---
name: "dependency-auditor"
description: "Audits dependencies for CVEs, outdated versions, license compliance, and unused packages. Auto-fix mode patches and cleans up safely."
metadata:
  version: "1.0.0"
disable-model-invocation: true
---

# Dependency Auditor

> **Purpose:** Audit project dependencies for security vulnerabilities, license compliance, outdated versions, and unused packages.

---

## Invocation

```
/deps-audit [--fix] [--severity critical|high|all]
```

---

## Audit Phases

### Phase 1: Security Vulnerabilities

Run the native audit tool:

```bash
# Node.js
npm audit --json

# Python
pip-audit --format=json

# Go
govulncheck ./...

# Rust
cargo audit --json
```

Parse the results, rank findings by severity (critical → low), and apply the `--severity` filter from the invocation before reporting.
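The parse-and-rank step written out, as an added example that is not the skill's own code: it assumes the JSON shape of npm's `auditReportVersion` 2 report, and the sample report and its package entries are constructed.

```javascript
// Added example (not the skill's own code): rank `npm audit --json` findings by severity
// and apply --severity. Input is a constructed sample in npm's auditReportVersion 2 shape (assumed).
const RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
const MIN_FOR_FLAG = { critical: 4, high: 3, all: 0 }; // --severity value -> lowest rank kept
const LABEL = { critical: 'CRITICAL', high: 'HIGH', moderate: 'MEDIUM', low: 'LOW', info: 'INFO' };

// Turn a fixAvailable value (false, true, or { name, version, isSemVerMajor })
// into the remediation line shown in the report.
function fixCommand(fixAvailable) {
  if (!fixAvailable) return 'no fix available';
  if (fixAvailable === true) return 'npm audit fix';
  const cmd = `npm install ${fixAvailable.name}@${fixAvailable.version}`;
  return fixAvailable.isSemVerMajor ? `${cmd} (major upgrade, review migration guide)` : cmd;
}

function rankFindings(auditJsonText, severityFlag = 'all') {
  const min = MIN_FOR_FLAG[severityFlag];
  if (min === undefined) throw new Error(`unknown --severity value: ${severityFlag}`);
  const findings = [];
  for (const v of Object.values(JSON.parse(auditJsonText).vulnerabilities || {})) {
    if ((RANK[v.severity] || 0) < min) continue;
    // `via` mixes advisory objects (the package's own flaws) with plain strings
    // naming the vulnerable dependency a flaw is inherited from; keep both apart.
    const titles = v.via.filter((x) => typeof x === 'object').map((a) => a.title);
    const inheritedFrom = v.via.filter((x) => typeof x === 'string');
    findings.push({ name: v.name, severity: v.severity, label: LABEL[v.severity],
      direct: Boolean(v.isDirect), titles, inheritedFrom, fix: fixCommand(v.fixAvailable) });
  }
  // Most severe first; at equal severity, direct dependencies before transitive ones.
  return findings.sort((a, b) => RANK[b.severity] - RANK[a.severity] || Number(b.direct) - Number(a.direct));
}

// Constructed sample: a direct critical flaw with a pinned fix, a moderate flaw in a
// transitive package, a direct package that merely depends on it, and an unfixed low.
const SAMPLE_AUDIT = JSON.stringify({ auditReportVersion: 2, vulnerabilities: {
  lodash: { name: 'lodash', severity: 'critical', isDirect: true, range: '<4.17.21',
    via: [{ title: 'Prototype Pollution', severity: 'critical' }], effects: [],
    fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false } },
  minimist: { name: 'minimist', severity: 'moderate', isDirect: false, range: '<1.2.6',
    via: [{ title: 'Prototype Pollution', severity: 'moderate' }], effects: ['mkdirp'], fixAvailable: true },
  mkdirp: { name: 'mkdirp', severity: 'moderate', isDirect: true, range: '0.4.1 - 0.5.1',
    via: ['minimist'], effects: [], fixAvailable: true },
  'old-util': { name: 'old-util', severity: 'low', isDirect: true, range: '*',
    via: [{ title: 'ReDoS', severity: 'low' }], effects: [], fixAvailable: false },
} });

for (const f of rankFindings(SAMPLE_AUDIT, 'all')) {
  const cause = f.titles.length ? f.titles.join(', ') : `inherited via ${f.inheritedFrom.join(', ')}`;
  console.log(`${f.label} | ${f.name} | ${cause} | Fix: ${f.fix}`);
}
```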

### Phase 2: Outdated Packages

```bash
npm outdated --json
```

Categorize updates:
- **Patch** (1.2.3 → 1.2.4) — Safe to auto-update
- **Minor** (1.2.3 → 1.3.0) — Usually safe, check changelog
- **Major** (1.2.3 → 2.0.0) — Breaking changes likely, review migration guide

### Phase 3: License Compliance

Check all dependency licenses against project policy:

| License | Status |
|---------|--------|
| MIT, Apache-2.0, BSD | Allowed |
| ISC, Unlicense | Allowed |
| GPL-2.0, GPL-3.0 | Warning — viral copyleft |
| AGPL-3.0 | Blocked — requires open-sourcing |
| SSPL, BSL | Blocked — non-OSS |
| No license | Blocked — no usage rights |

### Phase 4: Unused Dependencies

Detect packages in `package.json` not imported anywhere:

```bash
# Find all imports (ES `from '...'` and CommonJS `require('...')`), reduced to the
# package name: "lodash/fp" -> "lodash", "@scope/pkg/x" -> "@scope/pkg"
grep -rhoE "(from|require\() *['\"][^'\"]+['\"]" src/ \
  | sed -E "s/.*['\"]([^'\"]+)['\"]/\1/" \
  | grep -vE '^([./]|node:)' \
  | sed -E 's#^(@[^/]+/[^/]+|[^/]+).*#\1#' \
  | sort -u > /tmp/used.txt

# Compare with package.json dependencies (needs jq); names only in the first list are unused
jq -r '.dependencies | keys[]' package.json | sort -u > /tmp/declared.txt
comm -23 /tmp/declared.txt /tmp/used.txt
```

---

## Output Report

```
## Security Vulnerabilities (3 found)

🔴 CRITICAL | lodash@4.17.20 | Prototype Pollution (CVE-2021-23337)
  Fix: npm install lodash@4.17.21

🟡 MEDIUM | axios@0.21.1 | SSRF via crafted URL
  Fix: npm install axios@0.21.4

## Outdated (12 packages)

| Package | Current | Latest | Type |
|---------|---------|--------|------|
| react | 18.2.0 | 19.1.0 | Major |
| typescript | 5.3.3 | 5.7.2 | Minor |
| vitest | 1.6.0 | 1.6.1 | Patch |

## License Issues (1 found)

⚠️ WARNING | chart.js@4.4.0 | MIT ✓
  Dependency `chartjs-color` uses GPL-2.0

## Unused Dependencies (2 found)

- `moment` — not imported anywhere (consider removing)
- `lodash.merge` — only used in removed test file
```

---

## Auto-Fix Mode

With `--fix`:
1. Apply all patch updates
2. Apply minor updates for packages with no breaking changelog entries
3. Remove confirmed unused packages
4. Re-run tests to verify nothing breaks
5. Commit: `chore(deps): security patches and cleanup`

## Playground

### Input: package.json deps

```json
"dependencies": {
  "express": "4.18.2",
  "lodash": "3.10.1",
  "jsonwebtoken": "8.5.1",
  "axios": "1.6.0",
  "moment": "2.29.4"
}
```

### Output: Audit report

```
🔴 lodash 3.10.1 → 4.17.21
Prototype pollution: CVE-2019-10744
High severity. Update immediately.

🔴 jsonwebtoken 8.5.1 → 9.0.2
Auth bypass: CVE-2022-23539
Critical. Breaks JWT verification.

🟡 moment 2.29.4
Unmaintained (archived 2022).
Migrate to date-fns or dayjs.

✅ express 4.18.2 — OK
✅ axios 1.6.0 — OK

Action: npm update lodash jsonwebtoken
```