Dependency Audit
Status: Production Ready
Last Updated: 2026-02-03
Scope: npm, pnpm, yarn projects
Commands
| Command |
Purpose |
/audit-deps |
Run comprehensive dependency audit with prioritised findings |
Quick Start
/audit-deps # Full audit
/audit-deps --security-only # Only security vulnerabilities
/audit-deps --outdated # Only outdated packages
/audit-deps --fix # Auto-fix compatible updates
What This Skill Audits
1. Security Vulnerabilities
npm audit / pnpm audit
- Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
- High (CVSS 7.0-8.9): Data exposure, privilege escalation
- Moderate (CVSS 4.0-6.9): DoS, info disclosure
- Low (CVSS 0.1-3.9): Minor issues
2. Outdated Packages
npm outdated / pnpm outdated
Categories:
- Major updates: Breaking changes likely (review changelog)
- Minor updates: New features, backwards compatible
- Patch updates: Bug fixes, safe to update
3. License Compliance
Checks for:
- GPL licenses in commercial projects (copyleft risk)
- Unknown/missing licenses
- License conflicts
4. Dependency Health
- Deprecated packages
- Abandoned packages (no updates in 2+ years)
- Packages with open security issues
Output Format
βββββββββββββββββββββββββββββββββββββββββββββββ
DEPENDENCY AUDIT REPORT
βββββββββββββββββββββββββββββββββββββββββββββββ
Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)
βββββββββββββββββββββββββββββββββββββββββββββββ
SECURITY
βββββββββββββββββββββββββββββββββββββββββββββββ
π΄ CRITICAL (1)
[email protected]
ββ CVE-2021-23337: Command injection via template()
ββ Fix: npm update [email protected]
ββ Affects: direct dependency
π HIGH (2)
[email protected]
ββ CVE-2021-44906: Prototype pollution
ββ Fix: Transitive via mkdirp, update parent
ββ Path: mkdirp β minimist
[email protected]
ββ CVE-2022-0235: Exposure of sensitive headers
ββ Fix: npm update [email protected]
π‘ MODERATE (3)
[details...]
βββββββββββββββββββββββββββββββββββββββββββββββ
OUTDATED PACKAGES
βββββββββββββββββββββββββββββββββββββββββββββββ
Major Updates (review breaking changes):
react 18.2.0 β 19.1.0 (1 major)
typescript 5.3.0 β 5.8.0 (5 minor)
drizzle-orm 0.44.0 β 0.50.0 (6 minor)
Minor Updates (safe, new features):
@types/node 20.11.0 β 20.14.0
vitest 1.2.0 β 1.6.0
Patch Updates (recommended):
[15 packages with patch updates]
βββββββββββββββββββββββββββββββββββββββββββββββ
LICENSE CHECK
βββββββββββββββββββββββββββββββββββββββββββββββ
β
All licenses compatible with MIT
Note: 3 packages use ISC (compatible)
βββββββββββββββββββββββββββββββββββββββββββββββ
SUMMARY
βββββββββββββββββββββββββββββββββββββββββββββββ
Security Issues: 6 (1 critical, 2 high, 3 moderate)
Outdated: 23 (3 major, 5 minor, 15 patch)
License Issues: 0
Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading
βββββββββββββββββββββββββββββββββββββββββββββββ
Agent
The dep-auditor agent can:
- Parse npm/pnpm audit JSON output
- Cross-reference CVE databases
- Generate detailed fix recommendations
- Auto-fix safe updates (with confirmation)
CI Integration
GitHub Actions
- name: Audit dependencies
run: npm audit --audit-level=high
continue-on-error: true
- name: Check for critical vulnerabilities
run: |
CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
if [ "$CRITICAL" -gt 0 ]; then
echo "Critical vulnerabilities found!"
exit 1
fi
Pre-commit Hook
#!/bin/sh
npm audit --audit-level=critical || {
echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
exit 1
}
Package Manager Commands
| Task |
npm |
pnpm |
yarn |
| Audit |
npm audit |
pnpm audit |
yarn audit |
| Audit JSON |
npm audit --json |
pnpm audit --json |
yarn audit --json |
| Fix auto |
npm audit fix |
pnpm audit --fix |
yarn audit --fix |
| Fix force |
npm audit fix --force |
N/A |
N/A |
| Outdated |
npm outdated |
pnpm outdated |
yarn outdated |
| Why |
npm explain <pkg> |
pnpm why <pkg> |
yarn why <pkg> |
Known Limitations
- npm audit fix --force: May introduce breaking changes (major version bumps)
- Transitive dependencies: Some vulnerabilities require updating parent packages
- False positives: Some advisories may not apply to your usage
- Private registries: May need auth configuration for auditing
Related Skills
- cloudflare-worker-base: For Workers projects
- testing-patterns: Run tests after updates
- developer-toolbox: For commit-helper after fixes
Version: 1.0.0
Last Updated: 2026-02-03
