Scans project dependencies for known CVEs and security vulnerabilities across npm, pip, cargo, and other ecosystems. Supports severity filtering and auto-fix.
How this skill is triggered — by the user, by Claude, or both
Slash command
/jwynia-agent-skills-1:dependency-scanThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze package dependencies for known vulnerabilities.
Analyze package dependencies for known vulnerabilities.
/dependency-scan # Scan all detected package managers
/dependency-scan --npm # Node.js packages only
/dependency-scan --pip # Python packages only
/dependency-scan --fix # Auto-fix where possible
| Ecosystem | Files | Tool Used |
|---|---|---|
| Node.js | package.json, package-lock.json | npm audit |
| Python | requirements.txt, Pipfile, pyproject.toml | pip-audit, safety |
| Ruby | Gemfile, Gemfile.lock | bundler-audit |
| Java | pom.xml, build.gradle | dependency-check |
| Go | go.mod, go.sum | govulncheck |
| Rust | Cargo.toml, Cargo.lock | cargo-audit |
| PHP | composer.json, composer.lock | composer audit |
| .NET | *.csproj, packages.config | dotnet list --vulnerable |
/dependency-scan
Scans all detected package managers, reports all severity levels.
/dependency-scan --npm
/dependency-scan --pip
/dependency-scan --go
/dependency-scan --severity critical,high
/dependency-scan --severity medium
/dependency-scan --fix
/dependency-scan --fix --dry-run # Preview changes
Attempts to update vulnerable packages to patched versions.
DEPENDENCY SCAN RESULTS
=======================
Scanned: package.json, requirements.txt
Packages analyzed: 127 (78 npm, 49 pip)
VULNERABILITIES BY SEVERITY
Critical: 2
High: 4
Medium: 8
Low: 12
TOP ISSUES
[!] CRITICAL: lodash < 4.17.21
CVE-2021-23337: Command Injection
Affected: [email protected]
Fix: npm update lodash
[!] CRITICAL: urllib3 < 2.0.6
CVE-2023-43804: Cookie Leak
Affected: [email protected]
Fix: pip install urllib3>=2.0.6
[H] HIGH: express < 4.19.2
CVE-2024-29041: Open Redirect
Affected: [email protected]
Fix: npm update express
/dependency-scan --details
DETAILED VULNERABILITY REPORT
=============================
CVE-2021-23337
--------------
Package: lodash
Installed: 4.17.19
Patched: 4.17.21
Severity: CRITICAL (CVSS 9.8)
Description:
Command Injection in lodash template function allows
arbitrary command execution via crafted template strings.
Attack Vector: Remote, no auth required
Exploitability: Public exploit available
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/lodash/lodash/issues/5085
Remediation:
npm update lodash
# or
npm install [email protected]
| Database | Coverage |
|---|---|
| NVD (National Vulnerability Database) | All CVEs |
| GitHub Advisory Database | GitHub-reported |
| OSV (Open Source Vulnerabilities) | Multi-ecosystem |
| npm Security Advisories | Node.js specific |
| PyPI Advisory Database | Python specific |
| RustSec Advisory Database | Rust specific |
| Score | Severity |
|---|---|
| 9.0-10.0 | Critical |
| 7.0-8.9 | High |
| 4.0-6.9 | Medium |
| 0.1-3.9 | Low |
npm audit --json
npm audit fix # Auto-fix
npm audit fix --force # Breaking changes OK
pip-audit
pip-audit --fix
pip-audit -r requirements.txt
safety check
safety check -r requirements.txt
bundle-audit check
bundle-audit update # Update advisory DB
govulncheck ./...
cargo audit
cargo audit fix # Auto-fix
Updates within semver-compatible range:
May introduce breaking changes:
--force flagAUTO-FIX REPORT
===============
Fixed: 8 vulnerabilities
lodash: 4.17.19 → 4.17.21
axios: 0.21.0 → 0.21.1
minimist: 1.2.5 → 1.2.6
Unable to fix: 2 vulnerabilities
react-scripts: No patch available (major version required)
webpack-dev-server: Conflicts with other dependencies
Review package.json changes before committing.
Create .dependency-scan-ignore:
# Ignore specific CVEs (document reason!)
ignore:
- id: CVE-2021-23337
reason: "Not exploitable in our usage, lodash template not used"
expires: 2024-12-31
- id: GHSA-xxx-xxx
reason: "Development dependency only"
# Ignore packages
packages:
- name: lodash
versions: ["< 4.17.0"] # Only old versions
# .dependency-scan.yaml
thresholds:
fail_on: critical # Fail CI on critical
warn_on: high # Warn on high
ignore_below: low # Don't report low
fix:
auto_fix: true
allow_major: false # No major version bumps
- name: Dependency Scan
run: |
/dependency-scan --severity critical,high --fail-on-findings
- name: Auto-fix and PR
if: failure()
run: |
/dependency-scan --fix
git add .
gh pr create --title "Security: Update vulnerable dependencies"
#!/bin/sh
# Run on package.json changes
if git diff --cached --name-only | grep -q "package.json\|requirements.txt"; then
/dependency-scan --severity critical,high
fi
/dependency-scan --health
Additional checks:
DEPENDENCY HEALTH
=================
Outdated (major behind): 5
react: 17.0.2 → 18.2.0
typescript: 4.9.5 → 5.3.3
Deprecated: 1
request: Use got, axios, or node-fetch
Unmaintained (>2 years): 2
moment: Consider dayjs or date-fns
License Issues: 0
/security-scan - Full security analysis/secrets-scan - Credential detection/config-scan - Configuration securitynpx claudepluginhub jwynia/agent-skillsScans project dependencies for known CVEs across npm, pip, cargo, Go, and Java ecosystems. Reports vulnerable packages with severity, affected versions, and fixes.
Audits project dependencies from package.json, requirements.txt, go.mod, Gemfile for CVEs, outdated packages, transitive issues, licenses, and supply chain risks. Provides severity assessments, remediation suggestions, and prioritized reports.
Audits dependencies for vulnerabilities, outdated versions, transitive issues, and licenses in Node.js, Python, PHP, Ruby, Go, and Rust projects using npm audit, pip-audit, and equivalents.