code-dep-audit
Contains Shell Commands
This skill contains shell command directives (!`command`) that may execute system commands. Review carefully before installing.
/code:dep-audit
Audit project dependencies for vulnerabilities and freshness.
When to Use This Skill
| Use this skill when... | Use something else when... |
|---|---|
| Checking for known CVEs in dependencies | Setting up security scanning CI → /configure:security |
| Preparing a release and need dep health check | Looking for code-level security issues → /code:antipatterns |
| Responding to a vulnerability advisory | Reviewing code quality → /code:review |
| Auditing license compliance | Configuring dependency management → /configure:package-management |
Context
- Package files: !`find . -maxdepth 1 \( -name "package.json" -o -name "package-lock.json" -o -name "yarn.lock" -o -name "bun.lockb" -o -name "bun.lock" -o -name "pyproject.toml" -o -name "requirements.txt" -o -name "uv.lock" -o -name "Cargo.toml" -o -name "Cargo.lock" -o -name "go.mod" -o -name "go.sum" \) -type f`
Parameters
--type: Audit type: security (default), outdated, licenses, or all
--fix: Automatically apply safe updates for vulnerable packages
Execution
Execute this dependency audit workflow:
Step 1: Detect package ecosystem
Identify all package manifests and lock files present. Determine which audit tools are available for each ecosystem.
Step 2: Run security audit
JavaScript/TypeScript:
npm audit --json
For Bun projects: bun pm ls only lists the installed packages and is not a vulnerability check. Use bun audit where the installed Bun version provides it; otherwise audit the same package.json with npm (npm install --package-lock-only, then npm audit --json), keeping in mind that npm's resolved versions can differ from the ones in Bun's lockfile.
Python:
pip-audit --format json
Or with uv (uv has no built-in audit command; export the resolved dependencies and run pip-audit through uvx against them):
uv export --format requirements-txt --no-hashes -o requirements.txt
uvx pip-audit --no-deps -r requirements.txt --format json
Rust:
cargo audit --json
Go:
go list -m -json all
govulncheck ./...
govulncheck only reports advisories whose vulnerable functions are reachable from the code it analyzes; go list -m -json all enumerates the full module graph so that advisories against unreachable modules can still be cross-checked.
If the audit tool is not installed, report which tool is needed and suggest /configure:security to set up the project.
Step 3: Check outdated packages (if --type outdated or all)
JavaScript/TypeScript:
npm outdated --json
Python:
pip list --outdated --format json
Rust:
cargo outdated --format json
Step 4: Check license compliance (if --type licenses or all)
JavaScript/TypeScript:
npx license-checker --json --summary
Python:
pip-licenses --format json
Rust:
cargo license --json
Flag problematic licenses: GPL (in proprietary projects), AGPL, unlicensed, or unknown.
Step 5: Apply fixes (if --fix)
For security vulnerabilities:
- Run the ecosystem's safe updater: npm audit fix (semver-compatible updates only; never add --force, which can pull in breaking major versions), cargo update (stays within the version requirements in Cargo.toml), or pip-audit --fix / pip install --upgrade <package> (not constrained by the project's own pins, so re-resolve and review the resulting pins)
- Report which vulnerabilities were fixed and which require manual intervention (no fixed release yet, or the fix exists only in a new major version)
- Run project tests to verify nothing broke
Step 6: Report results
Print summary:
Dependency Audit Report
=======================
Ecosystem: [JS/TS | Python | Rust | Go]
Security:
Critical: N
High: N
Medium: N
Low: N
Outdated: N packages behind latest
License issues: N flagged
Top actions:
1. [package@version] - critical CVE-XXXX-XXXX
2. [package] - N major versions behind
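Putting Steps 2 and 6 together in code, as an added example that is not part of this skill or of any of the audit tools: the script runs whichever of npm audit, pip-audit and cargo audit has both a lock file and a binary present, normalizes their three different JSON layouts into one finding shape, and renders the summary above. The JSON field names are the ones these tools emit as far as the author of this example knows them (npm's auditReportVersion 2 report, pip-audit 2.x in both its old list and new object form, cargo-audit); the TOOLS table, the finding keys, the sample payloads and their placeholder advisory ids are this example's own constructions. It also makes two caveats visible that the template hides: npm calls the third level "moderate" where the template says "Medium", and pip-audit and cargo audit attach no severity at all, so their findings need an advisory lookup before they can be ranked.

```python
# Added example: normalize npm audit / pip-audit / cargo audit JSON into one shape.
# Field names follow each tool's JSON output as known to the author of this example;
# TOOLS, the finding keys and the sample payloads below are constructed for illustration.
import json
import shutil
import subprocess
from collections import Counter
from pathlib import Path

# npm's scale; pip-audit and cargo audit emit no severity, so they land in "unknown".
SEVERITIES = ("critical", "high", "moderate", "low", "info", "unknown")
RANK = {name: i for i, name in enumerate(SEVERITIES)}


def normalize_npm(report):
    """npm audit --json (auditReportVersion 2): one entry per vulnerable package."""
    out = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        # "via" mixes advisory objects (direct hits) and package-name strings
        # (vulnerable only through a dependency).
        ids = [v.get("url") or v.get("title", "") for v in vuln.get("via", []) if isinstance(v, dict)]
        out.append({"ecosystem": "npm", "package": name, "version": vuln.get("range", ""),
                    "severity": vuln.get("severity", "unknown"), "ids": ids or ["via dependency"],
                    "fix_available": bool(vuln.get("fixAvailable"))})
    return out


def normalize_pip_audit(report):
    """pip-audit --format json: a bare list in old releases, {"dependencies": [...]} in new ones."""
    deps = report["dependencies"] if isinstance(report, dict) else report
    out = []
    for dep in deps:
        for v in dep.get("vulns", []):
            out.append({"ecosystem": "pypi", "package": dep["name"], "version": dep["version"],
                        "severity": "unknown", "ids": [v["id"], *v.get("aliases", [])],
                        "fix_available": bool(v.get("fix_versions"))})
    return out


def normalize_cargo_audit(report):
    """cargo audit --json: findings live under vulnerabilities.list."""
    out = []
    for item in report.get("vulnerabilities", {}).get("list", []):
        adv, pkg = item["advisory"], item["package"]
        out.append({"ecosystem": "crates.io", "package": pkg["name"], "version": pkg["version"],
                    "severity": "unknown", "ids": [adv["id"], *adv.get("aliases", [])],
                    "fix_available": bool(item.get("versions", {}).get("patched"))})
    return out


# lock file marking the ecosystem -> (binary that must be on PATH, command, normalizer)
TOOLS = {
    "package-lock.json": ("npm", ["npm", "audit", "--json"], normalize_npm),
    "requirements.txt": ("pip-audit", ["pip-audit", "--format", "json"], normalize_pip_audit),
    "Cargo.lock": ("cargo-audit", ["cargo", "audit", "--json"], normalize_cargo_audit),
}


def run_audits(project_dir="."):
    """Run each audit tool whose lock file is present; return (findings, missing tool names)."""
    findings, missing = [], []
    for lockfile, (binary, cmd, normalize) in TOOLS.items():
        if not (Path(project_dir) / lockfile).is_file():
            continue
        if shutil.which(binary) is None:
            missing.append(binary)
            continue
        proc = subprocess.run(cmd, cwd=project_dir, capture_output=True, text=True)
        # All three tools exit non-zero when they find something, so the exit code
        # is not an error signal; an empty stdout is.
        if not proc.stdout.strip():
            raise RuntimeError(f"{binary} produced no JSON: {proc.stderr.strip()}")
        findings.extend(normalize(json.loads(proc.stdout)))
    return findings, missing


def summarize(findings):
    counts = Counter(f["severity"] for f in findings)
    ordered = sorted(findings, key=lambda f: RANK.get(f["severity"], len(RANK)))  # stable sort
    return {"counts": {s: counts.get(s, 0) for s in SEVERITIES}, "top_actions": ordered[:5]}


def render(summary):
    c = summary["counts"]
    lines = ["Dependency Audit Report", "=======================", "Security:",
             f"  Critical: {c['critical']}", f"  High: {c['high']}", f"  Medium: {c['moderate']}",
             f"  Low: {c['low']}", f"  Unknown severity (look up advisory): {c['unknown']}",
             "Top actions:"]
    for i, f in enumerate(summary["top_actions"], 1):
        fix = "fix available" if f["fix_available"] else "manual intervention"
        lines.append(f"  {i}. [{f['package']}@{f['version']}] - {f['severity']} {f['ids'][0]} ({fix})")
    return "\n".join(lines)


# Constructed sample payloads mirroring each tool's schema; the advisory ids are placeholders.
SAMPLE_NPM = {"auditReportVersion": 2, "vulnerabilities": {
    "demo-parser": {"name": "demo-parser", "severity": "critical", "range": "<2.0.0", "fixAvailable": False,
                    "via": [{"source": 1, "title": "Prototype pollution", "url": "https://example.invalid/adv/1"}]},
    "demo-cli": {"name": "demo-cli", "severity": "high", "range": "<1.4.0", "fixAvailable": True,
                 "via": [{"source": 2, "title": "Command injection", "url": "https://example.invalid/adv/2"}]}}}
SAMPLE_PIP_AUDIT = {"dependencies": [
    {"name": "demo-lib", "version": "1.0.0", "vulns": [{"id": "PYSEC-0000-00000", "fix_versions": ["1.0.1"],
                                                        "aliases": ["CVE-0000-00000"], "description": "constructed"}]},
    {"name": "clean-lib", "version": "3.2.1", "vulns": []}], "fixes": []}
SAMPLE_CARGO_AUDIT = {"vulnerabilities": {"found": True, "count": 1, "list": [
    {"advisory": {"id": "RUSTSEC-0000-0000", "package": "demo-crate", "aliases": []},
     "versions": {"patched": [], "unaffected": []}, "package": {"name": "demo-crate", "version": "0.1.0"}}]}}


def example_findings():
    return (normalize_npm(SAMPLE_NPM) + normalize_pip_audit(SAMPLE_PIP_AUDIT)
            + normalize_cargo_audit(SAMPLE_CARGO_AUDIT))


if __name__ == "__main__":
    print(render(summarize(example_findings())))
```

Run against a real checkout with `findings, missing = run_audits(".")`; the missing list is what Step 2 tells the user to install, and the "unknown" bucket is the list to triage by hand (or to enrich from the OSV or GitHub advisory record for each id) before deciding whether the build should fail.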
Post-Actions
- If many vulnerabilities found → suggest npm audit fix or equivalent
- If audit tools not configured → suggest /configure:security
- If outdated packages found → suggest updating in a separate branch
Agentic Optimizations
| Context | Command |
|---|---|
| Quick JS audit | npm audit --json |
| Python audit | pip-audit --format json |
| Rust audit | cargo audit --json |
| Outdated check | npm outdated --json |
| License check | npx license-checker --json --summary |
| CI mode (exit code is non-zero only for findings at or above the given level; lower it to high for a stricter gate) | npm audit --audit-level=critical --json |