Check for vulnerable dependencies via npm audit
Scans project dependencies for known vulnerabilities and provides actionable fix commands.
/plugin marketplace add Rahat-ch/vibe-check
/plugin install rahat-ch-vibe-check@Rahat-ch/vibe-check

Scan dependencies for known vulnerabilities.
Usage: /vibe-check:deps
Detect the package manager from the lock file present and run the matching audit.

If npm:
```bash
npm audit --json 2>/dev/null
```
If pnpm:
```bash
pnpm audit --json 2>/dev/null
```
If yarn:
```bash
yarn audit --json 2>/dev/null
```
Two caveats: `npm audit` exits non-zero whenever it finds vulnerabilities, so do not treat the exit code as a failure; and because stderr is discarded, empty stdout means the command itself failed (no lock file, registry unreachable), not that the project is clean. Also, only npm 7+ emits the JSON layout shown below; pnpm follows the older npm v6 `advisories` layout and Yarn 1 streams newline-delimited JSON, so parse those separately.
npm audit JSON structure (npm 7+):
```json
{
  "vulnerabilities": {
    "package-name": {
      "name": "package-name",
      "severity": "high",
      "via": [...],
      "effects": [...],
      "range": ">=1.0.0 <1.2.3",
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "critical": 0,
      "high": 2,
      "moderate": 5,
      "low": 1
    }
  }
}
```
`via` lists the advisories that hit this package directly (objects with `title`, `url`, `severity`) or, for a transitive hit, the names of the parent packages that pull it in (strings). `effects` lists packages that depend on this one, and `range` is the vulnerable version range.
| npm Severity | vibe-check Severity |
|---|---|
| critical | CRITICAL |
| high | HIGH |
| moderate | MEDIUM |
| low | LOW |
For each vulnerability, check `fixAvailable`:

- `true`: include the upgrade command (`npm audit fix` will apply it)
- an object `{ "name", "version", "isSemVerMajor": true }`: npm 7+ uses this form when the only fix is a semver-major bump; include `npm install name@version` and flag it as a breaking change that `npm audit fix` will not apply without `--force`
- `false`: note as "requires manual intervention"

Flag regardless of vulnerabilities:
Check last publish date (a package with no release in years is likely unmaintained and will not receive security fixes; this query needs registry access):
```bash
npm view package-name time.modified
```
Check for lock file presence:

- package-lock.json (npm)
- pnpm-lock.yaml (pnpm)
- yarn.lock (yarn)

Missing lock file = MEDIUM severity (inconsistent installs: without a lock file each machine may resolve different versions, so the audit result is not reproducible either).
```text
[HIGH] Vulnerable Dependency: lodash
Package: lodash@4.17.20
Severity: High
Vulnerability: Command Injection via _.template (CVE-2021-23337)
Affected: lodash <4.17.21
Fix:
npm update lodash
# or
npm install lodash@latest
```
```text
[CRITICAL] Critical Vulnerability: next
Package: next@12.3.0
Severity: Critical
Vulnerability: Server-Side Request Forgery
Affected: next <13.4.6
Fix:
npm install next@latest
Note: Major version upgrade - review breaking changes:
https://nextjs.org/docs/upgrading
```
```text
Dependency Audit Summary
========================
Critical: 1
High: 2
Moderate: 5
Low: 3
Fixable: 8/11
```
Run to apply all non-breaking fixes:
```bash
npm audit fix
```
To also apply semver-major fixes (may break the build; review the changelogs and run the test suite afterwards):
```bash
npm audit fix --force
```
- `npx ncu -u` for bulk updates
- `^` for critical packages
- `npm audit` before each deploy