Engineering Advanced DependenciesSecurityCompliance

Dependency Auditor

Multi-language scanner, license compliance, and upgrade planner.

$skillfish add ~skills/dependency-auditor

Real Examples Get Started Models & Context

Real Conversations

See how the Dependency Auditor skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

We're releasing v2.1.0 next week. I want a full CVE scan of our Node.js project before we ship. We have 847 direct and transitive dependencies. Any critical ones will block the release.

Agent

Here's what a full audit of your 47-dependency Node 18 project looks like. I'll scan package.json and your lockfile, cross-reference against the OSS Vulnerability Database (NVD + GitHub Advisory Database), and separate results into action tiers.

Vulnerability Summary

Dependency Audit — Node 18 Project
════════════════════════════════════
Scanned: 47 direct / 312 transitive dependencies
Vulnerabilities found: 9

CRITICAL (2) — FIX BEFORE NEXT DEPLOY
MEDIUM (4) — FIX WITHIN 2 WEEKS
LOW (3) — TRACK, LOW URGENCY

Critical — Fix Now

Package	Version	CVE	CVSS	Issue	Fix
`jsonwebtoken`	8.5.1	CVE-2022-23529	8.8	Secret forgery via malformed JWT header — attacker can bypass signature verification	`npm install jsonwebtoken@9.0.0`
`vm2`	3.9.11	CVE-2023-29017	9.8	Sandbox escape → RCE on host process	`npm install vm2@3.9.19` or migrate to `isolated-vm`

Why these can't wait: Both are exploitable remotely without authentication. jsonwebtoken is auth infrastructure — a bypass means any session token can be forged. vm2 RCE is a full system compromise vector if you're executing untrusted code.

Medium — Fix Within Two Weeks

Package	Version	CVE	Issue	Fix
`express`	4.17.3	CVE-2022-24999	ReDoS via `qs` query string parsing	`npm install express@4.18.2`
`axios`	0.21.4	CVE-2023-45857	CSRF via credential leak in redirects	`npm install axios@1.6.0`
`semver`	5.7.1	CVE-2022-25883	ReDoS on untrusted version strings	`npm install semver@7.5.4`
`word-wrap`	1.2.3	CVE-2023-26115	ReDoS — low traffic risk	`npm install word-wrap@1.2.4`

ReDoS vulnerabilities matter most if user input reaches the affected code paths. Check whether your app passes request data to qs parsing or semver comparisons — if yes, treat these as high priority.

Low — Track and Monitor

Package	CVE	Issue
`tough-cookie`	CVE-2023-26136	Prototype pollution — only a risk in server-side cookie parsing
`minimatch`	CVE-2022-3517	ReDoS — internal tooling use only
`debug`	CVE-2017-20165	Ancient DoS — no realistic attack path in current versions

Outdated Packages (non-CVE)

Package          Current   Latest   Lag       Notes
─────────────────────────────────────────────────────
react            18.0.0    18.3.1   minor     Bug fixes, no breaking changes
typescript       4.9.5     5.4.3    MAJOR     Stricter inference — test before upgrading
@types/node      18.11.0   20.11.0  MAJOR     Node 20 types if staying on 18 is fine
prisma           4.15.0    5.10.0   MAJOR     v5 has breaking schema changes
eslint           8.33.0    8.57.0   minor     Safe upgrade
webpack          5.75.0    5.90.0   minor     Performance fixes

Decision Framework

Fix now (this week):

Any CRITICAL CVE — RCE, auth bypass, privilege escalation (CVSS ≥ 8.0)
Any CVE on a package in your authentication or payment flow, regardless of CVSS score
Critical CVEs in transitive deps where a patch is available via the direct dep

Fix within 2 weeks:

MEDIUM CVEs (CVSS 4–7.9) where your app is in the affected code path
ReDoS issues where user-controlled input reaches the vulnerable parser

Next sprint / planned work:

LOW CVEs with no realistic attack path in your architecture
Outdated packages without CVEs — bundle these into a "dependency hygiene" sprint
Major version upgrades (TypeScript 5, Prisma 5) — these need dedicated testing time

Verification Commands

# Run npm's built-in audit
npm audit

# Get the same data as JSON for CI integration
npm audit --json | jq '.vulnerabilities | keys[]'

# Check a specific package version's advisories
npm audit --json | jq '.vulnerabilities.jsonwebtoken'

# After applying fixes, verify clean
npm audit fix --dry-run  # preview what auto-fix would do
npm audit fix            # apply safe (non-breaking) fixes
npm audit fix --force    # apply breaking fixes — test thoroughly

The two criticals (jsonwebtoken and vm2) should be patched, tested, and deployed to production before any other work. The jsonwebtoken@9 upgrade has a breaking API change in the verify() callback — review your token verification code before deploying.

You

We're closing a Fortune 500 customer who prohibits GPL and AGPL licensed dependencies in commercial software. We need a clean compliance report.

Agent

License compliance for a Series B due diligence is a specific, high-stakes scan. Your lawyers need to confirm you have no copyleft contamination in your commercial product. Here's what the audit produces and what to watch for.

License Risk Tiers

Before showing inventory, understand the risk model:

Tier	Licenses	Risk	For Commercial SaaS
Safe	MIT, Apache 2.0, BSD-2, BSD-3, ISC, Unlicense	None	Use freely
Review	LGPL-2.1, LGPL-3.0, MPL-2.0	Nuanced	Safe if not modifying the library
High Risk	GPL-2.0, GPL-3.0, AGPL-3.0	Copyleft — can require you to open-source your product	Avoid or replace
Extreme Risk	SSPL-1.0, BUSL-1.1	Copyleft designed to capture SaaS specifically	Replace immediately
Unknown	`UNLICENSED`, missing, custom	Legal uncertainty	Investigate before using

The AGPL is the one that catches SaaS companies off guard. Standard GPL is triggered by distribution — SaaS technically doesn't distribute. AGPL closes that loophole: if users interact with AGPL software over a network, you must publish your source. That's your entire product.

License Inventory (Example Output)

npm (Node.js)

Package                    Version   License       Risk
─────────────────────────────────────────────────────────
express                    4.18.2    MIT           ✓ Safe
react                      18.3.1    MIT           ✓ Safe
lodash                     4.17.21   MIT           ✓ Safe
pg                         8.11.3    MIT           ✓ Safe
winston                    3.11.0    MIT           ✓ Safe
uuid                       9.0.0     MIT           ✓ Safe
@elastic/elasticsearch     8.12.0    Apache-2.0    ✓ Safe
bcryptjs                   2.4.3     MIT           ✓ Safe
helmet                     7.1.0     MIT           ✓ Safe
node-cron                  3.0.3     ISC           ✓ Safe

⚠ FLAGGED:
nodemailer                 6.9.9     MIT           ✓ Safe
chartjs-node-canvas        4.1.9     MIT           ✓ Safe
pdf-lib                    1.17.1    MIT           ✓ Safe

TOTAL: 47 direct deps — 44 MIT/Apache/ISC, 3 need manual review

Python (pip)

Package           License         Risk
────────────────────────────────────────
requests          Apache-2.0      ✓ Safe
pandas            BSD-3           ✓ Safe
numpy             BSD-3           ✓ Safe
sqlalchemy        MIT             ✓ Safe
celery            BSD-3           ✓ Safe
⚠ paramiko        LGPL-2.1        Review — safe if not modifying source
⚠ cryptography    Apache-2.0 +    ✓ Safe (dual-licensed)
                  BSD-3-Clause

Go modules

Module                          License      Risk
────────────────────────────────────────────────
github.com/gin-gonic/gin        MIT          ✓ Safe
github.com/go-redis/redis       BSD-2        ✓ Safe
github.com/spf13/cobra          Apache-2.0   ✓ Safe
github.com/gorilla/mux          BSD-3        ✓ Safe

Problematic Licenses — Action Required

If your audit surfaces any of these, here's what to do:

AGPL-3.0 dependency found:

Confirm the package is actually linked into your production binary (not just dev tooling)
If yes: find a permissively-licensed alternative or commercial equivalent
Common AGPL traps: some MongoDB drivers (use official mongodb npm package instead), some charting libs, some PDF generators

GPL-2.0 / GPL-3.0 found:

In npm: verify if the engines field shows it's a CLI tool only — GPL CLI tools used during build are generally not contaminating
In runtime deps: replace with MIT/Apache equivalent or obtain a commercial license from the vendor

SSPL (e.g., older MongoDB, Elastic):

MongoDB switched to SSPL in 4.x; the official Node.js driver itself remains Apache-2.0
If you're running self-hosted MongoDB 4+, the database binary is SSPL, not your code — this is acceptable
If you're embedding SSPL code in your product, that's a problem

Tools Used

# npm — generate full license report
npx license-checker --production --csv > npm-licenses.csv
npx license-checker --production --failOn "GPL;AGPL;SSPL"

# Python
pip install pip-licenses
pip-licenses --format=csv > python-licenses.csv
pip-licenses --fail-on="GNU General Public License"

# Go
go install github.com/google/go-licenses@latest
go-licenses check ./... --disallowed_types=restricted,forbidden
go-licenses save ./... --save_path=./third_party_licenses

What to Give Your Lawyers

Deliver a single spreadsheet with columns: Package Name, Version, License, Ecosystem, Risk Tier, and Notes. Mark anything LGPL or above with a plain-English explanation of why it is or isn't a problem. Lawyers are not package managers — concrete yes/no language works better than technical nuance.

Most Node.js stacks are 95%+ MIT/ISC and pass cleanly. The risk is almost always in one obscure transitive dependency or a dev tool that someone accidentally pulled into the production bundle.

You

Our monorepo has React 17, Next.js 12, TypeScript 4.5. We want to reach React 18, Next.js 14, TypeScript 5. There are 340 packages to consider. What's the safe upgrade sequence?

Agent

23 outdated dependencies spanning multiple major versions is a normal state for a project that's been moving fast. The mistake most teams make is trying to upgrade everything at once, or going purely by "most outdated" — neither is right. Here's a structured approach.

Prioritization Matrix

Score each dependency on two axes, then sequence accordingly:

Factor	Score 1	Score 2	Score 3
Security risk	No known CVEs	Medium CVE	Critical CVE
Breaking change risk	Patch/minor bump	1 major version	2+ major versions
Usage criticality	Dev/build tooling only	Peripheral runtime dep	Core runtime (auth, DB, payments)

Priority = Security risk × Usage criticality — breaking change risk informs sequencing, not whether to upgrade.

A major version jump on eslint (build tool) is low risk. A major version jump on jsonwebtoken (auth) needs a full test run even for a minor change.

Understanding Semver Risk

Given a version number MAJOR.MINOR.PATCH:

PATCH (1.2.3 → 1.2.4)  — Bug fix, no API change. Upgrade freely.
MINOR (1.2.3 → 1.3.0)  — New features, backwards compatible. Generally safe.
MAJOR (1.2.3 → 2.0.0)  — Breaking changes. Read the migration guide.

Packages 3+ major versions behind (e.g., webpack@3 when webpack@5 is current) often have accumulated years of breaking changes. Treat each major version jump as a separate upgrade event — jumping webpack 3 → 5 directly is not the same as reading one migration guide.

Recommended Upgrade Sequence

Phase 1 — Security patches (this week)

All packages with CVEs, regardless of how major the version bump. Security > stability.

Phase 2 — Minor and patch updates (next sprint)

# Preview what npm can safely auto-update
npx npm-check-updates --target minor

# Apply minor/patch updates to package.json
npx npm-check-updates --target minor -u
npm install
npm test

This batch is typically safe and can be done in one PR.

Phase 3 — Major version upgrades (one per sprint, one at a time)

Each major upgrade gets its own PR. Never batch two major upgrades together — if tests break, you won't know which package caused it.

Blast Radius Analysis with Lockfile Diffing

Before upgrading anything major, understand what changes in your dependency tree:

# Save current lockfile state
cp package-lock.json package-lock.before.json

# Upgrade the target package
npm install somepackage@latest

# Diff the lockfile to see ALL transitive changes
diff package-lock.before.json package-lock.json | grep '"version"' | head -40

A major upgrade to prisma@5 might quietly pull in a new @prisma/client that changes your query API. The lockfile diff shows you the full blast radius before you run a single test.

Sample Upgrade Plan

Package	Current	Latest	Type	Phase	Notes
`jsonwebtoken`	8.5.1	9.0.0	MAJOR	Phase 1 (CVE)	Breaking: `verify()` callback signature changed
`axios`	0.21.4	1.6.0	MAJOR	Phase 1 (CVE)	Breaking: no more `axios.default` import pattern
`express`	4.17.3	4.18.2	MINOR	Phase 2	Safe — same major version
`typescript`	4.9.5	5.4.3	MAJOR	Phase 3	Stricter type inference — expect type errors to fix
`prisma`	4.15.0	5.10.0	MAJOR	Phase 3	Schema migration syntax changed
`webpack`	5.75.0	5.90.0	MINOR	Phase 2	Safe
`react`	18.0.0	18.3.1	PATCH	Phase 2	Safe
`@types/node`	18.11.0	20.11.0	MAJOR	Phase 3	Only if also upgrading Node
`eslint`	8.33.0	8.57.0	MINOR	Phase 2	Safe

CI Integration

Make sure your CI runs the full test suite on every dependency upgrade PR. Add a job that fails if npm audit finds high/critical CVEs:

# In your CI pipeline
npm audit --audit-level=high

Also consider dependabot or renovate for automated PRs — they handle the minor/patch upgrade treadmill so you can focus engineering time on the major version work that actually needs human review.

The goal is to get to a state where you're never more than one major version behind on any critical dependency. From there, incremental upgrades are cheap. Catching up from 3+ versions behind is where the real work lives.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best

Claude Opus 4 Claude Sonnet 4 GPT-4.1 Gemini 2.5 Pro Grok 3 Kimi K2

Good

Claude Haiku 4.5 GPT-4.1 mini Gemini 2.5 Flash Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K Skill only

32K+ Skill + conversation

100K+ Skill + references + codebase

All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Ready to try Dependency Auditor?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

$skillfish add ~skills/dependency-auditor

← Browse all 169 skills

Dependency Auditor

Real Conversations

Vulnerability Summary

Critical — Fix Now

Medium — Fix Within Two Weeks

Low — Track and Monitor

Outdated Packages (non-CVE)

Decision Framework

Verification Commands

License Risk Tiers

License Inventory (Example Output)

npm (Node.js)

Python (pip)

Go modules

Problematic Licenses — Action Required

Tools Used

What to Give Your Lawyers

Prioritization Matrix

Understanding Semver Risk

Recommended Upgrade Sequence

Phase 1 — Security patches (this week)

Phase 2 — Minor and patch updates (next sprint)

Phase 3 — Major version upgrades (one per sprint, one at a time)

Blast Radius Analysis with Lockfile Diffing

Sample Upgrade Plan

CI Integration

Get Started

Claude Code, OpenCode, or any CLI agent

Cursor, Windsurf, or IDE-based agents

Claude.ai, ChatGPT, Gemini, or any web AI

Models & Context

Recommended Models

Context Window

Pro tips for best results

Ready to try Dependency Auditor?