dependency-scan
Dependency Scan
Analyze package dependencies for known vulnerabilities.
Quick Start
/dependency-scan # Scan all detected package managers
/dependency-scan --npm # Node.js packages only
/dependency-scan --pip # Python packages only
/dependency-scan --fix # Auto-fix where possible
What This Skill Does
- Identifies package managers in your project
- Parses dependency manifests (package.json, requirements.txt, etc.)
- Checks vulnerability databases for known CVEs
- Reports severity and remediation options
- Optionally auto-fixes by updating to patched versions
Supported Package Managers
| Ecosystem | Files | Tool Used |
|---|---|---|
| Node.js | package.json, package-lock.json | npm audit |
| Python | requirements.txt, Pipfile, pyproject.toml | pip-audit, safety |
| Ruby | Gemfile, Gemfile.lock | bundler-audit |
| Java | pom.xml, build.gradle | dependency-check |
| Go | go.mod, go.sum | govulncheck |
| Rust | Cargo.toml, Cargo.lock | cargo-audit |
| PHP | composer.json, composer.lock | composer audit |
| .NET | *.csproj, packages.config | dotnet list package --vulnerable |
Scan Modes
Full Scan
/dependency-scan
Scans all detected package managers, reports all severity levels.
Specific Ecosystem
/dependency-scan --npm
/dependency-scan --pip
/dependency-scan --go
Severity Filter
/dependency-scan --severity critical,high
/dependency-scan --severity medium
Auto-Fix Mode
/dependency-scan --fix
/dependency-scan --fix --dry-run # Preview changes
Attempts to update vulnerable packages to patched versions. Run with --dry-run first, then review the manifest and lockfile diff and run the test suite before committing.
Output Format
Summary View
DEPENDENCY SCAN RESULTS
=======================
Scanned: package.json, requirements.txt
Packages analyzed: 127 (78 npm, 49 pip)
VULNERABILITIES BY SEVERITY
Critical: 0
High: 6
Medium: 8
Low: 12
TOP ISSUES
[H] HIGH: lodash < 4.17.21
CVE-2021-23337: Command Injection (template function)
Affected: lodash@4.17.19
Fix: npm update lodash
[H] HIGH: urllib3 < 1.26.17 (1.x) or < 2.0.6 (2.x)
CVE-2023-43804: Cookie header leaked on cross-origin redirect
Affected: urllib3@1.26.0
Fix: pip install "urllib3>=1.26.17"   # quote the spec: an unquoted > is a shell redirect
[H] HIGH: express < 4.19.2
CVE-2024-29041: Open Redirect
Affected: express@4.18.0
Fix: npm update express
Detailed View
/dependency-scan --details
DETAILED VULNERABILITY REPORT
=============================
CVE-2021-23337
--------------
Package: lodash
Installed: 4.17.19
Patched: 4.17.21
Severity: HIGH (CVSS 3.1 base score 7.2)
Description:
Command injection in lodash's template function: a crafted template
string passed to _.template executes arbitrary JavaScript.
Attack Vector: Network; the attacker must control the template source (CVSS PR:H)
Exploitability: Public proof-of-concept available
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23337
- https://github.com/lodash/lodash/issues/5085
Remediation:
npm update lodash
# or
npm install lodash@4.17.21
Vulnerability Sources
Databases Consulted
| Database | Coverage |
|---|---|
| NVD (National Vulnerability Database) | All CVEs |
| GitHub Advisory Database | GitHub-reported |
| OSV (Open Source Vulnerabilities) | Multi-ecosystem |
| npm Security Advisories | Node.js specific |
| PyPI Advisory Database | Python specific |
| RustSec Advisory Database | Rust specific |
CVSS Scoring
| Score | Severity |
|---|---|
| 9.0-10.0 | Critical |
| 7.0-8.9 | High |
| 4.0-6.9 | Medium |
| 0.1-3.9 | Low |
Commands Used
Node.js (npm)
npm audit --json
npm audit fix            # Apply fixes that stay inside package.json's semver ranges
npm audit fix --force    # Also install semver-major updates; can break the build
Python (pip-audit)
pip-audit
pip-audit --fix
pip-audit -r requirements.txt
Python (safety)
safety check                        # Deprecated in Safety 3.x in favour of `safety scan`
safety check -r requirements.txt
Ruby (bundler-audit)
bundle-audit check
bundle-audit update # Update advisory DB
Go (govulncheck)
govulncheck ./...
Rust (cargo-audit)
cargo audit
cargo audit fix # Auto-fix (needs cargo-audit built with the "fix" feature)
Auto-Fix Behavior
Safe Fixes
Updates within semver-compatible range:
- Patch versions (1.2.3 → 1.2.4)
- Minor versions if locked to major (^1.2.3 → ^1.3.0)
Breaking Fixes
May introduce breaking changes:
- Major version updates
- Requires the --force flag (or allow_major: true in the configuration)
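The safe-versus-breaking distinction above is a semver range check. As an added example, not code from the dependency-scan skill, here it is in Python for the three npm range forms the page's examples use (caret, tilde and an exact pin). The version strings it is exercised on are constructed; the caret rules for 0.x versions follow npm's semantics, which is where auto-fix tooling most often gets the safe/breaking call wrong.

```python
"""Decide how a patched version can be applied against a package.json range.

Added example, not part of the dependency-scan skill.  Handles the npm range
forms ^x.y.z, ~x.y.z and an exact x.y.z pin; pre-release tags, wildcards and
compound ranges are out of scope and raise ValueError.
"""
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'4.17.21' -> (4, 17, 21)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(x) for x in m.groups())


def range_bounds(range_str):
    """Return (lower_inclusive, upper_exclusive, operator) for one range.

    npm semantics: a caret keeps the left-most non-zero component fixed, so
    ^1.2.3 allows <2.0.0, ^0.21.0 allows only <0.22.0 and ^0.0.3 allows only
    0.0.3; a tilde allows patch updates (<x.(y+1).0); a bare version is exact.
    """
    op = range_str[0] if range_str[:1] in ("^", "~") else ""
    major, minor, patch = parse_version(range_str[len(op):])
    if op == "^":
        if major > 0:
            upper = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
    elif op == "~":
        upper = (major, minor + 1, 0)
    else:
        upper = (major, minor, patch + 1)
    return (major, minor, patch), upper, op


def plan_fix(range_str, installed, patched, allow_major=False):
    """Classify the update installed -> patched against the manifest range.

    Returns (action, new_range):
      "in-range"    patched already satisfies the range: a lockfile update
                    (npm update) is enough and package.json is untouched
      "bump-range"  semver-compatible (same major, or same minor under 0.x) but
                    outside the declared range: rewrite the range, still safe
      "major"       breaking update, performed because allow_major is True (--force)
      "blocked"     breaking update refused because allow_major is False
    """
    inst, pat = parse_version(installed), parse_version(patched)
    if pat <= inst:
        raise ValueError("patched version must be newer than the installed one")
    lower, upper, op = range_bounds(range_str)
    if lower <= pat < upper:
        return "in-range", range_str
    # Under 0.x a minor bump is a breaking change by semver convention.
    compatible = pat[0] == inst[0] and (inst[0] > 0 or pat[1] == inst[1])
    if compatible:
        return "bump-range", f"{op}{patched}"
    if allow_major:
        return "major", f"{op}{patched}"
    return "blocked", range_str


if __name__ == "__main__":
    # Constructed cases mirroring the fix report below plus the 0.x edge case.
    for args in [("^4.17.19", "4.17.19", "4.17.21"),
                 ("~1.2.3", "1.2.5", "1.3.0"),
                 ("^0.21.0", "0.21.0", "0.21.1"),
                 ("^0.21.0", "0.21.0", "0.22.0"),
                 ("^4.18.0", "4.18.0", "5.0.0")]:
        print(args, "->", plan_fix(*args))
```

The axios 0.21.0 to 0.21.1 update in the fix report is "in-range" under ^0.21.0, but 0.21.0 to 0.22.0 under the same range is "blocked": under 0.x a minor bump is a breaking change, so a fixer that only looks at the major digit will silently apply it.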
Fix Report
AUTO-FIX REPORT
===============
Fixed: 8 vulnerabilities
lodash: 4.17.19 → 4.17.21
axios: 0.21.0 → 0.21.1
minimist: 1.2.5 → 1.2.6
Unable to fix: 2 vulnerabilities
react-scripts: No patch available (major version required)
webpack-dev-server: Conflicts with other dependencies
Review the package.json and lockfile changes before committing, and run the test suite: a patched version can still change behaviour.
Configuration
Ignore Known Issues
Create .dependency-scan-ignore:
# Ignore specific advisories (document the reason and set an expiry!)
ignore:
  - id: CVE-2021-23337
    reason: "Not exploitable in our usage, lodash template not used"
    expires: 2024-12-31      # suppression lapses on this date and the finding resurfaces
  - id: GHSA-xxx-xxx
    reason: "Development dependency only"
# Ignore packages
packages:
  - name: lodash
    versions: ["< 4.17.0"]   # Only old versions
Severity Thresholds
# .dependency-scan.yaml
thresholds:
  fail_on: critical      # Fail CI on critical
  warn_on: high          # Warn on high
  ignore_below: low      # Don't report low
fix:
  auto_fix: true
  allow_major: false     # No major version bumps
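A worked example of the ignore and threshold rules above, added here and not part of the dependency-scan skill: a Python CI gate that reads `npm audit --json` output (the auditReportVersion 2 shape npm 7 and later produce), drops findings suppressed by .dependency-scan-ignore unless the entry's `expires` date has passed, buckets the rest using the CVSS table earlier on this page and the `thresholds` block, and returns the exit code the pipeline should use. The report, the config dicts and the GHSA-xxxx-xxxx-000N advisory ids are constructed sample data, not real advisories.

```python
"""CI gate over `npm audit --json` output: applies .dependency-scan-ignore
entries (with expiry) and .dependency-scan.yaml thresholds.  Added example,
not part of the dependency-scan skill.  Config files appear as the dicts a YAML
loader returns, so no PyYAML is needed.  SAMPLE_REPORT is constructed data in
the npm audit v2 JSON shape; its GHSA ids are placeholders, not real advisories.
"""
import datetime

SEVERITIES = ["low", "medium", "high", "critical"]

def severity_from_cvss(score):
    """CVSS base score -> bucket, per the scoring table in this document."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return label
    return "low"

def parse_npm_audit(report):
    """Flatten an `npm audit --json` (auditReportVersion 2) report.
    A package's `via` list mixes advisory dicts with strings; a string only
    names the dependency the package is affected through, so it is skipped."""
    findings = []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for via in entry.get("via", []):
            if not isinstance(via, dict):
                continue
            score = (via.get("cvss") or {}).get("score")
            findings.append({
                "package": pkg,
                "id": via.get("url", "").rstrip("/").rsplit("/", 1)[-1],  # GHSA id
                "title": via.get("title", ""),
                "range": via.get("range", ""),
                # Prefer the numeric score; fall back to npm's own label.
                "severity": (severity_from_cvss(score) if score is not None
                             else via.get("severity", "low")),
            })
    return findings

def ignore_status(finding, ignore_cfg, today):
    """'suppressed', 'expired' or 'active'.  An entry past its `expires` date
    stops suppressing, so the finding comes back; that is what the date is for."""
    for rule in ignore_cfg.get("ignore", []):
        if rule.get("id") != finding["id"]:
            continue
        expires = rule.get("expires")
        if expires and today > datetime.date.fromisoformat(str(expires)):
            return "expired"
        return "suppressed"
    return "active"

def evaluate(report, thresholds, ignore_cfg, today):
    """Bucket findings and compute the CI exit code (1 = fail the job)."""
    rank = SEVERITIES.index
    fail_at = rank(thresholds.get("fail_on", "critical"))
    warn_at = rank(thresholds.get("warn_on", "high"))
    drop_at = rank(thresholds.get("ignore_below", "low"))  # this level and below: not reported
    result = {"fail": [], "warn": [], "info": [], "suppressed": [], "expired": []}
    for f in parse_npm_audit(report):
        status = ignore_status(f, ignore_cfg, today)
        if status == "suppressed":
            result["suppressed"].append(f)
            continue
        if status == "expired":
            result["expired"].append(f)  # noted, then handled like any active finding
        r = rank(f["severity"])
        if r >= fail_at:
            result["fail"].append(f)
        elif r >= warn_at:
            result["warn"].append(f)
        elif r > drop_at:
            result["info"].append(f)
    result["exit_code"] = 1 if result["fail"] else 0
    return result

def _adv(n, title, score, rng):
    """One constructed advisory entry in the shape npm puts in `via`."""
    return {"source": n, "title": title, "severity": severity_from_cvss(score),
            "url": f"https://github.com/advisories/GHSA-xxxx-xxxx-{n:04d}",
            "cvss": {"score": score}, "range": rng}

SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "minimist": {"range": "<1.2.6", "via": [_adv(1, "Prototype Pollution in minimist", 9.8, "<1.2.6")]},
    "mkdirp": {"range": "0.4.1 - 0.5.1", "via": ["minimist"]},  # hit only through minimist
    "lodash": {"range": "<4.17.21", "via": [_adv(2, "Command Injection in lodash", 7.2, "<4.17.21")]},
    "express": {"range": "<4.19.2", "via": [_adv(3, "Open Redirect in express", 6.1, "<4.19.2")]},
    "example-util": {"range": "<0.3.0", "via": [_adv(4, "Minor info disclosure", 3.1, "<0.3.0")]},
}}
IGNORE_CFG = {"ignore": [  # as .dependency-scan-ignore would load
    {"id": "GHSA-xxxx-xxxx-0002", "reason": "lodash template not used", "expires": "2099-12-31"},
    {"id": "GHSA-xxxx-xxxx-0001", "reason": "build-time only", "expires": "2024-12-31"},  # lapsed
]}
THRESHOLDS = {"fail_on": "critical", "warn_on": "high", "ignore_below": "low"}
AS_OF = datetime.date(2025, 6, 1)  # fixed "today" so the run is reproducible

def run_sample():
    """Evaluate the constructed report: exit_code is 1 because the lapsed minimist ignore no longer applies."""
    return evaluate(SAMPLE_REPORT, THRESHOLDS, IGNORE_CFG, AS_OF)
```

In a pipeline you would replace SAMPLE_REPORT with json.load over the output of npm audit --json, pass datetime.date.today(), and raise SystemExit(result["exit_code"]). Note that the suppressed lodash finding is still returned in its own bucket: an ignore should hide a finding from the gate, not from the report.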
CI/CD Integration
GitHub Actions
# The job needs `permissions: contents: write` and `pull-requests: write` for the PR step
- name: Dependency Scan
  run: /dependency-scan --severity critical,high --fail-on-findings
- name: Auto-fix and open PR
  if: failure()
  env:
    GH_TOKEN: ${{ github.token }}
  run: |
    /dependency-scan --fix
    git config user.name "github-actions[bot]"
    git config user.email "github-actions[bot]@users.noreply.github.com"
    git switch -c security/update-vulnerable-dependencies
    git add -A
    git commit -m "Security: update vulnerable dependencies"
    git push -u origin HEAD
    gh pr create --title "Security: Update vulnerable dependencies" \
      --body "Automated update of packages flagged by dependency-scan. Review the diff and run the tests before merging."
Pre-Commit
#!/bin/sh
# Block the commit when a staged manifest or lockfile change carries critical/high findings
if git diff --cached --name-only | grep -qE '(^|/)(package\.json|package-lock\.json|requirements\.txt)$'; then
  /dependency-scan --severity critical,high --fail-on-findings || exit 1
fi
Dependency Health
Beyond CVEs
/dependency-scan --health
Additional checks:
- Outdated packages: Major versions behind
- Deprecated packages: No longer maintained
- License issues: Incompatible licenses
- Maintenance: Last update, open issues
Health Report
DEPENDENCY HEALTH
=================
Outdated (major behind): 5
react: 17.0.2 → 18.2.0
typescript: 4.9.5 → 5.3.3
Deprecated: 1
request: Use got, axios, or node-fetch
Unmaintained (>2 years): 2
moment: Consider dayjs or date-fns
License Issues: 0
Related Skills
- /security-scan - Full security analysis
- /secrets-scan - Credential detection
- /config-scan - Configuration security