# deps-audit

Dependency Audit
## Commands

Run in parallel:

```bash
npm audit
npm outdated
```
## Workflow
- Run audit and outdated check in parallel
- Report vulnerabilities with CVE + fix command using severity table below
- List outdated packages: table of package/current/latest/type (major vs minor/patch)
- Check for unused deps: grep imports in `src/`
## Severity Levels
| Level | CVSS | Action |
|---|---|---|
| Critical | 9.0-10.0 | Fix immediately, block merge |
| High | 7.0-8.9 | Fix before next release |
| Moderate | 4.0-6.9 | Fix in current sprint |
| Low | 0.1-3.9 | Fix when convenient |
For each critical/high vulnerability, report:

```text
Package: <name>@<version>
CVE: CVE-YYYY-XXXXX
Severity: Critical
Description: <one line>
Fix: npm audit fix --force (or: npm install <pkg>@<safe-version>)
```
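As an added example (not code from the helderberto/skills deps-audit skill), the script below applies the severity table and the major vs minor/patch rule to parsed `npm audit --json` and `npm outdated --json` output and builds the report entries and outdated rows the workflow asks for. The two sample objects are constructed, and the JSON field names (`vulnerabilities`, `via`, `cvss.score`, `fixAvailable`, `current`/`latest`) are assumed to follow the npm 7+ shape.

```javascript
// Added example (not the deps-audit skill's own code): classify parsed `npm audit --json`
// and `npm outdated --json` output per the severity table and the major vs minor/patch rule.
// Samples are constructed; field names assume the npm 7+ JSON shape.

// Severity table from the page, keyed on the CVSS base score.
function actionForScore(score) {
  if (score >= 9.0) return { level: "Critical", action: "Fix immediately, block merge" };
  if (score >= 7.0) return { level: "High", action: "Fix before next release" };
  if (score >= 4.0) return { level: "Moderate", action: "Fix in current sprint" };
  return { level: "Low", action: "Fix when convenient" };
}
// Major vs minor/patch: compare the leading numeric component, ignoring ^ or ~ prefixes.
function updateType(current, latest) {
  const major = (v) => parseInt(v.replace(/^[^\d]*/, "").split(".")[0], 10);
  return major(latest) > major(current) ? "major" : "minor/patch";
}
// Critical/high entries only, each with the fix command the report template asks for.
function vulnReport(audit) {
  const out = [];
  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    for (const adv of v.via || []) {
      if (typeof adv !== "object") continue; // string entries only point at another package
      const { level, action } = actionForScore((adv.cvss && adv.cvss.score) || 0);
      if (level !== "Critical" && level !== "High") continue;
      // fixAvailable is true or { name, version }; prefer the explicit install form.
      const fix = v.fixAvailable && v.fixAvailable.version
        ? `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`
        : "npm audit fix --force";
      // npm's JSON carries an advisory URL, not a CVE id; keep the template placeholder.
      out.push({ pkg: `${name}@${v.range}`, cve: adv.cve || "CVE-YYYY-XXXXX",
        level, action, description: adv.title, fix });
    }
  }
  return out;
}
// package/current/latest/type rows for the outdated table.
function outdatedTable(outdated) {
  return Object.entries(outdated).map(([pkg, o]) =>
    ({ pkg, current: o.current, latest: o.latest, type: updateType(o.current, o.latest) }));
}
// Constructed samples; package names are placeholders, not real advisories.
const sampleAudit = { vulnerabilities: {
  "example-pkg-a": { range: "<1.3.0", fixAvailable: { name: "example-pkg-a", version: "1.3.0" },
    via: [{ title: "constructed critical issue", cvss: { score: 9.8 }, url: "<advisory-url>" }] },
  "example-pkg-b": { range: "*", fixAvailable: true,
    via: [{ title: "constructed low issue", cvss: { score: 3.1 } }, "example-pkg-a"] } } };
const sampleOutdated = { "example-pkg-a": { current: "1.2.0", latest: "2.0.0" },
  "example-pkg-b": { current: "^4.1.0", latest: "4.1.3" } };
```

`npm audit fix --force` can pull in semver-major versions, so when `fixAvailable` names a safe version the explicit `npm install <pkg>@<safe-version>` form from the template is the safer default.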
## Rules

- Never use `npx` directly
- Focus on actionable items
- Prioritize: security > major updates > unused > minor updates
## Error Handling

- `npm audit` fails -- run `npm install` first to generate `package-lock.json`, then retry
- `npm outdated` returns nothing -- report that all dependencies are current
- `npm` not found -- report incompatibility; this skill requires npm