onewave-ai/dependency-auditor
dependency-auditor/SKILL.md
Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.
$ install --global
skillsauthnpx skillsauth add onewave-ai/claude-skills dependency-auditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 5, 2026, 5:37 AM136.2s1 file scanned
SKILL.md
- name:
- dependency-auditor
- description:
- Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.
Dependency Auditor
Instructions
When auditing dependencies:
- Run security audit
- Check for outdated packages
- Find unused dependencies
- Analyze bundle size impact
- Review and update
Security Audit
# NPM audit
npm audit
# Get JSON output for processing
npm audit --json
# Fix automatically (safe fixes only)
npm audit fix
# Force fix (may have breaking changes)
npm audit fix --force
# PNPM
pnpm audit
# Yarn
yarn audit
Check Outdated Packages
# NPM
npm outdated
# Interactive update
npx npm-check-updates -i
# Update all to latest
npx npm-check-updates -u
npm install
# Check specific package
npm view <package> versions
Find Unused Dependencies
# Using depcheck
npx depcheck
# With details
npx depcheck --detailed
# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"
Common False Positives
Depcheck may flag these as unused when they're actually needed:
@types/*packages (used by TypeScript)- ESLint/Prettier plugins (referenced in config)
- PostCSS plugins (referenced in config)
- Next.js plugins
- Babel presets
Analyze Bundle Size
# For Next.js
npx @next/bundle-analyzer
# General purpose
npx source-map-explorer dist/**/*.js
# Check package size before installing
npx package-phobia <package-name>
# Compare alternatives
npx bundlephobia-cli compare lodash ramda
Dependency Review Checklist
Security
- [ ] No critical/high vulnerabilities
- [ ] Dependencies actively maintained
- [ ] No known malicious packages
- [ ] Lock file committed
Freshness
- [ ] No major version behind (unless intentional)
- [ ] Security patches applied
- [ ] Deprecated packages replaced
Cleanliness
- [ ] No unused dependencies
- [ ] No duplicate packages (check lock file)
- [ ] devDependencies vs dependencies correct
Update Strategies
Conservative (Recommended)
# Update patch versions only
npm update
# Update specific package
npm install package@latest
Aggressive
# Update everything
npx npm-check-updates -u
npm install
npm test
Interactive
npx npm-check-updates -i
# Options:
# a - update all
# space - toggle selection
# enter - apply selected
Package.json Cleanup
{
"dependencies": {
// Runtime dependencies only
},
"devDependencies": {
// Build/test tools only
},
"peerDependencies": {
// For libraries only
},
"optionalDependencies": {
// Platform-specific (rare)
}
}
Lock File Best Practices
- Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
- Use
npm ciin CI/CD (notnpm install) - Regenerate if corrupted: delete lock file + node_modules, reinstall
- Single lock file per project (don't mix package managers)
Automated Monitoring
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
groups:
dev-dependencies:
dependency-type: "development"
Related Skills
onewave-ai/gmail-to-crm-pipeline
tools
VerifiedTrustedCommunity
Uses MCP Connectors to read Gmail inbound leads, score them by ICP fit, draft personalized responses, and log qualified leads to your CRM. Turns your inbox into an automated pipeline.
172SKILL.mdUpdated Jun 5, 2026
onewave-ai/full-codebase-migrator
development
VerifiedTrustedCommunity
Uses 1M context window to ingest an entire codebase and output a file-by-file migration plan. Supports JS to TS, React class to hooks, framework migrations, and more. Generates migration-plan.md with file inventory, dependency graph, migration order, file-by-file changes, estimated effort, and risk assessment.
172SKILL.mdUpdated Jun 5, 2026
onewave-ai/financial-document-parser
development
VerifiedTrustedCommunity
Extract and analyze data from invoices, receipts, bank statements, and financial documents. Categorize expenses, track recurring charges, and generate expense reports. Use when user provides financial PDFs or images.
172SKILL.mdUpdated Jun 5, 2026
onewave-ai/expansion-revenue-finder
tools
VerifiedTrustedCommunity
Identifies upsell and cross-sell opportunities within existing customer accounts. Analyzes product usage, feature gaps, team growth, industry benchmarks, and competitive pressure to surface revenue expansion plays scored by potential, effort, and likelihood. Generates an expansion-playbook.md with account-by-account opportunities, recommended pitch, timing, and approach.
172SKILL.mdUpdated Jun 5, 2026