🎯

dependency-audit

🎯Skill

from jezweb/claude-skills

What it does

Comprehensively audits JavaScript/TypeScript project dependencies for security vulnerabilities, outdated packages, license risks, and overall dependency health.

📦

Part of

jezweb/claude-skills(101 items)

dependency-audit

Installation

Add MarketplaceAdd marketplace to Claude Code

/plugin marketplace add https://github.com/jezweb/claude-skills

Install PluginInstall plugin from marketplace

/plugin install all@jezweb-skills # All skills (background knowledge)

Install PluginInstall plugin from marketplace

/plugin install skill-development@jezweb-skills # /scrape-api, /create-skill, etc.

Install PluginInstall plugin from marketplace

/plugin install developer-toolbox@jezweb-skills # debugger, test-runner, commit-helper agents

Install PluginInstall plugin from marketplace

/plugin install cloudflare-worker-base@jezweb-skills # cloudflare-deploy, d1-migration agents

+ 4 more commands

📖 Extracted from docs: jezweb/claude-skills

Need more details? View full documentation on GitHub →

9Installs

AddedFeb 4, 2026

View on GitHub Back to Skills

Skill Details

SKILL.md

Overview

# Dependency Audit

Status: Production Ready

Last Updated: 2026-02-03

Scope: npm, pnpm, yarn projects

---

Commands

| Command | Purpose |

|---------|---------|

| /audit-deps | Run comprehensive dependency audit with prioritised findings |

Quick Start

```

/audit-deps # Full audit

/audit-deps --security-only # Only security vulnerabilities

/audit-deps --outdated # Only outdated packages

/audit-deps --fix # Auto-fix compatible updates

```

---

What This Skill Audits

1. Security Vulnerabilities

```

npm audit / pnpm audit

```

Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
High (CVSS 7.0-8.9): Data exposure, privilege escalation
Moderate (CVSS 4.0-6.9): DoS, info disclosure
Low (CVSS 0.1-3.9): Minor issues

2. Outdated Packages

```

npm outdated / pnpm outdated

```

Categories:

Major updates: Breaking changes likely (review changelog)
Minor updates: New features, backwards compatible
Patch updates: Bug fixes, safe to update

3. License Compliance

Checks for:

GPL licenses in commercial projects (copyleft risk)
Unknown/missing licenses
License conflicts

4. Dependency Health

Deprecated packages
Abandoned packages (no updates in 2+ years)
Packages with open security issues

---

Output Format

```

═══════════════════════════════════════════════

DEPENDENCY AUDIT REPORT

═══════════════════════════════════════════════

Project: my-app

Package Manager: pnpm

Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────

SECURITY

───────────────────────────────────────────────

🔴 CRITICAL (1)

lodash@4.17.20

└─ CVE-2021-23337: Command injection via template()

└─ Fix: npm update lodash@4.17.21

└─ Affects: direct dependency

🟠 HIGH (2)

minimist@1.2.5

└─ CVE-2021-44906: Prototype pollution

└─ Fix: Transitive via mkdirp, update parent

└─ Path: mkdirp → minimist

node-fetch@2.6.1

└─ CVE-2022-0235: Exposure of sensitive headers

└─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)

[details...]

───────────────────────────────────────────────

OUTDATED PACKAGES

───────────────────────────────────────────────

Major Updates (review breaking changes):

react 18.2.0 → 19.1.0 (1 major)

typescript 5.3.0 → 5.8.0 (5 minor)

drizzle-orm 0.44.0 → 0.50.0 (6 minor)

Minor Updates (safe, new features):

@types/node 20.11.0 → 20.14.0

vitest 1.2.0 → 1.6.0

Patch Updates (recommended):

[15 packages with patch updates]

───────────────────────────────────────────────

LICENSE CHECK

───────────────────────────────────────────────

✅ All licenses compatible with MIT

Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────

SUMMARY

───────────────────────────────────────────────

Security Issues: 6 (1 critical, 2 high, 3 moderate)

Outdated: 23 (3 major, 5 minor, 15 patch)

License Issues: 0

Recommended Actions:

Fix critical: npm update lodash
Fix high: npm audit fix
Review major updates before upgrading

═══════════════════════════════════════════════

```

---

Agent

The dep-auditor agent can:

Parse npm/pnpm audit JSON output
Cross-reference CVE databases
Generate detailed fix recommendations
Auto-fix safe updates (with confirmation)

---

CI Integration

GitHub Actions

```yaml

name: Audit dependencies

run: npm audit --audit-level=high

continue-on-error: true

name: Check for critical vulnerabilities

run: |

CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')

if [ "$CRITICAL" -gt 0 ]; then

echo "Critical vulnerabilities found!"

exit 1

```

Pre-commit Hook

```bash

#!/bin/sh

npm audit --audit-level=critical || {

echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"

exit 1

}

```

---

Package Manager Commands

|------|-----|------|------|

| Fix force | npm audit fix --force | N/A | N/A |

---

Known Limitations

npm audit fix --force: May introduce breaking changes (major version bumps)
Transitive dependencies: Some vulnerabilities require updating parent packages
False positives: Some advisories may not apply to your usage
Private registries: May need auth configuration for auditing

---