Skip to main content Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
npx skills add alirezarezvani/claude-code-tresor --skill dependency-auditor Bash, Read agent-development-kit agentic-ai agentic-coding agentic-workflow agents anthropic-claude
Dependency Auditor Skill
Automatic dependency vulnerability checking.
When I Activate
✅ package.json modified
✅ requirements.txt changed
✅ Gemfile or pom.xml modified
✅ User mentions dependencies or vulnerabilities
✅ Before deployments
✅ yarn.lock or package-lock.json changes
What I Check
Dependency Vulnerabilities
Known CVEs in packages
Outdated dependencies with security fixes
Malicious packages
License compatibility issues
Deprecated packages
Package Managers Supported
Node.js : npm, yarn, pnpm
Python : pip, pipenv, poetry
Ruby : bundler
Java : Maven, Gradle
Go : go modules
PHP : composer
Example Alerts
NPM Vulnerability
# You run: npm install lodash
# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: [email protected]
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
Recommendation: Update to [email protected] or higher
Python Vulnerability # You modify requirements.txt: django==2.2.0
# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: [email protected]
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571
Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to [email protected] +
Multiple Vulnerabilities # After npm install:
🚨 Dependency audit found 8 vulnerabilities:
- 3 CRITICAL
- 2 HIGH
- 2 MEDIUM
- 1 LOW
Critical issues:
1. [email protected] - SSRF vulnerability
Fix: npm install axios@latest
2. [email protected] - Prototype pollution
Fix: npm install ajv@^8.0.0
3. [email protected] - Information disclosure
Fix: npm install node-fetch@^2.6.7
Run 'npm audit fix' to automatically fix 6/8 issues
Automatic Actions
On Dependency Changes 1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes
Audit Commands # Node.js
npm audit
npm audit --json # Structured output
# Python
pip-audit
safety check
# Ruby
bundle audit
# Java (Maven)
mvn dependency-check:check
Severity Classification
CRITICAL 🚨
Remote code execution
SQL injection
Authentication bypass
Publicly exploitable
HIGH ⚠️
Cross-site scripting
Denial of service
Information disclosure
Wide attack surface
MEDIUM 📋
Limited impact vulnerabilities
Requires specific conditions
Difficult to exploit
LOW 💡
Minor security improvements
Best practice violations
Minimal risk
Fix Strategies
Automatic Updates # Safe automatic fixes
npm audit fix
# May include breaking changes
npm audit fix --force
Manual Updates # Check what will change
npm outdated
# Update specific package
npm update lodash
# Major version update
npm install lodash@latest
Alternative Packages Vulnerable: [email protected] (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]
Integration with CI/CD
Block Deployments # .github/workflows/security.yml
- name: Dependency audit
run: |
npm audit --audit-level=high
# Fails if HIGH or CRITICAL found
Scheduled Audits # Weekly dependency check
on:
schedule:
- cron: '0 0 * * 0'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: npm audit
Sandboxing Compatibility Works without sandboxing: ✅ Yes
Works with sandboxing: ⚙️ Needs npm/pip registry access
{
"network": {
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"rubygems.org",
"repo.maven.apache.org"
]
}
}
License Checking I also check license compatibility:
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: [email protected]
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
Best Practices
Regular audits : Run weekly or on every dependency change
Update frequently : Keep dependencies current
Review breaking changes : Test before major updates
Pin versions : Use exact versions in production
Audit lock files : Commit and audit lock files
Related Tools
security-auditor skill : Code vulnerability detection
@architect sub-agent : Dependency strategy
/review command : Pre-deployment security check
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).