hjemmesidekongen/package-audit
plugins/smedjen/skills/package-audit/SKILL.md
npm audit workflow, outdated dependency triage, license compliance checking, and update strategies for patch, minor, and major version bumps. Covers Renovate/Dependabot config and monorepo update coordination.
testing
Updated Apr 5, 2026
$ install --global
skillsauthnpx skillsauth add hjemmesidekongen/ai package-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 5:29 PM29.0s2 files scanned
SKILL.md
- name:
- package-audit
- description:
- >
- user_invocable:
- false
- interactive:
- false
- model_tier:
- senior
- depends_on:
- []
- type:
- data_validation
- - name:
- critical_vulns_addressed
- verify:
- All critical and high CVEs have a resolution path documented
- fail_action:
- Document fix, workaround, or accepted risk for every critical/high finding
- on_fail:
- Package audit incomplete — all checks required before reporting
- on_pass:
- Audit complete — update plan and license report ready for review
- origin:
- smedjen
- inspired_by:
- original
- ported_date:
- 2026-03-10
- iteration:
- 1
- changes:
- Built for smedjen covering npm audit, license compliance, and update triage
package-audit
Structured dependency audit: security vulnerabilities, outdated packages, license compliance, and update planning. Produces a triage report with per-package decisions.
Audit Scope
| Area | What gets checked | |------|------------------| | CVEs | npm audit / Snyk / Socket — vulnerability counts by severity | | Outdated packages | npm outdated — current vs wanted vs latest | | License compliance | license-checker — compare against allowed/denied list | | Lock file integrity | Committed lock file matches package.json ranges | | Automation config | Renovate / Dependabot configured and scoped correctly |
Update Strategies
| Strategy | When to use | |----------|------------| | patch | Apply immediately — bug fixes, no API change | | minor | Test in branch — new features, backward compatible | | major | Assess breaking changes, plan migration, test thoroughly | | hold | Pin with documented reason — incompatible, high-risk, awaiting upstream |
Rules
- Never run
npm audit fix --forcewithout reviewing what it changes first. - Pin major version bumps behind a branch — do not update directly on main.
- A held package requires a documented reason and a revisit date.
- License violations in production deps are blockers — dev dep violations are warnings.
See references/process.md for audit commands, semver decision rules, license lists,
Renovate/Dependabot config templates, and report schema.
Related Skills
hjemmesidekongen/brand-strategy
development
VerifiedTrustedCommunity
Creates a brand from scratch through market research and interactive sparring. Runs competitive research via Perplexity, then guides the user through positioning, audience, voice, values, and content pillars. Produces the full brand guideline set at .ai/brand/{name}/. Use when building a new brand, defining brand strategy for a product, or when /våbenskjold:create is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-loader
testing
VerifiedTrustedCommunity
Loads brand guidelines from .ai/brand/{name}/ and makes them available to the current context. Progressive disclosure: L1 confirms brand exists, L2 loads summary, L3 loads specific files on demand. Use when a downstream skill or user needs brand context, or when /våbenskjold:apply is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-evolve
documentation
VerifiedTrustedCommunity
Guided reinvention of an existing brand guideline. Loads current brand from .ai/brand/{name}/, identifies what to keep vs change, and walks the user through targeted evolution. Preserves brand equity while updating positioning, voice, or values. Use when refreshing a brand or when /våbenskjold:evolve is invoked.
SKILL.mdUpdated Apr 5, 2026
hjemmesidekongen/brand-audit
development
VerifiedTrustedCommunity
Codifies an existing brand from materials, samples, and references. Analyzes provided content to extract voice patterns, values, and positioning. Produces the same guideline format as brand-strategy. Use when a brand already exists but isn't documented, or when /våbenskjold:audit is invoked.
SKILL.mdUpdated Apr 5, 2026