Automated security auditing of project dependencies to identify known vulnerabilities.
Scans project dependencies for known vulnerabilities, outdated packages, and supply chain risks. Use it when adding new dependencies or during security audits to get prioritized remediation guidance.
/plugin marketplace add CuriousLearner/devkit/plugin install devkit@devkit-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Automated security auditing of project dependencies to identify known vulnerabilities.
You are a dependency security expert. When invoked:
Scan Dependencies:
Vulnerability Assessment:
Supply Chain Security:
Remediation Guidance:
Generate Report: Create detailed security audit with prioritized action items
@dependency-auditor
@dependency-auditor --severity critical
@dependency-auditor --fix-suggestions
@dependency-auditor --include-transitive
@dependency-auditor package.json
@dependency-auditor --check-licenses
@dependency-auditor --supply-chain
# Check for vulnerabilities
npm audit
# Get detailed report
npm audit --json
# Check for specific severity
npm audit --audit-level=high
# Automatic fix (use with caution)
npm audit fix
# Fix only non-breaking changes
npm audit fix --only=prod
# Check with yarn
yarn audit
# Check with pnpm
pnpm audit
# Use external tools
npx snyk test
npx audit-ci --moderate
# Using pip-audit
pip-audit
# Using safety
safety check
safety check --json
# Check requirements file
pip-audit -r requirements.txt
# Using bandit for code issues
bandit -r . --severity-level high
# Check vulnerabilities
go list -json -m all | nancy sleuth
# Using govulncheck
govulncheck ./...
# Check specific module
go list -json -m golang.org/x/text | nancy sleuth
# Bundle audit
bundle audit check
bundle audit update
# Check with specific severity
bundle audit check --severity high
# OWASP Dependency Check
mvn dependency-check:check
# Using snyk
snyk test
# List vulnerable packages
dotnet list package --vulnerable
# Include transitive dependencies
dotnet list package --vulnerable --include-transitive
# Dependency Security Audit Report
**Project**: my-app
**Date**: 2024-01-15
**Total Dependencies**: 342 (direct: 45, transitive: 297)
**Vulnerabilities Found**: 23
**Risk Level**: HIGH
---
## Executive Summary
š“ **Critical**: 2 vulnerabilities
š **High**: 8 vulnerabilities
š” **Medium**: 10 vulnerabilities
š¢ **Low**: 3 vulnerabilities
**Immediate Action Required**: 2 critical vulnerabilities need patching now
**Recommendation**: Update 10 packages, replace 2 deprecated packages
---
## Critical Vulnerabilities (2)
### š“ CVE-2024-1234: Remote Code Execution in lodash
**Package**: lodash@4.17.15
**Severity**: Critical (CVSS 9.8)
**CWE**: CWE-94 (Code Injection)
**Description**:
Template function in lodash allows arbitrary code execution through prototype pollution.
**Attack Vector**: Network
**Complexity**: Low
**Privileges Required**: None
**User Interaction**: None
**Affected Versions**: < 4.17.21
**Fixed Version**: 4.17.21
**Exploitability**: High (exploit code publicly available)
**Impact**:
- Remote code execution on server
- Complete system compromise possible
- Data breach risk
**Remediation**:
```bash
npm install lodash@4.17.21
# or
npm update lodash
Verification:
// Test that vulnerability is fixed
const lodash = require('lodash');
console.log(lodash.VERSION); // Should be >= 4.17.21
Breaking Changes: None Priority: Fix immediately (within 24 hours)
Package: sequelize@6.3.5 Severity: Critical (CVSS 9.1) CWE: CWE-89 (SQL Injection)
Description: Raw query function improperly escapes user input, allowing SQL injection attacks.
Attack Vector: Network Complexity: Low Privileges Required: Low User Interaction: None
Affected Versions: 6.0.0 - 6.6.4 Fixed Version: 6.6.5 Exploitability: High
Impact:
Remediation:
npm install sequelize@6.6.5
Breaking Changes: Minor API changes in query builder Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/
Alternative: Consider using parameterized queries exclusively
Priority: Fix immediately (within 24 hours)
Package: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist) Severity: High (CVSS 7.3) CWE: CWE-1321 (Prototype Pollution)
Description: Argument parsing allows prototype pollution leading to property injection.
Affected Versions: < 1.2.6 Fixed Version: 1.2.6
Remediation:
# Update parent package
npm update mocha
# Or use resolutions (package.json)
{
"resolutions": {
"minimist": "^1.2.6"
}
}
Impact: Medium (requires specific usage patterns) Priority: Fix within 7 days
Package: marked@4.0.10 Severity: High (CVSS 7.1) CWE: CWE-79 (Cross-Site Scripting)
Description: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.
Affected Versions: < 4.0.16 Fixed Version: 4.0.16
Remediation:
npm install marked@4.0.16
Additional Protection:
// Use with DOMPurify for extra safety
import DOMPurify from 'dompurify';
import { marked } from 'marked';
const clean = DOMPurify.sanitize(marked(userInput));
Priority: Fix within 7 days
Package: express-fileupload@1.3.1 Severity: High (CVSS 7.5)
Description: File upload functionality doesn't properly validate file paths, allowing directory traversal.
Affected Versions: < 1.4.0 Fixed Version: 1.4.0
Remediation:
npm install express-fileupload@1.4.0
Additional Hardening:
app.use(fileUpload({
limits: { fileSize: 50 * 1024 * 1024 },
abortOnLimit: true,
safeFileNames: true,
preserveExtension: true,
uploadTimeout: 60000
}));
Priority: Fix within 7 days
Package: validator@13.7.0 Severity: Medium (CVSS 5.3) CWE: CWE-1333 (ReDoS)
Description: Email validation regex vulnerable to catastrophic backtracking.
Affected Versions: < 13.9.0 Fixed Version: 13.9.0
Impact: Service degradation, CPU exhaustion Priority: Fix within 30 days
my-app
āāā express@4.18.0
ā āāā body-parser@1.20.0
ā ā āāā qs@6.10.0 ā ļø Medium: CVE-2024-2222
ā āāā serve-static@1.15.0
ā āāā send@0.18.0 ā ļø Low: CVE-2024-3333
āāā mongoose@6.7.0
āāā mongodb@4.10.0 š“ High: CVE-2024-4444
Recommendations:
ā No suspicious packages detected
Status: Deprecated (since 2020-02-11) Reason: No longer maintained Used By: src/api/client.js
Recommendation: Migrate to modern alternatives
// Replace with axios
npm install axios
npm uninstall request
// Migration example
// Old:
const request = require('request');
request('https://api.example.com', (err, res, body) => {});
// New:
const axios = require('axios');
const response = await axios.get('https://api.example.com');
Status: Deprecated Reason: Renamed to 'uuid' Replacement: uuid@9.0.0
npm uninstall node-uuid
npm install uuid@9.0.0
Package: some-library@1.0.0 License: AGPL-3.0 Issue: May require source code disclosure
Recommendation:
All packages verified against npm registry checksums.
Largest packages:
1. @tensorflow/tfjs - 45.2 MB
2. puppeteer - 23.7 MB
3. aws-sdk - 18.3 MB
Recommendation: Consider using specific AWS SDK modules instead of full SDK.
| Package | Current | Latest | Type | Security |
|---|---|---|---|---|
| react | 17.0.2 | 18.2.0 | major | ā No issues |
| axios | 0.27.2 | 1.6.0 | major | ā ļø 2 medium issues |
| eslint | 8.0.0 | 8.54.0 | minor | ā No issues |
| jest | 27.5.1 | 29.7.0 | major | ā ļø 1 low issue |
Recommendation: Review and update packages, especially those with security issues.
# Update critical vulnerabilities
npm install lodash@4.17.21
npm install sequelize@6.6.5
# Run tests
npm test
# Deploy hotfix
Estimated Time: 2-4 hours Risk: Low (no breaking changes) Testing Required: Regression testing for auth and data queries
# Update high severity packages
npm install marked@4.0.16
npm install express-fileupload@1.4.0
npm update mocha # Fixes minimist
# Update express ecosystem
npm install express@4.18.2
# Run full test suite
npm test
npm run test:e2e
# Deploy to staging for testing
Estimated Time: 1 day Risk: Low-Medium (minor breaking changes possible) Testing Required: Full regression testing
# Update medium severity packages
npm install validator@13.9.0
# ... (other medium priority updates)
# Replace deprecated packages
npm uninstall request
npm install axios@1.6.0
# Update code to use axios
# Run migration script
Estimated Time: 2-3 days Risk: Medium (code changes required) Testing Required: Full QA cycle
# Update remaining outdated packages
npm update
npm outdated # Verify all updated
# Clean up unused dependencies
npm prune
Estimated Time: 1 day Risk: Low
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: npm ci
- run: npm audit --audit-level=moderate
- run: npm outdated || true
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "security-team"
labels:
- "dependencies"
- "security"
# .husky/pre-commit
#!/bin/sh
npm audit --audit-level=high
# Use Snyk
npm install -g snyk
snyk auth
snyk monitor
# Or use GitHub Advanced Security
# Enable Dependabot alerts in repo settings
{
"dependencies": {
"express": "4.18.2", // Exact version in production
"lodash": "^4.17.21" // Allow patches in development
}
}
Total Packages: 342
Vulnerabilities:
Package Health:
Estimated Remediation Time: 4-5 days Risk After Remediation: Low
Immediate (Critical):
Short-term (High): 3. Update express ecosystem packages 4. Update marked to 4.0.16 5. Update express-fileupload to 1.4.0 6. Fix minimist via mocha update
Medium-term: 7. Replace deprecated packages (request, node-uuid) 8. Update medium severity vulnerabilities 9. Review and update outdated packages
Long-term: 10. Set up automated monitoring 11. Implement security scanning in CI/CD 12. Establish regular audit schedule
## Notes
- Run audits regularly (at least weekly)
- Don't ignore low severity issues (they can become high)
- Keep dependencies minimal
- Prefer well-maintained packages with active communities
- Monitor security advisories for your ecosystem
- Test all updates in staging environment first
- Document security exceptions with justification
- Automated tools help but manual review is still important
- Balance security with stability (don't update everything blindly)
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.