dependency-audit
Dependency Audit
Audit, update, and manage dependencies safely.
npm / Node.js
Audit
# Run security audit
npm audit
npm audit --json # Machine-readable
npm audit --omit=dev # Production deps only (npm 7+; older npm: --production)
# Fix automatically
npm audit fix
npm audit fix --force # Allow major version bumps; can break the build, review the diff and run tests
# Fail only at or above a severity (CI gate): exit code is non-zero when a finding meets the level
npm audit --audit-level=high
Check Outdated
# List outdated packages
npm outdated
# Output:
# Package Current Wanted Latest Location
# express 4.17.1 4.17.3 5.0.0 my-app
# lodash 4.17.20 4.17.21 4.17.21 my-app
# Wanted = highest version matching semver range in package.json
# Latest = latest version published
Update Strategies
# Update within semver range (safe)
npm update
# Update specific package
npm update express
# Update to latest (may break)
npm install express@latest
# Interactive update tool
npx npm-check-updates # List all updates
npx npm-check-updates -u # Update package.json
npm install # Install updated
# Update with target
npx npm-check-updates --target minor # Only minor+patch
npx npm-check-updates --target patch # Only patch
Lock File
# Regenerate lock file (re-resolves every dependency; review the resulting diff)
rm package-lock.json && npm install
# Clean install exactly from the lock file; fails if package.json and the lock disagree (use in CI)
npm ci
# Deduplicate
npm dedupe
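npm ci only proves that package.json and the lock file agree; it says nothing about where the lock sends you. The script below is an added example (not part of this skill or of npm) that walks a lockfileVersion 2/3 package-lock.json and flags entries with no resolved URL, no integrity hash, a non-sha512 hash, or a source host outside an allowed set. The allowed-host set and the sample lock (fake package names, placeholder hashes) are assumptions constructed for the example.

```python
"""Inspect package-lock.json (lockfileVersion 2/3) for entries a lock check should reject.

Added example; the sample lock below is constructed, not a real project's file.
"""
import json
import sys
from urllib.parse import urlparse

# Hosts a dependency may resolve from (assumption: the public npm registry only)
ALLOWED_HOSTS = {"registry.npmjs.org"}


def lockfile_problems(lock, allowed_hosts=ALLOWED_HOSTS):
    """Return (package path, reason) pairs for entries that are unpinned, unverified or foreign-sourced."""
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 not supported; regenerate with npm 7+ (npm install) first")
    problems = []
    for path, meta in lock["packages"].items():
        if path == "" or meta.get("link"):
            # "" is the root project; link entries are workspace symlinks with no tarball to verify
            continue
        resolved = meta.get("resolved")
        if not resolved:
            problems.append((path, "no resolved URL"))
            continue
        host = urlparse(resolved).hostname or resolved
        if host not in allowed_hosts:
            problems.append((path, f"resolved from {host}"))
        integrity = meta.get("integrity", "")
        if not integrity:
            problems.append((path, "missing integrity hash"))
        elif not integrity.startswith("sha512-"):
            problems.append((path, f"weak integrity algorithm {integrity.split('-', 1)[0]}"))
    return problems


# Constructed sample lock file: fake package names, placeholder hashes
LOCK_SAMPLE = {
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"good-pkg": "^1.0.0"}},
        "node_modules/good-pkg": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/good-pkg/-/good-pkg-1.0.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/mirror-pkg": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/mirror-pkg/-/mirror-pkg-2.0.0.tgz",
            "integrity": "sha512-" + "C" * 86 + "==",
        },
        "node_modules/git-pkg": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/git-pkg.git#0123456789abcdef",
        },
        "node_modules/old-pkg": {
            "version": "3.0.0",
            "resolved": "https://registry.npmjs.org/old-pkg/-/old-pkg-3.0.0.tgz",
            "integrity": "sha1-" + "B" * 27 + "=",
        },
    },
}


if __name__ == "__main__":
    # Usage: python lock_check.py [package-lock.json]; runs on the sample when no file is given
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = LOCK_SAMPLE
    found = lockfile_problems(lock)
    for path, reason in found:
        print(f"{path}: {reason}")
    sys.exit(1 if found else 0)
```

A foreign host is not automatically wrong (private mirrors, git dependencies), but every one of them is a source npm ci will trust on the strength of the lock file alone; add expected mirrors to the allowed set deliberately rather than silencing the check.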
Python / pip
Audit
# pip-audit (recommended)
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
pip-audit --fix # Upgrade vulnerable packages in the environment (re-pin requirements afterwards)
pip-audit -f json # Machine-readable (--format json)
# Safety (alternative)
pip install safety
safety check # Safety 3.x deprecates `safety check` in favour of `safety scan`
safety check -r requirements.txt
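Both npm audit and pip-audit return a non-zero exit code on findings, but a CI gate usually wants more control: fail on high/critical only for npm, and treat pip-audit findings (whose JSON lists advisory IDs and fix versions but no severity) as blocking only when a fix exists. The script below is an added example, not part of this skill or of either tool; it reads the JSON shapes of `npm audit --json` (npm 7+, auditReportVersion 2) and `pip-audit -f json`, and the two sample reports embedded in it are constructed with fake package names and a placeholder advisory ID.

```python
"""CI gate over `npm audit --json` and `pip-audit -f json` output.

Added example, not part of the page's tooling. Sample reports are constructed (fake packages, fake IDs).
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def npm_blocking(report, fail_level="high"):
    """Findings at or above fail_level, each with how `npm audit fix` can address it."""
    threshold = SEVERITY_RANK[fail_level]
    blocking = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            how = "npm audit fix"
        elif isinstance(fix, dict):
            # An object names the package that must change; isSemVerMajor means the fix needs --force
            how = "npm audit fix --force (semver-major)" if fix.get("isSemVerMajor") else "npm audit fix"
        else:
            how = "no fix available"
        blocking.append({"name": name, "severity": severity, "direct": bool(vuln.get("isDirect")), "fix": how})
    return blocking


def pip_blocking(report, require_fix=False):
    """All pip-audit findings (no severity in its JSON); with require_fix, only those with a fix version."""
    blocking = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            fixes = vuln.get("fix_versions") or []
            if require_fix and not fixes:
                continue
            blocking.append({"name": dep["name"], "version": dep["version"], "id": vuln["id"], "fix_versions": fixes})
    return blocking


def gate(npm_report=None, pip_report=None, fail_level="high", require_fix=False):
    """Return (ok, messages); ok is False when anything blocks."""
    messages = []
    if npm_report is not None:
        for b in npm_blocking(npm_report, fail_level):
            kind = "direct" if b["direct"] else "transitive"
            messages.append(f"npm: {b['name']} {b['severity']} ({kind}, {b['fix']})")
    if pip_report is not None:
        for b in pip_blocking(pip_report, require_fix):
            fix = ", ".join(b["fix_versions"]) or "none"
            messages.append(f"pip: {b['name']} {b['version']} {b['id']} (fix: {fix})")
    return (not messages, messages)


# Constructed samples in the two tools' JSON shapes
NPM_AUDIT_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "high", "isDirect": True, "range": "<2.0.0", "fixAvailable": True},
        "pkg-b": {"name": "pkg-b", "severity": "moderate", "isDirect": False, "range": "<3.0.0",
                  "fixAvailable": {"name": "pkg-b", "version": "3.0.0", "isSemVerMajor": True}},
        "pkg-c": {"name": "pkg-c", "severity": "low", "isDirect": False, "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 1, "critical": 0, "total": 3}},
}
PIP_AUDIT_SAMPLE = {
    "dependencies": [
        {"name": "lib-x", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "constructed"}]},
        {"name": "lib-y", "version": "3.2.0", "vulns": []},
    ],
}


if __name__ == "__main__":
    # Usage: python audit_gate.py npm-audit.json pip-audit.json  (runs on the samples with no arguments)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            ok, messages = gate(json.load(f1), json.load(f2))
    else:
        ok, messages = gate(NPM_AUDIT_SAMPLE, PIP_AUDIT_SAMPLE)
    print("\n".join(messages) or "no blocking findings")
    sys.exit(0 if ok else 1)
```

Produce the inputs with `npm audit --json > npm-audit.json` and `pip-audit -f json > pip-audit.json` (both commands exit non-zero when they find something, so do not combine them with `set -e` before the gate runs). The "direct"/"transitive" tag is worth keeping in the output: a transitive finding with no fix usually needs an override or an upstream issue, not a version bump in package.json.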
Check Outdated
# List outdated packages
pip list --outdated
pip list --outdated --format=json
# Check specific package
pip show package-name # Installed version and metadata (does not query the index)
Update Strategies
# Update single package
pip install --upgrade requests
# Update all packages (careful!)
pip list --outdated --format=json | python -c "
import json, sys
for pkg in json.load(sys.stdin):
    print(pkg['name'])" | xargs -n1 pip install --upgrade
# Pin versions after updating
pip freeze > requirements.txt
pip-tools (Recommended)
pip install pip-tools
# Define requirements.in (unpinned)
# requirements.in:
# flask
# sqlalchemy>=2.0
# Compile to pinned requirements.txt
pip-compile requirements.in
# Update all
pip-compile --upgrade requirements.in
# Update specific package
pip-compile --upgrade-package flask requirements.in
# Sync environment to match
pip-sync requirements.txt
Yarn
# Audit (Yarn 1; Yarn 2+ uses `yarn npm audit`)
yarn audit
yarn audit --level moderate # Only moderate+
# Outdated
yarn outdated
# Update
yarn upgrade # Within ranges
yarn upgrade --latest # To latest versions
yarn upgrade-interactive # Interactive picker
# Dedupe (Yarn 2+; Yarn 1 has no dedupe command, use `npx yarn-deduplicate`)
yarn dedupe
pnpm
# Audit
pnpm audit
pnpm audit --fix
# Outdated
pnpm outdated
# Update
pnpm update
pnpm update --latest
pnpm update --interactive
Renovate / Dependabot
Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "team-name"
    labels:
      - "dependencies"
    groups:
      dev-deps:
        patterns:
          - "*"
        dependency-type: "development"
      prod-deps:
        patterns:
          - "*"
        dependency-type: "production"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
Renovate
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "schedule": ["before 6am on Monday"],
  "automerge": true,
  "automergeType": "pr",
  "packageRules": [
    {
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["breaking"]
    }
  ]
}
Note: the top-level "automerge": true applies to every update type the packageRules do not override, so minor updates automerge here as well as patch ones. Renovate only automerges after the required status checks pass, so this config is only as safe as the test suite those checks run.
Update Workflow
1. Check what's outdated
npm outdated / pip list --outdated
2. Run audit for vulnerabilities
npm audit / pip-audit
3. Update patch versions first (safest)
npx ncu --target patch -u && npm install
4. Run tests
npm test / pytest
5. Update minor versions
npx ncu --target minor -u && npm install && npm test
6. Update major versions one at a time
npm install package@latest && npm test
Read migration guides for major bumps
7. Commit and push
git add package.json package-lock.json
git commit -m "chore: update dependencies"
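The seven steps above are easy to do by hand for a handful of packages and tedious for fifty. The script below is an added example (not part of this skill) that reads the JSON shapes of `npm outdated --json` and `pip list --outdated --format=json`, classifies each package as a patch, minor or major bump, and emits the commands in the order the workflow prescribes: the patch batch, then the minor batch, then each major on its own, with tests after every step. It also handles two cases the plain workflow glosses over: a 0.x minor bump is treated as major, because semver lets 0.x minors break, and anything whose version cannot be parsed (a git dependency, a package not installed) is sent to manual review. The sample reports are constructed; the express and lodash versions are the ones shown in the npm outdated output earlier on this page.

```python
"""Sort outdated packages into the patch / minor / major batches used in the update workflow.

Added example, not part of the page. Sample reports below are constructed.
"""
import json
import re
import sys

_LEADING_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """(major, minor, patch) from the leading numeric part of a version, or None (git URL, tag, missing)."""
    match = _LEADING_VERSION.match((text or "").strip())
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def bump_type(current, latest):
    """'patch' | 'minor' | 'major' | 'none' | 'unknown'. A 0.x minor bump counts as major (semver allows breaks)."""
    cur, new = parse_version(current), parse_version(latest)
    if cur is None or new is None:
        return "unknown"
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "major" if cur[0] == 0 else "minor"
    return "patch"


def npm_outdated(report):
    """`npm outdated --json`: {name: {current, wanted, latest, ...}}; current is absent when not installed."""
    return [(name, info.get("current"), info.get("latest")) for name, info in report.items()]


def pip_outdated(report):
    """`pip list --outdated --format=json`: [{name, version, latest_version, latest_filetype}]."""
    return [(row["name"], row["version"], row["latest_version"]) for row in report]


def plan(entries):
    """Group (name, current, latest) entries by bump type, dropping packages that are already current."""
    batches = {"patch": [], "minor": [], "major": [], "unknown": []}
    for name, current, latest in entries:
        kind = bump_type(current, latest)
        if kind != "none":
            batches[kind].append((name, current, latest))
    return batches


def commands(batches, tool):
    """Steps 3-6 of the workflow: patch batch, minor batch, then each major on its own, tests after each."""
    cmds = []
    if tool == "npm":
        for label in ("patch", "minor"):
            if batches[label]:
                # --filter restricts ncu to the packages classified here, so a 0.x minor is not pulled in early
                names = ",".join(n for n, _, _ in batches[label])
                cmds.append(f'npx npm-check-updates --target {label} -u --filter "{names}" && npm install && npm test')
        for name, _, latest in batches["major"]:
            cmds.append(f"npm install {name}@{latest} && npm test")
    else:
        for label in ("patch", "minor"):
            if batches[label]:
                pins = " ".join(f"{n}=={v}" for n, _, v in batches[label])
                cmds.append(f"pip install --upgrade {pins} && pytest")
        for name, _, latest in batches["major"]:
            cmds.append(f"pip install --upgrade {name}=={latest} && pytest")
    for name, current, latest in batches["unknown"]:
        cmds.append(f"# review by hand: {name} {current} -> {latest}")
    return cmds


# Constructed samples (express/lodash versions match the npm outdated output shown on this page)
NPM_OUTDATED_SAMPLE = {
    "express": {"current": "4.17.1", "wanted": "4.17.3", "latest": "5.0.0", "location": "node_modules/express"},
    "lodash": {"current": "4.17.20", "wanted": "4.17.21", "latest": "4.17.21", "location": "node_modules/lodash"},
    "zero-x-lib": {"current": "0.3.1", "wanted": "0.3.1", "latest": "0.4.0", "location": "node_modules/zero-x-lib"},
    "not-installed": {"wanted": "1.2.0", "latest": "1.2.0", "location": "node_modules/not-installed"},
}
PIP_OUTDATED_SAMPLE = [
    {"name": "lib-a", "version": "2.3.0", "latest_version": "2.3.3", "latest_filetype": "wheel"},
    {"name": "lib-b", "version": "2.0.10", "latest_version": "2.1.0", "latest_filetype": "wheel"},
    {"name": "lib-c", "version": "1.9.0", "latest_version": "2.0.0", "latest_filetype": "wheel"},
]


if __name__ == "__main__":
    # Usage: npm outdated --json | python update_plan.py npm
    #        pip list --outdated --format=json | python update_plan.py pip
    tool = sys.argv[1] if len(sys.argv) > 1 else "npm"
    if sys.stdin.isatty():
        entries = npm_outdated(NPM_OUTDATED_SAMPLE) if tool == "npm" else pip_outdated(PIP_OUTDATED_SAMPLE)
    else:
        data = json.load(sys.stdin)
        entries = npm_outdated(data) if tool == "npm" else pip_outdated(data)
    print("\n".join(commands(plan(entries), tool)))
```

The emitted lines are a plan to run one at a time, committing after each green test run, not a script to pipe into sh: a failing major bump is exactly the point at which to stop and read the migration guide.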
License Checking
# npm
npx license-checker --summary
npx license-checker --onlyAllow "MIT;ISC;BSD-3-Clause;Apache-2.0"
# Python
pip install pip-licenses
pip-licenses --summary
pip-licenses --allow-only "MIT;BSD;Apache-2.0"
Reference
For CI integration and automation: references/automation.md