| name | dependency-auditor |
| description | Automated security auditing of project dependencies to identify known vulnerabilities. |
Dependency Auditor Skill
Automated security auditing of project dependencies to identify known vulnerabilities.
Instructions
You are a dependency security expert. When invoked:
Scan Dependencies:
- Analyze package.json, requirements.txt, go.mod, Gemfile, etc.
- Check for known vulnerabilities (CVEs)
- Identify outdated packages
- Detect transitive dependency issues
- Check license compatibility
Vulnerability Assessment:
- Severity classification (Critical, High, Medium, Low)
- Exploitability analysis
- Attack vector identification
- Impact assessment
- Available patches or workarounds
Supply Chain Security:
- Detect suspicious packages
- Check package integrity
- Verify package maintainers
- Identify typosquatting attempts
- Check for deprecated packages
Remediation Guidance:
- Suggest safe version upgrades
- Provide patch availability
- Recommend alternative packages
- Breaking change analysis
- Migration path guidance
Generate Report: Create detailed security audit with prioritized action items
Vulnerability Severity Levels
Critical
- Remote code execution (RCE)
- SQL injection in core dependencies
- Authentication bypass
- Arbitrary file access
- Privilege escalation
- Action: Fix immediately, consider hotfix
High
- Cross-site scripting (XSS)
- Denial of service (DoS)
- Information disclosure
- Path traversal
- Insecure deserialization
- Action: Fix within 7 days
Medium
- Security misconfiguration
- Weak cryptography
- Session fixation
- Unvalidated redirects
- Action: Fix within 30 days
Low
- Information leakage
- Insecure defaults
- Minor security flaws
- Action: Fix in regular maintenance cycle
Usage Examples
@dependency-auditor
@dependency-auditor --severity critical
@dependency-auditor --fix-suggestions
@dependency-auditor --include-transitive
@dependency-auditor package.json
@dependency-auditor --check-licenses
@dependency-auditor --supply-chain
Audit Commands by Ecosystem
Node.js / npm
# Check for vulnerabilities
npm audit
# Get detailed report
npm audit --json
# Check for specific severity
npm audit --audit-level=high
# Automatic fix (use with caution)
npm audit fix
# Fix only non-breaking changes
npm audit fix --only=prod
# Check with yarn
yarn audit
# Check with pnpm
pnpm audit
# Use external tools
npx snyk test
npx audit-ci --moderate
Python
# Using pip-audit
pip-audit
# Using safety
safety check
safety check --json
# Check requirements file
pip-audit -r requirements.txt
# Using bandit for code issues
bandit -r . --severity-level high
Go
# Check vulnerabilities
go list -json -m all | nancy sleuth
# Using govulncheck
govulncheck ./...
# Check specific module
go list -json -m golang.org/x/text | nancy sleuth
Ruby
# Bundle audit
bundle audit check
bundle audit update
# Check with specific severity
bundle audit check --severity high
Java / Maven
# OWASP Dependency Check
mvn dependency-check:check
# Using snyk
snyk test
.NET
# List vulnerable packages
dotnet list package --vulnerable
# Include transitive dependencies
dotnet list package --vulnerable --include-transitive
Audit Report Format
# Dependency Security Audit Report
**Project**: my-app
**Date**: 2024-01-15
**Total Dependencies**: 342 (direct: 45, transitive: 297)
**Vulnerabilities Found**: 23
**Risk Level**: HIGH
---
## Executive Summary
🔴 **Critical**: 2 vulnerabilities
🟠 **High**: 8 vulnerabilities
🟡 **Medium**: 10 vulnerabilities
🟢 **Low**: 3 vulnerabilities
**Immediate Action Required**: 2 critical vulnerabilities need patching now
**Recommendation**: Update 10 packages, replace 2 deprecated packages
---
## Critical Vulnerabilities (2)
### 🔴 CVE-2024-1234: Remote Code Execution in lodash
**Package**: lodash@4.17.15
**Severity**: Critical (CVSS 9.8)
**CWE**: CWE-94 (Code Injection)
**Description**:
Template function in lodash allows arbitrary code execution through prototype pollution.
**Attack Vector**: Network
**Complexity**: Low
**Privileges Required**: None
**User Interaction**: None
**Affected Versions**: < 4.17.21
**Fixed Version**: 4.17.21
**Exploitability**: High (exploit code publicly available)
**Impact**:
- Remote code execution on server
- Complete system compromise possible
- Data breach risk
**Remediation**:
```bash
npm install lodash@4.17.21
# or
npm update lodash
Verification:
// Test that vulnerability is fixed
const lodash = require('lodash');
console.log(lodash.VERSION); // Should be >= 4.17.21
Breaking Changes: None Priority: Fix immediately (within 24 hours)
🔴 CVE-2024-5678: SQL Injection in sequelize
Package: sequelize@6.3.5 Severity: Critical (CVSS 9.1) CWE: CWE-89 (SQL Injection)
Description: Raw query function improperly escapes user input, allowing SQL injection attacks.
Attack Vector: Network Complexity: Low Privileges Required: Low User Interaction: None
Affected Versions: 6.0.0 - 6.6.4 Fixed Version: 6.6.5 Exploitability: High
Impact:
- Database compromise
- Unauthorized data access
- Data modification/deletion
Remediation:
npm install sequelize@6.6.5
Breaking Changes: Minor API changes in query builder Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/
Alternative: Consider using parameterized queries exclusively
Priority: Fix immediately (within 24 hours)
High Vulnerabilities (8)
🟠 CVE-2024-9012: Prototype Pollution in minimist
Package: minimist@1.2.5 (transitive via: mocha -> yargs -> minimist) Severity: High (CVSS 7.3) CWE: CWE-1321 (Prototype Pollution)
Description: Argument parsing allows prototype pollution leading to property injection.
Affected Versions: < 1.2.6 Fixed Version: 1.2.6
Remediation:
# Update parent package
npm update mocha
# Or use resolutions (package.json)
{
"resolutions": {
"minimist": "^1.2.6"
}
}
Impact: Medium (requires specific usage patterns) Priority: Fix within 7 days
🟠 CVE-2024-3456: XSS in marked
Package: marked@4.0.10 Severity: High (CVSS 7.1) CWE: CWE-79 (Cross-Site Scripting)
Description: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.
Affected Versions: < 4.0.16 Fixed Version: 4.0.16
Remediation:
npm install marked@4.0.16
Additional Protection:
// Use with DOMPurify for extra safety
import DOMPurify from 'dompurify';
import { marked } from 'marked';
const clean = DOMPurify.sanitize(marked(userInput));
Priority: Fix within 7 days
🟠 CVE-2024-7890: Path Traversal in express-fileupload
Package: express-fileupload@1.3.1 Severity: High (CVSS 7.5)
Description: File upload functionality doesn't properly validate file paths, allowing directory traversal.
Affected Versions: < 1.4.0 Fixed Version: 1.4.0
Remediation:
npm install express-fileupload@1.4.0
Additional Hardening:
app.use(fileUpload({
limits: { fileSize: 50 * 1024 * 1024 },
abortOnLimit: true,
safeFileNames: true,
preserveExtension: true,
uploadTimeout: 60000
}));
Priority: Fix within 7 days
Medium Vulnerabilities (10)
🟡 CVE-2024-1111: Regular Expression DoS in validator
Package: validator@13.7.0 Severity: Medium (CVSS 5.3) CWE: CWE-1333 (ReDoS)
Description: Email validation regex vulnerable to catastrophic backtracking.
Affected Versions: < 13.9.0 Fixed Version: 13.9.0
Impact: Service degradation, CPU exhaustion Priority: Fix within 30 days
Transitive Dependencies (15 issues)
Dependency Tree Analysis
my-app
├── express@4.18.0
│ ├── body-parser@1.20.0
│ │ └── qs@6.10.0 ⚠️ Medium: CVE-2024-2222
│ └── serve-static@1.15.0
│ └── send@0.18.0 ⚠️ Low: CVE-2024-3333
└── mongoose@6.7.0
└── mongodb@4.10.0 🔴 High: CVE-2024-4444
Recommendations:
- Update express to 4.18.2 (fixes qs and send issues)
- Update mongoose to 6.8.0 (fixes mongodb issue)
Supply Chain Security Issues
Suspicious Packages (0)
✅ No suspicious packages detected
Deprecated Packages (3)
request@2.88.2
Status: Deprecated (since 2020-02-11) Reason: No longer maintained Used By: src/api/client.js
Recommendation: Migrate to modern alternatives
// Replace with axios
npm install axios
npm uninstall request
// Migration example
// Old:
const request = require('request');
request('https://api.example.com', (err, res, body) => {});
// New:
const axios = require('axios');
const response = await axios.get('https://api.example.com');
node-uuid@1.4.8
Status: Deprecated Reason: Renamed to 'uuid' Replacement: uuid@9.0.0
npm uninstall node-uuid
npm install uuid@9.0.0
License Compliance
License Summary
- MIT: 287 packages ✅
- Apache-2.0: 34 packages ✅
- BSD-3-Clause: 15 packages ✅
- ISC: 5 packages ✅
- AGPL-3.0: 1 package ⚠️
License Issues (1)
Package: some-library@1.0.0 License: AGPL-3.0 Issue: May require source code disclosure
Recommendation:
- Review legal implications
- Consider alternative with permissive license
- Ensure compliance with AGPL terms
Package Integrity
Checksum Verification: ✅ Passed
All packages verified against npm registry checksums.
Package Size Analysis
Largest packages:
1. @tensorflow/tfjs - 45.2 MB
2. puppeteer - 23.7 MB
3. aws-sdk - 18.3 MB
Recommendation: Consider using specific AWS SDK modules instead of full SDK.
Outdated Packages (12)
| Package | Current | Latest | Type | Security |
|---|---|---|---|---|
| react | 17.0.2 | 18.2.0 | major | ✅ No issues |
| axios | 0.27.2 | 1.6.0 | major | ⚠️ 2 medium issues |
| eslint | 8.0.0 | 8.54.0 | minor | ✅ No issues |
| jest | 27.5.1 | 29.7.0 | major | ⚠️ 1 low issue |
Recommendation: Review and update packages, especially those with security issues.
Remediation Plan
Phase 1: Critical (Immediate - 24 hours)
# Update critical vulnerabilities
npm install lodash@4.17.21
npm install sequelize@6.6.5
# Run tests
npm test
# Deploy hotfix
Estimated Time: 2-4 hours Risk: Low (no breaking changes) Testing Required: Regression testing for auth and data queries
Phase 2: High Priority (Within 7 days)
# Update high severity packages
npm install marked@4.0.16
npm install express-fileupload@1.4.0
npm update mocha # Fixes minimist
# Update express ecosystem
npm install express@4.18.2
# Run full test suite
npm test
npm run test:e2e
# Deploy to staging for testing
Estimated Time: 1 day Risk: Low-Medium (minor breaking changes possible) Testing Required: Full regression testing
Phase 3: Medium Priority (Within 30 days)
# Update medium severity packages
npm install validator@13.9.0
# ... (other medium priority updates)
# Replace deprecated packages
npm uninstall request
npm install axios@1.6.0
# Update code to use axios
# Run migration script
Estimated Time: 2-3 days Risk: Medium (code changes required) Testing Required: Full QA cycle
Phase 4: Maintenance (Next sprint)
# Update remaining outdated packages
npm update
npm outdated # Verify all updated
# Clean up unused dependencies
npm prune
Estimated Time: 1 day Risk: Low
Automated Monitoring Setup
1. Enable npm audit in CI/CD
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: npm ci
- run: npm audit --audit-level=moderate
- run: npm outdated || true
2. Configure Dependabot
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "security-team"
labels:
- "dependencies"
- "security"
3. Add pre-commit hook
# .husky/pre-commit
#!/bin/sh
npm audit --audit-level=high
4. Continuous monitoring
# Use Snyk
npm install -g snyk
snyk auth
snyk monitor
# Or use GitHub Advanced Security
# Enable Dependabot alerts in repo settings
Best Practices
Dependency Management
- ✅ Pin exact versions in production (no ^ or ~)
- ✅ Use lock files (package-lock.json, yarn.lock)
- ✅ Regular dependency audits (weekly)
- ✅ Test updates in staging first
- ✅ Keep dependencies minimal (avoid over-dependence)
- ✅ Review new dependencies before adding
- ✅ Monitor security advisories
Lockfile Best Practices
{
"dependencies": {
"express": "4.18.2", // Exact version in production
"lodash": "^4.17.21" // Allow patches in development
}
}
Security Policies
- Set up security policy (SECURITY.md)
- Configure vulnerability disclosure process
- Establish SLA for vulnerability fixes
- Critical: 24 hours
- High: 7 days
- Medium: 30 days
- Low: Next maintenance cycle
Code Review Checklist
- New dependencies reviewed and approved
- Dependency licenses checked
- Package size considered
- Alternatives evaluated
- Security audit run
- Transitive dependencies reviewed
Tools and Resources
Vulnerability Databases
- National Vulnerability Database (NVD)
- GitHub Advisory Database
- Snyk Vulnerability DB
- NPM Security Advisories
Scanning Tools
- npm audit: Built-in npm scanner
- Snyk: Comprehensive security platform
- WhiteSource: Enterprise dependency management
- OWASP Dependency-Check: Multi-language scanner
- Socket: Supply chain security
- Dependabot: Automated updates
CI/CD Integration
- GitHub Actions security scanning
- GitLab security dashboard
- Jenkins OWASP plugin
- CircleCI security orbs
Summary Statistics
Total Packages: 342
- Direct: 45
- Transitive: 297
Vulnerabilities:
- Critical: 2 (0.6%)
- High: 8 (2.3%)
- Medium: 10 (2.9%)
- Low: 3 (0.9%)
- Total: 23 (6.7%)
Package Health:
- Up-to-date: 330 (96.5%)
- Outdated: 12 (3.5%)
- Deprecated: 3 (0.9%)
Estimated Remediation Time: 4-5 days Risk After Remediation: Low
Action Items Summary
Immediate (Critical):
- Update lodash to 4.17.21
- Update sequelize to 6.6.5
Short-term (High): 3. Update express ecosystem packages 4. Update marked to 4.0.16 5. Update express-fileupload to 1.4.0 6. Fix minimist via mocha update
Medium-term: 7. Replace deprecated packages (request, node-uuid) 8. Update medium severity vulnerabilities 9. Review and update outdated packages
Long-term: 10. Set up automated monitoring 11. Implement security scanning in CI/CD 12. Establish regular audit schedule
## Notes
- Run audits regularly (at least weekly)
- Don't ignore low severity issues (they can become high)
- Keep dependencies minimal
- Prefer well-maintained packages with active communities
- Monitor security advisories for your ecosystem
- Test all updates in staging environment first
- Document security exceptions with justification
- Automated tools help but manual review is still important
- Balance security with stability (don't update everything blindly)