| name | package-audit |
| description | Scan for security vulnerabilities using pnpm audit, Snyk, and automated tools. Use when checking security, before deployments, or resolving CVEs. |
| allowed-tools | Read, Edit, Write, Bash, Grep |
Package Audit Skill
This skill helps you scan for and fix security vulnerabilities in npm dependencies.
When to Use This Skill
- Scanning for security vulnerabilities
- Before production deployments
- Resolving CVE alerts
- Regular security audits
- Dependency health checks
- Compliance requirements
- Pre-commit security checks
Security Audit Tools
pnpm audit
Built-in vulnerability scanner:
# Run audit
pnpm audit
# Output example:
# ┌───────────────┬──────────────────────────────────────────────────────────────┐
# │ moderate │ Prototype Pollution in lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Package │ lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Vulnerable │ <4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Patched in │ >=4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Path │ lodash │
# └───────────────┴──────────────────────────────────────────────────────────────┘
Snyk
Advanced vulnerability scanning:
# Install Snyk CLI
pnpm add -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor project
snyk monitor
# Fix vulnerabilities
snyk fix
Running Audits
Basic Audit
# Audit all packages
pnpm audit
# Audit specific workspace
pnpm -F @sgcarstrends/api audit
# Audit production dependencies only
pnpm audit --prod
# Get JSON output
pnpm audit --json > audit-report.json
Severity Levels
# Only show high/critical
pnpm audit --audit-level=high
# Audit levels:
# - info
# - low
# - moderate
# - high
# - critical
Automated Fix
# Automatically fix vulnerabilities
pnpm audit --fix
# Dry run (preview fixes)
pnpm audit --fix --dry-run
Understanding Audit Results
Vulnerability Report
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ semver │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Vulnerable │ <5.7.2 || >=6.0.0 <6.3.1 || >=7.0.0 <7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.7.2 <6.0.0 || >=6.3.1 <7.0.0 || >=7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │
└───────────────┴──────────────────────────────────────────────────────────────┘
Key Information:
- Severity: critical, high, moderate, low, info
- Package: Affected package name
- Vulnerable: Vulnerable version range
- Patched in: Fixed version range
- Path: Dependency path (direct or transitive)
JSON Report Analysis
# Generate JSON report
pnpm audit --json > audit.json
# Parse with jq
cat audit.json | jq '.vulnerabilities | length'
cat audit.json | jq '.vulnerabilities | group_by(.severity)'
# Filter critical vulnerabilities
cat audit.json | jq '.vulnerabilities[] | select(.severity == "critical")'
Fixing Vulnerabilities
Direct Dependencies
# Step 1: Identify vulnerable package
pnpm audit
# Step 2: Check available versions
pnpm view package-name versions
# Step 3: Update catalog
# pnpm-workspace.yaml
catalog:
lodash: ^4.17.21 # Updated from ^4.17.19
# Step 4: Install
pnpm install
# Step 5: Verify fix
pnpm audit
Transitive Dependencies
# Step 1: Identify dependency chain
pnpm why vulnerable-package
# Output:
# parent-package 1.0.0
# └─┬ intermediate-package 2.0.0
# └── vulnerable-package 3.0.0
# Step 2: Update parent package
catalog:
parent-package: ^2.0.0 # Newer version with fixed dependency
# Step 3: Or use overrides (last resort)
{
"pnpm": {
"overrides": {
"vulnerable-package": "^3.1.0"
}
}
}
Using Overrides
// package.json
{
"pnpm": {
"overrides": {
// Fix specific vulnerability
"lodash": "^4.17.21",
// Fix across all dependencies
"semver@<7.5.2": "^7.5.2",
// Fix in specific dependency
"some-package>vulnerable-dep": "^2.0.0"
}
}
}
Snyk Integration
Setup
# Install Snyk
pnpm add -g snyk
# Authenticate
snyk auth
# Test project
snyk test
# Monitor for new vulnerabilities
snyk monitor
Snyk Commands
# Test for vulnerabilities
snyk test
# Test with severity threshold
snyk test --severity-threshold=high
# Test specific file
snyk test --file=package.json
# Ignore specific vulnerabilities
snyk ignore --id=SNYK-JS-LODASH-1018905
# Generate HTML report
snyk test --json | snyk-to-html -o snyk-report.html
Snyk Configuration
# .snyk
version: v1.25.0
ignore:
# Ignore low severity
'SNYK-JS-LODASH-1018905':
- '*':
reason: Low severity, no fix available
expires: 2024-12-31
# Ignore specific path
'SNYK-JS-AXIOS-1234567':
- 'dev-dependency > axios':
reason: Dev dependency only
expires: never
CI Integration
GitHub Actions
# .github/workflows/security.yml
name: Security Audit
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly on Monday
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- run: pnpm audit --audit-level=moderate
# Fail on high/critical vulnerabilities
- name: Check for high/critical vulnerabilities
run: |
AUDIT_OUTPUT=$(pnpm audit --json)
HIGH=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.high // 0')
CRITICAL=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.critical // 0')
if [ $HIGH -gt 0 ] || [ $CRITICAL -gt 0 ]; then
echo "High or critical vulnerabilities found!"
exit 1
fi
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/setup@master
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- name: Snyk test
run: snyk test --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk monitor
run: snyk monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Automated Dependency Updates
Dependabot
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
# Auto-merge security patches
groups:
security:
patterns:
- "*"
update-types:
- "patch"
# Ignore major versions
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
Renovate
// renovate.json
{
"extends": ["config:base"],
"vulnerabilityAlerts": {
"enabled": true,
"automerge": true
},
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"matchCurrentVersion": "!/^0/",
"automerge": true,
"automergeType": "branch"
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]
}
Best Practices
1. Regular Audits
# ❌ Only audit before deployment
pnpm audit # Once every few months
# ✅ Regular schedule
# - Daily: Automated CI checks
# - Weekly: Manual review
# - Before deployment: Final check
2. Prioritize Fixes
# ❌ Try to fix everything at once
pnpm audit --fix
# ✅ Prioritize by severity
# 1. Critical: Fix immediately
# 2. High: Fix within 1 week
# 3. Moderate: Fix within 1 month
# 4. Low: Fix when convenient
3. Verify Fixes
# ❌ Just update and deploy
pnpm audit --fix
git push
# ✅ Test after fixing
pnpm audit --fix
pnpm test # Run tests
pnpm build # Build check
pnpm dev # Manual testing
git commit && git push
4. Document Decisions
# .snyk
ignore:
'SNYK-JS-LODASH-1018905':
- '*':
reason: >
Low severity prototype pollution.
Package only used in dev scripts.
No fix available yet.
Monitoring for updates.
expires: 2024-12-31
created: 2024-01-15
Handling Common Scenarios
No Fix Available
# Issue: Vulnerability with no fix
# Options:
# 1. Wait for fix (monitor regularly)
snyk monitor
# 2. Find alternative package
pnpm remove vulnerable-package
pnpm add alternative-package
# 3. Accept risk (document decision)
# Add to .snyk with expiration date
Breaking Changes in Fix
# Issue: Fix requires major version upgrade
# Solution:
# 1. Review breaking changes
pnpm view package-name changelog
# 2. Create migration branch
git checkout -b upgrade/package-name
# 3. Update and test
catalog:
package-name: ^2.0.0 # Major version
pnpm install
pnpm test
# 4. Fix breaking changes
# 5. Commit and merge
False Positives
# Issue: Vulnerability doesn't affect your code
# Solution: Ignore with justification
# .snyk
ignore:
'SNYK-ID':
- 'package-name':
reason: >
False positive.
Vulnerable code path not used in our application.
Only affects feature X which we don't use.
expires: never
Security Audit Checklist
- Run
pnpm auditregularly - Fix critical and high vulnerabilities immediately
- Monitor for new vulnerabilities (Snyk/Dependabot)
- Document ignored vulnerabilities
- Review security patches before applying
- Test thoroughly after fixes
- Keep audit logs for compliance
- Update security policy as needed
References
- pnpm Audit: https://pnpm.io/cli/audit
- Snyk: https://snyk.io
- npm Security Advisories: https://github.com/advisories
- OWASP Dependency Check: https://owasp.org/www-project-dependency-check
- Related files:
.snyk- Snyk configuration.github/dependabot.yml- Dependabot config- Root CLAUDE.md - Security guidelines
Best Practices Summary
- Regular Audits: Run audits daily in CI, weekly manually
- Prioritize Severity: Fix critical/high first, then moderate/low
- Automate Security: Use Dependabot or Renovate
- Test Fixes: Always test after applying security patches
- Document Decisions: Explain ignored vulnerabilities
- Monitor Continuously: Use Snyk monitor for ongoing tracking
- Review Dependencies: Regularly review and remove unused packages
- Stay Informed: Subscribe to security advisories for key packages