From claudekit
Audits project dependencies for bloat, unused packages, security risks, supply-chain issues, and upgrades by building import graphs and verifying call sites in npm, pip, Cargo, Go, Ruby projects.
npx claudepluginhub duthaho/claudekit --plugin claudekitThis skill uses the workspace's default tool permissions.
A four-step dependency audit that goes past `npm audit` / `pip-audit` / `cargo audit`
Audits project dependencies from package.json, requirements.txt, go.mod, Gemfile for CVEs, outdated packages, transitive issues, licenses, and supply chain risks. Provides severity assessments, remediation suggestions, and prioritized reports.
Scans project dependencies for vulnerabilities, outdated packages, abandoned libraries, and supply chain risks across npm/Yarn/pnpm, pip/Poetry/Pipenv, Cargo, Go, and Bundler ecosystems.
Audits dependencies for vulnerabilities, outdated versions, transitive issues, and licenses in Node.js, Python, PHP, Ruby, Go, and Rust projects using npm audit, pip-audit, and equivalents.
Share bugs, ideas, or general feedback.
A four-step dependency audit that goes past npm audit / pip-audit / cargo audit
output into the actual import graph. The skill enforces that every claim
("we don't use that import path", "this dep is dead", "this CVE doesn't apply")
is backed by evidence from the code, not from a tool's verdict alone. The audit
produces a list of dependencies with three columns: declared, transitively pulled,
actually called. Anything in column 1 or 2 but not column 3 is a candidate for
removal. Anything called but unpinned, deprecated, or vulnerable is an action item.
Senior ICs use it before adding a new dep, before a major version bump, or after
a CVE lands.
npm audit, pip-audit, GitHub Dependabot, Snyk, or similarnode_modules / site-packages / target size feels disproportionateGoal: Capture the current declared dependency state in a form you can diff later.
Inputs: The project's manifest file(s) — package.json, requirements.txt,
pyproject.toml, Cargo.toml, go.mod, Gemfile, etc.
Actions:
npm ls --all (or pnpm ls --depth=Infinity)pip list --format=jsoncargo treego list -m allOutput: A snapshot file at a known path. A two-line note: <N> direct, <M> transitive.
Goal: Determine which declared and transitively-pulled dependencies are actually imported by your code.
Inputs: The snapshot from Step 1 + access to the source tree.
Actions:
import .* from ['"]<name>['"] and require\(['"]<name>['"]\)^(from|import) <name>(\.|$| )use <crate>:: and extern crate <crate>;Output: A table per dep: <name> | <declared version> | <import sites> | <verdict: keep | remove | promote>.
Goal: Reconcile your import-graph evidence with what npm audit /
pip-audit / cargo audit reports, and decide whether each advisory applies.
Inputs: The Step 2 table, plus the output of the ecosystem's audit tool.
Actions:
Output: Each advisory annotated with a verdict and a one-line proof
(<file:line> showing reach or absence of the vulnerable function).
Goal: Produce an artifact with actions, not opinions.
Inputs: The Step 2 table and Step 3 advisory verdicts.
Actions:
docs/audits/deps-<YYYY-MM-DD>.md with sections:
lodash from package.json — 0 import sites in src/. Re-run
pnpm install to verify transitive count drops by N.").Output: The audit artifact at the dated path, plus a PR (or sequence of PRs) applying the action items.
| Excuse | Why it sounds reasonable | Why it's wrong | What to do instead |
|---|---|---|---|
"npm audit says it's fine, that's enough." | The scanner is the standard tool, it's automated, it sees more than I do. | Scanners report on declared package versions against a CVE database. They do not tell you whether the vulnerable code path is reachable from your code, nor whether a high-severity advisory in a sub-package matters at all. A clean audit can hide real exposure; a noisy audit can list advisories that don't apply. | Run the scanner, but treat its output as input to Step 3, not the conclusion. Each advisory needs a reachability check before you ignore or patch it. |
| "It's just a patch bump, ship it." | SemVer says patch is bug-fix only, no breaking changes. | SemVer is a publishing convention, not a behavioral guarantee. Patch bumps regularly include behavior shifts (changed defaults, tightened validation, dropped Node/Python versions). Skipping a read of the changelog because "it's just a patch" is the line where the regression you'll spend tomorrow debugging gets shipped today. | Read the changelog or release notes for every bump, even patch. 30 seconds of reading saves 3 hours of bisect later. |
| "We don't use that import path." | It's true that not every advisory applies to every consumer. | "We don't use that import path" said without the grep that proves it is folklore. The function may be called transitively by another dep you do use. Or it may be called by a code path triggered only in production. The claim is testable; test it. | Step 3, Action 3: find the affected function in the package source, grep your code (and the code of the deps that use it) for the function name. Cite the file:line where you proved absence — or where you found a call. |
| "snyk/dependabot already filed a PR — just merge it." | Automated remediation is a real win. | The bot's PR upgrades the package; it doesn't verify your code still works at the new version, nor that the upgrade actually closes the advisory in your call path. Merging blind means you trust the bot's reachability analysis (it has none) and your CI's coverage (it may not exercise the affected code). | Treat the bot's PR as a draft of Step 4's action item. Run the test suite. Read the changelog. If the changelog mentions a behavior change in code you call, exercise that path manually before merging. |
| "Removing deps is risky — we might need them later." | True for some deps; the cost of removing a useful dep is non-trivial. | "Might need later" without evidence is hoarding. Unused deps still pull transitive deps, still expand the CVE attack surface, still slow installs and CI. The cost of removal is reversible (re-add when actually needed); the cost of leaving them is paid every install. | If the dep has zero import sites in Step 2 and no roadmap item committed to using it within one release cycle, remove it. Note the version in the audit artifact so re-adding the same version is easy. |
| Checkpoint | Required artifact | What "no evidence" looks like |
|---|---|---|
| End of Step 1 | Snapshot file with direct/transitive counts | "We have a lot of dependencies." |
| End of Step 2 | Per-dep table with import-site counts and a keep/remove/promote verdict | "Most of these look unused, I think." |
| End of Step 3 | Per-advisory verdict with file:line proof of reach/absence | "The high-severity ones are the urgent ones." |
| End of Step 4 | Audit artifact at docs/audits/deps-<date>.md plus an action-items PR | "I'll get to the cleanup in the next sprint." |
remove is removed by the PR but tests still pass and bundle
size doesn't change. You may have searched for the wrong import name (alias?
re-export?). Re-grep before merging.remove. The CVE may be moot,
but verify removal closes it before declaring done.