dependency-audit
SKILL.md
Dependency Audit Skill
Summary
Systematic workflow for auditing, updating, and cleaning up project dependencies. Covers security vulnerability scanning, outdated package detection, unused dependency removal, and migration from deprecated libraries.
When to Use
- Weekly/monthly dependency maintenance
- After security advisories (CVE announcements)
- Before major releases
- When bundle size increases unexpectedly
- During code reviews for dependency changes
- Onboarding to legacy projects
Quick Audit Process
1. Check Outdated Packages
# npm
npm outdated
# pnpm
pnpm outdated
# yarn
yarn outdated
# pip (Python)
pip list --outdated
# poetry (Python)
poetry show --outdated
2. Security Vulnerability Scan
# npm
npm audit
npm audit fix # Auto-fix where possible
npm audit fix --force # Force major version updates (risky)
# pnpm
pnpm audit
pnpm audit --fix
# yarn
yarn audit
yarn audit --fix
# Python
pip-audit # Requires: pip install pip-audit
safety check # Requires: pip install safety
3. Find Unused Dependencies
# JavaScript/TypeScript
npx depcheck
# Output example:
# Unused dependencies
# * lodash
# * moment
# Unused devDependencies
# * @types/old-package
# Python
pip-autoremove --list # Requires: pip install pip-autoremove
Audit Commands
JavaScript/TypeScript/Node.js
npm
# Check what's outdated
npm outdated
# Update within semver range (safe)
npm update
# Update specific package to latest
npm install package@latest
# Check security vulnerabilities
npm audit
# Auto-fix vulnerabilities
npm audit fix
# View dependency tree
npm list
npm list --depth=0 # Top-level only
# Why is this package installed?
npm ls package-name
# Check for duplicate packages
npm dedupe
pnpm
# Check outdated
pnpm outdated
# Update all dependencies
pnpm update
# Update specific package
pnpm update package@latest
# Security audit
pnpm audit
# Deduplicate
pnpm dedupe
# List all packages
pnpm list
yarn
# Check outdated
yarn outdated
# Upgrade interactive (recommended)
yarn upgrade-interactive
# Update all
yarn upgrade
# Security audit
yarn audit
# Why is this here?
yarn why package-name
Python
pip
# List outdated
pip list --outdated
# Update specific package
pip install --upgrade package-name
# Security audit
pip-audit # Install: pip install pip-audit
# Freeze current dependencies
pip freeze > requirements.txt
# Check dependencies of a package
pip show package-name
poetry
# Show outdated
poetry show --outdated
# Update all
poetry update
# Update specific package
poetry update package-name
# Security check
poetry audit # poetry-audit-plugin required
# Show dependency tree
poetry show --tree
pipenv
# Check for security vulnerabilities
pipenv check
# Update all
pipenv update
# Update specific
pipenv update package-name
# Show dependency graph
pipenv graph
Priority Matrix
| Priority | Type | Action | Timeline | Example |
|---|---|---|---|---|
| P0 | Critical CVE (actively exploited) | Patch immediately | Same day | Auth bypass, RCE |
| P1 | High CVE or major framework update | Plan migration | 1-2 weeks | Next.js, React major version |
| P2 | Deprecated with active usage | Find replacement | 2-4 weeks | moment.js → date-fns |
| P3 | Minor/patch updates | Batch update | Monthly | Non-breaking updates |
| P4 | Unused dependencies | Remove | Next cleanup PR | Dead imports |
Priority Decision Tree
Is there a CVE?
├─ Yes → Is it critical/high severity?
│ ├─ Yes → P0 (patch immediately)
│ └─ No → P1 (plan update)
└─ No → Is package deprecated?
├─ Yes → Is it actively used?
│ ├─ Yes → P2 (find replacement)
│ └─ No → P4 (remove)
└─ No → Is it outdated?
├─ Major version → P1 (plan migration)
├─ Minor/patch → P3 (batch update)
└─ Unused → P4 (remove)
Common Replacements
Date/Time Libraries
JavaScript/TypeScript
// ❌ moment.js (deprecated, 288KB minified)
import moment from 'moment';
const formatted = moment().format('YYYY-MM-DD');
const diff = moment(date1).diff(moment(date2), 'days');
// ✅ date-fns (tree-shakeable, 2-5KB per function)
import { format, differenceInDays } from 'date-fns';
const formatted = format(new Date(), 'yyyy-MM-dd');
const diff = differenceInDays(date1, date2);
// ✅ Native Intl (zero bundle cost)
const formatted = new Intl.DateTimeFormat('en-US').format(new Date());
const relative = new Intl.RelativeTimeFormat('en').format(-1, 'day'); // "1 day ago"
Python
# ❌ arrow (overhead for simple tasks)
import arrow
now = arrow.now().format('YYYY-MM-DD')
# ✅ Native datetime
from datetime import datetime
now = datetime.now().strftime('%Y-%m-%d')
# ✅ pendulum (for complex timezone handling)
import pendulum
now = pendulum.now('America/New_York')
Utility Libraries
JavaScript/TypeScript
// ❌ Full lodash import (70KB)
import _ from 'lodash';
const value = _.get(obj, 'path.to.value');
const unique = _.uniq(array);
// ✅ Specific imports (5-10KB)
import get from 'lodash/get';
import uniq from 'lodash/uniq';
// ✅ Native alternatives (0KB)
const value = obj?.path?.to?.value; // Optional chaining
const unique = [...new Set(array)]; // Set
const keys = Object.keys(obj); // Object.keys
const flat = array.flat(); // Array.flat()
const grouped = Object.groupBy(arr, fn); // Object.groupBy
HTTP Clients
JavaScript/TypeScript
// ❌ axios (11KB) - often unnecessary
import axios from 'axios';
const { data } = await axios.get('/api/users');
// ✅ Native fetch (0KB) - built-in
const response = await fetch('/api/users');
const data = await response.json();
// ✅ ky (2KB) - if you need retries/timeout
import ky from 'ky';
const data = await ky.get('/api/users').json();
Python
# ❌ requests (large for serverless)
import requests
response = requests.get('https://api.example.com')
# ✅ httpx (async support, same API)
import httpx
async with httpx.AsyncClient() as client:
response = await client.get('https://api.example.com')
# ✅ urllib (native, for simple cases)
from urllib.request import urlopen
response = urlopen('https://api.example.com')
Testing Libraries
JavaScript/TypeScript
// Consider consolidating test runners
// If using Jest + Vitest + Playwright separately:
// ✅ Vitest can replace Jest in most projects (faster, native ESM)
// ✅ Keep Playwright for E2E, use Vitest for unit/integration
Validation Libraries
JavaScript/TypeScript
// ❌ Multiple validation libraries
import * as yup from 'yup';
import Joi from 'joi';
import { z } from 'zod';
// ✅ Pick one (Zod recommended for TypeScript)
import { z } from 'zod';
const schema = z.object({
email: z.string().email(),
age: z.number().min(0)
});
Update Strategy
Batch Related Updates
# Update all ESLint-related packages together
pnpm update eslint @typescript-eslint/parser @typescript-eslint/eslint-plugin
# Update all testing packages together
pnpm update vitest @vitest/ui @vitest/coverage-v8
# Update all Next.js packages together
pnpm update next react react-dom @types/react @types/react-dom
Test After Updates
Comprehensive Testing Checklist
# 1. Type check
pnpm tsc --noEmit
# 2. Lint
pnpm lint
# 3. Unit tests
pnpm test
# 4. Build verification
pnpm build
# 5. Dev server (smoke test)
pnpm dev
# Open browser, test key features
# 6. E2E tests (if available)
pnpm test:e2e
Incremental Update Strategy
For Major Version Updates
# 1. Create branch
git checkout -b chore/update-nextjs-15
# 2. Update package.json
# Change "next": "^14.0.0" → "^15.0.0"
# 3. Install
pnpm install
# 4. Read migration guide
# Visit: nextjs.org/docs/upgrading
# 5. Address breaking changes
# Follow migration guide step-by-step
# 6. Test thoroughly
pnpm test && pnpm build
# 7. Commit and PR
git add .
git commit -m "chore: upgrade Next.js to v15"
Cleanup Workflow
Step 1: Identify Unused Dependencies
npx depcheck
Example Output:
Unused dependencies
* lodash
* moment
* old-library
Unused devDependencies
* @types/old-package
* unused-test-lib
Step 2: Verify Not Used
# Search codebase for imports
rg "from 'lodash'" --type ts
rg "import.*lodash" --type ts
rg "require\('lodash'\)" --type js
# If no results → safe to remove
Step 3: Remove Package
pnpm remove lodash
Step 4: Update Lock File
# npm
rm package-lock.json
npm install
# pnpm
rm pnpm-lock.yaml
pnpm install
# yarn
rm yarn.lock
yarn install
Step 5: Test
pnpm test
pnpm build
Cleanup PR Template
## Dependency Cleanup
### Security Updates (P0/P1)
- [ ] `next`: 14.0.4 → 14.2.3 (CVE-2024-XXXX)
- [ ] `jose`: 4.15.4 → 4.15.5 (CVE-2024-YYYY)
### Removed (Unused)
- [ ] `lodash` - replaced with native JS methods
- [ ] `moment` - replaced with date-fns
- [ ] `@types/old-package` - package no longer used
### Updated (Maintenance)
- [ ] `eslint`: 8.57.0 → 9.0.0
- [ ] `typescript`: 5.3.3 → 5.4.2
### Migration Notes
**lodash → Native**:
- `_.get()` → optional chaining `obj?.prop?.value`
- `_.uniq()` → `[...new Set(array)]`
**moment → date-fns**:
- `moment().format('YYYY-MM-DD')` → `format(new Date(), 'yyyy-MM-dd')`
### Testing
- [ ] All tests pass (`pnpm test`)
- [ ] Build succeeds (`pnpm build`)
- [ ] No runtime errors in dev (`pnpm dev`)
- [ ] E2E tests pass (if applicable)
### Bundle Size Impact
- Before: 2.4 MB
- After: 1.8 MB
- **Savings: 600 KB (25% reduction)**
Security Scanning
Automated Security Checks
GitHub Actions
# .github/workflows/security.yml
name: Security Audit
on:
schedule:
- cron: '0 0 * * 1' # Weekly on Monday
pull_request:
push:
branches: [main]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: npm ci
- name: Run security audit
run: npm audit --audit-level=high
- name: Check for outdated packages
run: npm outdated || true
- name: Dependency review
uses: actions/dependency-review-action@v4
if: github.event_name == 'pull_request'
Snyk Integration
# .github/workflows/snyk.yml
name: Snyk Security
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Manual Security Commands
# npm security audit
npm audit
# Show only high/critical
npm audit --audit-level=high
# Get JSON report
npm audit --json > audit-report.json
# Snyk (requires: npm install -g snyk)
snyk test # Test for vulnerabilities
snyk monitor # Continuous monitoring
snyk wizard # Interactive fixing
# Socket.dev (supply chain security)
npx socket-npm audit
CVE Response Process
-
Notification: Receive security advisory (GitHub, npm, Snyk)
-
Assess Impact:
# Find where vulnerable package is used npm ls vulnerable-package # Check if we use vulnerable functionality rg "vulnerableFunction" --type ts -
Patch:
# Update to patched version npm install vulnerable-package@4.15.5 # Or update dependency that depends on it npm update parent-package -
Verify Fix:
npm audit # Should show 0 vulnerabilities -
Test & Deploy:
pnpm test && pnpm build git commit -m "fix: patch CVE-2024-XXXX in vulnerable-package"
Summary
Monthly Maintenance Checklist
## Dependency Maintenance - [YYYY-MM]
### Security
- [ ] Run `npm audit` and address high/critical issues
- [ ] Review GitHub security advisories
- [ ] Check Snyk dashboard (if integrated)
### Updates
- [ ] Check `npm outdated` for major updates
- [ ] Update patch versions: `npm update`
- [ ] Plan migration for deprecated packages
### Cleanup
- [ ] Run `npx depcheck` to find unused deps
- [ ] Remove packages with zero imports
- [ ] Deduplicate: `npm dedupe`
### Testing
- [ ] Run full test suite
- [ ] Check build succeeds
- [ ] Verify dev server works
- [ ] Test in production-like environment
### Documentation
- [ ] Update CHANGELOG.md
- [ ] Document breaking changes
- [ ] Update .env.example if needed
Best Practices
- Automate: Set up GitHub Actions for weekly audits
- Batch Updates: Group related dependency updates
- Test Thoroughly: Never skip tests after updates
- Document: Keep CHANGELOG.md updated
- Measure Impact: Track bundle size changes
- Stay Informed: Subscribe to security advisories
- Use Lock Files: Commit package-lock.json/pnpm-lock.yaml
- Gradual Migration: Don't update everything at once
Weekly Installs
53
Repository
bobmatnyc/claude-mpm-skillsFirst Seen
Jan 23, 2026
Security Audits
Installed on
claude-code42
codex35
gemini-cli34
opencode32
antigravity31
github-copilot29