dependency-auditor
Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.
git clone --depth 1 https://github.com/OneWave-AI/claude-skills /tmp/dependency-auditor && cp -r /tmp/dependency-auditor/dependency-auditor ~/.claude/skills/dependency-auditorSKILL.md
# Dependency Auditor
## Instructions
When auditing dependencies:
1. **Run security audit**
2. **Check for outdated packages**
3. **Find unused dependencies**
4. **Analyze bundle size impact**
5. **Review and update**
## Security Audit
```bash
# NPM audit
npm audit
# Get JSON output for processing
npm audit --json
# Fix automatically (safe fixes only)
npm audit fix
# Force fix (may have breaking changes)
npm audit fix --force
# PNPM
pnpm audit
# Yarn
yarn audit
```
## Check Outdated Packages
```bash
# NPM
npm outdated
# Interactive update
npx npm-check-updates -i
# Update all to latest
npx npm-check-updates -u
npm install
# Check specific package
npm view <package> versions
```
## Find Unused Dependencies
```bash
# Using depcheck
npx depcheck
# With details
npx depcheck --detailed
# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"
```
### Common False Positives
Depcheck may flag these as unused when they're actually needed:
- `@types/*` packages (used by TypeScript)
- ESLint/Prettier plugins (referenced in config)
- PostCSS plugins (referenced in config)
- Next.js plugins
- Babel presets
## Analyze Bundle Size
```bash
# For Next.js
npx @next/bundle-analyzer
# General purpose
npx source-map-explorer dist/**/*.js
# Check package size before installing
npx package-phobia <package-name>
# Compare alternatives
npx bundlephobia-cli compare lodash ramda
```
## Dependency Review Checklist
### Security
- [ ] No critical/high vulnerabilities
- [ ] Dependencies actively maintained
- [ ] No known malicious packages
- [ ] Lock file committed
### Freshness
- [ ] No major version behind (unless intentional)
- [ ] Security patches applied
- [ ] Deprecated packages replaced
### Cleanliness
- [ ] No unused dependencies
- [ ] No duplicate packages (check lock file)
- [ ] devDependencies vs dependencies correct
## Update Strategies
### Conservative (Recommended)
```bash
# Update patch versions only
npm update
# Update specific package
npm install package@latest
```
### Aggressive
```bash
# Update everything
npx npm-check-updates -u
npm install
npm test
```
### Interactive
```bash
npx npm-check-updates -i
# Options:
# a - update all
# space - toggle selection
# enter - apply selected
```
## Package.json Cleanup
```json
{
"dependencies": {
// Runtime dependencies only
},
"devDependencies": {
// Build/test tools only
},
"peerDependencies": {
// For libraries only
},
"optionalDependencies": {
// Platform-specific (rare)
}
}
```
## Lock File Best Practices
1. **Always commit** lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
2. **Use `npm ci`** in CI/CD (not `npm install`)
3. **Regenerate** if corrupted: delete lock file + node_modules, reinstall
4. **Single lock file** per project (don't mix package managers)
## Automated Monitoring
```yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
dev-dependencies:
dependency-type: "development"
```Audit websites for accessibility issues and WCAG compliance. Use when checking accessibility, fixing a11y issues, or ensuring WCAG compliance.
Deploy a 2-layer parallel agent hierarchy for large, parallelizable work — big refactors, multi-file migrations, codebase-wide audits, bulk generation. Layer 1 is 3-50+ specialist agents, each with its own full context window; Layer 2 is 2+ sub-agents per member. Includes git safety, tiered sizing, a pre-deploy gate, phantom-completion checks, and multi-wave follow-up.
Deploys swarms of sub-agents for massive parallel data processing tasks. Unlike agent-army (which is for code changes), this is for DATA tasks -- processing 1000 documents, analyzing datasets, bulk content generation. Configurable swarm size, task distribution, result aggregation, progress tracking, and error recovery.
Designs and deploys custom agent teams for specific business workflows. Interactive discovery of business processes, then generates complete team configurations with specialized agent roles, tool access, communication protocols, and handoff rules.
Agent-to-Agent (A2A) communication protocol. Connect two or more Claude agents that pass messages, share context, delegate tasks, and collaborate. Implements structured handoffs, shared memory, and multi-agent conversations.
Assesses how ready a business is for AI adoption across six dimensions. Evaluates data maturity, tech stack, team skills, process documentation, budget, and culture. Generates a comprehensive ai-readiness-report.md with scores, gap analysis, and recommended starting points. Aligned with OneWave AI's audit methodology.
Generate animated videos and motion graphics from natural language descriptions. Creates a standalone Vite + React project with Framer Motion scenes that auto-play in the browser. Use when the user wants to create animations, motion graphics, video intros, animated presentations, or product demos.
Generate comprehensive API documentation including endpoint descriptions, request/response examples, authentication guides, error codes, and SDKs. Creates OpenAPI/Swagger specs, REST API docs, and developer-friendly reference materials. Use when users need to document APIs, create technical references, or write developer documentation.