
dependency-auditor skill


This skill automatically audits project dependencies for known vulnerabilities, outdated packages, and license issues across Node, Python, Ruby, Java, Go, and

npx playbooks add skill ovachiever/droid-tings --skill dependency-auditor

SKILL.md
---
name: dependency-auditor
description: Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
allowed-tools: Bash, Read
---

# Dependency Auditor Skill

Automatic dependency vulnerability checking.

## When I Activate

- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes

## What I Check

### Dependency Vulnerabilities
- Known CVEs in packages
- Outdated dependencies with security fixes
- Malicious packages
- License compatibility issues
- Deprecated packages

### Package Managers Supported
- **Node.js**: npm, yarn, pnpm
- **Python**: pip, pipenv, poetry
- **Ruby**: bundler
- **Java**: Maven, Gradle
- **Go**: go modules
- **PHP**: composer

## Example Alerts

### NPM Vulnerability

```bash
# You run: npm install lodash

# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@<installed version>
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher
```

### Python Vulnerability

```bash
# You modify requirements.txt: django==2.2.0

# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to django@2.2.28+
```

### Multiple Vulnerabilities

```bash
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
  - 3 CRITICAL
  - 2 HIGH
  - 2 MEDIUM
  - 1 LOW

Critical issues:
  1. axios@<installed version> - SSRF vulnerability
     Fix: npm install axios@latest

  2. ajv@<installed version> - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. node-fetch@<installed version> - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues
```

## Automatic Actions

### On Dependency Changes

1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
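A Python rendering of steps 1 and 2, added here as an example and not part of the skill's own code: it maps the manifest and lock files present in a checkout to the audit command the skill would run for each ecosystem, so one pass over a multi-language repo yields one command per package manager. The file table, the ecosystem labels and the `demo()` fixture are assumptions of this example; the Go and PHP commands (`govulncheck`, `composer audit`) are standard tools but are not named on the page.

```python
import tempfile
from pathlib import Path

# (file, ecosystem, audit command). Order matters: the first file found for an
# ecosystem wins, so a lock file beats its manifest and yarn/pnpm beat npm.
# The table is this example's assumption, not the skill's configuration.
MANIFESTS = [
    ("pnpm-lock.yaml", "node", "pnpm audit --json"),
    ("yarn.lock", "node", "yarn audit --json"),  # Yarn 2+: yarn npm audit --json
    ("package-lock.json", "node", "npm audit --json"),
    ("package.json", "node", "npm audit --json"),
    ("requirements.txt", "python", "pip-audit -r requirements.txt -f json"),
    ("Gemfile.lock", "ruby", "bundle audit check --update"),
    ("go.mod", "go", "govulncheck ./..."),
    ("composer.lock", "php", "composer audit --format=json"),
    ("pom.xml", "java", "mvn org.owasp:dependency-check-maven:check"),
    ("build.gradle", "java", "gradle dependencyCheckAnalyze"),  # OWASP plugin task
]


def detect_audits(repo):
    """Return {ecosystem: audit command} for the manifests found in `repo`."""
    repo = Path(repo)
    found = {}
    for filename, ecosystem, command in MANIFESTS:
        if ecosystem not in found and (repo / filename).is_file():
            found[ecosystem] = command
    return found


def demo():
    """Constructed checkout: a Yarn-managed Node app with Python and Go parts."""
    with tempfile.TemporaryDirectory() as repo:
        for name in ("package.json", "yarn.lock", "requirements.txt", "go.mod"):
            Path(repo, name).write_text("")
        return detect_audits(repo)


if __name__ == "__main__":
    for ecosystem, command in demo().items():
        print(f"{ecosystem:8} {command}")
```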

### Audit Commands

```bash
# Node.js
npm audit
npm audit --json            # Structured output for parsing
yarn audit                  # Yarn 1; Yarn 2+ uses: yarn npm audit
pnpm audit

# Python
pip-audit -r requirements.txt
safety check                # Older Safety CLI; Safety 3.x renamed this to: safety scan

# Ruby
bundle audit check --update # Refreshes the ruby-advisory-db before checking

# Java (Maven, OWASP dependency-check plugin)
mvn dependency-check:check  # Short prefix needs the plugin declared in the POM;
                            # the fully qualified goal always resolves:
mvn org.owasp:dependency-check-maven:check

# Go
govulncheck ./...

# PHP
composer audit
```

## Severity Classification

### CRITICAL 🚨
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable

### HIGH ⚠️
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface

### MEDIUM 📋
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit

### LOW 💡
- Minor security improvements
- Best practice violations
- Minimal risk

## Fix Strategies

### Automatic Updates

```bash
# Safe automatic fixes
npm audit fix

# May include breaking changes
npm audit fix --force
```

### Manual Updates

```bash
# Check what will change
npm outdated

# Update specific package
npm update lodash

# Major version update
npm install lodash@latest
```

### Alternative Packages

```
Vulnerable: request@<installed version> (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
```

## Integration with CI/CD

### Block Deployments

```yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found
```
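The parse-and-categorize steps applied to a real report, added as an example and not code from the skill: it reads the `auditReportVersion: 2` JSON that `npm audit --json` emits on npm 7+, counts findings on npm's own scale (npm says `moderate` where the severity table above says MEDIUM), marks semver-major fixes as breaking changes, and applies the same threshold rule that `--audit-level=high` enforces in the CI step above. The report is constructed for this example; it reuses the lodash CVE and the ajv and node-fetch package names from the alerts earlier on the page, and the ranges and severities given to ajv and node-fetch are sample values.

```python
import json

# npm's severity scale, lowest to highest ("moderate" is the skill's MEDIUM).
SEVERITIES = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the npm 7+ report format, trimmed to the fields read
# below (a real report also carries nodes, effects and via source ids).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"severity": "high", "isDirect": True, "range": "<4.17.21",
                   "via": [{"title": "Prototype Pollution",
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"}],
                   "fixAvailable": {"name": "lodash", "version": "4.17.21",
                                    "isSemVerMajor": False}},
        "ajv": {"severity": "moderate", "isDirect": False, "range": "<8.0.0",
                "via": [{"title": "Prototype Pollution"}],
                "fixAvailable": {"name": "ajv", "version": "8.0.0",
                                 "isSemVerMajor": True}},
        "node-fetch": {"severity": "high", "isDirect": False, "range": "<2.6.7",
                       "via": [{"title": "Information disclosure"}],
                       "fixAvailable": False},  # sample: no fix published
    },
})


def summarize(report_json):
    """Return (counts per severity, findings sorted most severe first)."""
    report = json.loads(report_json)
    counts = dict.fromkeys(SEVERITIES, 0)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        counts[vuln["severity"]] += 1
        fix = vuln.get("fixAvailable")  # True, False, or {name, version, isSemVerMajor}
        # via holds advisory dicts for direct findings and parent package names
        # (plain strings) for transitive ones; only the dicts carry a title.
        title = next((v.get("title") for v in vuln.get("via", []) if isinstance(v, dict)), None)
        findings.append({
            "package": name, "severity": vuln["severity"], "title": title,
            "direct": vuln.get("isDirect", False), "range": vuln.get("range"),
            "fix": f"{fix['name']}@{fix['version']}" if isinstance(fix, dict) else None,
            "breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    findings.sort(key=lambda f: SEVERITIES.index(f["severity"]), reverse=True)
    return counts, findings


def passes_gate(counts, audit_level="high"):
    """Same rule as `npm audit --audit-level=<level>`: fail on anything at or above it."""
    return not any(counts[s] for s in SEVERITIES[SEVERITIES.index(audit_level):])
```

`npm audit` exits non-zero whenever it reports anything, so when wiring `summarize()` to a live run, read stdout without treating that exit code as a crash.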

### Scheduled Audits

```yaml
# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit
```

## Sandboxing Compatibility

**Works without sandboxing:** ✅ Yes
**Works with sandboxing:** ⚙️ Needs npm/pip registry access

**Sandbox config:**
```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}
```

## License Checking

I also check license compatibility:

```
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: <package>@<installed version>
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
```

## Best Practices

1. **Regular audits**: Run weekly or on every dependency change
2. **Update frequently**: Keep dependencies current
3. **Review breaking changes**: Test before major updates
4. **Pin versions**: Use exact versions in production
5. **Audit lock files**: Commit and audit lock files

## Related Tools

- **security-auditor skill**: Code vulnerability detection
- **@architect sub-agent**: Dependency strategy
- **/review command**: Pre-deployment security check

Overview

This skill performs automatic dependency vulnerability checks across common package managers and alerts on known security issues. It triggers when dependency files change or before deployments and provides actionable remediation steps. The goal is to catch CVEs, malicious packages, license conflicts, and deprecated modules early in the development lifecycle.

How this skill works

On trigger it detects the project’s package manager, runs the appropriate audit command (npm audit, pip-audit, bundle audit, mvn dependency-check, etc.), parses structured output, and categorizes findings by severity. It suggests fixes, highlights breaking changes, and can be wired into CI/CD to block risky deployments. It also inspects lock files and license metadata where available.

When to use it

  • When package.json, yarn.lock, package-lock.json, or pnpm-lock.yaml changes
  • When requirements.txt, Pipfile, or poetry.lock changes
  • Before any deployment or release job
  • If a team member mentions dependencies or security concerns
  • On scheduled/regular dependency health scans

Best practices

  • Run audits on every dependency change and in CI pipelines
  • Audit lock files and commit them to ensure consistent scans
  • Fail builds for HIGH/CRITICAL findings unless an exception is documented
  • Prefer minimal automated fixes; review major version bumps before applying
  • Keep a scheduled cadence (weekly or biweekly) for full dependency sweeps

Example use cases

  • Pull request: detect added vulnerable package and post remediation guidance
  • Pre-deploy check: block deployment if CRITICAL or HIGH vulnerabilities exist
  • Nightly job: scheduled audit that reports outdated or deprecated packages
  • License scan: flag GPL/MIT/Apache incompatibilities before release
  • Multi-language repo: run npm, pip, and Maven audits based on changed files

FAQ

Which package managers are supported?

Node (npm, yarn, pnpm), Python (pip, pipenv, poetry), Ruby (bundler), Java (Maven/Gradle), Go modules, and PHP (composer).

Can it automatically fix vulnerabilities?

It suggests and can run safe automated fixes (e.g., npm audit fix) but recommends manual review for major upgrades that may introduce breaking changes.

How does it handle CI/CD integration?

Integrate audit commands into your pipeline and fail builds conditionally (for example, fail on HIGH/CRITICAL). Scheduled jobs for periodic scans are supported too.

Does it check licenses?

Yes. The skill flags license compatibility issues and recommends alternative packages when a license conflicts with project policies.