dependency-auditor

Name: dependency-auditor
Author: alirezarezvani/claude-code-tresor

$npx mdskill add alirezarezvani/claude-code-tresor/dependency-auditor

Audit package dependencies for vulnerabilities before deployment.

Detects known CVEs, outdated packages, and license conflicts.
Integrates with npm, pip, bundler, Maven, and other managers.
Analyzes dependency files and security mentions to trigger checks.
Outputs clear alerts with CVE details and specific upgrade paths.

SKILL.md

.github/skills/dependency-auditorView on GitHub ↗

---
name: dependency-auditor
description: Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
allowed-tools: Bash, Read
---

# Dependency Auditor Skill

Automatic dependency vulnerability checking.

## When I Activate

- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes

## What I Check

### Dependency Vulnerabilities
- Known CVEs in packages
- Outdated dependencies with security fixes
- Malicious packages
- License compatibility issues
- Deprecated packages

### Package Managers Supported
- **Node.js**: npm, yarn, pnpm
- **Python**: pip, pipenv, poetry
- **Ruby**: bundler
- **Java**: Maven, Gradle
- **Go**: go modules
- **PHP**: composer

## Example Alerts

### NPM Vulnerability

```bash
# You run: npm install lodash

# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher
```

### Python Vulnerability

```bash
# You modify requirements.txt: django==2.2.0

# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to Django@2.2.28+
```

### Multiple Vulnerabilities

```bash
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
  - 3 CRITICAL
  - 2 HIGH
  - 2 MEDIUM
  - 1 LOW

Critical issues:
  1. axios@0.21.0 - SSRF vulnerability
     Fix: npm install axios@latest

  2. ajv@6.10.0 - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. node-fetch@2.6.0 - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues
```

## Automatic Actions

### On Dependency Changes

```yaml
1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
```

### Audit Commands

```bash
# Node.js
npm audit
npm audit --json  # Structured output

# Python
pip-audit
safety check

# Ruby
bundle audit

# Java (Maven)
mvn dependency-check:check
```

## Severity Classification

### CRITICAL 🚨
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable

### HIGH ⚠️
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface

### MEDIUM 📋
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit

### LOW 💡
- Minor security improvements
- Best practice violations
- Minimal risk

## Fix Strategies

### Automatic Updates

```bash
# Safe automatic fixes
npm audit fix

# May include breaking changes
npm audit fix --force
```

### Manual Updates

```bash
# Check what will change
npm outdated

# Update specific package
npm update lodash

# Major version update
npm install lodash@latest
```

### Alternative Packages

```
Vulnerable: request@2.88.0 (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
```

## Integration with CI/CD

### Block Deployments

```yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found
```

### Scheduled Audits

```yaml
# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit
```

## Sandboxing Compatibility

**Works without sandboxing:** ✅ Yes
**Works with sandboxing:** ⚙️ Needs npm/pip registry access

**Sandbox config:**
```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}
```

## License Checking

I also check license compatibility:

```
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
```

## Best Practices

1. **Regular audits**: Run weekly or on every dependency change
2. **Update frequently**: Keep dependencies current
3. **Review breaking changes**: Test before major updates
4. **Pin versions**: Use exact versions in production
5. **Audit lock files**: Commit and audit lock files

## Related Tools

- **security-auditor skill**: Code vulnerability detection
- **@architect sub-agent**: Dependency strategy
- **/review command**: Pre-deployment security check

More from alirezarezvani/claude-code-tresor

Skill	Description
api-documenter	Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.
git-commit-helper	Generate conventional commit messages automatically. Use when user runs git commit, stages changes, or asks for commit message help. Analyzes git diff to create clear, descriptive conventional commit messages. Triggers on git commit, staged changes, commit message requests.
readme-updater	Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.
secret-scanner	Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
security-auditor	Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.
test-generator	Automatically suggest tests for new functions and components. Use when new code is written, functions added, or user mentions testing. Creates test scaffolding with Jest, Vitest, Pytest patterns. Triggers on new functions, components, test requests, testing mentions.