dependency-audit

Audit dependencies based on project type:

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "dependency-audit" with this command: npx skills add armanzeroeight/fastagent-plugins/armanzeroeight-fastagent-plugins-dependency-audit

Dependency Audit

Quick Start

Audit dependencies based on project type:

Node.js

npm audit

Python

pip-audit

Go

govulncheck ./...

Instructions

Step 1: Identify Package Manager

Check for manifest files:

  • package.json with package-lock.json → npm; with yarn.lock → yarn

  • requirements.txt / pyproject.toml → pip

  • go.mod → Go modules

  • Cargo.toml → Cargo (Rust)

  • Gemfile → Bundler (Ruby)

Step 2: Run Audit

Node.js (npm):

npm audit
npm audit --json # Machine-readable output

Node.js (yarn):

yarn audit
yarn audit --json

Python:

pip install pip-audit
pip-audit # Audits the packages installed in the current environment
pip-audit -r requirements.txt # Audits the pinned requirements instead

Go:

govulncheck ./...

Ruby:

bundle audit check --update

Step 3: Analyze Results

Categorize by severity:

Severity   CVSS      Action
Critical   9.0+      Update immediately
High       7.0-8.9   Update within 24h
Moderate   4.0-6.9   Update this sprint
Low        < 4.0     Update when convenient

Step 4: Fix Vulnerabilities

npm - Auto-fix:

npm audit fix
npm audit fix --force # Breaking changes allowed: installs semver-major updates, so review the package.json and lockfile diff and run the test suite before committing

npm - Manual update:

npm update vulnerable-package

or install a specific version:

npm install vulnerable-package@2.0.0

Python - Update package:

pip install --upgrade vulnerable-package

or set a lower bound in requirements.txt and reinstall from the file (>= is a floor, not a pin; use == to pin an exact version):

vulnerable-package>=2.0.0

Step 5: Verify Fixes

Re-run audit to confirm:

npm audit # Should report 0 vulnerabilities
pip-audit # Should report no known vulnerabilities
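Steps 3 to 5 are usually scripted rather than read by eye. The following is an added example (not one of the skill's own scripts) that triages the machine-readable output of npm audit --json against the severity table above, maps each finding to the Step 4 fix command, and returns a gate result in the spirit of --audit-level. It assumes the npm 7+ report shape (auditReportVersion 2: a vulnerabilities map keyed by package name, each entry carrying severity, isDirect, range, via and fixAvailable); the sample report embedded below is constructed, and the package names other than lodash and minimist are invented.

```python
import json
import sys

# Severity table from Step 3: npm label -> (CVSS band, required action).
SEVERITY_TABLE = {
    "critical": ("9.0+", "Update immediately"),
    "high": ("7.0-8.9", "Update within 24h"),
    "moderate": ("4.0-6.9", "Update this sprint"),
    "low": ("< 4.0", "Update when convenient"),
    "info": ("n/a", "Informational, no action required"),
}
# Ordering used by the gate; same levels as npm's --audit-level flag.
RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm 7+ report shape (auditReportVersion 2).
# "old-parser" and "legacy-cli" are made-up packages; scores are illustrative.
SAMPLE_REPORT = json.loads("""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash", "severity": "high", "isDirect": true,
      "via": [{"title": "Command Injection in lodash", "severity": "high",
               "cvss": {"score": 7.2}, "range": "<4.17.21"}],
      "range": "<4.17.21",
      "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": false}
    },
    "minimist": {
      "name": "minimist", "severity": "moderate", "isDirect": false,
      "via": [{"title": "Prototype Pollution in minimist", "severity": "moderate",
               "cvss": {"score": 5.6}, "range": "<1.2.6"}],
      "range": "<1.2.6", "fixAvailable": true
    },
    "old-parser": {
      "name": "old-parser", "severity": "critical", "isDirect": false,
      "via": [{"title": "Remote code execution in old-parser", "severity": "critical",
               "cvss": {"score": 9.8}, "range": "<=1.4.0"}],
      "range": "<=1.4.0", "fixAvailable": false
    },
    "legacy-cli": {
      "name": "legacy-cli", "severity": "critical", "isDirect": true,
      "via": ["old-parser"], "range": "<3.0.0",
      "fixAvailable": {"name": "legacy-cli", "version": "3.0.0", "isSemVerMajor": true}
    }
  }
}
""")


def fix_command(name, direct, fix):
    """Map npm's fixAvailable field (false / true / object) to the Step 4 command."""
    if fix is False or fix is None:
        return None                      # "No Fix Available" scenario
    if fix is True:
        return "npm audit fix"           # fixable, but npm reports no exact version
    target = f"npm install {name}@{fix['version']}"
    if fix.get("isSemVerMajor"):         # "Breaking Changes" scenario
        return target + "  (semver-major: review changelog and run tests first)"
    return target if direct else "npm audit fix"


def triage(report, fail_level="high"):
    """Categorize findings by the severity table and decide the gate result.

    Returns (findings sorted most severe first, exit code). The exit code is 1
    when any finding is at or above fail_level, else 0.
    """
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        if sev not in RANK:
            sev = "info"
        band, action = SEVERITY_TABLE[sev]
        # `via` holds advisory objects for the package itself, or the bare names
        # of the dependencies through which it is vulnerable (transitive case).
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        through = [v for v in vuln.get("via", []) if isinstance(v, str)]
        title = advisories[0]["title"] if advisories else "vulnerable via " + ", ".join(through)
        fix = vuln.get("fixAvailable", False)
        direct = bool(vuln.get("isDirect"))
        findings.append({
            "name": name, "severity": sev, "cvss_band": band, "action": action,
            "direct": direct, "range": vuln.get("range", "*"), "title": title,
            "fix_available": bool(fix),
            "fix_version": fix.get("version") if isinstance(fix, dict) else None,
            "breaking": bool(fix.get("isSemVerMajor")) if isinstance(fix, dict) else False,
            "fix_command": fix_command(name, direct, fix),
        })
    findings.sort(key=lambda f: -RANK[f["severity"]])
    exit_code = 1 if any(RANK[f["severity"]] >= RANK[fail_level] for f in findings) else 0
    return findings, exit_code


def render(findings):
    """Render findings grouped by severity, in the layout of the Report Format section."""
    lines = [f"Vulnerabilities Found: {len(findings)}"]
    for level in sorted(RANK, key=RANK.get, reverse=True):
        group = [f for f in findings if f["severity"] == level]
        if not group:
            continue
        lines.append(f"\n{level.capitalize()} ({len(group)})")
        for f in group:
            kind = "direct" if f["direct"] else "transitive"
            fixed = f["fix_version"] or ("see npm audit fix" if f["fix_available"] else "no patched version")
            lines += [f"\n{f['name']} - {f['title']}",
                      f"  • Vulnerable range: {f['range']} ({kind})",
                      f"  • Fixed in: {fixed}",
                      f"  • Action: {f['action']} (CVSS {f['cvss_band']})"]
            if f["fix_command"]:
                lines.append(f"  • Fix: {f['fix_command']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: npm audit --json | python triage.py - [fail_level]; without "-" the sample is used.
    args = sys.argv[1:]
    data = json.load(sys.stdin) if "-" in args else SAMPLE_REPORT
    level = next((a for a in args if a != "-"), "high")
    results, code = triage(data, level)
    print(render(results))
    sys.exit(code)
```

The gate compares the ranked severity label only; if your policy keys on the CVSS score instead, use the score carried in each via entry rather than the label, since npm's label is assigned by the advisory source and the two can disagree. Note that npm audit reports the vulnerable version range, not the installed version; the installed version comes from the lockfile.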

Common Scenarios

Transitive Dependencies

When vulnerability is in a sub-dependency:

Check the dependency tree to see which direct dependencies pull it in, and whether several copies are installed:

npm ls vulnerable-package

Force resolution (npm 8.3+ overrides; yarn uses a resolutions field for the same purpose)

Add to package.json:

{ "overrides": { "vulnerable-package": "2.0.0" } }
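The lockfile already contains everything npm ls prints, which makes the transitive case scriptable: find every installed copy of the vulnerable package, work out which dependents resolve to each copy, and emit the override. This is an added example, not part of the skill; it assumes a lockfileVersion 2 or 3 package-lock.json, whose packages map keys install paths such as node_modules/a/node_modules/b to entries with version and dependencies. The lockfile below is constructed, and the packages report-tool and dir-helper are invented.

```python
import json

# Constructed package-lock.json (lockfileVersion 3). "dir-helper" pins an
# exact old minimist, so a nested copy exists beside the hoisted 1.2.8.
SAMPLE_LOCK = json.loads("""
{
  "name": "my-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-app",
         "dependencies": {"report-tool": "^2.1.0", "minimist": "^1.2.6"}},
    "node_modules/minimist": {"version": "1.2.8"},
    "node_modules/report-tool": {"version": "2.1.4",
                                 "dependencies": {"dir-helper": "^0.5.0"}},
    "node_modules/dir-helper": {"version": "0.5.3",
                                "dependencies": {"minimist": "1.2.5"}},
    "node_modules/dir-helper/node_modules/minimist": {"version": "1.2.5"}
  }
}
""")


def parse_version(v):
    """Simplified semver: numeric major.minor.patch, prerelease tags ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def resolve(packages, from_path, dep):
    """Node-style resolution: nearest node_modules/<dep> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Drop the innermost "node_modules/<name>" segment to move one level up.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependents(lock, name):
    """Every package that requests `name`, with the copy its require() resolves to
    (the information `npm ls name` prints, read from the lockfile instead)."""
    packages = lock["packages"]
    rows = []
    for path, entry in packages.items():
        for field in ("dependencies", "optionalDependencies"):
            spec = entry.get(field, {}).get(name)
            if spec is None:
                continue
            resolved = resolve(packages, path, name)
            rows.append({
                "dependent": entry.get("name") or path.rsplit("node_modules/", 1)[-1],
                "dependent_version": entry.get("version"),
                "requested": spec,
                "resolved_path": resolved,
                "resolved_version": packages[resolved]["version"] if resolved else None,
            })
    return rows


def vulnerable_copies(lock, name, fixed_version):
    """Installed copies of `name` older than the first patched version."""
    floor = parse_version(fixed_version)
    return [(path, entry["version"]) for path, entry in lock["packages"].items()
            if (path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"))
            and parse_version(entry["version"]) < floor]


def add_override(package_json, name, spec):
    """Return a copy of package.json with an npm (8.3+) override for `name`,
    keeping any overrides already present. `spec` may be a version or a range."""
    updated = dict(package_json)
    overrides = dict(updated.get("overrides", {}))
    overrides[name] = spec
    updated["overrides"] = overrides
    return updated


if __name__ == "__main__":
    for row in dependents(SAMPLE_LOCK, "minimist"):
        print(row)
    print(vulnerable_copies(SAMPLE_LOCK, "minimist", "1.2.6"))
    print(json.dumps(add_override({"name": "my-app"}, "minimist", "^1.2.6"), indent=2))
```

Choose the override spec with the installed copies in mind: an exact "1.2.6" would also downgrade the hoisted 1.2.8 in the sample, whereas a range such as "^1.2.6" forces only the stale nested copy forward. After editing package.json, run npm install so the lockfile is regenerated, then re-run npm audit (Step 5).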

No Fix Available

When no patched version exists:

  • Check whether the vulnerable code path is reachable in your usage (which function is affected, and whether attacker-controlled input can reach it)

  • Consider alternative packages

  • Implement workarounds if possible

  • Monitor for updates

Breaking Changes

When fix requires major version bump:

  • Review changelog for breaking changes

  • Update code to accommodate changes

  • Run tests thoroughly

  • Consider gradual rollout

Report Format

Dependency Audit Report

Project: my-app
Date: 2024-01-15
Total Dependencies: 245
Vulnerabilities Found: 3

Critical (1)

lodash - Command Injection (template function)

  • Installed: 4.17.15
  • Fixed in: 4.17.21
  • CVE: CVE-2021-23337
  • Fix: npm install lodash@4.17.21

High (1)

axios - Regular Expression Denial of Service (ReDoS)

  • Installed: 0.21.0
  • Fixed in: 0.21.2
  • CVE: CVE-2021-3749
  • Fix: npm install axios@0.21.2

Moderate (1)

minimist - Prototype Pollution

  • Installed: 1.2.5
  • Fixed in: 1.2.6
  • CVE: CVE-2021-44906
  • Fix: npm audit fix

CI/CD Integration

GitHub Actions

- name: Audit dependencies
  run: |
    npm audit --audit-level=high

Exits non-zero (failing the job) only if high or critical vulnerabilities are found

Pre-commit

package.json scripts (npm does not run a "precommit" script on its own; wire it to the git pre-commit hook with a tool such as husky, or call it from .git/hooks/pre-commit)

{ "scripts": { "precommit": "npm audit --audit-level=moderate" } }

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

  • api-security-checker (Security)

  • security-group-analyzer (Security)

  • vulnerability-scanner (Security)