Agent Skills

jezweb / dependency-audit (@jezweb/dependency-audit)
673 · 52 forks · Updated 3/31/2026

Comprehensive dependency health auditing for JavaScript/TypeScript projects. Run npm audit, detect outdated packages, check for security advisories, and verify license compliance. Prioritises vulnerabilities by severity and provides actionable fix recommendations. Use when: auditing project dependencies, checking for vulnerabilities, updating packages, preparing for release, or investigating "npm audit" warnings. Keywords: audit, vulnerabilities, outdated, security, npm audit, pnpm audit, CVE, GHSA, license.

Installation

$ npx agent-skills-cli install @jezweb/dependency-audit

Assistants: Claude Code, Cursor, Copilot, Codex, Antigravity

Details

Path: skills/dependency-audit/SKILL.md
Branch: main
Scoped Name: @jezweb/dependency-audit

Usage

After installing, this skill will be available to your AI coding assistant.

Verify installation:

npx agent-skills-cli list

Skill Instructions


name: dependency-audit
description: |
  Comprehensive dependency health auditing for JavaScript/TypeScript projects. Run npm audit, detect outdated packages, check for security advisories, and verify license compliance. Prioritises vulnerabilities by severity and provides actionable fix recommendations.

  Use when: auditing project dependencies, checking for vulnerabilities, updating packages, preparing for release, or investigating "npm audit" warnings. Keywords: audit, vulnerabilities, outdated, security, npm audit, pnpm audit, CVE, GHSA, license.
license: MIT

Dependency Audit

Status: Production Ready
Last Updated: 2026-02-03
Scope: npm, pnpm, yarn projects


Commands

Command        Purpose
/audit-deps    Run comprehensive dependency audit with prioritised findings

Quick Start

/audit-deps                    # Full audit
/audit-deps --security-only    # Only security vulnerabilities
/audit-deps --outdated         # Only outdated packages
/audit-deps --fix              # Auto-fix compatible updates

What This Skill Audits

1. Security Vulnerabilities

npm audit / pnpm audit
  • Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
  • High (CVSS 7.0-8.9): Data exposure, privilege escalation
  • Moderate (CVSS 4.0-6.9): DoS, info disclosure
  • Low (CVSS 0.1-3.9): Minor issues

2. Outdated Packages

npm outdated / pnpm outdated

Categories:

  • Major updates: Breaking changes likely (review changelog)
  • Minor updates: New features, backwards compatible
  • Patch updates: Bug fixes, safe to update

3. License Compliance

Checks for:

  • GPL licenses in commercial projects (copyleft risk)
  • Unknown/missing licenses
  • License conflicts

4. Dependency Health

  • Deprecated packages
  • Abandoned packages (no updates in 2+ years)
  • Packages with open security issues

Output Format

═══════════════════════════════════════════════
   DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════

Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────
   SECURITY
───────────────────────────────────────────────

🔴 CRITICAL (1)
  lodash@4.17.20
  └─ CVE-2021-23337: Command injection via template()
  └─ Fix: npm update lodash@4.17.21
  └─ Affects: direct dependency

🟠 HIGH (2)
  minimist@1.2.5
  └─ CVE-2021-44906: Prototype pollution
  └─ Fix: Transitive via mkdirp, update parent
  └─ Path: mkdirp → minimist

  node-fetch@2.6.1
  └─ CVE-2022-0235: Exposure of sensitive headers
  └─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)
  [details...]

───────────────────────────────────────────────
   OUTDATED PACKAGES
───────────────────────────────────────────────

Major Updates (review breaking changes):
  react           18.2.0  →  19.1.0   (1 major)
  typescript      5.3.0   →  5.8.0    (5 minor)
  drizzle-orm     0.44.0  →  0.50.0   (6 minor)

Minor Updates (safe, new features):
  @types/node     20.11.0 →  20.14.0
  vitest          1.2.0   →  1.6.0

Patch Updates (recommended):
  [15 packages with patch updates]

───────────────────────────────────────────────
   LICENSE CHECK
───────────────────────────────────────────────

✅ All licenses compatible with MIT

Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────
   SUMMARY
───────────────────────────────────────────────

Security Issues:  6 (1 critical, 2 high, 3 moderate)
Outdated:         23 (3 major, 5 minor, 15 patch)
License Issues:   0

Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading

═══════════════════════════════════════════════

Agent

The dep-auditor agent can:

  • Parse npm/pnpm audit JSON output
  • Cross-reference CVE databases
  • Generate detailed fix recommendations
  • Auto-fix safe updates (with confirmation)
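Added example (not the skill's own code) of the audit-JSON parsing the agent performs and the severity prioritisation described under Security Vulnerabilities: it assumes npm's auditReportVersion 2 shape (`vulnerabilities`, `via`, `effects`, `fixAvailable`) and constructs a sample report inline, with example-parser and legacy-parent as hypothetical package names.

```javascript
// Added example, not part of the skill: rank the root-cause entries of an
// `npm audit --json` (auditReportVersion 2) report by severity, then direct
// before transitive, and attach the fix the auditor should recommend.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

function fixAdvice(v) {
  if (v.fixAvailable === true) return 'npm audit fix';
  if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
    // Only fix is a breaking upgrade of a parent: review first, then --force.
    return `review ${v.fixAvailable.name}@${v.fixAvailable.version} changelog, then npm audit fix --force`;
  }
  if (v.fixAvailable) return `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`;
  return 'no fix published: replace the package or pin an override';
}

function prioritise(report) {
  return Object.values(report.vulnerabilities || {})
    // `via` holds advisory objects for root causes and bare package names for
    // entries only affected through a dependency; report the root causes.
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      advisories: v.via.filter((x) => typeof x === 'object').map((a) => a.title),
      parents: v.effects || [], // what to update when the hit is transitive
      fix: fixAdvice(v),
    }))
    .sort((a, b) => (SEVERITY_RANK[b.severity] ?? 0) - (SEVERITY_RANK[a.severity] ?? 0)
      || Number(b.isDirect) - Number(a.isDirect) || a.name.localeCompare(b.name));
}
// Constructed sample in npm's shape: the lodash and minimist advisories are
// the ones in the report above; example-parser and legacy-parent are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: { name: 'minimist', severity: 'high', isDirect: false, effects: ['mkdirp'],
      fixAvailable: true, via: [{ title: 'CVE-2021-44906: Prototype pollution' }] },
    mkdirp: { name: 'mkdirp', severity: 'high', isDirect: true, effects: [],
      fixAvailable: true, via: ['minimist'] },
    lodash: { name: 'lodash', severity: 'critical', isDirect: true, effects: [],
      fixAvailable: true, via: [{ title: 'CVE-2021-23337: Command injection via template()' }] },
    'example-parser': { name: 'example-parser', severity: 'moderate', isDirect: false,
      effects: ['legacy-parent'], via: [{ title: 'Constructed advisory: ReDoS' }],
      fixAvailable: { name: 'legacy-parent', version: '2.0.0', isSemVerMajor: true } },
  },
  metadata: { vulnerabilities: { moderate: 1, high: 2, critical: 1, total: 4 } },
};

console.log(JSON.stringify(prioritise(SAMPLE_REPORT), null, 2));
```

On a real project replace SAMPLE_REPORT with `JSON.parse` of the `npm audit --json` output; the mkdirp entry is dropped because it only carries the minimist advisory via its dependency.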

CI Integration

GitHub Actions

- name: Audit dependencies
  run: npm audit --audit-level=high
  continue-on-error: true

- name: Check for critical vulnerabilities
  run: |
    # npm audit exits non-zero whenever it finds anything, and the default
    # Actions shell runs bash with -e -o pipefail, so swallow its status and
    # read the count from the JSON instead (defaulting to 0 if the key is absent).
    CRITICAL=$({ npm audit --json || true; } | jq '.metadata.vulnerabilities.critical // 0')
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi

Pre-commit Hook

#!/bin/sh
npm audit --audit-level=critical || {
  echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
  exit 1
}

Package Manager Commands

Task         npm                     pnpm                 yarn
Audit        npm audit               pnpm audit           yarn audit
Audit JSON   npm audit --json        pnpm audit --json    yarn audit --json
Fix auto     npm audit fix           pnpm audit --fix     yarn audit --fix
Fix force    npm audit fix --force   N/A                  N/A
Outdated     npm outdated            pnpm outdated        yarn outdated
Why          npm explain <pkg>       pnpm why <pkg>       yarn why <pkg>

Known Limitations

  • npm audit fix --force: May introduce breaking changes (major version bumps)
  • Transitive dependencies: Some vulnerabilities require updating parent packages
  • False positives: Some advisories may not apply to your usage
  • Private registries: May need auth configuration for auditing

Related Skills

  • cloudflare-worker-base: For Workers projects
  • testing-patterns: Run tests after updates
  • developer-toolbox: For commit-helper after fixes

Version: 1.0.0
Last Updated: 2026-02-03
