Memstack memstack-security-dependency-audit

Use this skill when the user says 'dependency audit', 'npm audit', 'pip audit', 'cargo audit', 'security vulnerabilities', 'outdated packages', 'supply chain', or needs to scan project dependencies for vulnerabilities, abandoned packages, and upgrade risks. Do NOT use for application-level security or secrets scanning.

install

source · Clone the upstream repo

git clone https://github.com/cwinvestments/memstack

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/cwinvestments/memstack "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/security/dependency-audit" ~/.claude/skills/cwinvestments-memstack-memstack-security-dependency-audit && rm -rf "$T"

manifest: skills/security/dependency-audit/SKILL.md

source content

🔒 Dependency Audit — Supply Chain Security Scanner

Scan project dependencies for vulnerabilities, outdated packages, abandoned libraries, and supply chain risks with a prioritized upgrade plan.

Activation

When this skill activates, output:

🔒 Dependency Audit — Scanning your dependency tree...

Context	Status
User says "dependency audit", "npm audit", "scan dependencies"	ACTIVE
User wants to check for vulnerable or outdated packages	ACTIVE
User mentions CVEs, supply chain security, or abandoned packages	ACTIVE
User wants OWASP web app security (not just dependencies)	DORMANT — see owasp-top10
User wants secrets scanning (not package vulnerabilities)	DORMANT — see secrets-scanner
User wants general code review	DORMANT — see code-reviewer

Protocol

Step 1: Detect Project Type

Identify the package ecosystem from project files:

File Found	Ecosystem	Audit Command	Outdated Command
`package.json`	npm/Node.js	`npm audit --json`	`npm outdated --json`
`package-lock.json`	npm (locked)	`npm audit --json`	`npm outdated --json`
`yarn.lock`	Yarn	`yarn audit --json`	`yarn outdated --json`
`pnpm-lock.yaml`	pnpm	`pnpm audit --json`	`pnpm outdated --json`
`requirements.txt`	pip/Python	`pip audit --format=json`	`pip list --outdated --format=json`
`Pipfile.lock`	Pipenv	`pipenv check --output json`	`pipenv update --dry-run`
`pyproject.toml`	Poetry/Python	`pip audit --format=json`	`poetry show --outdated`
`Cargo.toml`	Rust/Cargo	`cargo audit --json`	`cargo outdated --format json`
`go.mod`	Go	`govulncheck ./...`	`go list -u -m all`
`Gemfile.lock`	Ruby/Bundler	`bundle audit check --format json`	`bundle outdated`

If multiple ecosystems detected, audit all of them. Report which ecosystem each finding belongs to.

Step 2: Run Vulnerability Scan

Execute the appropriate audit command and parse results into a unified format:

── VULNERABILITY SCAN ─────────────────────

CVE-2024-XXXXX  🔴 CRITICAL
  Package: [name]@[version]
  Dependency: Direct / Transitive (via [parent])
  Fixed in: [version]
  Description: [brief description]
  CVSS Score: [score]
  Exploitability: [network/local] [complexity]

CVE-2024-YYYYY  🟡 HIGH
  Package: [name]@[version]
  Dependency: Transitive (via [parent] → [grandparent])
  Fixed in: [version]
  Description: [brief description]
  CVSS Score: [score]
  Exploitability: [network/local] [complexity]

Severity classification:

Severity	CVSS Score	Icon	Action
Critical	9.0 - 10.0	🔴	Fix immediately — potential active exploitation
High	7.0 - 8.9	🟡	Fix within 1 week — significant risk
Medium	4.0 - 6.9	🟠	Fix within 1 month — moderate risk
Low	0.1 - 3.9	🔵	Fix when convenient — minimal risk

Direct vs transitive priority:

Direct dependency: You explicitly installed it — highest priority, easiest to fix
Transitive dependency: Pulled in by another package — fix by updating the direct parent
If the transitive parent hasn't released a fix, consider overriding with
```
overrides
```
(npm) or
```
resolutions
```
(Yarn)

Step 3: Check for Outdated Packages

Run the outdated command and categorize results:

── OUTDATED PACKAGES ──────────────────────

Package          Current    Latest     Type      Risk
─────────────────────────────────────────────────────
[package-a]      1.2.3      1.2.8      Patch     ✅ Safe — bug fixes only
[package-b]      2.1.0      2.4.0      Minor     ✅ Safe — new features, backward compatible
[package-c]      3.0.0      4.2.1      Major     ⚠️ Breaking — review changelog
[package-d]      1.0.0      1.0.0      Current   ✅ Up to date

Version gap classification:

Gap Type	Risk	Approach
Patch (1.2.3 → 1.2.8)	Very Low	Update immediately — bug/security fixes
Minor (2.1.0 → 2.4.0)	Low	Update in batch — new features, backward compatible
Major (3.0.0 → 4.2.1)	Medium-High	Review migration guide, test thoroughly
Multiple majors (1.x → 4.x)	High	Dedicate time, may require code changes

Step 4: Identify Abandoned Packages

Check each dependency for maintenance status:

── ABANDONED PACKAGE CHECK ────────────────

Package          Last Publish    Downloads/wk    Status
──────────────────────────────────────────────────────
[package-x]      3 years ago     12,000          ⚠️ ABANDONED — find alternative
[package-y]      2.5 years ago   800             🔴 DEAD — replace immediately
[package-z]      6 months ago    250,000         ✅ Active

Abandonment indicators:

No npm/PyPI publish in 2+ years
No GitHub commits in 1+ year
Open issues/PRs with no maintainer response for 6+ months
Maintainer has publicly archived the repository
Deprecation notice in README or package metadata

For each abandoned package, suggest:

Alternative package (actively maintained fork or replacement)
Migration effort estimate (drop-in replacement vs API changes)
Risk of staying: known unpatched vulnerabilities, compatibility drift

Step 5: Supply Chain Risk Assessment

Check for packages with known supply chain risk factors:

Risk Factor	Detection Method	Severity
Typosquatting	Package name similar to popular package	High
Install scripts	`preinstall` / `postinstall` scripts in package.json	Medium
Excessive permissions	Package requests network/fs access unexpectedly	Medium
Single maintainer	One person controls publishing	Low-Medium
Recent ownership transfer	npm ownership changed recently	High
Minified source only	No readable source code in package	Medium
Unpinned dependencies	Using `*` or `>=` in dependency ranges	Medium

── SUPPLY CHAIN RISKS ─────────────────────

[package-a]  ⚠️ Has postinstall script
  Script: "postinstall": "node setup.js"
  Review: [does it fetch remote code? write to fs? safe build step?]

[package-b]  ⚠️ Single maintainer, low download count
  Maintainer: [username]
  Weekly downloads: [count]
  Alternative: [more established package]

Step 6: Generate Upgrade Plan

Create a prioritized upgrade plan in three tiers:

━━━ TIER 1: IMMEDIATE (This Sprint) ━━━━━━
Critical/High vulnerabilities in direct dependencies.
Patch updates with no breaking changes.

1. [package]@[current] → [target]
   Reason: 🔴 CVE-2024-XXXXX (CRITICAL)
   Risk: None — patch update
   Command: npm install [package]@[target]

2. [package]@[current] → [target]
   Reason: 🟡 CVE-2024-YYYYY (HIGH)
   Risk: None — minor update
   Command: npm install [package]@[target]

━━━ TIER 2: PLANNED (Next 2 Weeks) ━━━━━━━
Medium vulnerabilities, minor version updates,
replacing abandoned packages.

3. [package]@[current] → [target]
   Reason: 🟠 CVE-2024-ZZZZZ (MEDIUM) + 8 minor versions behind
   Risk: Low — review changelog for deprecations
   Command: npm install [package]@[target]
   Test: [specific areas to regression test]

4. [package] → [replacement-package]
   Reason: ⚠️ Abandoned (last publish: 2 years ago)
   Risk: Medium — API differences, migration needed
   Migration: [brief migration steps]

━━━ TIER 3: SCHEDULED (Next Quarter) ━━━━━━
Major version upgrades requiring migration effort.

5. [package]@[current] → [target]
   Reason: 3 major versions behind, accumulating tech debt
   Risk: High — breaking changes in v3 and v4
   Migration guide: [URL]
   Estimated effort: [hours/days]
   Test: [comprehensive regression testing required]

Step 7: Override Guidance

When a transitive dependency can't be fixed by updating the direct parent:

npm (overrides in package.json):

{
  "overrides": {
    "vulnerable-package": ">=2.0.1"
  }
}

Yarn (resolutions in package.json):

{
  "resolutions": {
    "vulnerable-package": ">=2.0.1"
  }
}

pnpm (overrides in package.json):

{
  "pnpm": {
    "overrides": {
      "vulnerable-package": ">=2.0.1"
    }
  }
}

Pip (constraint file):

# constraints.txt
vulnerable-package>=2.0.1

pip install -c constraints.txt -r requirements.txt

Caution: Overrides can break compatibility. Always test after applying.

Step 8: CI Integration Recommendation

Recommend automated dependency scanning in CI:

# GitHub Actions example
name: Dependency Audit
on:
  schedule:
    - cron: '0 9 * * 1'  # Weekly Monday 9 AM
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm audit --audit-level=high
      - run: npm outdated || true  # Don't fail on outdated

Recommended tools for ongoing monitoring:

Dependabot (GitHub): Auto-creates PRs for updates
Renovate (any platform): More configurable than Dependabot
Snyk: Deep vulnerability scanning + fix PRs
Socket.dev: Supply chain risk detection

Step 9: Output

Present the complete dependency health report:

━━━ DEPENDENCY HEALTH REPORT ━━━━━━━━━━━━━
Project: [name]
Ecosystem: [npm/pip/cargo/etc.]
Scan date: [date]
Total dependencies: [direct] direct, [transitive] transitive

── VULNERABILITY SUMMARY ──────────────────
🔴 Critical: [count]
🟡 High:     [count]
🟠 Medium:   [count]
🔵 Low:      [count]

── VULNERABILITIES ────────────────────────
[detailed CVE list with fix versions]

── OUTDATED PACKAGES ──────────────────────
Patch updates available: [count]
Minor updates available: [count]
Major updates available: [count]

── ABANDONED PACKAGES ─────────────────────
[list with alternatives]

── SUPPLY CHAIN RISKS ─────────────────────
[risk factors found]

── UPGRADE PLAN ───────────────────────────
Tier 1 (Immediate): [count] packages
Tier 2 (Planned):   [count] packages
Tier 3 (Scheduled): [count] packages

── COMMANDS ───────────────────────────────
[copy-paste upgrade commands]

── CI RECOMMENDATION ──────────────────────
[automated scanning setup]

── HEALTH SCORE ───────────────────────────
Score: [X/100]
  Vulnerabilities: [-points per severity]
  Currency: [-points per outdated major]
  Maintenance: [-points per abandoned dep]
  Supply chain: [-points per risk factor]

Health score calculation:

Start at 100
Critical CVE: -20 each
High CVE: -10 each
Medium CVE: -5 each
Major version behind: -3 each
Abandoned dependency: -8 each
Supply chain risk: -5 each
Minimum score: 0

Inputs

Project path (or current directory)
Package ecosystem (auto-detected from lockfiles)
Severity threshold (default: all)
Include dev dependencies? (default: yes)

Outputs

Unified vulnerability list with CVE IDs, severity, affected package, and fix version
Direct vs transitive dependency classification
Outdated packages categorized by version gap type
Abandoned package list with alternatives
Supply chain risk assessment
Three-tier prioritized upgrade plan with commands
Override guidance for transitive dependency fixes
CI integration config for ongoing monitoring
Dependency health score (0-100)

Level History

Lv.1 — Base: Multi-ecosystem audit (npm, pip, cargo, go, bundler), unified vulnerability format with CVSS severity, direct vs transitive classification, outdated package analysis, abandoned package detection with alternatives, supply chain risk assessment, three-tier upgrade plan, override guidance, CI integration config, health score. (Origin: MemStack v3.2, Mar 2026)