dependency-audit
dependency-audit is a Claude Code skill that analyzes project dependencies across multiple ecosystems (npm, pip, Maven, Go, Cargo, etc.) to identify security vulnerabilities with CVE references, assess license compliance against organizational policies, flag outdated packages by risk priority, and analyze transitive dependency risks. Use this skill when tasked with auditing dependencies, reviewing package security posture, checking license compliance, assessing overall dependency health, or generating vulnerability reports with actionable remediation timelines.
git clone --depth 1 https://github.com/mohitagw15856/pm-claude-skills /tmp/dependency-audit && cp -r /tmp/dependency-audit/plugins/pm-engineering/skills/dependency-audit ~/.claude/skills/dependency-audit

SKILL.md
# Dependency Audit Skill

Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline.

A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.

## Required Inputs

Ask for these if not already provided:

- **Project language and ecosystem** — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
- **Dependency list or package manifest** — paste the contents of `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc., or provide the audit tool output
- **License policy** — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
- **Current security tooling** — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none

## Output Format

---

# Dependency Audit Report: [Project Name]

**Ecosystem:** [npm / pip / Maven / Go / etc.]
**Audit date:** [Date]
**Auditor:** [Name]
**Total direct dependencies:** [N]
**Total transitive dependencies:** [N]
**Audit tool(s) used:** [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]

---

## Executive Summary

| Category | Finding | Risk level |
|---|---|---|
| Critical vulnerabilities | [N] CVEs requiring immediate action | [Critical / High / Low] |
| High vulnerabilities | [N] CVEs — fix within 7 days | [High / Medium] |
| License violations | [N] packages with non-compliant licenses | [High / Low] |
| Severely outdated packages | [N] packages > 2 major versions behind | [Medium] |
| Packages with no active maintenance | [N] packages — no commits in 12+ months | [Medium] |
| **Overall dependency health score** | **[Score]/100** | **[Red / Amber / Green]** |

**Scoring methodology:** Critical CVEs: −20 each. High CVEs: −10 each. License violations: −15 each. Abandoned packages: −5 each. Maximum deduction: 100. Score ≥80 = Green, 60–79 = Amber, <60 = Red.

**Immediate actions required:**

1. [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
2. [Second action]
3. [Third action]

---

## 1. Security Vulnerability Findings

### Critical and High Severity (Act within 24–72 hours)

| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description | Exploitability |
|---|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Critical | [9.x] | [e.g. Prototype pollution via `merge` function — remote code execution possible] | [Known exploit / PoC available / No known exploit] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Path traversal in file serving utility] | [PoC available] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Regular expression denial of service (ReDoS)] | [No known exploit] |

### Medium Severity (Fix within 30 days)

| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description |
|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [5.x] | [Description] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [4.x] | [Description] |

### Low Severity (Fix within 90 days or accept risk)

| Package | Installed version | Fix version | CVE | Severity | Description |
|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Low | [Description] |

### Vulnerabilities With No Fix Available

| Package | CVE | Severity | Recommended mitigation |
|---|---|---|---|
| [package-name] | [CVE-YYYY-NNNNN] | [High] | [e.g. "Remove this package — alternative: [replacement]"] |
| [package-name] | [CVE-YYYY-NNNNN] | [Medium] | [e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"] |

---

## 2. License Compliance Matrix

### License Policy Reference

| License | Category | Policy | Notes |
|---|---|---|---|
| MIT | Permissive | Allowed | Attribution required in distributed products |
| Apache 2.0 | Permissive | Allowed | Attribution + NOTICE file required |
| BSD 2-Clause / 3-Clause | Permissive | Allowed | Attribution required |
| ISC | Permissive | Allowed | |
| MPL 2.0 | Weak copyleft | Allowed with review | Source disclosure required for modified MPL files only |
| LGPL v2 / v3 | Weak copyleft | Allowed with review | Dynamic linking permitted; static linking may require disclosure |
| GPL v2 / v3 | Strong copyleft | **Restricted** | May require open-sourcing the entire codebase — legal review required |
| AGPL v3 | Strong copyleft | **Restricted** | Network use triggers copyleft — especially risky for SaaS |
| SSPL | Source available | **Prohibited** | Not OSI-approved — treat as proprietary |
| Proprietary / Commercial | Commercial | **Requires contract** | Verify license covers current use case and scale |
| Unknown / Unlicensed | — | **Prohibited** | No license = all rights reserved — cannot use legally |

### Findings: Packages With Compliance Issues

| Package | License | Issue | Recommendation | Risk if unaddressed |
|---|---|---|---|---|
| [package-name] | GPL v3 | Copyleft — may require open-sourcing this project | Replace with [alternative] or get legal sign-off | Legal / IP risk |
| [package-name] | AGPL v3 | Network copyleft — SaaS use triggers disclosure | Replace with [alternative] | Legal / IP risk |
| [package-name] | Proprietary | License may not cover current usage tier | Verify license scope with vendor | Contract breach |
| [package-name] | Unknown | No license declared in package metadata | Contact maintainer or replace | Cannot use legally |

### All Licenses in Use (Full Inventory)

| License | Package count | Compliance status |
|---|---|---|
| MIT | [N] | Compliant |
| Apache 2.0 | [N] | Compliant |
| BSD-3-Clause | [N] | Compliant |
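The scoring methodology and the license policy table above are mechanical enough to implement, and doing so removes arithmetic drift between audits. The script below is an added example, not code from the dependency-audit skill or its repository: it computes the health score, the RAG band and the ranked "Immediate actions" list from a flat finding list. The finding format, the `Dep` class, the SPDX-style license identifiers used as keys, the severity and exploitability vocabulary, and the sample inventory are all constructed for this example; the lodash row mirrors the report's own illustrative action, and the second CVE id is a placeholder. Real `npm audit --json` or `pip-audit --format json` output would need a small adapter into this shape.

```python
"""Dependency health scorer for the audit report's scoring methodology.

Added example: not part of the dependency-audit skill. Input shape,
license-id mapping and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# License policy from the report's License Policy Reference table, keyed by
# SPDX-style identifier (the id mapping is an assumption of this example).
LICENSE_POLICY = {
    "MIT": "Allowed", "Apache-2.0": "Allowed", "BSD-2-Clause": "Allowed",
    "BSD-3-Clause": "Allowed", "ISC": "Allowed",
    "MPL-2.0": "Allowed with review", "LGPL-2.1": "Allowed with review",
    "LGPL-3.0": "Allowed with review",
    "GPL-2.0": "Restricted", "GPL-3.0": "Restricted", "AGPL-3.0": "Restricted",
    "SSPL-1.0": "Prohibited", "Proprietary": "Requires contract",
}
# Any of these counts as a license violation for scoring purposes.
VIOLATING = {"Restricted", "Prohibited", "Requires contract"}

# Deductions, SLA windows and thresholds exactly as stated in the report.
DEDUCTION = {"critical": 20, "high": 10, "license": 15, "abandoned": 5}
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}
ABANDONED_AFTER_MONTHS = 12  # "no commits in 12+ months"


@dataclass
class Dep:
    name: str
    version: str
    license: Optional[str]            # None = no license declared
    months_since_last_commit: int
    # Each vuln: {"cve", "severity", "fix_version" (or None), "exploit"}
    vulns: List[dict] = field(default_factory=list)


def license_status(lic: Optional[str]) -> str:
    """Map a license id to the policy column; unknown/unlicensed is Prohibited."""
    if not lic:
        return "Prohibited"
    return LICENSE_POLICY.get(lic, "Prohibited")  # unrecognised id = unknown license


def health_score(deps: List[Dep]):
    """Return (score, RAG band) using the report's deductions, capped at 100."""
    deduction = 0
    for d in deps:
        for v in d.vulns:
            deduction += DEDUCTION.get(v["severity"], 0)  # medium/low: no deduction
        if license_status(d.license) in VIOLATING:
            deduction += DEDUCTION["license"]
        if d.months_since_last_commit >= ABANDONED_AFTER_MONTHS:
            deduction += DEDUCTION["abandoned"]
    score = max(0, 100 - deduction)  # maximum deduction: 100
    rag = "Green" if score >= 80 else "Amber" if score >= 60 else "Red"
    return score, rag


def immediate_actions(deps: List[Dep], top: int = 3) -> List[str]:
    """Rank findings by severity, then by exploitability, and phrase the top N as actions."""
    sev_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    exploit_rank = {"Known exploit": 0, "PoC available": 1, "No known exploit": 2}
    items = []
    for d in deps:
        for v in d.vulns:
            items.append((sev_rank[v["severity"]], exploit_rank.get(v["exploit"], 2), d, v))
    items.sort(key=lambda t: (t[0], t[1]))
    actions = []
    for _, _, d, v in items[:top]:
        sla = SLA_DAYS[v["severity"]]
        if v["fix_version"]:
            actions.append(f"Upgrade {d.name} from {d.version} to {v['fix_version']} "
                           f"to fix {v['cve']} ({v['severity'].title()}) within {sla} days")
        else:  # belongs in the "No Fix Available" table: remove or mitigate
            actions.append(f"No fix for {v['cve']} in {d.name}: remove or mitigate within {sla} days")
    return actions


# Constructed sample inventory. The lodash entry mirrors the report's example;
# the other two packages and the CVE-0000-00000 id are placeholders.
SAMPLE = [
    Dep("lodash", "4.17.11", "MIT", 2, [
        {"cve": "CVE-2021-23337", "severity": "critical",
         "fix_version": "4.17.21", "exploit": "PoC available"}]),
    Dep("example-copyleft-lib", "1.0.0", "AGPL-3.0", 20, []),
    Dep("example-parser", "2.3.0", "Apache-2.0", 1, [
        {"cve": "CVE-0000-00000", "severity": "high",
         "fix_version": None, "exploit": "No known exploit"}]),
]

if __name__ == "__main__":
    score, rag = health_score(SAMPLE)
    print(f"Overall dependency health score: {score}/100 ({rag})")
    for i, action in enumerate(immediate_actions(SAMPLE), 1):
        print(f"{i}. {action}")
```

On the sample, the deductions are 20 (critical) + 15 (AGPL violation) + 5 (abandoned) + 10 (high) = 50, so the score is 50/100 and the band is Red, and the action list leads with the lodash upgrade because critical outranks high regardless of exploitability. Keeping the thresholds as named constants means a team that tightens its policy (for example, deducting for medium CVEs) changes one table rather than re-deriving every past score.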
Conduct a structured ethical review of an AI or ML feature, model, or product. Use when preparing to deploy an AI system, assessing algorithmic risk, auditing a model for bias, or producing a responsible AI impact assessment. Produces a structured ethics review covering fairness, transparency, privacy, safety, accountability, and societal impact with a risk tier score, pre-deployment checklist, and prioritised mitigations.
Structure AI and ML product decisions with the rigour of any product decision. Use when building AI-powered features, evaluating LLM integrations, designing AI products, or assessing AI readiness. Produces a complete AI product canvas covering problem definition, model approach, data requirements, evaluation framework, UX design, responsible AI checklist, and launch monitoring plan.
Transform feature briefs into structured design briefs that give designers the context they need before opening Figma. Use when asked to write a design brief, create a design handoff, brief a designer on a new feature, or translate a PRD into design requirements. Produces a brief with user goal, emotional context, success criteria, constraints, edge cases, and out-of-scope boundaries.
Design statistically rigorous A/B tests and interpret experiment results. Use when asked to design an experiment, run an A/B test, calculate sample size, interpret test results, or assess whether an experiment was successful. Produces a complete experiment design with hypothesis, sample size, run time, success criteria, and risk flags — or a results interpretation with ship/iterate/kill recommendation.
Synthesises user signals from multiple research sources into a unified, weighted insight brief. Use when you have data from interviews, support tickets, NPS verbatims, app reviews, or sales calls and need to reconcile contradictions, surface the underlying need behind requests, or answer 'what are users really telling us'. Produces ranked insights with confidence ratings, source weighting rationale, divergent signal analysis by user segment, and a research gap identification section.
Structure a product data analysis, metric deep-dive, funnel analysis, or cohort study. Use when asked to analyse product metrics, investigate a drop in conversion, explain a data change to stakeholders, or find the root cause of a metric movement. Produces a structured analysis with question, root cause, confidence level, and recommended action.
Interpret product metrics against goals and surface actionable signals. Use when asked to analyse product health, review key metrics, investigate a performance issue, produce a health report, or assess product-market fit signals. Produces a structured health report with RAG status, trend analysis, root cause hypotheses, and prioritised actions.
Structure a retention analysis, churn investigation, or engagement deep-dive for any product team. Use when asked to analyse user retention, investigate churn, measure DAU/MAU, or build a retention improvement plan. Produces a retention snapshot with root cause hypotheses, aha-moment correlation, and prioritised interventions.