dependency-audit
Systematic workflow for auditing, updating, and cleaning up project dependencies. Covers security vulnerability scanning, outdated package detection, unused dependency removal, and migration from deprecated libraries.
Works with
0
total installs
0
this week
29
GitHub stars
0
upvotes
Install Skill
Run in your terminal
0
installs
0
this week
29
stars
Installation Guide
How to use dependency-audit on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your machine
- ›Node.js 16+ with npm — verify with
node --version - ›Active project directory where you want to add
dependency-audit
Run the install command
Execute the skills CLI command in your project's root directory to begin installation:
Fetches dependency-audit from bobmatnyc/claude-mpm-skills and configures it for Cursor.
Select Cursor when prompted
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate dependency-audit. Access via /dependency-audit in your agent's command palette.
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Documentation
Dependency Audit Skill
Summary
Systematic workflow for auditing, updating, and cleaning up project dependencies. Covers security vulnerability scanning, outdated package detection, unused dependency removal, and migration from deprecated libraries.
When to Use
- Weekly/monthly dependency maintenance
- After security advisories (CVE announcements)
- Before major releases
- When bundle size increases unexpectedly
- During code reviews for dependency changes
- Onboarding to legacy projects
Quick Audit Process
1. Check Outdated Packages
# npm
npm outdated
# pnpm
pnpm outdated
# yarn
yarn outdated
# pip (Python)
pip list --outdated
# poetry (Python)
poetry show --outdated
2. Security Vulnerability Scan
# npm
npm audit
npm audit fix # Auto-fix where possible
npm audit fix --force # Force major version updates (risky)
# pnpm
pnpm audit
pnpm audit --fix
# yarn
yarn audit
yarn audit --fix
# Python
pip-audit # Requires: pip install pip-audit
safety check # Requires: pip install safety
3. Find Unused Dependencies
# JavaScript/TypeScript
npx depcheck
# Output example:
# Unused dependencies
# * lodash
# * moment
# Unused devDependencies
# * @types/old-package
# Python
pip-autoremove --list # Requires: pip install pip-autoremove
Audit Commands
JavaScript/TypeScript/Node.js
npm
# Check what's outdated
npm outdated
# Update within semver range (safe)
npm update
# Update specific package to latest
npm install package@latest
# Check security vulnerabilities
npm audit
# Auto-fix vulnerabilities
npm audit fix
# View dependency tree
npm list
npm list --depth=0 # Top-level only
# Why is this package installed?
npm ls package-name
# Check for duplicate packages
npm dedupe
pnpm
# Check outdated
pnpm outdated
# Update all dependencies
pnpm update
# Update specific package
pnpm update package@latest
# Security audit
pnpm audit
# Deduplicate
pnpm dedupe
# List all packages
pnpm list
yarn
# Check outdated
yarn outdated
# Upgrade interactive (recommended)
yarn upgrade-interactive
# Update all
yarn upgrade
# Security audit
yarn audit
# Why is this here?
yarn why package-name
Python
pip
# List outdated
pip list --outdated
# Update specific package
pip install --upgrade package-name
# Security audit
pip-audit # Install: pip install pip-audit
# Freeze current dependencies
pip freeze > requirements.txt
# Check dependencies of a package
pip show package-name
poetry
# Show outdated
poetry show --outdated
# Update all
poetry update
# Update specific package
poetry update package-name
# Security check
poetry audit # poetry-audit-plugin required
# Show dependency tree
poetry show --tree
pipenv
# Check for security vulnerabilities
pipenv check
# Update all
pipenv update
# Update specific
pipenv update package-name
# Show dependency graph
pipenv graph
Priority Matrix
| Priority | Type | Action | Timeline | Example |
|---|---|---|---|---|
| P0 | Critical CVE (actively exploited) | Patch immediately | Same day | Auth bypass, RCE |
| P1 | High CVE or major framework update | Plan migration | 1-2 weeks | Next.js, React major version |
| P2 | Deprecated with active usage | Find replacement | 2-4 weeks | moment.js → date-fns |
| P3 | Minor/patch updates | Batch update | Monthly | Non-breaking updates |
| P4 | Unused dependencies | Remove | Next cleanup PR | Dead imports |
Priority Decision Tree
Is there a CVE?
├─ Yes → Is it critical/high severity?
│ ├─ Yes → P0 (patch immediately)
│ └─ No → P1 (plan update)
└─ No → Is package deprecated?
├─ Yes → Is it actively used?
│ ├─ Yes → P2 (find replacement)
│ └─ No → P4 (remove)
└─ No → Is it outdated?
├─ Major version → P1 (plan migration)
├─ Minor/patch → P3 (batch update)
└─ Unused → P4 (remove)
Common Replacements
Date/Time Libraries
JavaScript/TypeScript
// ❌ moment.js (deprecated, 288KB minified)
import moment from 'moment';
const formatted = moment().format('YYYY-MM-DD');
const diff = moment(date1).diff(moment(date2), 'days');
// ✅ date-fns (tree-shakeable, 2-5KB per function)
import { format, differenceInDays } from 'date-fns';
const formatted = format(new Date(), 'yyyy-MM-dd');
const diff = differenceInDays(date1, date2);
// ✅ Native Intl (zero bundle cost)
const formatted = new Intl.DateTimeFormat('en-US').format(new Date());
const relative = new Intl.RelativeTimeFormat('en').format(-1, 'day'); // "1 day ago"
Python
# ❌ arrow (overhead for simple tasks)
import arrow
now = arrow.now().format('YYYY-MM-DD')
# ✅ Native datetime
from datetime import datetime
now = datetime.now().strftime('%Y-%m-%d')
# ✅ pendulum (for complex timezone handling)
import pendulum
now = pendulum.now('America/New_York')
Utility Libraries
JavaScript/TypeScript
// ❌ Full lodash import (70KB)
import _ from 'lodash';
const value = _.get(obj, 'path.to.value');
const unique = _.uniq(array);
// ✅ Specific imports (5-10KB)
import get from 'lodash/get';
import uniq from 'lodash/uniq';
// ✅ Native alternatives (0KB)
const value = obj?.path?.to?.value; // Optional chaining
const unique = [...new Set(array)]; // Set
const keys = Object.keys(obj); // Object.keys
const flat = array.flat()List & Monetize Your Skill
Submit your Claude Code skill and start earning
Get started →Use Cases
User Story & Requirements Generation
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Competitive Analysis
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Roadmap Prioritization
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Implementation Guide
Prerequisites
- ›Claude Desktop or compatible AI client
- ›Access to product documentation and roadmap tools (Jira, Notion, etc.)
- ›Understanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
- ›Stakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
- 1Install product management skill
- 2Start with user story generation for known feature
- 3Progress to competitive analysis: research 2-3 competitors
- 4Use for roadmap prioritization: apply RICE/ICE scoring
- 5Draft stakeholder communications and refine based on feedback
- 6Build template library for recurring PM tasks
- 7Share effective prompts with product team
Common Pitfalls
- ⚠Not validating competitive research—verify facts before sharing
- ⚠Accepting user stories without involving engineering team
- ⚠Over-relying on frameworks without qualitative judgment
- ⚠Not customizing outputs to company culture and communication style
- ⚠Skipping stakeholder validation of generated requirements
Best Practices
✓ Do
- +Validate research and competitive analysis with real data
- +Collaborate with engineering when generating technical requirements
- +Customize frameworks and templates to your company context
- +Use skill for first drafts, refine with stakeholder input
- +Document successful prompt patterns for PM tasks
- +Combine AI efficiency with human judgment and intuition
✗ Don't
- −Don't publish competitive analysis without fact-checking
- −Don't finalize user stories without engineering review
- −Don't make prioritization decisions solely on AI scoring
- −Don't skip customer validation of generated requirements
- −Don't ignore company-specific context and culture
💡 Pro Tips
- ★Provide context: company goals, constraints, customer feedback
- ★Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
- ★Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
- ★Use skill for 70% generation + 30% customization to company needs
When to Use This
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
- 1Basic: user stories, feature specs, status updates
- 2Intermediate: competitive analysis, prioritization frameworks, PRDs
- 3Advanced: product strategy, go-to-market planning, OKR setting
- 4Expert: product vision, market positioning, business model innovation
Related Skills
improve
68shadcn/improve
grill-me
388mattpocock/skills
premortem
197parcadei/continuous-claude-v3
deslop
118cursor/plugins
framer-motion
99pproenca/dot-skills
write-a-prd
91mattpocock/skills
Reviews
- MMin Khanna★★★★★Dec 24, 2024
Keeps context tight: dependency-audit is the kind of skill you can hand to a new teammate without a long onboarding doc.
- SShikha Mishra★★★★★Dec 16, 2024
dependency-audit reduced setup friction for our internal harness; good balance of opinion and flexibility.
- NNeel Johnson★★★★★Dec 12, 2024
I recommend dependency-audit for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- MMin Chawla★★★★★Dec 8, 2024
dependency-audit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- KKiara Reddy★★★★★Dec 4, 2024
dependency-audit has been reliable in day-to-day use. Documentation quality is above average for community skills.
- AAlexander Zhang★★★★★Nov 27, 2024
dependency-audit is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- XXiao Sanchez★★★★★Nov 15, 2024
We added dependency-audit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- YYash Thakker★★★★★Nov 7, 2024
I recommend dependency-audit for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- TTariq Zhang★★★★★Nov 7, 2024
Solid pick for teams standardizing on skills: dependency-audit is focused, and the summary matches what you get after install.
- CChinedu Anderson★★★★★Nov 3, 2024
dependency-audit reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 56
Discussion
Comments — not star reviews- No comments yet — start the thread.