ClaudeWave
Skill, 730 repo stars, updated 25d ago

dependency-auditor

Dependency-auditor automatically scans project dependencies for known security vulnerabilities across multiple package managers including npm, pip, bundler, and Maven. It triggers when dependency files like package.json or requirements.txt change, before deployments, or when security is mentioned, providing severity-ranked vulnerability alerts with specific CVE references and upgrade recommendations.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/alirezarezvani/claude-code-tresor /tmp/dependency-auditor && cp -r /tmp/dependency-auditor/skills/security/dependency-auditor ~/.claude/skills/dependency-auditor
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Dependency Auditor Skill

Automatic dependency vulnerability checking.

## When I Activate

- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes

## What I Check

### Dependency Vulnerabilities
- Known CVEs in packages
- Outdated dependencies with security fixes
- Malicious packages
- License compatibility issues
- Deprecated packages

### Package Managers Supported
- **Node.js**: npm, yarn, pnpm
- **Python**: pip, pipenv, poetry
- **Ruby**: bundler
- **Java**: Maven, Gradle
- **Go**: go modules
- **PHP**: composer

## Example Alerts

### NPM Vulnerability

```bash
# You run: npm install lodash

# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher
```

### Python Vulnerability

```bash
# You modify requirements.txt: django==2.2.0

# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to Django@2.2.28+
```

### Multiple Vulnerabilities

```bash
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
  - 3 CRITICAL
  - 2 HIGH
  - 2 MEDIUM
  - 1 LOW

Critical issues:
  1. axios@0.21.0 - SSRF vulnerability
     Fix: npm install axios@latest

  2. ajv@6.10.0 - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. node-fetch@2.6.0 - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues
```

## Automatic Actions

### On Dependency Changes

```text
1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
```
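Steps 3 to 6 above applied to `npm audit --json` output, as an added example that is not the skill's own code: it parses the report, ranks findings with the skill's severity labels (npm's "moderate" becomes MEDIUM), derives an `npm install` suggestion from `fixAvailable`, flags semver-major fixes as breaking, and reproduces the `--audit-level` exit-code gate that the CI section relies on. The sample report, its advisory URLs and the package name `some-cli` are constructed for illustration.

```python
import json
from collections import Counter

# Severity ranking used by the skill; npm audit says "moderate" where the skill says MEDIUM.
RANK = {"critical": 0, "high": 1, "moderate": 2, "medium": 2, "low": 3, "info": 4}
LABEL = {s: ("MEDIUM" if RANK[s] == 2 else s.upper()) for s in RANK}

# Constructed sample in the `npm audit --json` (auditReportVersion 2) shape;
# advisory URLs are placeholders, not real advisories.
SAMPLE_NPM_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "lodash": {"name": "lodash", "severity": "high", "isDirect": True, "range": "<4.17.21",
               "via": [{"title": "Prototype Pollution in lodash", "severity": "high", "url": "https://example.invalid/advisory-1", "range": "<4.17.21"}],
               "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
    "ajv": {"name": "ajv", "severity": "moderate", "isDirect": False, "range": "<6.12.3",
            "via": [{"title": "Prototype pollution in ajv", "severity": "moderate", "url": "https://example.invalid/advisory-2", "range": "<6.12.3"}],
            "fixAvailable": {"name": "some-cli", "version": "8.0.0", "isSemVerMajor": True}},
    # Flagged only because it depends on vulnerable ajv: "via" holds a package name, not an advisory.
    "some-cli": {"name": "some-cli", "severity": "moderate", "isDirect": True, "range": "<=7.1.0",
                 "via": ["ajv"],
                 "fixAvailable": {"name": "some-cli", "version": "8.0.0", "isSemVerMajor": True}},
}})

def parse_npm_audit(report_json):
    """Steps 3-6 of the procedure: parse, rank by severity, suggest a fix, flag semver-major (breaking) fixes."""
    findings = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        # Advisory entries are dicts; plain strings only point at the vulnerable dependency.
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue  # indirect report; the real finding is listed under the dependency itself
        sev = vuln.get("severity", "info").lower()
        fix = vuln.get("fixAvailable")  # True, False, or the top-level package that must change
        if isinstance(fix, dict):
            suggestion, breaking = f"npm install {fix['name']}@{fix['version']}", bool(fix.get("isSemVerMajor"))
        elif fix is True:
            suggestion, breaking = "npm audit fix", False
        else:
            suggestion, breaking = "no fix available; consider an alternative package", False
        findings.append({"package": name, "severity": LABEL.get(sev, sev.upper()), "rank": RANK.get(sev, 9),
                         "advisories": [(a.get("title", ""), a.get("url", "")) for a in advisories],
                         "vulnerable_range": vuln.get("range", ""), "fix": suggestion, "breaking": breaking})
    return sorted(findings, key=lambda f: (f["rank"], f["package"]))

def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))  # for the "found N vulnerabilities: ..." summary

def audit_exit_code(findings, audit_level="high"):
    """Same gate as `npm audit --audit-level=high`: non-zero if anything at or above the level."""
    return 1 if any(f["rank"] <= RANK[audit_level] for f in findings) else 0
```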

### Audit Commands

```bash
# Node.js
npm audit
npm audit --json  # Structured output

# Python (pip-audit is a separate package: pip install pip-audit)
pip-audit
safety check      # newer Safety releases replace this with: safety scan

# Ruby (requires the bundler-audit gem)
bundle audit

# Java (Maven): needs the OWASP dependency-check-maven plugin declared in the pom;
# otherwise use the full coordinates: mvn org.owasp:dependency-check-maven:check
mvn dependency-check:check
```

## Severity Classification

### CRITICAL 🚨
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable

### HIGH ⚠️
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface

### MEDIUM 📋
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit

### LOW 💡
- Minor security improvements
- Best practice violations
- Minimal risk

## Fix Strategies

### Automatic Updates

```bash
# Safe automatic fixes
npm audit fix

# May include breaking changes
npm audit fix --force
```

### Manual Updates

```bash
# Check what will change
npm outdated

# Update specific package
npm update lodash

# Major version update
npm install lodash@latest
```

### Alternative Packages

```
Vulnerable: request@2.88.0 (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
```

## Integration with CI/CD

### Block Deployments

```yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found
```

### Scheduled Audits

```yaml
# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit
```

## Sandboxing Compatibility

**Works without sandboxing:** ✅ Yes

**Works with sandboxing:** ⚙️ Needs npm/pip registry access

**Sandbox config:**
```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}
```

## License Checking

I also check license compatibility:

```
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
```

## Best Practices

1. **Regular audits**: Run weekly or on every dependency change
2. **Update frequently**: Keep dependencies current
3. **Review breaking changes**: Test before major updates
4. **Pin versions**: Use exact versions in production
5. **Audit lock files**: Commit and audit lock files

## Related Tools

- **security-auditor skill**: Code vulnerability detection
- **@architect sub-agent**: Dependency strategy
- **/review command**: Pre-deployment security check