
Package Manager Commands
| Task | npm | pnpm | yarn |
|---|---|---|---|
| Audit | npm audit |
pnpm audit |
yarn audit |
| Audit JSON | npm audit --json |
pnpm audit --json |
yarn audit --json |
| Fix auto | npm audit fix |
pnpm audit --fix |
yarn audit --fix |
| Fix force | npm audit fix --force |
N/A | N/A |
| Outdated | npm outdated |
pnpm outdated |
yarn outdated |
| Why | npm explain <pkg> |
pnpm why <pkg> |
yarn why <pkg> |
Known Limitations
- npm audit fix --force: May introduce breaking changes (major version bumps)
- Transitive dependencies: Some vulnerabilities require updating parent packages
- False positives: Some advisories may not apply to your usage
- Private registries: May need auth configuration for auditing
Related Skills
- cloudflare-worker-base: For Workers projects
- testing-patterns: Run tests after updates
- developer-toolbox: For commit-helper after fixes
Version: 1.0.0
Last Updated: 2026-02-03
You Might Also Like
Related Skills
verify
Use when you want to validate changes before committing, or when you need to check all React contribution requirements.
facebooktest
Use when you need to run tests for React core. Supports source, www, stable, and experimental channels.
facebookfeature-flags
Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging channel-specific test failures, or adding new flags to React.
facebookextract-errors
Use when adding new error messages to React, or seeing "unknown error code" warnings.
facebook