Audits dependencies for vulnerabilities, outdated versions, transitive issues, and licenses in Node.js, Python, PHP, Ruby, Go, and Rust projects using npm audit, pip-audit, and equivalents.
From dependency-checker. Install with `npx claudepluginhub nickloveinvesting/nick-love-plugins --plugin dependency-checker`. This skill is limited to using the following tools:

Skill files:

- assets/README.md
- assets/report_template.md
- references/README.md
- scripts/README.md
- scripts/dependency_check.sh
- scripts/license_compliance_checker.py
- scripts/vulnerability_report_parser.py
Analyze project dependencies for known security vulnerabilities, outdated versions, and license compliance issues across multiple package ecosystems. This skill inspects npm, pip, Composer, Gem, Go module, and Cargo manifests and lock files, cross-references findings against CVE databases, and produces actionable remediation guidance with upgrade paths.
Required tools: npm, pip/pip-audit, composer, gem, go, or cargo, whichever match the ecosystems present in the project.

1. Read `${CLAUDE_SKILL_DIR}/references/README.md` for the npm/pip audit report formats, the license compatibility matrix, and dependency management best practices.
2. Scan `${CLAUDE_SKILL_DIR}/` for manifest files: package.json and package-lock.json (npm/Node.js), requirements.txt/pyproject.toml/Pipfile.lock (Python), composer.json/composer.lock (PHP), Gemfile/Gemfile.lock (Ruby), go.mod/go.sum (Go), Cargo.toml/Cargo.lock (Rust).
3. For npm projects, run `npm audit --json` and parse the structured output. Map each advisory to its CVE identifier, CVSS score, severity level, vulnerable version range, and patched version.
4. For Python projects, run `pip-audit --format=json` or parse `safety check --json` output. Cross-reference each vulnerability against the OSV database for additional context.
5. For the other ecosystems, run the native tool (`composer audit`, `bundle audit`, `cargo audit`, `govulncheck`) and normalize the output to a common finding format.
6. Classify findings and licenses against the report formats and license compatibility matrix in `${CLAUDE_SKILL_DIR}/references/README.md`.
7. Produce upgrade commands (`npm install package@version`, `pip install --upgrade package==version`) prioritized by severity.

| Error | Cause | Solution |
|---|---|---|
| `npm audit` returns exit code 1 | Vulnerabilities found (expected behavior) | Parse the JSON output normally; exit code 1 indicates findings, not a tool failure |
| `pip-audit` not installed | Tool not available in the environment | Install with `pip install pip-audit`, or fall back to `pip list --outdated` combined with OSV API queries |
| Lock file missing or outdated | Dependencies not properly locked | Run `npm install`, `pip freeze`, or the equivalent to generate/update the lock file before scanning |
| Network timeout querying vulnerability DB | Firewall or connectivity issue | Retry with an increased timeout; fall back to offline analysis of lock file versions against cached CVE data |
| Mixed ecosystem project | Multiple manifest files in one repo | Scan each ecosystem independently and combine the results into a unified report |
| Private registry packages not found | Audit tools cannot resolve private packages | Skip private packages in the vulnerability scan and mark them "unverifiable" in the report |
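
The "common finding format" and the direct-to-transitive chain tracing described in the steps above, as an added worked example (this is not the plugin's own scripts/vulnerability_report_parser.py). It parses the two report shapes the steps name, `npm audit --json` (auditReportVersion 2) and `pip-audit --format=json`, into one record type, follows npm's `effects` field upward to the direct dependency that pulls a vulnerable package in, and orders results by severity. The `SAMPLE_*` inputs are constructed to mirror the real report shapes; their package names and advisory ids are placeholders, not real advisories.

```python
"""Normalize npm audit / pip-audit JSON into one finding format and trace npm chains.
Added example; not the plugin's vulnerability_report_parser.py. SAMPLE_* are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# npm says "moderate", other tools say "medium"; pip-audit reports no severity at all.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "medium": 2, "low": 3, "info": 4, "unknown": 5}


@dataclass
class Finding:
    ecosystem: str
    package: str                 # the vulnerable package
    advisory: str                # CVE/GHSA/PYSEC id or advisory URL
    severity: str
    cvss: Optional[float]
    vulnerable_range: str
    fix_target: Optional[str]    # package to upgrade (for npm, usually the direct dependency)
    fixed_version: Optional[str]
    chain: list[str] = field(default_factory=list)  # direct dependency -> ... -> vulnerable package

    def upgrade_command(self) -> Optional[str]:
        """Remediation command, or None when no fixed release exists (needs a workaround)."""
        if not self.fixed_version:
            return None
        if self.ecosystem == "npm":
            return f"npm install {self.fix_target or self.package}@{self.fixed_version}"
        return f"pip install --upgrade {self.package}=={self.fixed_version}"


def trace_to_direct(vulns: dict, name: str) -> list[str]:
    """Walk npm's `effects` (dependents) upward until a package flagged isDirect is reached."""
    chain, seen = [name], {name}
    entry = vulns.get(name, {})
    while not entry.get("isDirect", False):
        parents = [p for p in entry.get("effects", []) if p not in seen]
        if not parents:  # orphaned or cyclic graph: stop rather than loop forever
            break
        name = parents[0]
        seen.add(name)
        chain.append(name)
        entry = vulns.get(name, {})
    return chain[::-1]


def parse_npm_audit(report: dict) -> list[Finding]:
    vulns = report.get("vulnerabilities", {})
    findings = []
    for name, entry in vulns.items():
        # `via` mixes advisory objects (this package is itself vulnerable) with plain strings
        # (vulnerable only through another package). Only objects become findings; a direct
        # dependency that is affected only transitively shows up as the head of a chain.
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        fix = entry.get("fixAvailable")  # False, True, or {name, version, isSemVerMajor}
        fix = fix if isinstance(fix, dict) else {}
        for adv in advisories:
            findings.append(Finding(
                ecosystem="npm", package=name, advisory=adv.get("url", str(adv.get("source"))),
                severity=adv.get("severity", "unknown"), cvss=(adv.get("cvss") or {}).get("score"),
                vulnerable_range=adv.get("range", entry.get("range", "")),
                fix_target=fix.get("name"), fixed_version=fix.get("version"),
                chain=trace_to_direct(vulns, name)))
    return findings


def parse_pip_audit(report) -> list[Finding]:
    # Newer pip-audit wraps output as {"dependencies": [...], "fixes": [...]}; older versions emit the bare list.
    deps = report.get("dependencies", []) if isinstance(report, dict) else report
    findings = []
    for dep in deps:
        for v in dep.get("vulns", []):
            fixes = v.get("fix_versions") or []
            findings.append(Finding(
                ecosystem="pip", package=dep["name"], advisory=v["id"],
                severity="unknown", cvss=None,  # pip-audit carries no CVSS; enrich from OSV
                vulnerable_range=f"=={dep['version']}",
                fix_target=dep["name"], fixed_version=fixes[0] if fixes else None))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f.severity, 5), -(f.cvss or 0.0)))


# Constructed sample inputs: placeholder package names and advisory ids, real report shapes.
SAMPLE_NPM_AUDIT = {"auditReportVersion": 2, "vulnerabilities": {
    "example-router": {"name": "example-router", "severity": "high", "isDirect": False,
        "via": [{"source": 1, "name": "example-router", "title": "ReDoS in route matching",
                 "url": "https://example.invalid/advisories/1", "severity": "high",
                 "cvss": {"score": 7.5}, "range": "<0.1.10"}],
        "effects": ["example-web"], "range": "<0.1.10",
        "fixAvailable": {"name": "example-web", "version": "4.20.0", "isSemVerMajor": False}},
    "example-web": {"name": "example-web", "severity": "high", "isDirect": True,
        "via": ["example-router"], "effects": [], "range": "<=4.19.2",
        "fixAvailable": {"name": "example-web", "version": "4.20.0", "isSemVerMajor": False}},
    "example-parser": {"name": "example-parser", "severity": "critical", "isDirect": True,
        "via": [{"source": 2, "name": "example-parser", "title": "Prototype pollution",
                 "url": "https://example.invalid/advisories/2", "severity": "critical",
                 "cvss": {"score": 9.8}, "range": "<2.0.0"}],
        "effects": [], "range": "<2.0.0", "fixAvailable": False}}}
SAMPLE_PIP_AUDIT = {"dependencies": [
    {"name": "example-http", "version": "2.25.0", "vulns": [
        {"id": "PYSEC-0000-0001", "fix_versions": ["2.31.0"], "description": "constructed"}]},
    {"name": "example-certs", "version": "1.0", "vulns": []}], "fixes": []}


def run() -> list[Finding]:
    return prioritize(parse_npm_audit(SAMPLE_NPM_AUDIT) + parse_pip_audit(SAMPLE_PIP_AUDIT))


if __name__ == "__main__":
    for f in run():
        print(f"[{f.severity:>8}] {f.ecosystem}:{f.package} {f.advisory} chain={' -> '.join(f.chain)} "
              f"fix={f.upgrade_command() or 'NO FIX AVAILABLE: workaround or replace'}")
```

Two details matter in practice: `fixAvailable` in npm's report is `False`, `True`, or an object naming the package to install, so the upgrade command targets that package (the direct dependency) rather than the transitive one, and a finding whose `upgrade_command()` is `None` is exactly the "no fix available" case the workflow says to flag for a workaround or replacement.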
Run `npm audit --json` in `${CLAUDE_SKILL_DIR}/`. Parse the output to identify critical and high severity advisories. For each, trace the dependency chain from direct dependency to vulnerable package. Produce upgrade commands, for example `npm install express@4.19.2` to resolve CVE-2024-XXXXX in path-to-regexp. Flag any advisory without a fix available as requiring a workaround or alternative package.

Run `pip-audit --format=json -r ${CLAUDE_SKILL_DIR}/requirements.txt`. Map each vulnerability to its CVE, CVSS score, and fixed version. For transitive dependencies, identify the direct dependency pulling in the vulnerable package. Recommend pinning to safe versions in requirements.txt and adding pip-audit to the CI pipeline.

Extract licenses from `${CLAUDE_SKILL_DIR}/node_modules/` using `license-checker --json` or equivalent. Flag any GPL-3.0 or AGPL-3.0 licensed package used in a proprietary application as a license conflict. Flag packages with UNLICENSED or missing license fields as requiring legal review before production use.
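
The license classification just described, as an added worked example (not the plugin's scripts/license_compliance_checker.py). It consumes the shape `license-checker --json` produces (a map keyed by `name@version` with a `licenses` field that may be a string, an SPDX expression, or a list) and applies the page's two rules plus the caveats a reviewer hits on real output: dual-licensed packages with a permissive alternative pass, `-only`/`-or-later` variants still count as GPL-3.0/AGPL-3.0, and a license license-checker only guessed (marked with a trailing `*`) goes to review even when it looks permissive. `SAMPLE_LICENSE_CHECKER` is a constructed report with placeholder package names.

```python
"""Classify license-checker --json output for a proprietary application.
Added example; not the plugin's license_compliance_checker.py. The sample report is constructed."""
import re

# -only / -or-later / + suffixes are stripped before matching, so GPL-3.0-or-later is caught too.
STRONG_COPYLEFT = {"GPL-3.0", "AGPL-3.0"}
UNRESOLVED = {"UNLICENSED", "UNKNOWN", ""}


def _canonical(atom: str) -> str:
    """Normalize one SPDX id: drop parens, license-checker's guess marker '*', and version suffixes."""
    atom = atom.strip(" ()").rstrip("*")
    return re.sub(r"(-only|-or-later|\+)$", "", atom)


def _alternative_status(alt: str) -> str:
    """Status of one OR-branch; every AND-ed id inside the branch must be acceptable."""
    atoms = [_canonical(a) for a in re.split(r"\bAND\b", alt)]
    if any(a in UNRESOLVED or a.startswith("SEE LICENSE IN") for a in atoms):
        return "review"
    if any(a in STRONG_COPYLEFT for a in atoms):
        return "conflict"
    return "ok"


def classify(package: str, entry: dict) -> dict:
    raw = entry.get("licenses")
    if not raw:
        return {"package": package, "status": "review", "reason": "no license field in package metadata"}
    # license-checker emits a list when it found several licenses; treat them as all applying.
    expr = " AND ".join(raw) if isinstance(raw, list) else raw
    guessed = "*" in expr  # license-checker appends '*' when it inferred the license from files
    statuses = [_alternative_status(alt) for alt in re.split(r"\bOR\b", expr)]  # any OR-branch may be chosen
    if "ok" in statuses:
        status, reason = "ok", f"usable under {expr}"
        if guessed:
            status, reason = "review", f"license {expr} was guessed by license-checker; confirm before release"
    elif "review" in statuses:
        status, reason = "review", f"license {expr} is unresolved; needs legal review before production use"
    else:
        status, reason = "conflict", f"{expr} is strong copyleft and conflicts with a proprietary application"
    return {"package": package, "status": status, "reason": reason}


def audit(report: dict) -> list[dict]:
    rows = [classify(pkg, entry) for pkg, entry in sorted(report.items())]
    order = {"conflict": 0, "review": 1, "ok": 2}
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed sample in the shape license-checker --json produces (placeholder package names).
SAMPLE_LICENSE_CHECKER = {
    "alpha@1.0.0": {"licenses": "MIT", "repository": "https://example.invalid/alpha",
                    "licenseFile": "node_modules/alpha/LICENSE"},
    "bravo@2.3.1": {"licenses": "AGPL-3.0-only", "repository": "https://example.invalid/bravo"},
    "charlie@0.9.0": {"licenses": "(MIT OR GPL-3.0-or-later)", "repository": "https://example.invalid/charlie"},
    "delta@4.0.0": {"licenses": "UNLICENSED", "repository": "https://example.invalid/delta"},
    "echo@1.2.3": {"licenses": "GPL-3.0*", "repository": "https://example.invalid/echo"},
    "foxtrot@3.1.0": {"repository": "https://example.invalid/foxtrot"},  # no licenses field at all
    "golf@5.0.0": {"licenses": ["MIT", "GPL-3.0"], "repository": "https://example.invalid/golf"},
}


def run() -> list[dict]:
    return audit(SAMPLE_LICENSE_CHECKER)


if __name__ == "__main__":
    for row in run():
        print(f"{row['status']:<8} {row['package']:<16} {row['reason']}")
```

`STRONG_COPYLEFT` holds only the two licenses the rule above names; LGPL, MPL or other terms your legal team cares about are added to that set, not special-cased in the logic.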