Claude Code Plugins

Community-maintained marketplace


Analyzes project dependencies for known security vulnerabilities using npm audit, pip-audit, or similar tools. Use when auditing packages, checking for CVEs, or updating vulnerable dependencies.

Install Skill

1. Download skill
2. Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3. Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: review the skill's instructions (the SKILL.md below, including every command it runs) before using it.

SKILL.md

name: dependency-audit
description: Analyzes project dependencies for known security vulnerabilities using npm audit, pip-audit, or similar tools. Use when auditing packages, checking for CVEs, or updating vulnerable dependencies.

Dependency Audit

Quick Start

Audit dependencies based on project type:

# Node.js
npm audit

# Python
pip-audit

# Go
govulncheck ./...

Instructions

Step 1: Identify Package Manager

Check for manifest files:

  • package-lock.json → npm; yarn.lock → yarn (a package.json with no lockfile means the tree is not pinned: generate one before auditing)
  • requirements.txt / pyproject.toml → pip
  • go.mod → Go modules
  • Cargo.toml → Cargo (Rust)
  • Gemfile / Gemfile.lock → Bundler (Ruby)

Step 2: Run Audit

Node.js (npm):

npm audit
npm audit --json  # Machine-readable output (auditReportVersion 2 on npm 7+)

Node.js (yarn):

yarn audit          # Yarn 1 (classic)
yarn audit --json
yarn npm audit      # Yarn 2+ (Berry)

Python:

pip install pip-audit
pip-audit                      # Audits the active environment
pip-audit -r requirements.txt  # Audits a requirements file (resolves it first)

Go:

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...   # Reports only vulnerabilities reachable from your code

Rust:

cargo install cargo-audit
cargo audit

Ruby:

gem install bundler-audit
bundle audit check --update   # --update refreshes the advisory database first

Step 3: Analyze Results

Categorize by severity (the bands are the CVSS v3 qualitative ratings; npm says "moderate" where CVSS says "Medium"):

| Severity | CVSS     | Action                 |
|----------|----------|------------------------|
| Critical | 9.0-10.0 | Update immediately     |
| High     | 7.0-8.9  | Update within 24h      |
| Moderate | 4.0-6.9  | Update this sprint     |
| Low      | 0.1-3.9  | Update when convenient |

Severity alone is not the whole picture: record for each finding whether the package is a direct or transitive dependency, whether a fix exists and whether it is a semver-major bump, because those decide how much work the "update" actually is.
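The triage step above, worked through on the JSON that `npm audit --json` emits. This is an added example, not code from the dependency-audit skill: it assumes the npm 7+ report shape (`auditReportVersion` 2, a `vulnerabilities` map whose `via` entries are either advisory objects or the name of a vulnerable dependency, and a `fixAvailable` that is `true`, `false`, or an object flagged `isSemVerMajor`). `SAMPLE_NPM_AUDIT` is constructed by hand in that shape, not captured from a real project. `should_fail` applies the same threshold rule as `npm audit --audit-level=<level>`.

```python
"""Triage `npm audit --json` output against the severity/action table.

Added example, not part of the dependency-audit skill.  SAMPLE_NPM_AUDIT is
a constructed report in npm's auditReportVersion 2 shape."""
import json

# Severity -> action, from the table above.  npm also emits "info" for
# advisories without a score; it is treated like "low".
ACTION = {
    "critical": "Update immediately",
    "high": "Update within 24h",
    "moderate": "Update this sprint",
    "low": "Update when convenient",
    "info": "Update when convenient",
}
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def band_for_cvss(score):
    """CVSS v3 base score -> the table's severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


# Constructed sample: three packages, one of them (mkdirp) vulnerable only
# because it depends on an old minimist and fixable only by a major bump.
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "minimist": {
            "name": "minimist", "severity": "critical", "isDirect": False,
            "via": [{"name": "minimist", "dependency": "minimist",
                     "title": "Prototype Pollution in minimist",
                     "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
                     "severity": "critical", "cvss": {"score": 9.8}, "range": "<1.2.6"}],
            "effects": ["mkdirp"], "range": "<1.2.6",
            "nodes": ["node_modules/minimist"], "fixAvailable": True,
        },
        "mkdirp": {
            "name": "mkdirp", "severity": "critical", "isDirect": True,
            "via": ["minimist"], "effects": [], "range": "0.4.1 - 0.5.1",
            "nodes": ["node_modules/mkdirp"],
            "fixAvailable": {"name": "mkdirp", "version": "3.0.1", "isSemVerMajor": True},
        },
        "lodash": {
            "name": "lodash", "severity": "high", "isDirect": True,
            "via": [{"name": "lodash", "dependency": "lodash",
                     "title": "Command Injection in lodash",
                     "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
                     "severity": "high", "cvss": {"score": 7.2}, "range": "<4.17.21"}],
            "effects": [], "range": "<4.17.21",
            "nodes": ["node_modules/lodash"], "fixAvailable": True,
        },
    },
})


def triage(audit_json):
    """One finding per vulnerable package, highest severity first."""
    report = json.loads(audit_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm 7+ output (auditReportVersion 2)")
    findings = []
    for name, vuln in report["vulnerabilities"].items():
        # dict entries are advisories against this package itself; string
        # entries name a vulnerable dependency it is affected through.
        advisories = [v for v in vuln["via"] if isinstance(v, dict)]
        via = [v for v in vuln["via"] if isinstance(v, str)]
        scores = [a["cvss"]["score"] for a in advisories if a.get("cvss", {}).get("score")]
        fix = vuln.get("fixAvailable")
        if fix is True:
            fix_cmd = "npm audit fix"
        elif isinstance(fix, dict):
            fix_cmd = "npm install %s@%s" % (fix["name"], fix["version"])
            if fix.get("isSemVerMajor"):
                fix_cmd += "  # semver-major: review the changelog and run tests"
        else:
            fix_cmd = "no fix available"
        findings.append({
            "package": name,
            "severity": vuln["severity"],
            "cvss": max(scores) if scores else None,
            "direct": vuln.get("isDirect", False),
            "via": via,
            "advisories": [(a.get("title"), a.get("url")) for a in advisories],
            "action": ACTION[vuln["severity"]],
            "fix": fix_cmd,
        })
    # sort() is stable, so packages of equal severity keep npm's order
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return findings


def should_fail(findings, audit_level="high"):
    """Same rule as `npm audit --audit-level=<level>`: fail when any finding
    is at or above the threshold."""
    threshold = SEVERITY_ORDER.index(audit_level)
    return any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_NPM_AUDIT)
    for f in found:
        print("%-8s %-10s cvss=%s direct=%s via=%s action=%s fix=%s" % (
            f["severity"], f["package"], f["cvss"], f["direct"], f["via"], f["action"], f["fix"]))
    print("gate (high):", "FAIL" if should_fail(found, "high") else "PASS")
```

Run it as `npm audit --json | python3 triage.py` after replacing `SAMPLE_NPM_AUDIT` with `sys.stdin.read()`. The `via` list is the piece worth keeping: for mkdirp it tells you the real problem is minimist, so the practical fix is the transitive-dependency procedure below rather than the semver-major bump npm proposes.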

Step 4: Fix Vulnerabilities

npm - Auto-fix:

npm audit fix           # Applies only semver-compatible updates
npm audit fix --force   # Also installs semver-major updates; can break the build, so review the diff and run tests

npm - Manual update:

npm update vulnerable-package         # Stays within the range declared in package.json
# or specific version
npm install vulnerable-package@2.0.0  # Rewrites the range in package.json

Python - Update package:

pip install --upgrade vulnerable-package
# or pin the fixed version in requirements.txt ("==" pins; ">=" only sets a floor and can still resolve to a vulnerable release later)
vulnerable-package==2.0.0

Step 5: Verify Fixes

Re-run audit to confirm:

npm audit  # Should show 0 vulnerabilities
pip-audit  # Should show no issues

Common Scenarios

Transitive Dependencies

When vulnerability is in a sub-dependency:

# Check dependency tree (shows which parent pulls in each installed copy)
npm ls vulnerable-package

# Force resolution (npm 8.3+)
# Add to package.json, then run `npm install` so the lockfile is regenerated:
{
  "overrides": {
    "vulnerable-package": "2.0.0"
  }
}

# yarn uses a "resolutions" field in package.json for the same purpose.
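The `npm ls` step above, done directly against `package-lock.json` so it can run in CI without `node_modules`. This is an added example, not code from the dependency-audit skill: it assumes lockfileVersion 2 or 3 (the `packages` map keyed by install path, where a nested key such as `node_modules/a/node_modules/b` means `a` got its own private copy of `b`). `SAMPLE_LOCKFILE` is constructed, not a real project's lockfile, and the version comparison ignores prerelease tags.

```python
"""Find every installed copy of a package in package-lock.json and decide
whether an npm "overrides" entry is needed.

Added example, not part of the dependency-audit skill.  SAMPLE_LOCKFILE is
constructed in the lockfileVersion 3 shape, not captured from a project."""
import json
import re

# Constructed sample: rc uses the hoisted minimist 1.2.5, while mkdirp 0.5.1
# pins minimist 0.0.8 and therefore gets its own nested copy.
SAMPLE_LOCKFILE = json.dumps({
    "name": "my-app", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "my-app", "dependencies": {"mkdirp": "^0.5.1", "rc": "^1.2.8"}},
        "node_modules/minimist": {"version": "1.2.5"},
        "node_modules/mkdirp": {"version": "0.5.1", "dependencies": {"minimist": "0.0.8"}},
        "node_modules/mkdirp/node_modules/minimist": {"version": "0.0.8"},
        "node_modules/rc": {"version": "1.2.8", "dependencies": {"minimist": "^1.2.0"}},
    },
})


def version_key(v):
    """Order on major.minor.patch only; prerelease and build tags are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("not a semver version: %r" % v)
    return tuple(int(x) for x in m.groups())


def installed_copies(lock_json, name):
    """Every path where `name` is installed, its version, and the package whose
    own node_modules holds that copy ("(root)" for the hoisted one)."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm 7+")
    copies = []
    for path, meta in lock["packages"].items():
        parts = path.split("node_modules/")        # root key "" -> [""] and is skipped
        if len(parts) < 2 or parts[-1] != name:     # parts[-1] keeps "@scope/pkg" whole
            continue
        parent = parts[-2].rstrip("/") if len(parts) > 2 else ""
        copies.append({"path": path, "version": meta["version"], "parent": parent or "(root)"})
    return copies


def needs_override(lock_json, name, fixed_version):
    """Copies older than `fixed_version`, plus the package.json fragment that
    forces all of them to it (None when nothing is stale)."""
    stale = [c for c in installed_copies(lock_json, name)
             if version_key(c["version"]) < version_key(fixed_version)]
    fragment = {"overrides": {name: fixed_version}} if stale else None
    return stale, fragment


if __name__ == "__main__":
    for c in installed_copies(SAMPLE_LOCKFILE, "minimist"):
        print("%-45s %-8s pulled in by %s" % (c["path"], c["version"], c["parent"]))
    stale, fragment = needs_override(SAMPLE_LOCKFILE, "minimist", "1.2.6")
    print("stale copies:", len(stale))
    print("add to package.json:", json.dumps(fragment, indent=2))
```

Two things the output makes visible that `npm audit fix` hides: the nested copy under mkdirp is a separate install that a top-level `npm install minimist@1.2.6` will not touch, and an override drags that copy from 0.0.8 to 1.2.6 regardless of what mkdirp declared, so the consumer's tests have to pass before the override is committed. Re-run `npm install` and then `npm audit` after adding the fragment.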

No Fix Available

When no patched version exists:

  1. Check whether the vulnerable code path is actually reachable from your usage (govulncheck does this for Go; for npm, read which functions the advisory names)
  2. Consider alternative packages
  3. Implement workarounds if possible (validate input ahead of the vulnerable call, or disable the affected feature)
  4. Monitor for updates; if you suppress the finding in the meantime, record the justification and an expiry date next to the suppression

Breaking Changes

When fix requires major version bump:

  1. Review changelog for breaking changes
  2. Update code to accommodate changes
  3. Run tests thoroughly
  4. Consider gradual rollout

Report Format

## Dependency Audit Report

**Project:** my-app
**Date:** 2024-01-15
**Total Dependencies:** 245
**Vulnerabilities Found:** 3

### Critical (1)

**minimist** - Prototype Pollution
- Installed: 1.2.5
- Fixed in: 1.2.6
- CVE: CVE-2021-44906
- Fix: `npm audit fix`

### High (2)

**lodash** - Command Injection via `_.template`
- Installed: 4.17.15
- Fixed in: 4.17.21
- CVE: CVE-2021-23337
- Fix: `npm install lodash@4.17.21`

**axios** - Regular Expression Denial of Service (ReDoS)
- Installed: 0.21.0
- Fixed in: 0.21.2
- CVE: CVE-2021-3749
- Fix: `npm install axios@0.21.2`

CI/CD Integration

GitHub Actions

- name: Audit dependencies
  run: |
    npm audit --audit-level=high
    # Fails if high or critical vulnerabilities found

Pre-commit

npm does not run a script named "precommit" by itself; expose the audit as a script and call it from a git pre-commit hook (for example one managed by husky):

# package.json scripts
{
  "scripts": {
    "audit:check": "npm audit --audit-level=moderate"
  }
}

# .husky/pre-commit
npm run audit:check
}