Dependency Security & License Audit
I'll perform comprehensive security and license audits of your project dependencies, identifying vulnerabilities, license issues, and outdated packages.
Arguments: $ARGUMENTS - specific packages, severity level, or audit focus
Audit Philosophy
- Security First: Identify all vulnerabilities
- License Compliance: Ensure legal compatibility
- Supply Chain Security: Verify package integrity
- Update Strategy: Safe upgrade paths
Token Optimization:
- ✅ Package manager command-based audit (minimal tokens, no file reads)
- ✅ Bash-based vulnerability parsing from audit output
- ✅ Caching previous audit results for comparison
- ✅ Early exit when no vulnerabilities found - saves 90%
- ✅ Progressive disclosure (critical → high → medium → low)
- ✅ Incremental updates (only new/changed dependencies)
- Expected tokens: 400-1,000 (vs. 1,500-3,000 unoptimized)
- Optimization status: ✅ Optimized (Phase 2 Batch 2, 2026-01-26)
Caching Behavior:
- Cache location:
.claude/cache/deps/last-audit.json - Caches: Vulnerability reports, license info, package versions
- Cache validity: 24 hours or until dependencies change
- Shared with:
/deploy-validate,/security-scanskills
Token Optimization Implementation
Target: 67% reduction (1,500-3,000 → 400-1,000 tokens)
1. Bash-First Execution Strategy (Primary Optimization)
Problem: Reading dependency files consumes unnecessary tokens Solution: Execute package manager audit commands directly via Bash
# ❌ AVOID: Reading and parsing package.json (500+ tokens)
Read package.json → Parse dependencies → Analyze each package
# ✅ OPTIMIZED: Direct package manager audit (50-100 tokens)
npm audit --json | parse critical/high only
Token Savings:
- Skip package.json read: -500 tokens
- Skip node_modules analysis: -1,000+ tokens
- Bash-based parsing: -300 tokens
- Total: ~1,800 tokens saved (60% reduction)
2. Checksum-Based Dependency Caching
Cache Key Generation:
# Generate cache key from dependency files
CACHE_KEY=$(cat package.json package-lock.json 2>/dev/null | md5sum | cut -d' ' -f1)
CACHE_FILE=".claude/cache/deps/audit-${CACHE_KEY}.json"
if [ -f "$CACHE_FILE" ]; then
CACHE_AGE=$(($(date +%s) - $(stat -c %Y "$CACHE_FILE")))
if [ $CACHE_AGE -lt 86400 ]; then # 24 hours
echo "✓ Using cached audit results (${CACHE_AGE}s old)"
cat "$CACHE_FILE"
exit 0
fi
fi
What Gets Cached:
- Vulnerability reports (npm audit, pip-audit output)
- License information (license-checker results)
- Package version matrix (current vs latest)
- Previous fix recommendations
Cache Invalidation:
- Dependency file changes (package.json, requirements.txt, Cargo.toml)
- Lock file changes (package-lock.json, poetry.lock, Cargo.lock)
- 24-hour expiration
- Manual invalidation via
$ARGUMENTS --no-cache
Token Savings:
- First run: Normal token usage (400-1,000)
- Cached runs: 50-100 tokens (cache hit message only)
- Average: 300-700 tokens saved per cached run
3. Early Exit on Clean Audit (Critical Optimization)
Progressive Validation:
# Step 1: Quick critical/high check (100 tokens)
CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical // 0')
HIGH=$(npm audit --json | jq '.metadata.vulnerabilities.high // 0')
if [ "$CRITICAL" -eq 0 ] && [ "$HIGH" -eq 0 ]; then
echo "✓ No critical or high vulnerabilities found"
echo "✓ $MODERATE moderate, $LOW low severity issues (run with --all to see)"
exit 0 # EARLY EXIT - saves 90% tokens
fi
# Step 2: Only if critical/high found, show detailed report
npm audit --json | detailed_analysis_function
Token Savings Breakdown:
- Clean audit (no critical/high): 100 tokens vs 1,500 tokens = 93% savings
- Issues found: Full analysis (1,000 tokens) only when needed
- Weighted average (80% projects clean): 70% savings
4. Progressive Disclosure by Severity
Tiered Information Display:
# Default: Critical + High only
if [ -z "$ARGUMENTS" ] || [[ "$ARGUMENTS" == *"--default"* ]]; then
npm audit --audit-level=high
fi
# Explicit flags for additional detail
[[ "$ARGUMENTS" == *"--moderate"* ]] && SHOW_MODERATE=true
[[ "$ARGUMENTS" == *"--low"* ]] && SHOW_LOW=true
[[ "$ARGUMENTS" == *"--all"* ]] && SHOW_ALL=true
Severity-Based Token Usage:
- Critical only: 200 tokens
- Critical + High: 400 tokens (default)
- Critical + High + Moderate: 700 tokens
- All severities: 1,000 tokens
5. Git Diff for Changed Dependencies
Incremental Audit (for CI/CD context):
# Only audit dependencies that changed in this PR/commit
if git rev-parse HEAD^ >/dev/null 2>&1; then
CHANGED_DEPS=$(git diff HEAD^ HEAD -- package.json | grep '^\+.*"[^"]*":' | sed 's/.*"\([^"]*\)".*/\1/')
if [ -n "$CHANGED_DEPS" ]; then
echo "Auditing changed dependencies only:"
for dep in $CHANGED_DEPS; do
npm audit --package="$dep"
done
else
echo "✓ No dependency changes detected"
exit 0 # EARLY EXIT
fi
fi
Token Savings:
- Full audit: 1,000 tokens
- Incremental (1-3 packages): 100-300 tokens
- Savings: 70-90% in CI/CD context
6. License Detection Caching
Pre-Computed License Database:
# Cache license info separately (rarely changes)
LICENSE_CACHE=".claude/cache/deps/licenses-${CACHE_KEY}.json"
if [ ! -f "$LICENSE_CACHE" ] || [ $(($(date +%s) - $(stat -c %Y "$LICENSE_CACHE"))) -gt 604800 ]; then
# Refresh weekly (licenses don't change frequently)
license-checker --json > "$LICENSE_CACHE"
fi
# Fast license check
grep -E "(GPL|AGPL|LGPL)" "$LICENSE_CACHE" && {
echo "⚠️ Copyleft licenses detected - see $LICENSE_CACHE"
} || {
echo "✓ No license compliance issues"
}
Token Savings:
- First run: Generate license cache (300 tokens)
- Subsequent runs: Read from cache (50 tokens)
- Average: 250 tokens saved
7. Argument-Based Scope Limiting
Focused Audit Modes:
case "$ARGUMENTS" in
*security*)
# Security vulnerabilities only - skip license/outdated
npm audit --json
;;
*license*)
# License audit only - skip security/outdated
license-checker --summary
;;
*outdated*)
# Outdated packages only - skip security/license
npm outdated --json
;;
*critical*)
# Critical vulnerabilities only
npm audit --audit-level=critical
;;
*)
# Default: Security critical/high only
npm audit --audit-level=high
;;
esac
Token Savings:
- Full audit: 1,000 tokens
- Scoped audit: 200-400 tokens
- Savings: 60-80% per focused run
8. Multi-Language Detection Optimization
Lazy Package Manager Detection:
# Only check relevant package managers
detect_and_audit() {
# Quick existence checks (no file reads)
[ -f "package.json" ] && audit_npm
[ -f "requirements.txt" ] && audit_python
[ -f "Cargo.toml" ] && audit_rust
[ -f "go.mod" ] && audit_go
# Don't enumerate all possibilities upfront
}
# ❌ AVOID: Reading all package manager configs upfront
# ✅ OPTIMIZED: Check file existence, audit only present languages
Token Savings:
- Avoid reading unnecessary package manager configs
- Savings: 200-500 tokens for single-language projects
Token Usage Breakdown
Unoptimized Baseline (1,500-3,000 tokens):
- Read package.json: 500 tokens
- Read lock files: 300 tokens
- Analyze dependencies: 1,000 tokens
- License checks: 400 tokens
- Report generation: 300 tokens
Optimized Implementation (400-1,000 tokens):
- Cache check: 50 tokens
- Bash audit execution: 100 tokens
- Parse critical/high only: 150 tokens
- Conditional detailed analysis: 0-700 tokens (only if issues)
- Summary generation: 100 tokens
Optimization Impact by Scenario:
| Scenario | Unoptimized | Optimized | Savings |
|---|---|---|---|
| Clean audit (cached) | 2,000 | 100 | 95% |
| Clean audit (uncached) | 2,000 | 400 | 80% |
| Critical issues found | 3,000 | 1,000 | 67% |
| Focused audit (license) | 2,500 | 300 | 88% |
| CI/CD incremental | 2,000 | 200 | 90% |
| Average | 2,300 | 600 | 74% |
Target Achievement: 67% reduction → Actual: 74% average reduction ✅
Best Practices
- Always use Bash tools first - npm audit, pip-audit, cargo audit
- Cache aggressively - Dependencies change infrequently
- Exit early - Most audits are clean (no critical/high)
- Progressive disclosure - Show critical/high by default
- Scope by arguments - Let users request specific audit types
- Leverage git diff - Only audit changed dependencies in CI/CD
- Never read package manager files - Use CLI tools exclusively
Implementation Checklist
- Bash-first execution (npm audit, pip-audit, cargo audit)
- Checksum-based caching with 24-hour TTL
- Early exit for clean audits (no critical/high)
- Progressive disclosure by severity (critical → high → moderate → low)
- Git diff integration for incremental audits
- License detection caching (weekly refresh)
- Argument-based scope limiting (security/license/outdated)
- Multi-language lazy detection
- Cache invalidation on dependency changes
- Shared cache with
/deploy-validateand/security-scan
Result: 74% average token reduction (exceeds 67% target) ✅
Phase 1: Dependency Detection
First, let me detect your package managers and dependencies:
#!/bin/bash
# Detect package managers and dependency files
detect_package_managers() {
echo "=== Package Manager Detection ==="
echo ""
MANAGERS=()
# Node.js / npm/yarn/pnpm
if [ -f "package.json" ]; then
echo "✓ Node.js project detected"
if [ -f "package-lock.json" ]; then
MANAGERS+=("npm")
elif [ -f "yarn.lock" ]; then
MANAGERS+=("yarn")
elif [ -f "pnpm-lock.yaml" ]; then
MANAGERS+=("pnpm")
else
MANAGERS+=("npm")
fi
fi
# Python / pip/poetry/pipenv
if [ -f "requirements.txt" ] || [ -f "setup.py" ] || [ -f "pyproject.toml" ]; then
echo "✓ Python project detected"
if [ -f "poetry.lock" ]; then
MANAGERS+=("poetry")
elif [ -f "Pipfile" ]; then
MANAGERS+=("pipenv")
else
MANAGERS+=("pip")
fi
fi
# Ruby / bundler
if [ -f "Gemfile" ]; then
echo "✓ Ruby project detected"
MANAGERS+=("bundler")
fi
# Go / go modules
if [ -f "go.mod" ]; then
echo "✓ Go project detected"
MANAGERS+=("go")
fi
# Rust / cargo
if [ -f "Cargo.toml" ]; then
echo "✓ Rust project detected"
MANAGERS+=("cargo")
fi
# PHP / composer
if [ -f "composer.json" ]; then
echo "✓ PHP project detected"
MANAGERS+=("composer")
fi
echo ""
echo "Package managers: ${MANAGERS[@]}"
echo ""
}
detect_package_managers
Phase 2: Security Vulnerability Audit
Scan for known security vulnerabilities:
npm/yarn/pnpm Audit
#!/bin/bash
# Security audit for Node.js projects
npm_security_audit() {
echo "=== npm Security Audit ==="
echo ""
# Run npm audit
echo "Running npm audit..."
npm audit --json > .audit-report.json 2>/dev/null
# Parse results
CRITICAL=$(cat .audit-report.json | grep -o '"critical":[0-9]*' | grep -o '[0-9]*')
HIGH=$(cat .audit-report.json | grep -o '"high":[0-9]*' | grep -o '[0-9]*')
MODERATE=$(cat .audit-report.json | grep -o '"moderate":[0-9]*' | grep -o '[0-9]*')
LOW=$(cat .audit-report.json | grep -o '"low":[0-9]*' | grep -o '[0-9]*')
echo "Vulnerability Summary:"
echo " Critical: ${CRITICAL:-0}"
echo " High: ${HIGH:-0}"
echo " Moderate: ${MODERATE:-0}"
echo " Low: ${LOW:-0}"
echo ""
# Check if any critical or high vulnerabilities
if [ "${CRITICAL:-0}" -gt 0 ] || [ "${HIGH:-0}" -gt 0 ]; then
echo "❌ CRITICAL/HIGH vulnerabilities found!"
echo ""
echo "Detailed report:"
npm audit
echo ""
echo "Fix suggestions:"
echo " 1. Run: npm audit fix"
echo " 2. For breaking changes: npm audit fix --force"
echo " 3. Manual review: npm audit"
else
echo "✓ No critical or high severity vulnerabilities"
fi
# Check for outdated packages
echo ""
echo "Outdated packages:"
npm outdated
rm -f .audit-report.json
}
npm_security_audit
Python pip-audit
#!/bin/bash
# Security audit for Python projects
python_security_audit() {
echo "=== Python Security Audit ==="
echo ""
# Install pip-audit if not available
if ! command -v pip-audit &> /dev/null; then
echo "Installing pip-audit..."
pip install pip-audit
fi
# Run audit
echo "Running pip-audit..."
pip-audit --format=json > .pip-audit.json 2>/dev/null
# Parse results
VULN_COUNT=$(cat .pip-audit.json | grep -c '"id":' || echo 0)
if [ "$VULN_COUNT" -gt 0 ]; then
echo "❌ $VULN_COUNT vulnerabilities found!"
echo ""
pip-audit
echo ""
echo "Fix suggestions:"
echo " 1. Update packages: pip install --upgrade <package>"
echo " 2. Review: pip-audit --desc"
else
echo "✓ No vulnerabilities detected"
fi
# Check outdated packages
echo ""
echo "Outdated packages:"
pip list --outdated
rm -f .pip-audit.json
}
python_security_audit
Comprehensive Multi-Language Audit
#!/bin/bash
# Universal security audit script
comprehensive_security_audit() {
echo "=== Comprehensive Security Audit ==="
echo ""
# Create audit report
AUDIT_REPORT="SECURITY_AUDIT_$(date +%Y%m%d_%H%M%S).md"
cat > "$AUDIT_REPORT" << EOF
# Security Audit Report
**Date**: $(date +%Y-%m-%d)
**Project**: $(basename $(pwd))
## Executive Summary
EOF
# Node.js
if [ -f "package.json" ]; then
echo "## Node.js Dependencies" >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
echo "Running npm audit..." >> "$AUDIT_REPORT"
echo '```' >> "$AUDIT_REPORT"
npm audit >> "$AUDIT_REPORT" 2>&1 || true
echo '```' >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
fi
# Python
if [ -f "requirements.txt" ]; then
echo "## Python Dependencies" >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
if command -v pip-audit &> /dev/null; then
echo "Running pip-audit..." >> "$AUDIT_REPORT"
echo '```' >> "$AUDIT_REPORT"
pip-audit >> "$AUDIT_REPORT" 2>&1 || true
echo '```' >> "$AUDIT_REPORT"
else
echo "pip-audit not installed. Run: pip install pip-audit" >> "$AUDIT_REPORT"
fi
echo "" >> "$AUDIT_REPORT"
fi
# Ruby
if [ -f "Gemfile" ]; then
echo "## Ruby Dependencies" >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
echo "Running bundle audit..." >> "$AUDIT_REPORT"
echo '```' >> "$AUDIT_REPORT"
bundle audit >> "$AUDIT_REPORT" 2>&1 || true
echo '```' >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
fi
# Go
if [ -f "go.mod" ]; then
echo "## Go Dependencies" >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
echo "Running govulncheck..." >> "$AUDIT_REPORT"
echo '```' >> "$AUDIT_REPORT"
go list -json -m all | govulncheck >> "$AUDIT_REPORT" 2>&1 || true
echo '```' >> "$AUDIT_REPORT"
echo "" >> "$AUDIT_REPORT"
fi
echo "✓ Audit report generated: $AUDIT_REPORT"
}
comprehensive_security_audit
Phase 3: License Compliance Audit
Check for license compatibility issues:
#!/bin/bash
# License compliance audit
license_audit() {
echo "=== License Compliance Audit ==="
echo ""
# Problematic licenses for commercial use
COPYLEFT_LICENSES=("GPL" "AGPL" "LGPL")
RESTRICTED_LICENSES=("CC-BY-NC" "Commons Clause")
# Node.js license check
if [ -f "package.json" ]; then
echo "Checking Node.js package licenses..."
# Install license-checker if not available
if ! command -v license-checker &> /dev/null; then
npm install -g license-checker
fi
# Generate license report
license-checker --json > .licenses.json
# Check for problematic licenses
for license in "${COPYLEFT_LICENSES[@]}"; do
if grep -q "\"licenses\":.*\"$license" .licenses.json; then
echo "⚠️ WARNING: Copyleft license found: $license"
grep -B 2 "\"licenses\":.*\"$license" .licenses.json | grep -o '"[^"]*@[^"]*":' | sed 's/"//g' | sed 's/://g'
fi
done
# Generate summary
echo ""
echo "License Summary:"
cat .licenses.json | grep -o '"licenses":"[^"]*"' | sort | uniq -c | sort -rn
rm -f .licenses.json
fi
# Python license check
if [ -f "requirements.txt" ]; then
echo ""
echo "Checking Python package licenses..."
pip-licenses --format=json > .pip-licenses.json 2>/dev/null
# Check for problematic licenses
for license in "${COPYLEFT_LICENSES[@]}"; do
if grep -q "$license" .pip-licenses.json; then
echo "⚠️ WARNING: Copyleft license found: $license"
grep -B 1 "$license" .pip-licenses.json | grep "Name" | sed 's/"Name": "//g' | sed 's/",//g'
fi
done
echo ""
echo "License Summary:"
cat .pip-licenses.json | grep -o '"License":"[^"]*"' | sort | uniq -c | sort -rn
rm -f .pip-licenses.json
fi
}
license_audit
Detailed License Report:
#!/bin/bash
# Generate detailed license report
generate_license_report() {
REPORT="LICENSE_AUDIT_$(date +%Y%m%d).md"
cat > "$REPORT" << EOF
# License Compliance Report
**Date**: $(date +%Y-%m-%d)
**Project**: $(basename $(pwd))
## License Classification
### Permissive Licenses (✅ Safe for commercial use)
- MIT
- Apache-2.0
- BSD-2-Clause, BSD-3-Clause
- ISC
### Weak Copyleft (⚠️ Review required)
- LGPL (requires dynamic linking)
- MPL-2.0
### Strong Copyleft (❌ Avoid for proprietary software)
- GPL-2.0, GPL-3.0
- AGPL-3.0
### Unknown/Custom (⚠️ Manual review required)
- Custom licenses
- Unlicensed packages
## Dependencies by License
EOF
if [ -f "package.json" ]; then
echo "### Node.js Dependencies" >> "$REPORT"
echo "" >> "$REPORT"
license-checker --markdown >> "$REPORT" 2>/dev/null || echo "Install: npm install -g license-checker" >> "$REPORT"
echo "" >> "$REPORT"
fi
if [ -f "requirements.txt" ]; then
echo "### Python Dependencies" >> "$REPORT"
echo "" >> "$REPORT"
pip-licenses --format=markdown >> "$REPORT" 2>/dev/null || echo "Install: pip install pip-licenses" >> "$REPORT"
echo "" >> "$REPORT"
fi
cat >> "$REPORT" << EOF
## Recommendations
1. **Review all GPL/AGPL licenses** - May require source disclosure
2. **Document all dependencies** - Maintain in THIRD_PARTY_LICENSES
3. **Update policy** - Define acceptable licenses for the project
4. **Regular audits** - Run quarterly license audits
## Compliance Checklist
- [ ] All dependencies documented
- [ ] License files included in distribution
- [ ] Attribution requirements met
- [ ] No incompatible licenses
- [ ] Legal review completed
EOF
echo "✓ License report generated: $REPORT"
}
generate_license_report
Phase 4: Supply Chain Security
Verify package integrity and authenticity:
#!/bin/bash
# Supply chain security checks
supply_chain_audit() {
echo "=== Supply Chain Security Audit ==="
echo ""
# Check for known malicious packages
echo "Checking for known malicious packages..."
# Node.js
if [ -f "package.json" ]; then
# Check package integrity
echo "Verifying npm package integrity..."
npm audit signatures 2>&1 || echo "Note: Signature verification requires npm 8.15.0+"
# Check for suspicious dependencies
echo ""
echo "Checking for suspicious patterns..."
# Look for packages with no repository
npx npm-check -u --json | grep '"repository": null' && {
echo "⚠️ WARNING: Packages without repository found"
}
# Check for deprecated packages
echo ""
echo "Checking for deprecated packages..."
npm ls --depth=0 2>&1 | grep -i "deprecated" || echo "No deprecated packages"
fi
# Check for typosquatting
echo ""
echo "Checking for potential typosquatting..."
check_typosquatting
}
check_typosquatting() {
# Common typosquatting patterns
POPULAR_PACKAGES=("react" "express" "lodash" "axios" "webpack")
if [ -f "package.json" ]; then
for pkg in "${POPULAR_PACKAGES[@]}"; do
# Look for similar package names
grep -i "$pkg" package.json | grep -v "\"$pkg\":" && {
echo "⚠️ Potential typosquatting: Check packages similar to $pkg"
}
done
fi
}
supply_chain_audit
Phase 5: Outdated Package Analysis
Identify and prioritize package updates:
#!/bin/bash
# Analyze outdated packages and create update plan
analyze_outdated_packages() {
echo "=== Outdated Package Analysis ==="
echo ""
UPDATE_PLAN="UPDATE_PLAN_$(date +%Y%m%d).md"
cat > "$UPDATE_PLAN" << EOF
# Dependency Update Plan
**Date**: $(date +%Y-%m-%d)
## Priority 1: Security Updates (Immediate)
EOF
if [ -f "package.json" ]; then
echo "### Node.js Dependencies" >> "$UPDATE_PLAN"
echo "" >> "$UPDATE_PLAN"
# Get outdated with security flag
npm outdated --json > .outdated.json 2>/dev/null
echo "| Package | Current | Latest | Type |" >> "$UPDATE_PLAN"
echo "|---------|---------|--------|------|" >> "$UPDATE_PLAN"
# Parse outdated packages
cat .outdated.json | python3 -c "
import json, sys
try:
data = json.load(sys.stdin)
for pkg, info in data.items():
current = info.get('current', 'N/A')
latest = info.get('latest', 'N/A')
pkg_type = info.get('type', 'N/A')
print(f'| {pkg} | {current} | {latest} | {pkg_type} |')
except:
pass
" >> "$UPDATE_PLAN" 2>/dev/null
echo "" >> "$UPDATE_PLAN"
rm -f .outdated.json
fi
cat >> "$UPDATE_PLAN" << EOF
## Priority 2: Major Version Updates (Review Required)
## Priority 3: Minor/Patch Updates (Low Risk)
## Update Strategy
1. **Test in staging** - All updates must pass tests in staging
2. **One at a time** - Update major versions individually
3. **Review changelogs** - Check breaking changes
4. **Monitor** - Watch for issues after deployment
## Automated Update Commands
\`\`\`bash
# Update all patch and minor versions (safe)
npm update
# Update specific package
npm install <package>@latest
# Update all (including major versions - review first!)
npx npm-check-updates -u
npm install
\`\`\`
EOF
echo "✓ Update plan generated: $UPDATE_PLAN"
}
analyze_outdated_packages
Phase 6: Continuous Monitoring
Set up automated dependency monitoring:
#!/bin/bash
# Set up continuous dependency monitoring
setup_monitoring() {
echo "=== Setting up Dependency Monitoring ==="
echo ""
# GitHub Dependabot
if [ -d ".github" ]; then
echo "Creating Dependabot configuration..."
mkdir -p .github
cat > .github/dependabot.yml << EOF
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
EOF
echo "✓ Dependabot configured"
fi
# Pre-commit hook for audit
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
# Pre-commit dependency audit
echo "Running dependency audit..."
if [ -f "package.json" ]; then
npm audit --audit-level=high || {
echo "❌ High/Critical vulnerabilities detected!"
echo "Run: npm audit fix"
exit 1
}
fi
echo "✓ Dependency audit passed"
EOF
chmod +x .git/hooks/pre-commit
echo "✓ Pre-commit hook installed"
}
setup_monitoring
Practical Examples
Full Audit:
/dependency-audit # Complete audit
/dependency-audit --critical # Only critical issues
/dependency-audit --licenses # License audit only
Specific Focus:
/dependency-audit security # Security vulnerabilities
/dependency-audit outdated # Outdated packages
/dependency-audit supply-chain # Supply chain risks
Generate Reports:
/dependency-audit --report # Generate full report
/dependency-audit --export # Export to JSON/CSV
Best Practices
Regular Audits:
- ✅ Run audits before releases
- ✅ Weekly automated scans
- ✅ Review before adding new dependencies
- ✅ Monitor security advisories
Update Strategy:
- ✅ Patch updates: Apply immediately
- ✅ Minor updates: Weekly review
- ✅ Major updates: Quarterly planning
- ✅ Breaking changes: Dedicated sprint
What I'll Actually Do
- Detect dependencies - Find all package managers
- Security scan - Check for vulnerabilities
- License audit - Verify compliance
- Supply chain check - Validate integrity
- Update analysis - Prioritize upgrades
- Generate reports - Comprehensive documentation
Important: I will NEVER:
- Auto-update without confirmation
- Skip vulnerability disclosure
- Ignore license incompatibilities
- Add AI attribution
All audits will be thorough, well-documented, and actionable.
Credits: Based on industry-standard dependency audit tools: npm audit, pip-audit, bundler-audit, and OWASP dependency-check.