| name | dependency-auditor |
|---|---|
| description | Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions. |
| allowed-tools | Bash, Read |
Automatic dependency vulnerability checking.

I activate when:
- ✅ package.json modified
- ✅ requirements.txt changed
- ✅ Gemfile or pom.xml modified
- ✅ User mentions dependencies or vulnerabilities
- ✅ Before deployments
- ✅ yarn.lock or package-lock.json changes

What I check:
- Known CVEs in packages, as published in the ecosystem's advisory database (GitHub Advisory Database for npm, PyPI/OSV for Python, ruby-advisory-db for bundler, NVD for Maven)
- Outdated dependencies with security fixes
- Malicious packages, where an advisory has been published for them (an audit is not a substitute for reviewing a new package before adding it)
- License compatibility issues
- Deprecated packages (no further security fixes will be released)

Supported package managers:
- Node.js: npm, yarn, pnpm
- Python: pip, pipenv, poetry
- Ruby: bundler
- Java: Maven, Gradle
- Go: go modules
- PHP: composer
```text
# You run: npm install lodash
# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.20 for CVE-2020-8203; 4.17.21 also fixes CVE-2020-28500 (ReDoS) and CVE-2021-23337 (command injection via template)
🔧 Fix: npm update lodash   (stays within the declared semver range)
📖 CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
Recommendation: Update to lodash@4.17.21 or higher
```

```text
# You modify requirements.txt: django==2.2.0
# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28 (the final 2.2.x release; the 2.2 series is end-of-life and receives no further fixes)
🔧 Fix: Update requirements.txt to Django==2.2.28, or better to a currently supported LTS release
📖 CVEs: CVE-2021-33203 (directory traversal via django.contrib.admindocs), CVE-2021-33571 (leading zeros accepted in IPv4 octets by URLValidator, allowing IP-based access control bypass)
Affected: those two are fixed in 2.2.24; the 2.2.x line also fixed SQL injection (e.g. CVE-2022-28346, fixed in 2.2.28) and admin XSS (CVE-2020-13596, fixed in 2.2.13)
Recommendation: Update immediately to Django@2.2.28 or a supported release
```

```text
# After npm install:
🚨 Dependency audit found 8 vulnerabilities:
- 3 CRITICAL
- 2 HIGH
- 2 MEDIUM
- 1 LOW
Critical issues:
1. axios@0.21.0 - SSRF vulnerability
   Fix: npm install axios@latest
2. ajv@6.10.0 - Prototype pollution
   Fix: npm install ajv@^6.12.3   (ajv@^8 also fixes it, but is a major version with breaking changes)
3. node-fetch@2.6.0 - Information disclosure
   Fix: npm install node-fetch@^2.6.7
Run 'npm audit fix' to automatically fix 6/8 issues
```

How I audit:
1. Detect the package manager from the manifests and lockfiles present (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Gemfile.lock, pom.xml, go.sum, composer.lock)
2. Run the security audit command, in JSON mode where the tool supports it
3. Parse vulnerability results (package, affected range, advisory, fix version)
4. Categorize by severity, most severe first
5. Suggest fixes, preferring the smallest version change that clears the advisory
6. Flag fixes that need a major version change (breaking changes) so they are not applied blindly
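The six steps above, worked through for npm as an added example (this is not code from the dependency-auditor skill). It reads the `npm audit --json` report format of npm 7 and later (`auditReportVersion` 2), where each entry under `vulnerabilities` carries `severity`, `range`, `isDirect`, `via` and `fixAvailable`; `fixAvailable` is `true`, `false`, or an object naming the top-level package that must change, with `isSemVerMajor` set when that is a breaking upgrade. The package-manager table, the severity mapping and the `--audit-level` gate are the page's own rules; `SAMPLE_REPORT` is constructed by hand in that shape, with advisory details abbreviated, so the script runs offline.

```python
"""Turn an `npm audit --json` report into the summary, fix list and CI gate
described above. Added example; SAMPLE_REPORT is constructed, not real npm output."""
import json
import subprocess

# Step 1: manifest/lockfile -> (package manager, audit command).
AUDIT_COMMANDS = {
    "package-lock.json": ("npm", "npm audit --json"),
    "yarn.lock": ("yarn", "yarn audit --json"),
    "pnpm-lock.yaml": ("pnpm", "pnpm audit --json"),
    "requirements.txt": ("pip", "pip-audit -r requirements.txt -f json"),
    "Gemfile.lock": ("bundler", "bundle audit check --update"),
    "pom.xml": ("maven", "mvn org.owasp:dependency-check-maven:check"),
    "go.sum": ("go", "govulncheck -json ./..."),
    "composer.lock": ("composer", "composer audit --format=json"),
}
# npm reports info/low/moderate/high/critical; map to the buckets used above.
RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
LABEL = {"info": "INFO", "low": "LOW", "moderate": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}


def detect_package_managers(filenames):
    """Step 1: choose audit commands from the files in the project root."""
    present = set(filenames)
    return [AUDIT_COMMANDS[f] for f in AUDIT_COMMANDS if f in present]


def run_npm_audit(project_dir):
    """Step 2: npm audit exits non-zero whenever it finds anything, so never
    use check=True; the JSON report is on stdout regardless of exit status."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def parse_npm_audit(report):
    """Steps 3-6: flatten the per-package entries into findings, most severe first."""
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (this package is the root cause) with
        # plain strings (only affected through another vulnerable dependency).
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        via_names = [v for v in vuln.get("via", []) if isinstance(v, str)]
        fix = vuln.get("fixAvailable")
        if fix is True:
            fix_cmd, breaking = "npm audit fix", False
        elif isinstance(fix, dict):  # a top-level dependency must be changed
            breaking = bool(fix.get("isSemVerMajor"))
            fix_cmd = f"npm install {fix['name']}@{fix['version']}"
            if breaking:
                fix_cmd += "  (major version bump: review breaking changes first)"
        else:
            fix_cmd, breaking = "no fix available yet", False
        sev = vuln.get("severity", "info")
        findings.append({
            "package": name, "severity": LABEL.get(sev, "INFO"), "rank": RANK.get(sev, 0),
            "range": vuln.get("range", ""), "direct": bool(vuln.get("isDirect")),
            "titles": [a.get("title", "") for a in advisories],
            "urls": [a.get("url", "") for a in advisories],
            "via": via_names, "fix": fix_cmd, "breaking": breaking,
        })
    findings.sort(key=lambda f: (-f["rank"], f["package"]))
    return findings


def count_by_severity(findings):
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0, "INFO": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def fails_audit_level(findings, level="high"):
    """Same gate as `npm audit --audit-level=<level>`: fail if anything is at or above it."""
    return any(f["rank"] >= RANK[level] for f in findings)


def format_report(findings):
    counts = count_by_severity(findings)
    lines = [f"Dependency audit found {sum(counts.values())} vulnerabilities:"]
    lines += [f"- {n} {sev}" for sev, n in counts.items() if n]
    for i, f in enumerate(findings, 1):
        kind = "direct" if f["direct"] else "transitive"
        title = "; ".join(t for t in f["titles"] if t) or "vulnerable through " + ", ".join(f["via"])
        lines.append(f"{i}. {f['package']} {f['range']} [{f['severity']}, {kind}] - {title}")
        lines.append(f"   Fix: {f['fix']}")
    return "\n".join(lines)


# Constructed sample in the npm 7+ report shape (advisory fields abbreviated).
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True, "effects": [],
                   "via": [{"name": "lodash", "title": "Prototype Pollution in lodash",
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203",
                            "severity": "high", "range": "<4.17.20"}],
                   "range": "<4.17.21", "nodes": ["node_modules/lodash"], "fixAvailable": True},
        "ajv": {"name": "ajv", "severity": "moderate", "isDirect": False, "effects": ["eslint"],
                "via": [{"name": "ajv", "title": "Prototype Pollution in Ajv",
                         "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366",
                         "severity": "moderate", "range": "<6.12.3"}],
                "range": "<6.12.3", "nodes": ["node_modules/ajv"],
                "fixAvailable": {"name": "eslint", "version": "8.57.0", "isSemVerMajor": True}},
        "eslint": {"name": "eslint", "severity": "moderate", "isDirect": True, "effects": [],
                   "via": ["ajv"], "range": "<=5.16.0", "nodes": ["node_modules/eslint"],
                   "fixAvailable": {"name": "eslint", "version": "8.57.0", "isSemVerMajor": True}},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2, "high": 1, "critical": 0, "total": 3}},
}

if __name__ == "__main__":
    for pm, cmd in detect_package_managers(["package.json", "package-lock.json", "requirements.txt"]):
        print(f"{pm}: {cmd}")
    found = parse_npm_audit(SAMPLE_REPORT)
    print(format_report(found))
    print("gate (--audit-level=high):", "FAIL" if fails_audit_level(found, "high") else "PASS")
```

The `eslint` entry shows why step 6 matters: its only vulnerability is inherited from `ajv`, and the only fix npm offers is a major upgrade of `eslint` itself, so the report marks it as breaking rather than letting `npm audit fix` silently apply it. The same `fails_audit_level` check is what the `--audit-level=high` CI gate further down the page does.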
```bash
# Node.js
npm audit
npm audit --json              # Structured output (npm 7+ report format)
yarn audit                    # Yarn classic; Yarn Berry uses: yarn npm audit
pnpm audit
# Python
pip-audit                     # audits the active environment
pip-audit -r requirements.txt # audits a requirements file without installing it
safety check                  # 'safety scan' in Safety 3.x
# Ruby
bundle audit check --update   # bundler-audit gem; --update refreshes the advisory DB first
# Java
mvn org.owasp:dependency-check-maven:check   # OWASP Dependency-Check plugin
gradle dependencyCheckAnalyze               # with the org.owasp.dependencycheck plugin applied
# Go
govulncheck ./...             # reports only vulnerable functions actually reachable from your code
# PHP
composer audit
```

How I categorize severity. The tools report their own severity (npm uses info/low/moderate/high/critical, taken from the advisory's CVSS score); I map "moderate" to MEDIUM and bucket findings as follows:

CRITICAL:
- Remote code execution
- SQL injection
- Authentication bypass
- Publicly exploitable (exploit code available)

HIGH:
- Cross-site scripting
- Denial of service
- Information disclosure
- Wide attack surface

MEDIUM:
- Limited impact vulnerabilities
- Requires specific conditions
- Difficult to exploit

LOW:
- Minor security improvements
- Best practice violations
- Minimal risk

A vulnerable transitive dependency whose affected code path your application never calls still counts at its reported severity; only govulncheck checks reachability, so treat the others as an upper bound and confirm before dismissing a finding.
```bash
# Safe automatic fixes (stays within the semver ranges declared in package.json)
npm audit fix
# May install semver-major updates, which can include breaking changes:
# review the resulting package.json / package-lock.json diff and run the test suite
npm audit fix --force
```

```bash
# Check what will change
npm outdated
# Update a specific package within its declared range
npm update lodash
# Major version update (rewrites the range in package.json)
npm install lodash@latest
```

Deprecated packages get no further security fixes, so the only remediation is a replacement:

```text
Vulnerable: request@2.88.0 (deprecated, no further security fixes)
Alternative: axios or node-fetch
Migration guide: [link]
```
```yaml
# .github/workflows/security.yml
- name: Dependency audit
  run: |
    # Exits non-zero (fails the job) if any HIGH or CRITICAL finding exists
    npm audit --audit-level=high
```

```yaml
# Weekly dependency check: catches advisories published after the last commit
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Without --audit-level, npm audit fails on any severity, including low
      - run: npm audit --audit-level=high
```

Works without sandboxing: ✅ Yes
Works with sandboxing: ⚙️ Needs network access to the package registries and to the advisory sources the auditors query
Sandbox config:
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org",
      "github.com",
      "services.nvd.nist.gov",
      "vuln.go.dev"
    ]
  }
}

Registry access alone is not enough for every tool: bundler-audit clones its advisory database from github.com (rubysec/ruby-advisory-db), OWASP Dependency-Check downloads NVD data from services.nvd.nist.gov, govulncheck queries vuln.go.dev, and pip-audit needs api.osv.dev if run with `--vulnerability-service osv`. A sandbox that blocks these produces an audit that silently checks against stale or empty data, so treat a failed advisory-database update as an audit failure, not a pass.

I also check license compatibility:

⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 is copyleft: distributing software that incorporates it requires releasing that software's source under GPL-3.0
🔧 Consider: Find an MIT/Apache-2.0 alternative, or confirm with legal counsel that the use is acceptable

License metadata comes from the package's own manifest and is self-reported; tools such as `npx license-checker` (npm) and `pip-licenses` (Python) list it across the dependency tree but cannot verify it.
Best practices:
- Regular audits: Run weekly or on every dependency change; new advisories are published for versions you already use
- Update frequently: Keep dependencies current; the fewer versions behind you are, the smaller and safer each security update is
- Review breaking changes: Test before major updates
- Pin versions: Use exact versions and a committed lockfile in production so the audit runs against what is actually deployed
- Audit lock files: Commit and audit lock files; transitive dependencies live there, not in package.json or requirements.txt

Related:
- security-auditor skill: Code vulnerability detection
- @architect sub-agent: Dependency strategy
- /review command: Pre-deployment security check