Agent skill
package-audit
Scan for security vulnerabilities using pnpm audit, Snyk, and automated tools. Use when checking security, before deployments, or resolving CVEs.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/security/package-audit-sgcarstrends-sgcarstrends
SKILL.md
Package Audit Skill
This skill helps you scan for and fix security vulnerabilities in npm dependencies.
When to Use This Skill
- Scanning for security vulnerabilities
- Before production deployments
- Resolving CVE alerts
- Regular security audits
- Dependency health checks
- Compliance requirements
- Pre-commit security checks
Security Audit Tools
pnpm audit
Built-in vulnerability scanner:
bash
# Run audit
pnpm audit
# Output example:
# ┌───────────────┬──────────────────────────────────────────────────────────────┐
# │ moderate │ Prototype Pollution in lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Package │ lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Vulnerable │ <4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Patched in │ >=4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Path │ lodash │
# └───────────────┴──────────────────────────────────────────────────────────────┘
Snyk
Advanced vulnerability scanning:
bash
# Install Snyk CLI
pnpm add -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor project
snyk monitor
# Fix vulnerabilities
snyk fix
Running Audits
Basic Audit
bash
# Audit all packages
pnpm audit
# Audit specific workspace
pnpm -F @sgcarstrends/api audit
# Audit production dependencies only
pnpm audit --prod
# Get JSON output
pnpm audit --json > audit-report.json
Severity Levels
bash
# Only show high/critical
pnpm audit --audit-level=high
# Audit levels:
# - info
# - low
# - moderate
# - high
# - critical
Automated Fix
bash
# Automatically fix vulnerabilities
pnpm audit --fix
# Dry run (preview fixes)
pnpm audit --fix --dry-run
Understanding Audit Results
Vulnerability Report
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ semver │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Vulnerable │ <5.7.2 || >=6.0.0 <6.3.1 || >=7.0.0 <7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.7.2 <6.0.0 || >=6.3.1 <7.0.0 || >=7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │
└───────────────┴──────────────────────────────────────────────────────────────┘
Key Information:
- Severity: critical, high, moderate, low, info
- Package: Affected package name
- Vulnerable: Vulnerable version range
- Patched in: Fixed version range
- Path: Dependency path (direct or transitive)
JSON Report Analysis
bash
# Generate JSON report
pnpm audit --json > audit.json
# Parse with jq
cat audit.json | jq '.vulnerabilities | length'
cat audit.json | jq '.vulnerabilities | group_by(.severity)'
# Filter critical vulnerabilities
cat audit.json | jq '.vulnerabilities[] | select(.severity == "critical")'
Fixing Vulnerabilities
Direct Dependencies
bash
# Step 1: Identify vulnerable package
pnpm audit
# Step 2: Check available versions
pnpm view package-name versions
# Step 3: Update catalog
# pnpm-workspace.yaml
catalog:
lodash: ^4.17.21 # Updated from ^4.17.19
# Step 4: Install
pnpm install
# Step 5: Verify fix
pnpm audit
Transitive Dependencies
bash
# Step 1: Identify dependency chain
pnpm why vulnerable-package
# Output:
# parent-package 1.0.0
# └─┬ intermediate-package 2.0.0
# └── vulnerable-package 3.0.0
# Step 2: Update parent package
catalog:
parent-package: ^2.0.0 # Newer version with fixed dependency
# Step 3: Or use overrides (last resort)
{
"pnpm": {
"overrides": {
"vulnerable-package": "^3.1.0"
}
}
}
Using Overrides
json
// package.json
{
"pnpm": {
"overrides": {
// Fix specific vulnerability
"lodash": "^4.17.21",
// Fix across all dependencies
"semver@<7.5.2": "^7.5.2",
// Fix in specific dependency
"some-package>vulnerable-dep": "^2.0.0"
}
}
}
Snyk Integration
Setup
bash
# Install Snyk
pnpm add -g snyk
# Authenticate
snyk auth
# Test project
snyk test
# Monitor for new vulnerabilities
snyk monitor
Snyk Commands
bash
# Test for vulnerabilities
snyk test
# Test with severity threshold
snyk test --severity-threshold=high
# Test specific file
snyk test --file=package.json
# Ignore specific vulnerabilities
snyk ignore --id=SNYK-JS-LODASH-1018905
# Generate HTML report
snyk test --json | snyk-to-html -o snyk-report.html
Snyk Configuration
yaml
# .snyk
version: v1.25.0
ignore:
# Ignore low severity
'SNYK-JS-LODASH-1018905':
- '*':
reason: Low severity, no fix available
expires: 2024-12-31
# Ignore specific path
'SNYK-JS-AXIOS-1234567':
- 'dev-dependency > axios':
reason: Dev dependency only
expires: never
CI Integration
GitHub Actions
yaml
# .github/workflows/security.yml
name: Security Audit
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly on Monday
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- run: pnpm audit --audit-level=moderate
# Fail on high/critical vulnerabilities
- name: Check for high/critical vulnerabilities
run: |
AUDIT_OUTPUT=$(pnpm audit --json)
HIGH=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.high // 0')
CRITICAL=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.critical // 0')
if [ $HIGH -gt 0 ] || [ $CRITICAL -gt 0 ]; then
echo "High or critical vulnerabilities found!"
exit 1
fi
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/setup@master
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- name: Snyk test
run: snyk test --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk monitor
run: snyk monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Automated Dependency Updates
Dependabot
yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
# Auto-merge security patches
groups:
security:
patterns:
- "*"
update-types:
- "patch"
# Ignore major versions
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
Renovate
json
// renovate.json
{
"extends": ["config:base"],
"vulnerabilityAlerts": {
"enabled": true,
"automerge": true
},
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"matchCurrentVersion": "!/^0/",
"automerge": true,
"automergeType": "branch"
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]
}
Best Practices
1. Regular Audits
bash
# ❌ Only audit before deployment
pnpm audit # Once every few months
# ✅ Regular schedule
# - Daily: Automated CI checks
# - Weekly: Manual review
# - Before deployment: Final check
2. Prioritize Fixes
bash
# ❌ Try to fix everything at once
pnpm audit --fix
# ✅ Prioritize by severity
# 1. Critical: Fix immediately
# 2. High: Fix within 1 week
# 3. Moderate: Fix within 1 month
# 4. Low: Fix when convenient
3. Verify Fixes
bash
# ❌ Just update and deploy
pnpm audit --fix
git push
# ✅ Test after fixing
pnpm audit --fix
pnpm test # Run tests
pnpm build # Build check
pnpm dev # Manual testing
git commit && git push
4. Document Decisions
yaml
# .snyk
ignore:
'SNYK-JS-LODASH-1018905':
- '*':
reason: >
Low severity prototype pollution.
Package only used in dev scripts.
No fix available yet.
Monitoring for updates.
expires: 2024-12-31
created: 2024-01-15
Handling Common Scenarios
No Fix Available
bash
# Issue: Vulnerability with no fix
# Options:
# 1. Wait for fix (monitor regularly)
snyk monitor
# 2. Find alternative package
pnpm remove vulnerable-package
pnpm add alternative-package
# 3. Accept risk (document decision)
# Add to .snyk with expiration date
Breaking Changes in Fix
bash
# Issue: Fix requires major version upgrade
# Solution:
# 1. Review breaking changes
pnpm view package-name changelog
# 2. Create migration branch
git checkout -b upgrade/package-name
# 3. Update and test
catalog:
package-name: ^2.0.0 # Major version
pnpm install
pnpm test
# 4. Fix breaking changes
# 5. Commit and merge
False Positives
bash
# Issue: Vulnerability doesn't affect your code
# Solution: Ignore with justification
# .snyk
ignore:
'SNYK-ID':
- 'package-name':
reason: >
False positive.
Vulnerable code path not used in our application.
Only affects feature X which we don't use.
expires: never
Security Audit Checklist
- Run
pnpm auditregularly - Fix critical and high vulnerabilities immediately
- Monitor for new vulnerabilities (Snyk/Dependabot)
- Document ignored vulnerabilities
- Review security patches before applying
- Test thoroughly after fixes
- Keep audit logs for compliance
- Update security policy as needed
References
- pnpm Audit: https://pnpm.io/cli/audit
- Snyk: https://snyk.io
- npm Security Advisories: https://github.com/advisories
- OWASP Dependency Check: https://owasp.org/www-project-dependency-check
- Related files:
.snyk- Snyk configuration.github/dependabot.yml- Dependabot config- Root CLAUDE.md - Security guidelines
Best Practices Summary
- Regular Audits: Run audits daily in CI, weekly manually
- Prioritize Severity: Fix critical/high first, then moderate/low
- Automate Security: Use Dependabot or Renovate
- Test Fixes: Always test after applying security patches
- Document Decisions: Explain ignored vulnerabilities
- Monitor Continuously: Use Snyk monitor for ongoing tracking
- Review Dependencies: Regularly review and remove unused packages
- Stay Informed: Subscribe to security advisories for key packages
Didn't find tool you were looking for?