Detect CVEs and security issues in project dependencies. Use when you need to analyze packages for known vulnerabilities across npm, pip, cargo, and other ecosystems.
Install:

```bash
npx claudepluginhub joshuarweaver/cascade-content-creation-misc-1 --plugin jwynia-agent-skills-1
```

This skill uses the workspace's default tool permissions.
Analyze package dependencies for known vulnerabilities.
Usage:

```bash
/dependency-scan           # Scan all detected package managers
/dependency-scan --npm     # Node.js packages only
/dependency-scan --pip     # Python packages only
/dependency-scan --fix     # Auto-fix where possible
```

Supported ecosystems:
| Ecosystem | Files | Tool Used |
|---|---|---|
| Node.js | package.json, package-lock.json | npm audit |
| Python | requirements.txt, Pipfile, pyproject.toml | pip-audit, safety |
| Ruby | Gemfile, Gemfile.lock | bundler-audit |
| Java | pom.xml, build.gradle | dependency-check |
| Go | go.mod, go.sum | govulncheck |
| Rust | Cargo.toml, Cargo.lock | cargo-audit |
| PHP | composer.json, composer.lock | composer audit |
| .NET | *.csproj, packages.config | dotnet list package --vulnerable |
Scan everything:

```bash
/dependency-scan
```

Scans all detected package managers and reports all severity levels.

Scan a single ecosystem:

```bash
/dependency-scan --npm
/dependency-scan --pip
/dependency-scan --go
```

Filter by severity:

```bash
/dependency-scan --severity critical,high
/dependency-scan --severity medium
```

Auto-fix:

```bash
/dependency-scan --fix
/dependency-scan --fix --dry-run   # Preview changes
```

Attempts to update vulnerable packages to patched versions.

Example output:
```text
DEPENDENCY SCAN RESULTS
=======================
Scanned: package.json, requirements.txt
Packages analyzed: 127 (78 npm, 49 pip)

VULNERABILITIES BY SEVERITY
  Critical: 2
  High:     4
  Medium:   8
  Low:      12

TOP ISSUES
[!] CRITICAL: lodash < 4.17.21
    CVE-2021-23337: Command Injection
    Affected: lodash@4.17.19
    Fix: npm update lodash

[!] CRITICAL: urllib3 < 2.0.6
    CVE-2023-43804: Cookie Leak
    Affected: urllib3@1.26.0
    Fix: pip install urllib3>=2.0.6

[H] HIGH: express < 4.19.2
    CVE-2024-29041: Open Redirect
    Affected: express@4.18.0
    Fix: npm update express
```
Detailed report:

```bash
/dependency-scan --details
```

```text
DETAILED VULNERABILITY REPORT
=============================

CVE-2021-23337
--------------
Package:   lodash
Installed: 4.17.19
Patched:   4.17.21
Severity:  CRITICAL (CVSS 9.8)

Description:
  Command Injection in lodash template function allows
  arbitrary command execution via crafted template strings.

Attack Vector:  Remote, no auth required
Exploitability: Public exploit available

References:
  - https://nvd.nist.gov/vuln/detail/CVE-2021-23337
  - https://github.com/lodash/lodash/issues/5085

Remediation:
  npm update lodash
  # or
  npm install lodash@4.17.21
```
Vulnerability databases queried:

| Database | Coverage |
|---|---|
| NVD (National Vulnerability Database) | All CVEs |
| GitHub Advisory Database | GitHub-reported |
| OSV (Open Source Vulnerabilities) | Multi-ecosystem |
| npm Security Advisories | Node.js specific |
| PyPI Advisory Database | Python specific |
| RustSec Advisory Database | Rust specific |
Severity mapping (CVSS base score):

| Score | Severity |
|---|---|
| 9.0-10.0 | Critical |
| 7.0-8.9 | High |
| 4.0-6.9 | Medium |
| 0.1-3.9 | Low |
Underlying tools invoked per ecosystem:

```bash
# Node.js
npm audit --json
npm audit fix              # Auto-fix
npm audit fix --force      # Breaking changes OK

# Python
pip-audit
pip-audit --fix
pip-audit -r requirements.txt
safety check               # Deprecated in Safety 3.x in favour of `safety scan`
safety check -r requirements.txt

# Ruby
bundle-audit check
bundle-audit update        # Update advisory DB

# Go
govulncheck ./...

# Rust
cargo audit
cargo audit fix            # Auto-fix
```
Default fix behaviour: updates within the semver-compatible range.

`--force` flag: may introduce breaking changes.

```text
AUTO-FIX REPORT
===============
Fixed: 8 vulnerabilities
  lodash:   4.17.19 → 4.17.21
  axios:    0.21.0  → 0.21.1
  minimist: 1.2.5   → 1.2.6

Unable to fix: 2 vulnerabilities
  react-scripts:      No patch available (major version required)
  webpack-dev-server: Conflicts with other dependencies
```

Review the package.json and lockfile changes before committing.
Create .dependency-scan-ignore:

```yaml
# Ignore specific CVEs (document reason!)
ignore:
  - id: CVE-2021-23337
    reason: "Not exploitable in our usage, lodash template not used"
    expires: 2024-12-31
  - id: GHSA-xxx-xxx
    reason: "Development dependency only"

# Ignore packages
packages:
  - name: lodash
    versions: ["< 4.17.0"]   # Only old versions
```

Give every waiver an `expires` date so that it is re-reviewed rather than silently suppressing the finding forever.
Project configuration:

```yaml
# .dependency-scan.yaml
thresholds:
  fail_on: critical       # Fail CI on critical
  warn_on: high           # Warn on high
  ignore_below: low       # Don't report low

fix:
  auto_fix: true
  allow_major: false      # No major version bumps
```
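The three pieces of policy documented above (the CVSS-to-severity bands, the `.dependency-scan-ignore` waivers with their expiry dates, and the `thresholds` block of `.dependency-scan.yaml`) are straightforward to combine into a single gating step. The following is an added example of how such a gate can be written; it is not the skill's own code. The two YAML files are embedded as the equivalent Python dicts (in real use they would be loaded with `yaml.safe_load`), the findings are constructed sample data, and the `EXAMPLE-ADV-*` advisory IDs are placeholders; the lodash entry reuses the CVE and score from the sample report above.

```python
"""Policy gate for dependency-scan style findings (added example).

Applies the severity bands, the ignore-file waivers (with expiry) and the
CI thresholds to a list of findings and returns a verdict plus exit code.
"""
import re
from dataclasses import dataclass
from datetime import date

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class Finding:
    package: str
    ecosystem: str
    installed: str
    advisory_id: str
    cvss: float


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the four bands from the severity table."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"  # the table starts at 0.1; a 0.0 ("None") score lands here too


def _version_key(version: str) -> tuple:
    # Numeric comparison of dotted versions; a pre-release suffix such as
    # "1.2.0-beta" is truncated to the leading digits of each component.
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_matches(installed: str, constraint: str) -> bool:
    """Evaluate a constraint such as '< 4.17.0' against an installed version."""
    m = re.match(r"\s*(<=|>=|==|<|>)\s*(\S+)", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, wanted = m.groups()
    a, b = _version_key(installed), _version_key(wanted)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]


def is_waived(finding: Finding, rules: dict, today: date) -> bool:
    """True if an ignore rule suppresses this finding on `today`."""
    for rule in rules.get("ignore", []):
        if rule["id"] != finding.advisory_id:
            continue
        expires = rule.get("expires")
        if expires and date.fromisoformat(str(expires)) < today:
            continue  # expired waiver: the finding is reported again
        return True
    for pkg in rules.get("packages", []):
        if pkg["name"] == finding.package and any(
            version_matches(finding.installed, c) for c in pkg.get("versions", [])
        ):
            return True
    return False


def evaluate(findings, rules: dict, thresholds: dict, today) -> dict:
    """Apply waivers and thresholds; return counts, waived IDs and CI verdict."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    # `ignore_below: low  # Don't report low` is read here as "drop this level
    # and anything under it", matching the comment in the sample config.
    floor = RANK[thresholds["ignore_below"]]
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    waived, reported = [], []
    for f in findings:
        if is_waived(f, rules, today):
            waived.append(f.advisory_id)
            continue
        sev = severity_from_cvss(f.cvss)
        if RANK[sev] <= floor:
            continue
        counts[sev] += 1
        reported.append((f.package, f.installed, sev, f.advisory_id))
    worst = max((RANK[sev] for _, _, sev, _ in reported), default=-1)
    if worst >= RANK[thresholds["fail_on"]]:
        verdict = "fail"
    elif worst >= RANK[thresholds["warn_on"]]:
        verdict = "warn"
    else:
        verdict = "pass"
    return {"counts": counts, "waived": waived, "reported": reported,
            "verdict": verdict, "exit_code": 1 if verdict == "fail" else 0}


IGNORE_RULES = {  # dict form of the .dependency-scan-ignore example
    "ignore": [
        {"id": "CVE-2021-23337", "expires": "2024-12-31",
         "reason": "Not exploitable in our usage, lodash template not used"},
        {"id": "GHSA-xxx-xxx", "reason": "Development dependency only"},
    ],
    "packages": [{"name": "lodash", "versions": ["< 4.17.0"]}],
}
THRESHOLDS = {"fail_on": "critical", "warn_on": "high", "ignore_below": "low"}

SAMPLE_FINDINGS = [  # constructed sample data; EXAMPLE-ADV-* IDs are placeholders
    Finding("lodash", "npm", "4.17.19", "CVE-2021-23337", 9.8),
    Finding("express", "npm", "4.18.0", "EXAMPLE-ADV-0001", 6.1),
    Finding("urllib3", "pip", "1.26.0", "EXAMPLE-ADV-0002", 8.1),
    Finding("minimist", "npm", "1.2.5", "GHSA-xxx-xxx", 3.7),
]

if __name__ == "__main__":
    for day in ("2024-06-01", "2025-01-15"):
        r = evaluate(SAMPLE_FINDINGS, IGNORE_RULES, THRESHOLDS, day)
        print(day, r["verdict"], r["counts"], "waived:", r["waived"])
```

Running it for a date before the lodash waiver expires yields a `warn` verdict (one high, one medium, two waived); running it after 2024-12-31 brings the critical lodash finding back and the verdict becomes `fail` with exit code 1, which is the behaviour a CI job keyed on `fail_on: critical` wants.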
GitHub Actions steps (the branch name is a placeholder):

```yaml
- name: Dependency Scan
  run: |
    /dependency-scan --severity critical,high --fail-on-findings

- name: Auto-fix and PR
  if: failure()
  run: |
    git checkout -b security/dependency-updates
    /dependency-scan --fix
    git add .
    git commit -m "Security: Update vulnerable dependencies"
    git push -u origin HEAD
    gh pr create --title "Security: Update vulnerable dependencies" \
      --body "Automated fix from dependency-scan; review lockfile changes before merging."
```
Pre-commit hook:

```sh
#!/bin/sh
# Run on package.json or requirements.txt changes
if git diff --cached --name-only | grep -qE 'package\.json|requirements\.txt'; then
  /dependency-scan --severity critical,high
fi
```
Dependency health:

```bash
/dependency-scan --health
```

Additional checks:

```text
DEPENDENCY HEALTH
=================
Outdated (major behind): 5
  react:      17.0.2 → 18.2.0
  typescript: 4.9.5  → 5.3.3

Deprecated: 1
  request: Use got, axios, or node-fetch

Unmaintained (>2 years): 2
  moment: Consider dayjs or date-fns

License Issues: 0
```
Related commands:

- /security-scan - Full security analysis
- /secrets-scan - Credential detection
- /config-scan - Configuration security