Agent skill

dependency-auditor

Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.

View SKILL.md on GitHub Repository
Stars 675
Forks 152

Install this agent skill to your Project

npx add-skill https://github.com/alirezarezvani/claude-code-tresor/tree/main/skills/security/dependency-auditor

SKILL.md

Dependency Auditor Skill

Automatic dependency vulnerability checking.

When I Activate

  • ✅ package.json modified
  • ✅ requirements.txt changed
  • ✅ Gemfile or pom.xml modified
  • ✅ User mentions dependencies or vulnerabilities
  • ✅ Before deployments
  • ✅ yarn.lock or package-lock.json changes

What I Check

Dependency Vulnerabilities

  • Known CVEs in packages
  • Outdated dependencies with security fixes
  • Malicious packages
  • License compatibility issues
  • Deprecated packages

Package Managers Supported

  • Node.js: npm, yarn, pnpm
  • Python: pip, pipenv, poetry
  • Ruby: bundler
  • Java: Maven, Gradle
  • Go: go modules
  • PHP: composer

Example Alerts

NPM Vulnerability

bash
# You run: npm install lodash

# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
   https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher

Python Vulnerability

bash
# You modify requirements.txt: django==2.2.0

# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities
Recommendation: Update immediately to Django@2.2.28+

Multiple Vulnerabilities

bash
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
  - 3 CRITICAL
  - 2 HIGH
  - 2 MEDIUM
  - 1 LOW

Critical issues:
  1. axios@0.21.0 - SSRF vulnerability
     Fix: npm install axios@latest

  2. ajv@6.10.0 - Prototype pollution
     Fix: npm install ajv@^8.0.0

  3. node-fetch@2.6.0 - Information disclosure
     Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues

Automatic Actions

On Dependency Changes

yaml
1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes

Audit Commands

bash
# Node.js
npm audit
npm audit --json  # Structured output

# Python
pip-audit
safety check

# Ruby
bundle audit

# Java (Maven)
mvn dependency-check:check

Severity Classification

CRITICAL 🚨

  • Remote code execution
  • SQL injection
  • Authentication bypass
  • Publicly exploitable

HIGH ⚠️

  • Cross-site scripting
  • Denial of service
  • Information disclosure
  • Wide attack surface

MEDIUM 📋

  • Limited impact vulnerabilities
  • Requires specific conditions
  • Difficult to exploit

LOW 💡

  • Minor security improvements
  • Best practice violations
  • Minimal risk

Fix Strategies

Automatic Updates

bash
# Safe automatic fixes
npm audit fix

# May include breaking changes
npm audit fix --force

Manual Updates

bash
# Check what will change
npm outdated

# Update specific package
npm update lodash

# Major version update
npm install lodash@latest

Alternative Packages

Vulnerable: request@2.88.0 (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]

Integration with CI/CD

Block Deployments

yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found

Scheduled Audits

yaml
# Weekly dependency check
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm audit

Sandboxing Compatibility

Works without sandboxing: ✅ Yes Works with sandboxing: ⚙️ Needs npm/pip registry access

Sandbox config:

json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}

License Checking

I also check license compatibility:

⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative

Best Practices

  1. Regular audits: Run weekly or on every dependency change
  2. Update frequently: Keep dependencies current
  3. Review breaking changes: Test before major updates
  4. Pin versions: Use exact versions in production
  5. Audit lock files: Commit and audit lock files

Related Tools

  • security-auditor skill: Code vulnerability detection
  • @architect sub-agent: Dependency strategy
  • /review command: Pre-deployment security check

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

alirezarezvani/claude-code-tresor

api-documenter

Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.

675 152
Explore
alirezarezvani/claude-code-tresor

readme-updater

Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.

675 152
Explore
alirezarezvani/claude-code-tresor

security-auditor

Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.

675 152
Explore
alirezarezvani/claude-code-tresor

secret-scanner

Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.

675 152
Explore
alirezarezvani/claude-code-tresor

code-reviewer

Automatic code quality and best practices analysis. Use proactively when files are modified, saved, or committed. Analyzes code style, patterns, potential bugs, and security basics. Triggers on file changes, git diff, code edits, quality mentions.

675 152
Explore
alirezarezvani/claude-code-tresor

test-generator

Automatically suggest tests for new functions and components. Use when new code is written, functions added, or user mentions testing. Creates test scaffolding with Jest, Vitest, Pytest patterns. Triggers on new functions, components, test requests, testing mentions.

675 152
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results