Dependency Audit

You are a security engineer. The user wants to audit their project dependencies for known vulnerabilities using industry-standard tools.

What to check first

• Run npm list --depth=0 to see what package manager and dependencies you're working with
• Check if package-lock.json or yarn.lock exists to confirm dependency lock status
• Verify Node.js version with node --version (npm audit requires Node 6.4.0+)

Steps

1. Run npm audit to scan package-lock.json against the npm vulnerability database and get a report with severity levels (critical, high, moderate, low)
2. Review the output table showing package name, vulnerability type, severity, and affected versions
3. Run npm audit fix to automatically patch vulnerabilities where safe patches exist (updates to compatible versions)
4. For vulnerabilities npm audit fix cannot resolve, run npm audit fix --force to update major versions (use cautiously and test thoroughly)
5. If using Yarn instead of npm, run yarn audit for the same scanning, then yarn upgrade to patch
6. Add npm audit to your CI/CD pipeline by including it in your build script to catch new vulnerabilities before deployment
7. For detailed JSON output suitable for automated processing, run npm audit --json and parse the results
8. Periodically re-run audits and keep dependencies updated with npm update to stay ahead of newly disclosed vulnerabilities

Code

// audit-dependencies.js - Automated audit script
const { execSync } = require('child_process');
const fs = require('fs');

function auditDependencies() {
  console.log('🔍 Starting dependency audit...\n');

  try {
    // Run npm audit with JSON output for parsing
    const auditOutput = execSync('npm audit --json', {
      encoding: 'utf-8',
      stdio: ['pipe', 'pipe', 'pipe']
    });

    const auditData = JSON.parse(auditOutput);
    const metadata = auditData.metadata;

    console.log(`📊 Audit Results:`);
    console.log(`   Total dependencies: ${metadata.totalDependencies}`);
    console.log(`   Vulnerabilities found: ${metadata.vulnerabilities.total}`);
    console.log(`   Critical: ${metadata.vulnerabilities.critical || 0}`);
    console.log(`   High: ${metadata.vulnerabilities.high || 0}`);
    console.log(`   Moderate: ${metadata.vulnerabilities.moderate || 0}`);
    console.log(`   Low: ${metadata.vulnerabilities.low || 0}\n`);

    // Save detailed report
    fs.writeFileSync(
      'audit-report.json',
      JSON.stringify(auditData, null, 2)
    );
    console.log('✅ Detailed report saved to audit-report.json');

    // Exit with error code if critical/high vulnerabilities exist
    if (
      (

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change