1mangesh1/dependency-audit
skills/dependency-audit/SKILL.md
Dependency auditing, updating, and vulnerability management for npm, pip, and other package managers. Use when user asks to "audit dependencies", "update packages", "fix vulnerabilities", "check outdated", "npm audit", "pip audit", "upgrade dependencies safely", or any dependency management tasks.
$ install --global
skillsauthnpx skillsauth add 1mangesh1/dev-skills-collection dependency-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Error
VirusTotalMulti-engine malware detection
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 24, 2026, 9:41 PM45.0s7 files scanned
SKILL.md
- name:
- dependency-audit
- description:
- Dependency auditing, updating, and vulnerability management for npm, pip, and other package managers. Use when user asks to "audit dependencies", "update packages", "fix vulnerabilities", "check outdated", "npm audit", "pip audit", "upgrade dependencies safely", or any dependency management tasks.
Dependency Audit
Audit, update, and manage dependencies safely.
npm / Node.js
Audit
# Run security audit
npm audit
npm audit --json # Machine-readable
npm audit --production # Production deps only
# Fix automatically
npm audit fix
npm audit fix --force # Allow major version bumps
# Check specific advisory
npm audit --advisory=1234
Check Outdated
# List outdated packages
npm outdated
# Output:
# Package Current Wanted Latest Location
# express 4.17.1 4.17.3 5.0.0 my-app
# lodash 4.17.20 4.17.21 4.17.21 my-app
# Wanted = highest version matching semver range in package.json
# Latest = latest version published
Update Strategies
# Update within semver range (safe)
npm update
# Update specific package
npm update express
# Update to latest (may break)
npm install express@latest
# Interactive update tool
npx npm-check-updates # List all updates
npx npm-check-updates -u # Update package.json
npm install # Install updated
# Update with target
npx npm-check-updates --target minor # Only minor+patch
npx npm-check-updates --target patch # Only patch
Lock File
# Regenerate lock file
rm package-lock.json && npm install
# Check lock file integrity
npm ci # Clean install from lock file (CI)
# Deduplicate
npm dedupe
Python / pip
Audit
# pip-audit (recommended)
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
pip-audit --fix # Auto-fix vulnerabilities
pip-audit --json # Machine-readable
# Safety (alternative)
pip install safety
safety check
safety check -r requirements.txt
Check Outdated
# List outdated packages
pip list --outdated
pip list --outdated --format=json
# Check specific package
pip show package-name
Update Strategies
# Update single package
pip install --upgrade requests
# Update all packages (careful!)
pip list --outdated --format=json | python -c "
import json, sys
for pkg in json.load(sys.stdin):
print(pkg['name'])" | xargs -n1 pip install --upgrade
# Pin versions after updating
pip freeze > requirements.txt
pip-tools (Recommended)
pip install pip-tools
# Define requirements.in (unpinned)
# requirements.in:
# flask
# sqlalchemy>=2.0
# Compile to pinned requirements.txt
pip-compile requirements.in
# Update all
pip-compile --upgrade requirements.in
# Update specific package
pip-compile --upgrade-package flask requirements.in
# Sync environment to match
pip-sync requirements.txt
Yarn
# Audit
yarn audit
yarn audit --level moderate # Only moderate+
# Outdated
yarn outdated
# Update
yarn upgrade # Within ranges
yarn upgrade --latest # To latest versions
yarn upgrade-interactive # Interactive picker
# Dedupe
yarn dedupe
pnpm
# Audit
pnpm audit
pnpm audit --fix
# Outdated
pnpm outdated
# Update
pnpm update
pnpm update --latest
pnpm update --interactive
Renovate / Dependabot
Dependabot (GitHub)
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
reviewers:
- "team-name"
labels:
- "dependencies"
groups:
dev-deps:
patterns:
- "*"
dependency-type: "development"
prod-deps:
patterns:
- "*"
dependency-type: "production"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
Renovate
// renovate.json
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"],
"schedule": ["before 6am on Monday"],
"automerge": true,
"automergeType": "pr",
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"automerge": true
},
{
"matchUpdateTypes": ["major"],
"automerge": false,
"labels": ["breaking"]
}
]
}
Update Workflow
1. Check what's outdated
npm outdated / pip list --outdated
2. Run audit for vulnerabilities
npm audit / pip-audit
3. Update patch versions first (safest)
npx ncu --target patch -u && npm install
4. Run tests
npm test / pytest
5. Update minor versions
npx ncu --target minor -u && npm install && npm test
6. Update major versions one at a time
npm install package@latest && npm test
Read migration guides for major bumps
7. Commit and push
git add package.json package-lock.json
git commit -m "chore: update dependencies"
License Checking
# npm
npx license-checker --summary
npx license-checker --onlyAllow "MIT;ISC;BSD-3-Clause;Apache-2.0"
# Python
pip install pip-licenses
pip-licenses --summary
pip-licenses --allow-only "MIT;BSD;Apache-2.0"
Reference
For CI integration and automation: references/automation.md
Related Skills
1mangesh1/xargs-parallel
tools
VerifiedTrustedCommunity
Parallel execution with xargs, GNU parallel, and batch processing patterns. Use when user mentions "xargs", "parallel", "batch processing", "run in parallel", "parallel execution", "process list of files", "bulk operations", "concurrent commands", "map over files", or running commands on multiple inputs.
3SKILL.mdUpdated Apr 28, 2026
1mangesh1/websockets
development
VerifiedTrustedCommunity
WebSocket implementation for real-time bidirectional communication. Use when user mentions "websocket", "ws://", "wss://", "real-time", "live updates", "chat application", "socket.io", "Server-Sent Events", "SSE", "push notifications", "live data", "streaming data", "bidirectional communication", "websocket server", "reconnection", or building real-time features.
3SKILL.mdUpdated Apr 28, 2026
1mangesh1/webpack-vite
tools
VerifiedTrustedCommunity
Frontend bundler configuration for Webpack and Vite. Use when user mentions "webpack", "vite", "bundler", "vite config", "webpack config", "code splitting", "tree shaking", "hot module replacement", "HMR", "build optimization", "bundle size", "chunk splitting", "loader", "plugin", "esbuild", "rollup", "dev server", or configuring JavaScript build tools.
3SKILL.mdUpdated Apr 28, 2026
1mangesh1/vscode-settings
tools
VerifiedTrustedCommunity
VS Code configuration, extensions, keybindings, and workspace optimization. Use when user mentions "vscode", "vs code", "vscode settings", "vscode extensions", "keybindings", "code editor", "workspace settings", "settings.json", "launch.json", "tasks.json", "vscode snippets", "devcontainer", "remote development", or customizing their VS Code setup.
3SKILL.mdUpdated Apr 28, 2026