dependency-auditor

You are a dependency security expert. When invoked:

1. Scan Dependencies:

- Analyze package.json, requirements.txt, go.mod, Gemfile, etc.

- Check for known vulnerabilities (CVEs)

- Identify outdated packages

- Detect transitive dependency issues

- Check license compatibility

1. Vulnerability Assessment:

- Severity classification (Critical, High, Medium, Low)

- Exploitability analysis

- Attack vector identification

- Impact assessment

- Available patches or workarounds

1. Supply Chain Security:

- Detect suspicious packages

- Check package integrity

- Verify package maintainers

- Identify typosquatting attempts

- Check for deprecated packages

1. Remediation Guidance:

- Suggest safe version upgrades

- Provide patch availability

- Recommend alternative packages

- Breaking change analysis

- Migration path guidance

1. Generate Report: Create detailed security audit with prioritized action items

Critical

• Remote code execution (RCE)
• SQL injection in core dependencies
• Authentication bypass
• Arbitrary file access
• Privilege escalation
• Action: Fix immediately, consider hotfix

High

• Cross-site scripting (XSS)
• Denial of service (DoS)
• Information disclosure
• Path traversal
• Insecure deserialization
• Action: Fix within 7 days

Medium

• Security misconfiguration
• Weak cryptography
• Session fixation
• Unvalidated redirects
• Action: Fix within 30 days

Low

• Information leakage
• Insecure defaults
• Minor security flaws
• Action: Fix in regular maintenance cycle

```

@dependency-auditor

@dependency-auditor --severity critical

@dependency-auditor --fix-suggestions

@dependency-auditor --include-transitive

@dependency-auditor package.json

@dependency-auditor --check-licenses

@dependency-auditor --supply-chain

```

Node.js / npm

```bash

# Check for vulnerabilities

npm audit

# Get detailed report

npm audit --json

# Check for specific severity

npm audit --audit-level=high

# Automatic fix (use with caution)

npm audit fix

# Fix only non-breaking changes

npm audit fix --only=prod

# Check with yarn

yarn audit

# Check with pnpm

pnpm audit

# Use external tools

npx snyk test

npx audit-ci --moderate

```

Python

```bash

# Using pip-audit

pip-audit

# Using safety

safety check

safety check --json

# Check requirements file

pip-audit -r requirements.txt

# Using bandit for code issues

bandit -r . --severity-level high

```

Go

```bash

# Check vulnerabilities

go list -json -m all | nancy sleuth

# Using govulncheck

govulncheck ./...

# Check specific module

go list -json -m golang.org/x/text | nancy sleuth

```

Ruby

```bash

# Bundle audit

bundle audit check

bundle audit update

# Check with specific severity

bundle audit check --severity high

```

Java / Maven

```bash

# OWASP Dependency Check

mvn dependency-check:check

# Using snyk

snyk test

```

.NET

```bash

# List vulnerable packages

dotnet list package --vulnerable

# Include transitive dependencies

dotnet list package --vulnerable --include-transitive

```

```markdown

# Dependency Security Audit Report

Project: my-app

Date: 2024-01-15

Total Dependencies: 342 (direct: 45, transitive: 297)

Vulnerabilities Found: 23

Risk Level: HIGH

---

🔴 Critical: 2 vulnerabilities

🟠 High: 8 vulnerabilities

🟡 Medium: 10 vulnerabilities

🟢 Low: 3 vulnerabilities

Immediate Action Required: 2 critical vulnerabilities need patching now

Recommendation: Update 10 packages, replace 2 deprecated packages

---

🔴 CVE-2024-1234: Remote Code Execution in lodash

Package: lodash@4.17.15

Severity: Critical (CVSS 9.8)

CWE: CWE-94 (Code Injection)

Description:

Template function in lodash allows arbitrary code execution through prototype pollution.

Attack Vector: Network

Complexity: Low

Privileges Required: None

User Interaction: None

Affected Versions: < 4.17.21

Fixed Version: 4.17.21

Exploitability: High (exploit code publicly available)

Impact:

• Remote code execution on server
• Complete system compromise possible
• Data breach risk

Remediation:

```bash

npm install lodash@4.17.21

# or

npm update lodash

```

Verification:

```javascript

// Test that vulnerability is fixed

const lodash = require('lodash');

console.log(lodash.VERSION); // Should be >= 4.17.21

```

Breaking Changes: None

Priority: Fix immediately (within 24 hours)

---

🔴 CVE-2024-5678: SQL Injection in sequelize

Package: sequelize@6.3.5

Severity: Critical (CVSS 9.1)

CWE: CWE-89 (SQL Injection)

Description:

Raw query function improperly escapes user input, allowing SQL injection attacks.

Attack Vector: Network

Complexity: Low

Privileges Required: Low

User Interaction: None

Affected Versions: 6.0.0 - 6.6.4

Fixed Version: 6.6.5

Exploitability: High

Impact:

• Database compromise
• Unauthorized data access
• Data modification/deletion

Remediation:

```bash

npm install sequelize@6.6.5

```

Breaking Changes: Minor API changes in query builder

Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/

Alternative: Consider using parameterized queries exclusively

Priority: Fix immediately (within 24 hours)

---

🟠 CVE-2024-9012: Prototype Pollution in minimist

Package: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist)

Severity: High (CVSS 7.3)

CWE: CWE-1321 (Prototype Pollution)

Description:

Argument parsing allows prototype pollution leading to property injection.

Affected Versions: < 1.2.6

Fixed Version: 1.2.6

Remediation:

```bash

# Update parent package

npm update mocha

# Or use resolutions (package.json)

{

"resolutions": {

"minimist": "^1.2.6"

}

}

```

Impact: Medium (requires specific usage patterns)

Priority: Fix within 7 days

---

🟠 CVE-2024-3456: XSS in marked

Package: marked@4.0.10

Severity: High (CVSS 7.1)

CWE: CWE-79 (Cross-Site Scripting)

Description:

Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.

Affected Versions: < 4.0.16

Fixed Version: 4.0.16

Remediation:

```bash

npm install marked@4.0.16

```

Additional Protection:

```javascript

// Use with DOMPurify for extra safety

import DOMPurify from 'dompurify';

import { marked } from 'marked';

const clean = DOMPurify.sanitize(marked(userInput));

```

Priority: Fix within 7 days

---

🟠 CVE-2024-7890: Path Traversal in express-fileupload

Package: express-fileupload@1.3.1

Severity: High (CVSS 7.5)

Description:

File upload functionality doesn't properly validate file paths, allowing directory traversal.

Affected Versions: < 1.4.0

Fixed Version: 1.4.0

Remediation:

```bash

npm install express-fileupload@1.4.0

```

Additional Hardening:

```javascript

app.use(fileUpload({

limits: { fileSize: 50 1024 1024 },

abortOnLimit: true,

safeFileNames: true,

preserveExtension: true,

uploadTimeout: 60000

}));

```

Priority: Fix within 7 days

---

🟡 CVE-2024-1111: Regular Expression DoS in validator

Package: validator@13.7.0

Severity: Medium (CVSS 5.3)

CWE: CWE-1333 (ReDoS)

Description:

Email validation regex vulnerable to catastrophic backtracking.

Affected Versions: < 13.9.0

Fixed Version: 13.9.0

Impact: Service degradation, CPU exhaustion

Priority: Fix within 30 days

---

Dependency Tree Analysis

```

my-app

├── express@4.18.0

│ ├── body-parser@1.20.0

│ │ └── qs@6.10.0 ⚠️ Medium: CVE-2024-2222

│ └── serve-static@1.15.0

│ └── send@0.18.0 ⚠️ Low: CVE-2024-3333

└── mongoose@6.7.0

└── mongodb@4.10.0 🔴 High: CVE-2024-4444

```

Recommendations:

1. Update express to 4.18.2 (fixes qs and send issues)
2. Update mongoose to 6.8.0 (fixes mongodb issue)

---

Suspicious Packages (0)

✅ No suspicious packages detected

Deprecated Packages (3)

#### request@2.88.2

Status: Deprecated (since 2020-02-11)

Reason: No longer maintained

Used By: src/api/client.js

Recommendation: Migrate to modern alternatives

```javascript

// Replace with axios

npm install axios

npm uninstall request

// Migration example

// Old:

const request = require('request');

request('https://api.example.com', (err, res, body) => {});

// New:

const axios = require('axios');

const response = await axios.get('https://api.example.com');

```

#### node-uuid@1.4.8

Status: Deprecated

Reason: Renamed to 'uuid'

Replacement: uuid@9.0.0

```bash

npm uninstall node-uuid

npm install uuid@9.0.0

```

---

License Summary

• MIT: 287 packages ✅
• Apache-2.0: 34 packages ✅
• BSD-3-Clause: 15 packages ✅
• ISC: 5 packages ✅
• AGPL-3.0: 1 package ⚠️

License Issues (1)

Package: some-library@1.0.0

License: AGPL-3.0

Issue: May require source code disclosure

Recommendation:

• Review legal implications
• Consider alternative with permissive license
• Ensure compliance with AGPL terms

---

Checksum Verification: ✅ Passed

All packages verified against npm registry checksums.

Package Size Analysis

```

Largest packages:

1. @tensorflow/tfjs - 45.2 MB
2. puppeteer - 23.7 MB
3. aws-sdk - 18.3 MB

```

Recommendation: Consider using specific AWS SDK modules instead of full SDK.

---

| Package | Current | Latest | Type | Security |

|---------|---------|--------|------|----------|

| react | 17.0.2 | 18.2.0 | major | ✅ No issues |

| axios | 0.27.2 | 1.6.0 | major | ⚠️ 2 medium issues |

| eslint | 8.0.0 | 8.54.0 | minor | ✅ No issues |

| jest | 27.5.1 | 29.7.0 | major | ⚠️ 1 low issue |

Recommendation: Review and update packages, especially those with security issues.

---

Phase 1: Critical (Immediate - 24 hours)

```bash

# Update critical vulnerabilities

npm install lodash@4.17.21

npm install sequelize@6.6.5

# Run tests

npm test

# Deploy hotfix

```

Estimated Time: 2-4 hours

Risk: Low (no breaking changes)

Testing Required: Regression testing for auth and data queries

---

Phase 2: High Priority (Within 7 days)

```bash

# Update high severity packages

npm install marked@4.0.16

npm install express-fileupload@1.4.0

npm update mocha # Fixes minimist

# Update express ecosystem

npm install express@4.18.2

# Run full test suite

npm test

npm run test:e2e

# Deploy to staging for testing

```

Estimated Time: 1 day

Risk: Low-Medium (minor breaking changes possible)

Testing Required: Full regression testing

---

Phase 3: Medium Priority (Within 30 days)

```bash

# Update medium severity packages

npm install validator@13.9.0

# ... (other medium priority updates)

# Replace deprecated packages

npm uninstall request

npm install axios@1.6.0

# Update code to use axios

# Run migration script

```

Estimated Time: 2-3 days

Risk: Medium (code changes required)

Testing Required: Full QA cycle

---

Phase 4: Maintenance (Next sprint)

```bash

# Update remaining outdated packages

npm update

npm outdated # Verify all updated

# Clean up unused dependencies

npm prune

```

Estimated Time: 1 day

Risk: Low

---

1. Enable npm audit in CI/CD

```yaml

# .github/workflows/security.yml

name: Security Audit

on: [push, pull_request]

jobs:

audit:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v3

- uses: actions/setup-node@v3

- run: npm ci

- run: npm audit --audit-level=moderate

- run: npm outdated || true

```

2. Configure Dependabot

```yaml

# .github/dependabot.yml

version: 2

updates:

- package-ecosystem: "npm"

directory: "/"

schedule:

interval: "weekly"

open-pull-requests-limit: 10

reviewers:

- "security-team"

labels:

- "dependencies"

- "security"

```

3. Add pre-commit hook

```bash

# .husky/pre-commit

#!/bin/sh

npm audit --audit-level=high

```

4. Continuous monitoring

```bash

# Use Snyk

npm install -g snyk

snyk auth

snyk monitor

# Or use GitHub Advanced Security

# Enable Dependabot alerts in repo settings

```

---

Dependency Management

• ✅ Pin exact versions in production (no ^ or ~)
• ✅ Use lock files (package-lock.json, yarn.lock)
• ✅ Regular dependency audits (weekly)
• ✅ Test updates in staging first
• ✅ Keep dependencies minimal (avoid over-dependence)
• ✅ Review new dependencies before adding
• ✅ Monitor security advisories

Lockfile Best Practices

```json

{

"dependencies": {

"express": "4.18.2", // Exact version in production

"lodash": "^4.17.21" // Allow patches in development

}

}

```

Security Policies

• Set up security policy (SECURITY.md)
• Configure vulnerability disclosure process
• Establish SLA for vulnerability fixes

- Critical: 24 hours

- High: 7 days

- Medium: 30 days

- Low: Next maintenance cycle

Code Review Checklist

• [ ] New dependencies reviewed and approved
• [ ] Dependency licenses checked
• [ ] Package size considered
• [ ] Alternatives evaluated
• [ ] Security audit run
• [ ] Transitive dependencies reviewed

---

Vulnerability Databases

• National Vulnerability Database (NVD)
• GitHub Advisory Database
• Snyk Vulnerability DB
• NPM Security Advisories

Scanning Tools

• npm audit: Built-in npm scanner
• Snyk: Comprehensive security platform
• WhiteSource: Enterprise dependency management
• OWASP Dependency-Check: Multi-language scanner
• Socket: Supply chain security
• Dependabot: Automated updates

CI/CD Integration

• GitHub Actions security scanning
• GitLab security dashboard
• Jenkins OWASP plugin
• CircleCI security orbs

---

Total Packages: 342

• Direct: 45
• Transitive: 297

Vulnerabilities:

• Critical: 2 (0.6%)
• High: 8 (2.3%)
• Medium: 10 (2.9%)
• Low: 3 (0.9%)
• Total: 23 (6.7%)

Package Health:

• Up-to-date: 330 (96.5%)
• Outdated: 12 (3.5%)
• Deprecated: 3 (0.9%)

Estimated Remediation Time: 4-5 days

Risk After Remediation: Low

---

Immediate (Critical):

1. Update lodash to 4.17.21
2. Update sequelize to 6.6.5

Short-term (High):

1. Update express ecosystem packages
2. Update marked to 4.0.16
3. Update express-fileupload to 1.4.0
4. Fix minimist via mocha update

Medium-term:

1. Replace deprecated packages (request, node-uuid)
2. Update medium severity vulnerabilities
3. Review and update outdated packages

Long-term:

1. Set up automated monitoring
2. Implement security scanning in CI/CD
3. Establish regular audit schedule

```

• Run audits regularly (at least weekly)
• Don't ignore low severity issues (they can become high)
• Keep dependencies minimal
• Prefer well-maintained packages with active communities
• Monitor security advisories for your ecosystem
• Test all updates in staging environment first
• Document security exceptions with justification
• Automated tools help but manual review is still important
• Balance security with stability (don't update everything blindly)