Dependency Auditor

Audits dependencies for CVEs, outdated versions, license compliance, and unused packages. Auto-fix mode patches and cleans up safely.

@api/dependency-auditor

Tags: security, dependencies, audit, devops

Purpose: Audit project dependencies for security vulnerabilities, license compliance, outdated versions, and unused packages.


Invocation

```
/deps-audit [--fix] [--severity critical|high|all]
```

Audit Phases

Phase 1: Security Vulnerabilities

Run the native audit tool:

```bash
# Node.js
npm audit --json

# Python
pip-audit --format=json

# Go
govulncheck ./...

# Rust
cargo audit --json
```

Parse results and rank by severity (critical → low).

Phase 2: Outdated Packages

```bash
npm outdated --json
```

Categorize updates:

  • Patch (1.2.3 → 1.2.4) — Safe to auto-update
  • Minor (1.2.3 → 1.3.0) — Usually safe, check changelog
  • Major (1.2.3 → 2.0.0) — Breaking changes likely, review migration guide

Phase 3: License Compliance

Check all dependency licenses against project policy:

| License | Status |
|---------|--------|
| MIT, Apache-2.0, BSD | Allowed |
| ISC, Unlicense | Allowed |
| GPL-2.0, GPL-3.0 | Warning — viral copyleft |
| AGPL-3.0 | Blocked — requires open-sourcing |
| SSPL, BSL | Blocked — non-OSS |
| No license | Blocked — no usage rights |

Phase 4: Unused Dependencies

Detect packages in package.json not imported anywhere:

```bash
# Find all imports in source
grep -rh "from ['\"]" src/ | sed "s/.*from ['\"]//;s/['\"].*//" | sort -u

# Compare with package.json dependencies
```
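As an added example (not part of the skill's own implementation), the following Python carries out the comparison step above: it folds import specifiers back to package names so that subpath imports such as `lodash/merge` and scoped imports such as `@scope/ui/button` are not falsely reported, and it discards relative paths and Node built-ins that never belong in package.json. The built-in list and the sample package.json and source snippets are constructed for the example.

```python
import json
import re

# Node built-ins never appear in package.json (partial list; an assumption for this example).
NODE_BUILTINS = {"fs", "path", "os", "crypto", "http", "https", "url", "util",
                 "events", "stream", "child_process", "assert", "buffer"}

# Matches ESM `from '...'` (imports and re-exports) and CommonJS `require('...')`.
IMPORT_RE = re.compile(r"""(?:\bfrom\s+|\brequire\(\s*)['"]([^'"]+)['"]""")

def specifier_to_package(spec):
    """Reduce an import specifier to the package name package.json would list.
    Relative/absolute paths and Node built-ins return None; subpaths such as
    "lodash/merge" or "@scope/ui/button" fold back to "lodash" / "@scope/ui".
    """
    if spec.startswith((".", "/", "node:")):
        return None
    parts = spec.split("/")
    if spec.startswith("@"):  # scoped package: @scope/name[/subpath]
        return "/".join(parts[:2]) if len(parts) >= 2 else None
    return None if parts[0] in NODE_BUILTINS else parts[0]

def imported_packages(sources):
    """Set of package names imported anywhere in the given source texts."""
    return {name for text in sources for spec in IMPORT_RE.findall(text)
            if (name := specifier_to_package(spec))}

def unused_dependencies(package_json, sources):
    """Declared runtime dependencies with no import in the sources.
    Treat the result as candidates, not verdicts: packages loaded by a bundler,
    a framework runtime (e.g. the automatic JSX runtime) or a CLI entry point
    may legitimately have no import statement.
    """
    declared = set(json.loads(package_json).get("dependencies", {}))
    return sorted(declared - imported_packages(sources))

# Constructed sample input standing in for package.json and the files under src/.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "axios": "^0.21.4", "lodash": "^4.17.21", "moment": "^2.29.4",
    "@scope/ui": "^1.0.0", "react": "^18.2.0"}})
SAMPLE_SOURCES = [
    "import axios from 'axios';\nimport merge from \"lodash/merge\";\n"
    "export { Button } from '@scope/ui/button';",
    "const fs = require('fs');\nimport { helper } from './utils';\n"
    "import { createHash } from 'node:crypto';",
]

if __name__ == "__main__":
    print(unused_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES))  # ['moment', 'react']
```

The `react` hit illustrates why the report lists candidates for confirmation rather than packages to delete outright.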

Output Report

```
## Security Vulnerabilities (3 found)

🔴 CRITICAL | lodash@4.17.20 | Prototype Pollution (CVE-2021-23337)
  Fix: npm install lodash@4.17.21

🟡 MEDIUM | axios@0.21.1 | SSRF via crafted URL
  Fix: npm install axios@0.21.4

## Outdated (12 packages)

| Package | Current | Latest | Type |
|---------|---------|--------|------|
| react | 18.2.0 | 19.1.0 | Major |
| typescript | 5.3.3 | 5.7.2 | Minor |
| vitest | 1.6.0 | 1.6.1 | Patch |

## License Issues (1 found)

⚠️ WARNING | chart.js@4.4.0 | MIT ✓
  Dependency `chartjs-color` uses GPL-2.0

## Unused Dependencies (2 found)

- `moment` — not imported anywhere (consider removing)
- `lodash.merge` — only used in removed test file
```

Auto-Fix Mode

With --fix:

  1. Apply all patch updates
  2. Apply minor updates for packages with no breaking changelog entries
  3. Remove confirmed unused packages
  4. Re-run tests to verify nothing breaks
  5. Commit: chore(deps): security patches and cleanup

Info

Created February 18, 2026
Version 1.0.0
User-invoked
Terminal output
