dependency-audit

Dependency Audit

Status: Production Ready | Last Updated: 2026-02-03 | Scope: npm, pnpm, yarn projects

Commands

| Command | Purpose |
| --- | --- |
| `/audit-deps` | Run a comprehensive dependency audit with prioritised findings |

Quick Start

/audit-deps                    # Full audit
/audit-deps --security-only    # Only security vulnerabilities
/audit-deps --outdated         # Only outdated packages
/audit-deps --fix              # Auto-fix compatible updates

What This Skill Audits

1. Security Vulnerabilities

npm audit / pnpm audit
  • Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
  • High (CVSS 7.0-8.9): Data exposure, privilege escalation
  • Moderate (CVSS 4.0-6.9): DoS, info disclosure
  • Low (CVSS 0.1-3.9): Minor issues

2. Outdated Packages

npm outdated / pnpm outdated
Categories:
  • Major updates: Breaking changes likely (review changelog)
  • Minor updates: New features, backwards compatible
  • Patch updates: Bug fixes, safe to update

3. License Compliance

Checks for:
  • GPL licenses in commercial projects (copyleft risk)
  • Unknown/missing licenses
  • License conflicts

4. Dependency Health

  • Deprecated packages
  • Abandoned packages (no updates in 2+ years)
  • Packages with open security issues

Output Format

═══════════════════════════════════════════════
   DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════

Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────
   SECURITY
───────────────────────────────────────────────

🔴 CRITICAL (1)
  lodash@4.17.20
  └─ CVE-2021-23337: Command injection via template()
  └─ Fix: npm update lodash@4.17.21
  └─ Affects: direct dependency

🟠 HIGH (2)
  minimist@1.2.5
  └─ CVE-2021-44906: Prototype pollution
  └─ Fix: Transitive via mkdirp, update parent
  └─ Path: mkdirp → minimist

  node-fetch@2.6.1
  └─ CVE-2022-0235: Exposure of sensitive headers
  └─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)
  [details...]

───────────────────────────────────────────────
   OUTDATED PACKAGES
───────────────────────────────────────────────

Major Updates (review breaking changes):
  react           18.2.0  →  19.1.0   (1 major)
  typescript      5.3.0   →  5.8.0    (5 minor)
  drizzle-orm     0.44.0  →  0.50.0   (6 minor)

Minor Updates (safe, new features):
  @types/node     20.11.0 →  20.14.0
  vitest          1.2.0   →  1.6.0

Patch Updates (recommended):
  [15 packages with patch updates]

───────────────────────────────────────────────
   LICENSE CHECK
───────────────────────────────────────────────

✅ All licenses compatible with MIT

Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────
   SUMMARY
───────────────────────────────────────────────

Security Issues:  6 (1 critical, 2 high, 3 moderate)
Outdated:         23 (3 major, 5 minor, 15 patch)
License Issues:   0

Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading

═══════════════════════════════════════════════

Agent

The `dep-auditor` agent can:
  • Parse npm/pnpm audit JSON output
  • Cross-reference CVE databases
  • Generate detailed fix recommendations
  • Auto-fix safe updates (with confirmation)

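As an added example (not the skill's or the dep-auditor agent's own code), the block below parses the report shape that `npm audit --json` emits (auditReportVersion 2, npm 7+) into findings ordered the way the report above is: severity first, direct dependencies before transitive ones, with the fix pointing at the parent package when the vulnerable package is only reachable through it. The sample report is constructed inline; `countAtOrAbove` returns the number a CI gate would test against its `--audit-level`.

```javascript
// Added example, not part of the dependency-audit skill: turn `npm audit --json`
// (auditReportVersion 2, npm 7+) into prioritised findings and a CI gate count.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const rank = (severity) => SEVERITY_RANK[severity] ?? 0;

// Constructed sample report: a direct critical finding (lodash) and a transitive
// high one (minimist) that is only fixable by bumping its parent, mkdirp, across a
// semver-major boundary. The field layout mirrors what `npm audit --json` emits.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: { name: "lodash", severity: "critical", isDirect: true, effects: [],
      via: [{ title: "Command Injection in lodash", severity: "critical" }],
      fixAvailable: true },
    minimist: { name: "minimist", severity: "high", isDirect: false, effects: ["mkdirp"],
      via: [{ title: "Prototype Pollution in minimist", severity: "high" }],
      fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
    mkdirp: { name: "mkdirp", severity: "high", isDirect: true, effects: [],
      via: ["minimist"],            // a bare name: vulnerable only through minimist
      fixAvailable: { name: "mkdirp", version: "1.0.4", isSemVerMajor: true } },
  },
};

// Describe the remediation the way the audit report prints it.
function describeFix(v, parents) {
  const f = v.fixAvailable;
  if (f === true) return `npm update ${v.name}`;
  if (f && typeof f === "object") {   // fix is in a parent package; may be a breaking bump
    return `update ${f.name}@${f.version}${f.isSemVerMajor ? " (semver-major, review changelog)" : ""}`;
  }
  return parents.length ? `no fix yet; reached via ${parents.join(", ")}` : "no fix available";
}

// One finding per vulnerable package: highest severity first, direct deps before transitive.
function prioritise(report) {
  return Object.values(report.vulnerabilities ?? {}).map((v) => {
    // `via` mixes advisory objects with bare names of other vulnerable packages
    const advisories = v.via.filter((x) => typeof x === "object");
    const parents = v.via.filter((x) => typeof x === "string");
    return { name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      titles: advisories.map((a) => a.title), fix: describeFix(v, parents) };
  }).sort((a, b) => rank(b.severity) - rank(a.severity) || Number(b.direct) - Number(a.direct));
}

// Number of findings at or above `level`; a CI step exits non-zero when this is not 0.
function countAtOrAbove(report, level = "high") {
  return prioritise(report).filter((f) => rank(f.severity) >= rank(level)).length;
}
```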
CI Integration

GitHub Actions

```yaml
- name: Audit dependencies
  run: npm audit --audit-level=high
  continue-on-error: true

- name: Check for critical vulnerabilities
  run: |
    # Default to 0 when the key is absent so the integer comparison cannot error
    CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical // 0')
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi
```
Pre-commit Hook

```bash
#!/bin/sh
npm audit --audit-level=critical || {
  echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
  exit 1
}
```

Package Manager Commands

| Task | npm | pnpm | yarn |
| --- | --- | --- | --- |
| Audit | `npm audit` | `pnpm audit` | `yarn audit` |
| Audit JSON | `npm audit --json` | `pnpm audit --json` | `yarn audit --json` |
| Fix auto | `npm audit fix` | `pnpm audit --fix` | `yarn audit --fix` |
| Fix force | `npm audit fix --force` | N/A | N/A |
| Outdated | `npm outdated` | `pnpm outdated` | `yarn outdated` |
| Why | `npm explain <pkg>` | `pnpm why <pkg>` | `yarn why <pkg>` |

Known Limitations

  • npm audit fix --force: May introduce breaking changes (major version bumps)
  • Transitive dependencies: Some vulnerabilities require updating parent packages
  • False positives: Some advisories may not apply to your usage
  • Private registries: May need auth configuration for auditing

Related Skills

  • cloudflare-worker-base: For Workers projects
  • testing-patterns: Run tests after updates
  • developer-toolbox: For commit-helper after fixes

Version: 1.0.0 | Last Updated: 2026-02-03