OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry dependency-audit

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dependency-audit" ~/.claude/skills/majiayu000-claude-skill-registry-dependency-audit && rm -rf "$T"
manifest: skills/data/dependency-audit/SKILL.md
tags
#dependency-audit#npm-audit#security-vulnerabilities#license-compliance#vulnerability-check
source content

Dependency Audit

Status: Production Ready Last Updated: 2026-02-03 Scope: npm, pnpm, yarn projects

Commands

CommandPurpose
/audit-deps
Run comprehensive dependency audit with prioritised findings

Quick Start

/audit-deps                    # Full audit
/audit-deps --security-only    # Only security vulnerabilities
/audit-deps --outdated         # Only outdated packages
/audit-deps --fix              # Auto-fix compatible updates

What This Skill Audits

1. Security Vulnerabilities

npm audit / pnpm audit
  • Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
  • High (CVSS 7.0-8.9): Data exposure, privilege escalation
  • Moderate (CVSS 4.0-6.9): DoS, info disclosure
  • Low (CVSS 0.1-3.9): Minor issues

2. Outdated Packages

npm outdated / pnpm outdated

Categories:

  • Major updates: Breaking changes likely (review changelog)
  • Minor updates: New features, backwards compatible
  • Patch updates: Bug fixes, safe to update

3. License Compliance

Checks for:

  • GPL licenses in commercial projects (copyleft risk)
  • Unknown/missing licenses
  • License conflicts

4. Dependency Health

  • Deprecated packages
  • Abandoned packages (no updates in 2+ years)
  • Packages with open security issues

Output Format

═══════════════════════════════════════════════
   DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════

Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────
   SECURITY
───────────────────────────────────────────────

🔴 CRITICAL (1)
  lodash@4.17.20
  └─ CVE-2021-23337: Command injection via template()
  └─ Fix: npm update lodash@4.17.21
  └─ Affects: direct dependency

🟠 HIGH (2)
  minimist@1.2.5
  └─ CVE-2021-44906: Prototype pollution
  └─ Fix: Transitive via mkdirp, update parent
  └─ Path: mkdirp → minimist

  node-fetch@2.6.1
  └─ CVE-2022-0235: Exposure of sensitive headers
  └─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)
  [details...]

───────────────────────────────────────────────
   OUTDATED PACKAGES
───────────────────────────────────────────────

Major Updates (review breaking changes):
  react           18.2.0  →  19.1.0   (1 major)
  typescript      5.3.0   →  5.8.0    (5 minor)
  drizzle-orm     0.44.0  →  0.50.0   (6 minor)

Minor Updates (safe, new features):
  @types/node     20.11.0 →  20.14.0
  vitest          1.2.0   →  1.6.0

Patch Updates (recommended):
  [15 packages with patch updates]

───────────────────────────────────────────────
   LICENSE CHECK
───────────────────────────────────────────────

✅ All licenses compatible with MIT

Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────
   SUMMARY
───────────────────────────────────────────────

Security Issues:  6 (1 critical, 2 high, 3 moderate)
Outdated:         23 (3 major, 5 minor, 15 patch)
License Issues:   0

Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading

═══════════════════════════════════════════════

Agent

The 

dep-auditor
agent can:

  • Parse npm/pnpm audit JSON output
  • Cross-reference CVE databases
  • Generate detailed fix recommendations
  • Auto-fix safe updates (with confirmation)

CI Integration

GitHub Actions

- name: Audit dependencies
  run: npm audit --audit-level=high
  continue-on-error: true

- name: Check for critical vulnerabilities
  run: |
    CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi

Pre-commit Hook

#!/bin/sh
npm audit --audit-level=critical || {
  echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
  exit 1
}

Package Manager Commands

Tasknpmpnpmyarn
Audit
npm audit
pnpm audit
yarn audit
Audit JSON
npm audit --json
pnpm audit --json
yarn audit --json
Fix auto
npm audit fix
pnpm audit --fix
yarn audit --fix
Fix force
npm audit fix --force
N/AN/A
Outdated
npm outdated
pnpm outdated
yarn outdated
Why
npm explain <pkg>
pnpm why <pkg>
yarn why <pkg>

Known Limitations

  • npm audit fix --force: May introduce breaking changes (major version bumps)
  • Transitive dependencies: Some vulnerabilities require updating parent packages
  • False positives: Some advisories may not apply to your usage
  • Private registries: May need auth configuration for auditing

Related Skills

  • cloudflare-worker-base: For Workers projects
  • testing-patterns: Run tests after updates
  • developer-toolbox: For commit-helper after fixes

Version: 1.0.0 Last Updated: 2026-02-03