From security-toolkit
Audits dependencies for security vulnerabilities in Node.js, Python, Go, Ruby, Rust projects using npm audit, pip-audit, govulncheck, bundle audit; includes fixes and verification.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-toolkit:dependency-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit dependencies based on project type:
Audit dependencies based on project type:
# Node.js
npm audit
# Python
pip-audit
# Go
govulncheck ./...
Check for manifest files:
package.json / package-lock.json → npm/yarnrequirements.txt / pyproject.toml → pipgo.mod → Go modulesCargo.toml → Cargo (Rust)Gemfile → Bundler (Ruby)Node.js (npm):
npm audit
npm audit --json # Machine-readable output
Node.js (yarn):
yarn audit
yarn audit --json
Python:
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
Go:
govulncheck ./...
Ruby:
bundle audit check --update
Categorize by severity:
| Severity | CVSS | Action |
|---|---|---|
| Critical | 9.0+ | Update immediately |
| High | 7.0-8.9 | Update within 24h |
| Moderate | 4.0-6.9 | Update this sprint |
| Low | < 4.0 | Update when convenient |
npm - Auto-fix:
npm audit fix
npm audit fix --force # Breaking changes allowed
npm - Manual update:
npm update vulnerable-package
# or specific version
npm install [email protected]
Python - Update package:
pip install --upgrade vulnerable-package
# or pin safe version in requirements.txt
vulnerable-package>=2.0.0
Re-run audit to confirm:
npm audit # Should show 0 vulnerabilities
pip-audit # Should show no issues
When vulnerability is in a sub-dependency:
# Check dependency tree
npm ls vulnerable-package
# Force resolution (npm)
# Add to package.json:
{
"overrides": {
"vulnerable-package": "2.0.0"
}
}
When no patched version exists:
When fix requires major version bump:
## Dependency Audit Report
**Project:** my-app
**Date:** 2024-01-15
**Total Dependencies:** 245
**Vulnerabilities Found:** 3
### Critical (1)
**lodash** - Prototype Pollution
- Installed: 4.17.15
- Fixed in: 4.17.21
- CVE: CVE-2021-23337
- Fix: `npm install [email protected]`
### High (1)
**axios** - SSRF Vulnerability
- Installed: 0.21.0
- Fixed in: 0.21.2
- CVE: CVE-2021-3749
- Fix: `npm install [email protected]`
### Moderate (1)
**minimist** - Prototype Pollution
- Installed: 1.2.5
- Fixed in: 1.2.6
- CVE: CVE-2021-44906
- Fix: `npm audit fix`
- name: Audit dependencies
run: |
npm audit --audit-level=high
# Fails if high or critical vulnerabilities found
# package.json scripts
{
"scripts": {
"precommit": "npm audit --audit-level=moderate"
}
}
npx claudepluginhub p/armanzeroeight-security-toolkit-plugins-security-toolkitAudits project dependencies for CVEs using detected package manager, reports vulnerabilities with installed/fixed versions and exact upgrade commands. Includes auto-fix and banned-packages check.
Scans project dependencies for known CVEs and security vulnerabilities across npm, pip, cargo, and other ecosystems. Supports severity filtering and auto-fix.
Audit project dependencies for known vulnerabilities using ecosystem-specific tools (npm audit, composer audit, pip-audit, cargo audit, etc).