laurigates/code-dep-audit
code-quality-plugin/skills/code-dep-audit/SKILL.md
Audit dependencies for security vulnerabilities, outdated packages, and license compliance. Use when checking supply chain security, preparing releases, or responding to CVEs.
$ install --global
skillsauthnpx skillsauth add laurigates/claude-plugins code-dep-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 8:01 AM208.5s1 file scanned
SKILL.md
- name:
- code-dep-audit
- description:
- Audit dependencies for security vulnerabilities, outdated packages, and license compliance. Use when checking supply chain security, preparing releases, or responding to CVEs.
- args:
- [--type <security|outdated|licenses|all>] [--fix]
- argument-hint:
- --type security to check vulnerabilities, --type outdated for updates
- allowed-tools:
- Bash(npm audit *), Bash(npx *), Bash(pip-audit *), Bash(cargo audit *), Bash(pip *), Bash(uv *), Bash(cargo *), Read, Grep, Glob, TodoWrite
- created:
- 2026-04-10
- modified:
- 2026-05-09
- reviewed:
- 2026-04-10
/code:dep-audit
Audit project dependencies for vulnerabilities and freshness.
When to Use This Skill
| Use this skill when... | Use something else when... | |---|---| | Checking for known CVEs in dependencies | Setting up security scanning CI → /configure:security | | Preparing a release and need dep health check | Looking for code-level security issues → /code:antipatterns | | Responding to a vulnerability advisory | Reviewing code quality → /code:review | | Auditing license compliance | Configuring dependency management → /configure:package-management |
Context
- Package files: !
find . -maxdepth 1 \( -name "package.json" -o -name "package-lock.json" -o -name "yarn.lock" -o -name "bun.lockb" -o -name "pyproject.toml" -o -name "requirements.txt" -o -name "Cargo.toml" -o -name "Cargo.lock" -o -name "go.mod" -o -name "go.sum" \) -type f
Parameters
--type: Audit type —security(default),outdated,licenses, orall--fix: Automatically apply safe updates for vulnerable packages
Execution
Execute this dependency audit workflow:
Step 1: Detect package ecosystem
Identify all package manifests and lock files present. Determine which audit tools are available for each ecosystem.
Step 2: Run security audit
JavaScript/TypeScript:
npm audit --json
For bun projects:
bun pm ls
Python:
pip-audit --format json
Or with uv:
uv pip audit
Rust:
cargo audit --json
Go:
go list -m -json all
govulncheck ./...
If the audit tool is not installed, report which tool is needed and suggest /configure:security to set up the project.
Step 3: Check outdated packages (if --type outdated or all)
JavaScript/TypeScript:
npm outdated --json
Python:
pip list --outdated --format json
Rust:
cargo outdated --format json
Step 4: Check license compliance (if --type licenses or all)
JavaScript/TypeScript:
npx license-checker --json --summary
Python:
pip-licenses --format json
Rust:
cargo license --json
Flag problematic licenses: GPL (in proprietary projects), AGPL, unlicensed, or unknown.
Step 5: Apply fixes (if --fix)
For security vulnerabilities:
- Run
npm audit fix/cargo update/pip install --upgradefor safe updates - Report which vulnerabilities were fixed and which require manual intervention
- Run project tests to verify nothing broke
Step 6: Report results
Print summary:
Dependency Audit Report
=======================
Ecosystem: [JS/TS | Python | Rust | Go]
Security:
Critical: N
High: N
Medium: N
Low: N
Outdated: N packages behind latest
License issues: N flagged
Top actions:
1. [package@version] - critical CVE-XXXX-XXXX
2. [package] - N major versions behind
Post-Actions
- If many vulnerabilities found → suggest
npm audit fixor equivalent - If audit tools not configured → suggest
/configure:security - If outdated packages found → suggest updating in a separate branch
Agentic Optimizations
| Context | Command |
|---|---|
| Quick JS audit | npm audit --json |
| Python audit | pip-audit --format json |
| Rust audit | cargo audit --json |
| Outdated check | npm outdated --json |
| License check | npx license-checker --json --summary |
| CI mode | npm audit --audit-level=critical --json |
Related Skills
laurigates/comfyui-node-scaffold
tools
VerifiedTrustedCommunity
Scaffold a new ComfyUI custom-node repo (pyproject, CI, release-please, vitest+pytest, JS extension skeleton) in the picker/gesture vein. Use when bootstrapping or init-ing a comfyui node pack.
35SKILL.mdUpdated Jun 5, 2026
laurigates/comfy-node
tools
VerifiedTrustedCommunity
Orchestrate a ComfyUI node pack from idea to registry: scaffold, create + seed the repo, open the gitops adoption PR. Use when releasing or spinning up a new comfyui node pack.
35SKILL.mdUpdated Jun 5, 2026
laurigates/endpoint-security-cpu
testing
VerifiedTrustedCommunity
macOS EndpointSecurity/EDR high CPU & battery drain. Use when Kandji ESF / XProtect pegs a core; trace the exec storm via powermetrics + eslogger.
35SKILL.mdUpdated Jun 4, 2026
laurigates/odiff-image-diffing
development
VerifiedTrustedCommunity
odiff pixel-by-pixel image diffing. Use when comparing screenshots, detecting visual regressions, diffing before/after PNGs, asserting golden images.
35SKILL.mdUpdated May 30, 2026