{"manifest":{"name":"Dependency Auditor","version":"1.0.0","description":"Audits dependencies for CVEs, outdated versions, license compliance, and unused packages. Auto-fix mode patches and cleans up safely.","tags":["security","dependencies","audit","devops"],"standard":"agentskills.io","standard_version":"1.0","content_checksum":"07d4213efc27e1d35b04e5d37845e8cb34abd9b20203675d839f31727b4e33e2","bundle_checksum":null,"metadata":{},"files":[]},"files":{"SKILL.md":"# Dependency Auditor\n\n> **Purpose:** Audit project dependencies for security vulnerabilities, license compliance, outdated versions, and unused packages.\n\n---\n\n## Invocation\n\n```\n/deps-audit [--fix] [--severity critical|high|all]\n```\n\n---\n\n## Audit Phases\n\n### Phase 1: Security Vulnerabilities\n\nRun the native audit tool:\n\n```bash\n# Node.js\nnpm audit --json\n\n# Python\npip-audit --format=json\n\n# Go\ngovulncheck ./...\n\n# Rust\ncargo audit --json\n```\n\nParse results and rank by severity (critical → low).\n\n### Phase 2: Outdated Packages\n\n```bash\nnpm outdated --json\n```\n\nCategorize updates:\n- **Patch** (1.2.3 → 1.2.4) — Safe to auto-update\n- **Minor** (1.2.3 → 1.3.0) — Usually safe, check changelog\n- **Major** (1.2.3 → 2.0.0) — Breaking changes likely, review migration guide\n\n### Phase 3: License Compliance\n\nCheck all dependency licenses against project policy:\n\n| License | Status |\n|---------|--------|\n| MIT, Apache-2.0, BSD | Allowed |\n| ISC, Unlicense | Allowed |\n| GPL-2.0, GPL-3.0 | Warning — viral copyleft |\n| AGPL-3.0 | Blocked — requires open-sourcing |\n| SSPL, BSL | Blocked — non-OSS |\n| No license | Blocked — no usage rights |\n\n### Phase 4: Unused Dependencies\n\nDetect packages in `package.json` not imported anywhere:\n\n```bash\n# Find all imports in source\ngrep -rh \"from ['\\\"]\" src/ | sed \"s/.*from ['\\\"]//;s/['\\\"].*//\" | sort -u\n\n# Compare with package.json dependencies\n```\n\n---\n\n## Output Report\n\n```\n## Security Vulnerabilities (3 found)\n\n🔴 CRITICAL | lodash@4.17.20 | Prototype Pollution (CVE-2021-23337)\n Fix: npm install lodash@4.17.21\n\n🟡 MEDIUM | axios@0.21.1 | SSRF via crafted URL\n Fix: npm install axios@0.21.4\n\n## Outdated (12 packages)\n\n| Package | Current | Latest | Type |\n|---------|---------|--------|------|\n| react | 18.2.0 | 19.1.0 | Major |\n| typescript | 5.3.3 | 5.7.2 | Minor |\n| vitest | 1.6.0 | 1.6.1 | Patch |\n\n## License Issues (1 found)\n\n⚠️ WARNING | chart.js@4.4.0 | MIT ✓\n Dependency `chartjs-color` uses GPL-2.0\n\n## Unused Dependencies (2 found)\n\n- `moment` — not imported anywhere (consider removing)\n- `lodash.merge` — only used in removed test file\n```\n\n---\n\n## Auto-Fix Mode\n\nWith `--fix`:\n1. Apply all patch updates\n2. Apply minor updates for packages with no breaking changelog entries\n3. Remove confirmed unused packages\n4. Re-run tests to verify nothing breaks\n5. Commit: `chore(deps): security patches and cleanup`\n\n## Playground\n\n
Dependency AuditorExample · SkillSlap
Input: package.json deps
\"dependencies\": {\n  \"express\": \"4.18.2\",\n  \"lodash\": \"3.10.1\",\n  \"jsonwebtoken\": \"8.5.1\",\n  \"axios\": \"1.6.0\",\n  \"moment\": \"2.29.4\"\n}
Output: Audit report
🔴 lodash 3.10.1 → 4.17.21\nPrototype pollution: CVE-2019-10744\nHigh severity. Update immediately.\n\n🔴 jsonwebtoken 8.5.1 → 9.0.2\nAuth bypass: CVE-2022-23539\nCritical. Breaks JWT verification.\n\n🟡 moment 2.29.4\nUnmaintained (archived 2022).\nMigrate to date-fns or dayjs.\n\n✅ express 4.18.2 — OK\n✅ axios 1.6.0 — OK\n\nAction: npm update lodash jsonwebtoken
"}}