From agents-plugin
Audits project dependencies for CVEs, outdated packages, and license issues in Node.js (npm/yarn/bun/pnpm), Python (pip), Rust (cargo), and Go ecosystems. Outputs prioritized issues with upgrade recommendations.
Install:

```bash
npx claudepluginhub laurigates/claude-plugins --plugin agents-plugin
```

Model: haiku

Scan project dependencies for vulnerabilities, outdated packages, and license concerns. Isolates verbose audit output.

- **Input**: Project with dependency files (package.json, pyproject.toml, Cargo.toml, go.mod)
- **Output**: Prioritized list of dependency issues with upgrade guidance
- **Steps**: 5-10, comprehensive scan
- **Value**: `npm audit`, `pip-audit` output can be massive; agent extracts actionable items
`npm audit` and `pip-audit` output can be massive; the agent extracts actionable items from the output of commands such as these:

```bash
# Node.js (npm/yarn/bun/pnpm). `head` keeps the context small but can cut the
# JSON document short: truncate only when the output is read as text, not parsed.
npm audit --json 2>/dev/null | head -200
npm outdated --json 2>/dev/null
npx license-checker --summary 2>/dev/null

# Python (pip). pip itself has no `audit` subcommand; the fallback runs pip-audit as a module.
pip-audit --format=json 2>/dev/null || python -m pip_audit --format=json 2>/dev/null
pip list --outdated --format=json 2>/dev/null

# Rust (cargo). Needs the cargo-audit and cargo-outdated subcommands installed.
cargo audit --json 2>/dev/null
cargo outdated --root-deps-only 2>/dev/null

# Go. govulncheck comes from golang.org/x/vuln/cmd/govulncheck.
go list -m -json all 2>/dev/null | head -100
govulncheck ./... 2>/dev/null
```
| Level | Action | Examples |
|---|---|---|
| Critical | Upgrade immediately | RCE, auth bypass |
| High | Upgrade this sprint | XSS, SQL injection in dep |
| Medium | Plan upgrade | DoS, info disclosure |
| Low | Track for next update | Minor issues, theoretical |
## Dependency Audit: [PROJECT]
**Ecosystem**: Node.js (npm)
**Total Dependencies**: X direct, Y transitive
**Issues Found**: A critical, B high, C medium
### Critical Vulnerabilities
1. **lodash@4.17.20** → 4.17.21
- CVE-2021-23337: Command injection via template
- Fix: `npm install lodash@4.17.21`
### Outdated (Major)
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| express | 4.18.2 | 5.0.0 | Middleware API changed |
| react | 17.0.2 | 18.2.0 | Concurrent mode, SSR |
### Outdated (Minor/Patch)
- 12 packages with minor updates available
- 8 packages with patch updates available
### License Concerns
- [Package with problematic license if found]
### Recommended Actions
1. `npm install lodash@4.17.21` (patch-level security fix, no breaking changes)
2. Plan express@5 migration (breaking changes, test required)
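The "extract actionable items" step in code, covering the commands, the severity table and the report template above: an added example for this page, not the plugin's own code. It takes `npm audit --json` output (report version 2, as produced by npm 7 and later), drops entries that are only transitively vulnerable, maps npm's severity words onto the table's actions, flags fixes that require a semver-major bump, and renders entries in the report's style. `SAMPLE_AUDIT` is a constructed fixture shaped like real npm output; every package in it except lodash, and every advisory title, is invented for illustration, while the lodash entry reuses the CVE and fix version from the example report.

```python
"""Reduce `npm audit --json` output (report version 2, npm 7+) to the
prioritized list this agent reports. Added example for this page, not the
plugin's own code. SAMPLE_AUDIT is a constructed fixture shaped like real npm
output; every package except lodash and every advisory title is invented."""
import json
import sys
from dataclasses import dataclass
from typing import Any

# Severity -> action from the table above. npm says "moderate" where the
# table says "Medium"; unknown levels (e.g. "info") sort after "low".
ACTIONS = {
    "critical": "Upgrade immediately",
    "high": "Upgrade this sprint",
    "moderate": "Plan upgrade",
    "low": "Track for next update",
}
RANK = {level: i for i, level in enumerate(ACTIONS)}

@dataclass(frozen=True)
class Issue:
    package: str
    severity: str
    title: str
    affected_range: str
    direct: bool
    fix: str
    breaking: bool  # fix needs a semver-major bump

def _describe_fix(fix_available: Any) -> tuple[str, bool]:
    # fixAvailable is True, False, or {"name", "version", "isSemVerMajor"}; the
    # dict form is what `npm audit fix --force` would do, so surface the major bump.
    if fix_available is True:
        return "npm audit fix", False
    if isinstance(fix_available, dict):
        target = f"{fix_available.get('name')}@{fix_available.get('version')}"
        if fix_available.get("isSemVerMajor"):
            return f"upgrade {target} (semver-major)", True
        return f"upgrade {target}", False
    return "no fix available", False

def parse_npm_audit(report: dict) -> list[Issue]:
    issues: list[Issue] = []
    for name, entry in report.get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (root cause) with bare strings naming another
        # vulnerable package this one depends on. String-only entries are transitive
        # noise already reported under the root package, so skip them.
        titles = [v["title"] for v in entry.get("via", []) if isinstance(v, dict)]
        if not titles:
            continue
        fix, breaking = _describe_fix(entry.get("fixAvailable"))
        issues.append(Issue(name, entry.get("severity", "unknown"), "; ".join(titles),
                            entry.get("range", "*"), bool(entry.get("isDirect")), fix, breaking))
    # Most severe first; at equal severity, direct deps (which you can bump yourself) first.
    issues.sort(key=lambda i: (RANK.get(i.severity, len(RANK)), not i.direct, i.package))
    return issues

def count_by_severity(issues: list[Issue]) -> dict[str, int]:
    """Counts for the report header ("A critical, B high, C medium")."""
    return {level: sum(i.severity == level for i in issues) for level in ACTIONS}

def render(issues: list[Issue]) -> list[str]:
    """Markdown lines in the style of the report template above."""
    lines = []
    for n, i in enumerate(issues, 1):
        flag = " (breaking change, test required)" if i.breaking else ""
        lines.append(f"{n}. **{i.package}** {i.affected_range} [{i.severity}]: {i.title}")
        lines.append(f"   - {ACTIONS.get(i.severity, 'Review')}: {i.fix}{flag}")
    return lines

SAMPLE_AUDIT = {  # constructed, not real npm output
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {  # CVE and fix version as in the example report above
            "severity": "high", "isDirect": True, "range": "<4.17.21", "fixAvailable": True,
            "via": [{"name": "lodash", "title": "Command injection via template (CVE-2021-23337)",
                     "severity": "high", "range": "<4.17.21"}]},
        "my-tool": {  # vulnerable only through lodash: `via` is a string, not an advisory
            "severity": "high", "isDirect": True, "range": "*", "fixAvailable": True,
            "via": ["lodash"]},
        "old-parser": {  # only fix is a major bump of the framework that pulls it in
            "severity": "critical", "isDirect": False, "range": "<2.0.0",
            "fixAvailable": {"name": "some-framework", "version": "5.0.0", "isSemVerMajor": True},
            "via": [{"name": "old-parser", "title": "Unsafe deserialization (RCE)",
                     "severity": "critical", "range": "<2.0.0"}]},
        "tiny-util": {  # known issue, no fixed release yet
            "severity": "low", "isDirect": True, "range": "<1.2.3", "fixAvailable": False,
            "via": [{"name": "tiny-util", "title": "Regular expression DoS",
                     "severity": "low", "range": "<1.2.3"}]},
    },
}

if __name__ == "__main__":
    # Usage: npm audit --json 2>/dev/null | python3 audit_triage.py
    # (`npm audit` exits non-zero when it finds issues; that is fine here.)
    report = SAMPLE_AUDIT if sys.stdin.isatty() else json.load(sys.stdin)
    issues = parse_npm_audit(report)
    print("Issues found:", ", ".join(f"{v} {k}" for k, v in count_by_severity(issues).items()))
    print("\n".join(render(issues)))
```

Two details matter more than the sorting: `via` entries that are plain strings are not advisories, so counting them inflates the report with duplicates, and a `fixAvailable` object with `isSemVerMajor: true` is the case where blindly running `npm audit fix --force` pulls in breaking changes, which is exactly what the template's "Breaking Changes" column is meant to call out.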
Recommended role: Subagent
Dependency auditing is best as a subagent — it's a quick, focused task that produces a single report. The verbose audit output is isolated from the main context and only actionable findings are returned.
| Mode | When to Use |
|---|---|
| Subagent | Standard dependency health check — run audit, return findings |
| Teammate | Only if auditing multiple ecosystems in a monorepo simultaneously |