Loading...
Loading...
Comprehensive dependency health auditing for JavaScript/TypeScript projects. Run npm audit, detect outdated packages, check for security advisories, and verify license compliance. Prioritises vulnerabilities by severity and provides actionable fix recommendations. Use when: auditing project dependencies, checking for vulnerabilities, updating packages, preparing for release, or investigating "npm audit" warnings. Keywords: audit, vulnerabilities, outdated, security, npm audit, pnpm audit, CVE, GHSA, license.
npx skill4agent add jezweb/claude-skills dependency-audit| Command | Purpose |
|---|---|
| Run comprehensive dependency audit with prioritised findings |
/audit-deps # Full audit
/audit-deps --security-only # Only security vulnerabilities
/audit-deps --outdated # Only outdated packages
/audit-deps --fix # Auto-fix compatible updatesnpm audit / pnpm auditnpm outdated / pnpm outdated═══════════════════════════════════════════════
DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════
Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)
───────────────────────────────────────────────
SECURITY
───────────────────────────────────────────────
🔴 CRITICAL (1)
lodash@4.17.20
└─ CVE-2021-23337: Command injection via template()
└─ Fix: npm update lodash@4.17.21
└─ Affects: direct dependency
🟠 HIGH (2)
minimist@1.2.5
└─ CVE-2021-44906: Prototype pollution
└─ Fix: Transitive via mkdirp, update parent
└─ Path: mkdirp → minimist
node-fetch@2.6.1
└─ CVE-2022-0235: Exposure of sensitive headers
└─ Fix: npm update node-fetch@2.6.7
🟡 MODERATE (3)
[details...]
───────────────────────────────────────────────
OUTDATED PACKAGES
───────────────────────────────────────────────
Major Updates (review breaking changes):
react 18.2.0 → 19.1.0 (1 major)
typescript 5.3.0 → 5.8.0 (5 minor)
drizzle-orm 0.44.0 → 0.50.0 (6 minor)
Minor Updates (safe, new features):
@types/node 20.11.0 → 20.14.0
vitest 1.2.0 → 1.6.0
Patch Updates (recommended):
[15 packages with patch updates]
───────────────────────────────────────────────
LICENSE CHECK
───────────────────────────────────────────────
✅ All licenses compatible with MIT
Note: 3 packages use ISC (compatible)
───────────────────────────────────────────────
SUMMARY
───────────────────────────────────────────────
Security Issues: 6 (1 critical, 2 high, 3 moderate)
Outdated: 23 (3 major, 5 minor, 15 patch)
License Issues: 0
Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading
═══════════════════════════════════════════════dep-auditor- name: Audit dependencies
run: npm audit --audit-level=high
continue-on-error: true
- name: Check for critical vulnerabilities
run: |
CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
if [ "$CRITICAL" -gt 0 ]; then
echo "Critical vulnerabilities found!"
exit 1
fi#!/bin/sh
npm audit --audit-level=critical || {
echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
exit 1
}| Task | npm | pnpm | yarn |
|---|---|---|---|
| Audit | | | |
| Audit JSON | | | |
| Fix auto | | | |
| Fix force | | N/A | N/A |
| Outdated | | | |
| Why | | | |