Dependency Audit

Status

Production Ready

Last Updated

2026-02-03

Scope

npm, pnpm, yarn projects

Commands

Command

Purpose

/audit-deps

Run comprehensive dependency audit with prioritised findings

Quick Start

/audit-deps # Full audit

/audit-deps --security-only # Only security vulnerabilities

/audit-deps --outdated # Only outdated packages

/audit-deps --fix # Auto-fix compatible updates

What This Skill Audits

1. Security Vulnerabilities

npm audit / pnpm audit

Critical

(CVSS 9.0-10.0): Remote code execution, auth bypass

High

(CVSS 7.0-8.9): Data exposure, privilege escalation

Moderate

(CVSS 4.0-6.9): DoS, info disclosure

Low

(CVSS 0.1-3.9): Minor issues

2. Outdated Packages

npm outdated / pnpm outdated

Categories:

Major updates

Breaking changes likely (review changelog)

Minor updates

New features, backwards compatible

Patch updates

Bug fixes, safe to update 3. License Compliance Checks for: GPL licenses in commercial projects (copyleft risk) Unknown/missing licenses License conflicts 4. Dependency Health Deprecated packages Abandoned packages (no updates in 2+ years) Packages with open security issues Output Format ═══════════════════════════════════════════════ DEPENDENCY AUDIT REPORT ═══════════════════════════════════════════════ Project: my-app Package Manager: pnpm Total Dependencies: 847 (142 direct, 705 transitive) ─────────────────────────────────────────────── SECURITY ─────────────────────────────────────────────── 🔴 CRITICAL (1) lodash@4.17.20 └─ CVE-2021-23337: Command injection via template() └─ Fix: npm update lodash@4.17.21 └─ Affects: direct dependency 🟠 HIGH (2) minimist@1.2.5 └─ CVE-2021-44906: Prototype pollution └─ Fix: Transitive via mkdirp, update parent └─ Path: mkdirp → minimist node-fetch@2.6.1 └─ CVE-2022-0235: Exposure of sensitive headers └─ Fix: npm update node-fetch@2.6.7 🟡 MODERATE (3) [details...] ─────────────────────────────────────────────── OUTDATED PACKAGES ─────────────────────────────────────────────── Major Updates (review breaking changes): react 18.2.0 → 19.1.0 (1 major) typescript 5.3.0 → 5.8.0 (5 minor) drizzle-orm 0.44.0 → 0.50.0 (6 minor) Minor Updates (safe, new features): @types/node 20.11.0 → 20.14.0 vitest 1.2.0 → 1.6.0 Patch Updates (recommended): [15 packages with patch updates] ─────────────────────────────────────────────── LICENSE CHECK ─────────────────────────────────────────────── ✅ All licenses compatible with MIT Note: 3 packages use ISC (compatible) ─────────────────────────────────────────────── SUMMARY ─────────────────────────────────────────────── Security Issues: 6 (1 critical, 2 high, 3 moderate) Outdated: 23 (3 major, 5 minor, 15 patch) License Issues: 0 Recommended Actions: 1. Fix critical: npm update lodash 2. Fix high: npm audit fix 3. Review major updates before upgrading ═══════════════════════════════════════════════ Agent The dep-auditor agent can: Parse npm/pnpm audit JSON output Cross-reference CVE databases Generate detailed fix recommendations Auto-fix safe updates (with confirmation) CI Integration GitHub Actions - name : Audit dependencies run : npm audit - - audit - level=high continue-on-error : true - name : Check for critical vulnerabilities run : | CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical') if [ "$CRITICAL" -gt 0 ]; then echo "Critical vulnerabilities found!" exit 1 fi Pre-commit Hook

!/bin/sh

npm

audit --audit-level

=

critical

||

{

echo

"Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"

exit

1

}

Package Manager Commands

Task

npm

pnpm

yarn

Audit

npm audit

pnpm audit

yarn audit

Audit JSON

npm audit --json

pnpm audit --json

yarn audit --json

Fix auto

npm audit fix

pnpm audit --fix

yarn audit --fix

Fix force

npm audit fix --force

N/A

N/A

Outdated

npm outdated

pnpm outdated

yarn outdated

Why

npm explain

pnpm why

yarn why

Known Limitations

npm audit fix --force

May introduce breaking changes (major version bumps)

Transitive dependencies

Some vulnerabilities require updating parent packages

False positives

Some advisories may not apply to your usage

Private registries

May need auth configuration for auditing