Install: `npx claudepluginhub cwinvestments/memstack --plugin memstack`

This skill uses the workspace's default tool permissions.
*Scan project dependencies for vulnerabilities, outdated packages, abandoned libraries, and supply chain risks with a prioritized upgrade plan.*
Audits project dependencies from package.json, requirements.txt, go.mod, Gemfile for CVEs, outdated packages, transitive issues, licenses, and supply chain risks. Provides severity assessments, remediation suggestions, and prioritized reports.
Audits project dependencies for CVEs, outdated versions, incompatible licenses, and abandoned packages using npm audit, pip-audit, cargo audit, govulncheck, composer audit. Blocks releases on critical/high vulns.
Analyzes project dependencies for vulnerabilities, licensing issues, outdated packages, and supply chain risks. Provides prioritized remediation strategies and upgrade paths.
When this skill activates, output:

```text
🔍 Dependency Audit → Scanning your dependency tree...
```
| Context | Status |
|---|---|
| User says "dependency audit", "npm audit", "scan dependencies" | ACTIVE |
| User wants to check for vulnerable or outdated packages | ACTIVE |
| User mentions CVEs, supply chain security, or abandoned packages | ACTIVE |
| User wants OWASP web app security (not just dependencies) | DORMANT → see owasp-top10 |
| User wants secrets scanning (not package vulnerabilities) | DORMANT → see secrets-scanner |
| User wants general code review | DORMANT → see code-reviewer |
Identify the package ecosystem from project files:
| File Found | Ecosystem | Audit Command | Outdated Command |
|---|---|---|---|
| package.json | npm/Node.js | `npm audit --json` | `npm outdated --json` |
| package-lock.json | npm (locked) | `npm audit --json` | `npm outdated --json` |
| yarn.lock | Yarn | `yarn audit --json` | `yarn outdated --json` |
| pnpm-lock.yaml | pnpm | `pnpm audit --json` | `pnpm outdated --json` |
| requirements.txt | pip/Python | `pip-audit --format=json` | `pip list --outdated --format=json` |
| Pipfile.lock | Pipenv | `pipenv check --output json` | `pipenv update --dry-run` |
| pyproject.toml | Poetry/Python | `pip-audit --format=json` | `poetry show --outdated` |
| Cargo.toml | Rust/Cargo | `cargo audit --json` | `cargo outdated --format json` |
| go.mod | Go | `govulncheck ./...` | `go list -u -m all` |
| Gemfile.lock | Ruby/Bundler | `bundle audit check --format json` | `bundle outdated` |
If multiple ecosystems detected, audit all of them. Report which ecosystem each finding belongs to.
Execute the appropriate audit command and parse results into a unified format:

```text
── VULNERABILITY SCAN ─────────────────────

CVE-2024-XXXXX 🔴 CRITICAL
  Package: [name]@[version]
  Dependency: Direct / Transitive (via [parent])
  Fixed in: [version]
  Description: [brief description]
  CVSS Score: [score]
  Exploitability: [network/local] [complexity]

CVE-2024-YYYYY 🟡 HIGH
  Package: [name]@[version]
  Dependency: Transitive (via [parent] → [grandparent])
  Fixed in: [version]
  Description: [brief description]
  CVSS Score: [score]
  Exploitability: [network/local] [complexity]
```
Severity classification:
| Severity | CVSS Score | Icon | Action |
|---|---|---|---|
| Critical | 9.0 - 10.0 | 🔴 | Fix immediately - potential active exploitation |
| High | 7.0 - 8.9 | 🟡 | Fix within 1 week - significant risk |
| Medium | 4.0 - 6.9 | 🟠 | Fix within 1 month - moderate risk |
| Low | 0.1 - 3.9 | 🔵 | Fix when convenient - minimal risk |
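The ecosystem detection, audit-output parsing and severity banding above can be wired together in a few functions. The block below is an added example, not code shipped with the skill: it selects audit commands from the file table, flattens an `npm audit --json` (auditReportVersion 2) report into the unified finding format, derives the severity band from the CVSS score using the table above, and reads attack vector and complexity out of the CVSS vector string for the "Exploitability" line. The sample report is constructed; its package names, advisory ids and URLs are placeholders.

```python
# Manifest/lockfile -> (ecosystem, audit command), from the ecosystem table above.
# Lockfiles come before their manifests so the locked variant is what gets audited.
ECOSYSTEM_FILES = [
    ("pnpm-lock.yaml", "pnpm", "pnpm audit --json"),
    ("yarn.lock", "yarn", "yarn audit --json"),
    ("package-lock.json", "npm", "npm audit --json"),
    ("package.json", "npm", "npm audit --json"),
    ("Pipfile.lock", "pipenv", "pipenv check --output json"),
    ("requirements.txt", "pip", "pip-audit --format=json"),
    ("pyproject.toml", "poetry", "pip-audit --format=json"),
    ("Cargo.toml", "cargo", "cargo audit --json"),
    ("go.mod", "go", "govulncheck ./..."),
    ("Gemfile.lock", "bundler", "bundle audit check --format json"),
]


def detect_ecosystems(filenames):
    """Map each ecosystem present in `filenames` (e.g. os.listdir(project)) to its audit command."""
    present = set(filenames)
    found = {}
    for filename, ecosystem, command in ECOSYSTEM_FILES:
        if filename in present:
            found.setdefault(ecosystem, command)  # first (most specific) file wins
    return found


def severity_from_cvss(score):
    """Severity band for a CVSS v3 base score, using the ranges in the table above."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def exploitability(vector):
    """'network / low complexity' style summary from a CVSS v3 vector string."""
    metrics = dict(p.split(":", 1) for p in vector.split("/")[1:] if ":" in p)
    av = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}.get(metrics.get("AV"), "unknown")
    ac = {"L": "low", "H": "high"}.get(metrics.get("AC"), "unknown")
    return f"{av} / {ac} complexity"


def parse_npm_audit(report):
    """Flatten an `npm audit --json` (auditReportVersion 2) report into unified findings.

    A package's `via` list mixes advisory objects with strings naming another vulnerable
    package; only the objects become findings (the strings are reported under that other
    package). `effects` names the parents that pull a transitive package in.
    """
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        parents = entry.get("effects") or []
        if entry.get("isDirect"):
            dependency = "direct"
        else:
            dependency = f"transitive (via {', '.join(parents)})" if parents else "transitive"
        fix = entry.get("fixAvailable")
        if isinstance(fix, dict):  # npm names the version that resolves it
            fixed_in = fix.get("version", "unknown") + (" (semver-major)" if fix.get("isSemVerMajor") else "")
        else:
            fixed_in = "fix available" if fix is True else "no fix available"
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            cvss = via.get("cvss") or {}
            score = cvss.get("score")
            findings.append({
                "package": name,
                "advisory": via.get("url") or via.get("title", "unknown advisory"),
                "severity": severity_from_cvss(score) if score is not None else via.get("severity", "unknown"),
                "cvss": score,
                "exploitability": exploitability(cvss.get("vectorString", "")),
                "dependency": dependency,
                "fixed_in": fixed_in,
            })
    findings.sort(key=lambda f: -(f["cvss"] or 0.0))  # most severe first
    return findings


# Constructed sample in the shape npm 7+ emits; names, advisory ids and URLs are placeholders.
SAMPLE_NPM_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "critical", "isDirect": True, "effects": [],
            "via": [{"source": 1000001, "name": "example-parser", "title": "Prototype pollution (sample)",
                     "url": "https://example.invalid/advisories/1000001", "severity": "critical",
                     "cvss": {"score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
                     "range": "<2.0.1"}],
            "range": "<2.0.1", "nodes": ["node_modules/example-parser"],
            "fixAvailable": {"name": "example-parser", "version": "2.0.1", "isSemVerMajor": False},
        },
        "example-utils": {
            "name": "example-utils", "severity": "high", "isDirect": False, "effects": ["example-cli"],
            "via": [{"source": 1000002, "name": "example-utils", "title": "ReDoS (sample)",
                     "url": "https://example.invalid/advisories/1000002", "severity": "high",
                     "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},
                     "range": "<1.4.0"}],
            "range": "<1.4.0", "nodes": ["node_modules/example-cli/node_modules/example-utils"],
            "fixAvailable": False,
        },
        "example-cli": {  # vulnerable only through example-utils: `via` is a string, so no extra finding
            "name": "example-cli", "severity": "high", "isDirect": True, "effects": [],
            "via": ["example-utils"], "range": "*", "nodes": ["node_modules/example-cli"], "fixAvailable": False,
        },
    },
}

if __name__ == "__main__":
    print(detect_ecosystems(["package.json", "package-lock.json", "requirements.txt"]))
    for f in parse_npm_audit(SAMPLE_NPM_AUDIT):
        print(f"{f['severity'].upper():8} {f['package']:16} {f['dependency']:30} fixed in: {f['fixed_in']}")
```

The severity band is recomputed from the CVSS score rather than copied from the advisory's own label, so findings from different ecosystems land in the same bands the table defines; `parse_npm_audit` only understands the npm report shape, and the other audit commands in the table need their own parser.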
Direct vs transitive priority:

- overrides (npm) or resolutions (Yarn)

Run the outdated command and categorize results:

```text
── OUTDATED PACKAGES ──────────────────────

Package      Current   Latest   Type      Risk
─────────────────────────────────────────────────────
[package-a]  1.2.3     1.2.8    Patch     ✅ Safe - bug fixes only
[package-b]  2.1.0     2.4.0    Minor     ✅ Safe - new features, backward compatible
[package-c]  3.0.0     4.2.1    Major     ⚠️ Breaking - review changelog
[package-d]  1.0.0     1.0.0    Current   ✅ Up to date
```
Version gap classification:
| Gap Type | Risk | Approach |
|---|---|---|
| Patch (1.2.3 → 1.2.8) | Very Low | Update immediately - bug/security fixes |
| Minor (2.1.0 → 2.4.0) | Low | Update in batch - new features, backward compatible |
| Major (3.0.0 → 4.2.1) | Medium-High | Review migration guide, test thoroughly |
| Multiple majors (1.x → 4.x) | High | Dedicate time, may require code changes |
Check each dependency for maintenance status:

```text
── ABANDONED PACKAGE CHECK ────────────────

Package      Last Publish    Downloads/wk   Status
──────────────────────────────────────────────────────
[package-x]  3 years ago     12,000         ⚠️ ABANDONED - find alternative
[package-y]  2.5 years ago   800            🔴 DEAD - replace immediately
[package-z]  6 months ago    250,000        ✅ Active
```
Abandonment indicators:
For each abandoned package, suggest:
Check for packages with known supply chain risk factors:
| Risk Factor | Detection Method | Severity |
|---|---|---|
| Typosquatting | Package name similar to popular package | High |
| Install scripts | preinstall/postinstall scripts in package.json | Medium |
| Excessive permissions | Package requests network/fs access unexpectedly | Medium |
| Single maintainer | One person controls publishing | Low-Medium |
| Recent ownership transfer | npm ownership changed recently | High |
| Minified source only | No readable source code in package | Medium |
| Unpinned dependencies | Using * or >= in dependency ranges | Medium |
```text
── SUPPLY CHAIN RISKS ─────────────────────

[package-a] ⚠️ Has postinstall script
  Script: "postinstall": "node setup.js"
  Review: [does it fetch remote code? write to fs? safe build step?]

[package-b] ⚠️ Single maintainer, low download count
  Maintainer: [username]
  Weekly downloads: [count]
  Alternative: [more established package]
```
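Three of the risk factors in the table above (install scripts, unpinned ranges, typosquatting) can be checked offline from the manifest and lockfile. The block below is an added example, not part of the skill: it lists install-time lifecycle scripts in a dependency's package.json, reads the `hasInstallScript` flags npm records in a v2/v3 package-lock.json, flags open-ended version ranges, and finds dependency names within one edit (including a transposition) of a popular package name. The popular-name list is a small stand-in for a real one, and the manifests and lockfile are constructed with invented package names; `>`, `latest` and the empty range are treated as the same risk class as the `*` and `>=` the table names.

```python
import re

# npm lifecycle hooks that run on `npm install`; `prepare` also runs for git dependencies.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Ranges with no upper bound: `*`, `x`, `latest`, an empty string (npm treats it as `*`),
# or a `>`/`>=` lower bound that is not paired with a `<` upper bound.
UNPINNED_RE = re.compile(r"^\s*(\*|x|latest|>=?[^<]*)?\s*$")


def unpinned_ranges(manifest):
    """Return [(name, range)] for dependency ranges with no upper bound."""
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, rng in (manifest.get(section) or {}).items():
            if UNPINNED_RE.match(rng):
                hits.append((name, rng))
    return hits


def install_scripts(manifest):
    """Install-time lifecycle scripts declared in one dependency's package.json."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def packages_with_install_scripts(lockfile):
    """Package names a v2/v3 package-lock.json marks with hasInstallScript (nested paths included)."""
    names = []
    for path, entry in (lockfile.get("packages") or {}).items():
        if path and entry.get("hasInstallScript"):
            names.append(path.rsplit("node_modules/", 1)[-1])
    return names


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def typosquat_candidates(names, popular, max_distance=1):
    """[(name, popular_name)] for dependencies within `max_distance` edits of a popular package."""
    hits = []
    for name in names:
        for target in popular:
            if name != target and osa_distance(name, target) <= max_distance:
                hits.append((name, target))
    return hits


# Constructed samples; every package name except the popular list is invented.
POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "chalk"]  # stand-in for a real list
SAMPLE_ROOT_MANIFEST = {
    "name": "sample-app",
    "dependencies": {"express": "^4.18.2", "lodahs": "1.0.0", "left-util": "*",
                     "some-lib": ">=2.0.0", "bounded-lib": ">=1.0.0 <2.0.0"},
}
SAMPLE_DEP_MANIFEST = {"name": "left-util", "scripts": {"postinstall": "node setup.js", "test": "jest"}}
SAMPLE_LOCKFILE = {"lockfileVersion": 3, "packages": {
    "": {"name": "sample-app"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/left-util": {"version": "1.0.0", "hasInstallScript": True},
    "node_modules/express/node_modules/nested-lib": {"version": "0.1.0", "hasInstallScript": True},
}}

if __name__ == "__main__":
    print("unpinned:", unpinned_ranges(SAMPLE_ROOT_MANIFEST))
    print("install scripts in left-util:", install_scripts(SAMPLE_DEP_MANIFEST))
    print("hasInstallScript:", packages_with_install_scripts(SAMPLE_LOCKFILE))
    print("typosquat candidates:", typosquat_candidates(list(SAMPLE_ROOT_MANIFEST["dependencies"]), POPULAR_PACKAGES))
```

For a real project, feed `packages_with_install_scripts` the parsed package-lock.json and then run `install_scripts` over `node_modules/<name>/package.json` for each flagged name; the lockfile flag tells you which packages to look at, and the dependency's own manifest shows the command that will run.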
Create a prioritized upgrade plan in three tiers:

```text
═══ TIER 1: IMMEDIATE (This Sprint) ═══════
Critical/High vulnerabilities in direct dependencies.
Patch updates with no breaking changes.

1. [package]@[current] → [target]
   Reason: 🔴 CVE-2024-XXXXX (CRITICAL)
   Risk: None - patch update
   Command: npm install [package]@[target]

2. [package]@[current] → [target]
   Reason: 🟡 CVE-2024-YYYYY (HIGH)
   Risk: None - minor update
   Command: npm install [package]@[target]

═══ TIER 2: PLANNED (Next 2 Weeks) ════════
Medium vulnerabilities, minor version updates,
replacing abandoned packages.

3. [package]@[current] → [target]
   Reason: 🟠 CVE-2024-ZZZZZ (MEDIUM) + 8 minor versions behind
   Risk: Low - review changelog for deprecations
   Command: npm install [package]@[target]
   Test: [specific areas to regression test]

4. [package] → [replacement-package]
   Reason: ⚠️ Abandoned (last publish: 2 years ago)
   Risk: Medium - API differences, migration needed
   Migration: [brief migration steps]

═══ TIER 3: SCHEDULED (Next Quarter) ══════
Major version upgrades requiring migration effort.

5. [package]@[current] → [target]
   Reason: 3 major versions behind, accumulating tech debt
   Risk: High - breaking changes in v3 and v4
   Migration guide: [URL]
   Estimated effort: [hours/days]
   Test: [comprehensive regression testing required]
```
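The version-gap classification table and the three-tier plan above are both mechanical enough to code. The block below is an added example, not the skill's own logic: it classifies the gap between current and latest versions from `npm outdated --json` output, and assigns each package a tier from its vulnerability severity, direct/transitive status, gap type and abandonment flag. The page does not say where a critical/high vulnerability in a transitive dependency belongs; this example assumes tier 1 unless the fix needs a major bump, in which case tier 2. The outdated output and vulnerability map are constructed samples with invented package names.

```python
import re

SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Risk labels from the version gap table above.
GAP_RISK = {"current": "none", "patch": "very low", "minor": "low",
            "major": "medium-high", "multiple-majors": "high"}


def parse_semver(version):
    """Return (major, minor, patch); pre-release and build suffixes are ignored."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify_gap(current, latest):
    """Classify the jump from `current` to `latest` using the gap table above."""
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return "current"
    if new[0] > cur[0]:
        return "multiple-majors" if new[0] - cur[0] >= 2 else "major"
    if new[1] > cur[1]:
        return "minor"
    return "patch"


def classify_outdated(outdated):
    """Annotate the mapping emitted by `npm outdated --json` with gap type and risk."""
    rows = []
    for name, info in outdated.items():
        if not info.get("current"):  # package declared but not installed: nothing to compare
            continue
        gap = classify_gap(info["current"], info["latest"])
        rows.append({"package": name, "current": info["current"],
                     "latest": info["latest"], "gap": gap, "risk": GAP_RISK[gap]})
    return rows


def assign_tier(severity, is_direct, gap, abandoned=False):
    """1 immediate, 2 planned, 3 scheduled, None when there is nothing to do.

    Transitive critical/high handling (tier 1 unless a major bump is needed) is an
    assumption of this example; the rest follows the tier descriptions above.
    """
    urgent = severity in ("critical", "high")
    if urgent and (is_direct or gap not in ("major", "multiple-majors")):
        return 1
    if gap == "patch":
        return 1
    if urgent or severity == "medium" or gap == "minor" or abandoned:
        return 2
    if gap in ("major", "multiple-majors"):
        return 3
    return None


def plan_upgrades(outdated_rows, vulnerabilities, abandoned=()):
    """Group packages into tiers with copy-paste commands.

    `vulnerabilities` maps package -> {"severity": ..., "is_direct": ...};
    `abandoned` is an iterable of package names flagged as unmaintained.
    """
    abandoned = set(abandoned)
    tiers = {1: [], 2: [], 3: []}
    for row in outdated_rows:
        vuln = vulnerabilities.get(row["package"], {})
        tier = assign_tier(vuln.get("severity"), vuln.get("is_direct", True),
                           row["gap"], row["package"] in abandoned)
        if tier is None:
            continue
        reason = (vuln["severity"].upper() + " vulnerability") if vuln else f"{row['gap']} update"
        if row["package"] in abandoned:
            reason += ", abandoned"
        command = (f"npm install {row['package']}@{row['latest']}" if row["gap"] != "current"
                   else "no newer release; use an override or replace the package")
        tiers[tier].append({"package": row["package"], "target": row["latest"],
                            "reason": reason, "command": command})
    return tiers


# Constructed samples in the shape of `npm outdated --json`; package names are invented.
SAMPLE_OUTDATED = {
    "example-parser": {"current": "2.0.0", "wanted": "2.0.1", "latest": "2.0.1", "location": "node_modules/example-parser"},
    "example-ui": {"current": "2.1.0", "wanted": "2.4.0", "latest": "2.4.0", "location": "node_modules/example-ui"},
    "example-legacy": {"current": "1.0.0", "wanted": "1.0.0", "latest": "4.2.1", "location": "node_modules/example-legacy"},
}
SAMPLE_VULNS = {"example-parser": {"severity": "critical", "is_direct": True}}

if __name__ == "__main__":
    plan = plan_upgrades(classify_outdated(SAMPLE_OUTDATED), SAMPLE_VULNS, abandoned=["example-ui"])
    for tier, items in plan.items():
        for item in items:
            print(f"Tier {tier}: {item['package']} -> {item['target']} ({item['reason']}): {item['command']}")
```

Vulnerability severity is checked before gap type on purpose: a medium vulnerability behind a major bump still lands in tier 2 rather than being deferred to next quarter because the upgrade is large.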
When a transitive dependency can't be fixed by updating the direct parent:
npm (overrides in package.json):

```json
{
  "overrides": {
    "vulnerable-package": ">=2.0.1"
  }
}
```
Yarn (resolutions in package.json):

```json
{
  "resolutions": {
    "vulnerable-package": ">=2.0.1"
  }
}
```
pnpm (overrides in package.json):

```json
{
  "pnpm": {
    "overrides": {
      "vulnerable-package": ">=2.0.1"
    }
  }
}
```
Pip (constraint file):

```text
# constraints.txt
vulnerable-package>=2.0.1
```

```shell
pip install -c constraints.txt -r requirements.txt
```
Caution: Overrides can break compatibility. Always test after applying.
Recommend automated dependency scanning in CI:

```yaml
# GitHub Actions example
name: Dependency Audit
on:
  schedule:
    - cron: '0 9 * * 1'   # Weekly Monday 9 AM
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm audit --audit-level=high
      - run: npm outdated || true   # Don't fail on outdated
```
Recommended tools for ongoing monitoring:
Present the complete dependency health report:

```text
═══ DEPENDENCY HEALTH REPORT ══════════════
Project: [name]
Ecosystem: [npm/pip/cargo/etc.]
Scan date: [date]
Total dependencies: [direct] direct, [transitive] transitive

── VULNERABILITY SUMMARY ──────────────────
🔴 Critical: [count]
🟡 High: [count]
🟠 Medium: [count]
🔵 Low: [count]

── VULNERABILITIES ────────────────────────
[detailed CVE list with fix versions]

── OUTDATED PACKAGES ──────────────────────
Patch updates available: [count]
Minor updates available: [count]
Major updates available: [count]

── ABANDONED PACKAGES ─────────────────────
[list with alternatives]

── SUPPLY CHAIN RISKS ─────────────────────
[risk factors found]

── UPGRADE PLAN ───────────────────────────
Tier 1 (Immediate): [count] packages
Tier 2 (Planned): [count] packages
Tier 3 (Scheduled): [count] packages

── COMMANDS ───────────────────────────────
[copy-paste upgrade commands]

── CI RECOMMENDATION ──────────────────────
[automated scanning setup]

── HEALTH SCORE ───────────────────────────
Score: [X/100]
  Vulnerabilities: [-points per severity]
  Currency: [-points per outdated major]
  Maintenance: [-points per abandoned dep]
  Supply chain: [-points per risk factor]
```
Health score calculation: