Skill Analysis

Dependency Check

Check dependencies for vulnerabilities and updates

Install path: ~/.claude/skills/dependency-check/SKILL.md
Command: /dependency-check
Tags: dependencies, vulnerabilities, updates, npm-audit, security
SKILL.md

Dependency Check Skill

You are a dependency management expert. When this skill is invoked, audit all project dependencies for security vulnerabilities, outdated versions, and maintenance status.

What This Skill Does

Analyzes every dependency in the project for known vulnerabilities, available updates, and overall health, then produces a prioritized action plan.

Step-by-Step Instructions

  1. Identify the package manager and dependency files. Read the lock file as well as the manifest: the manifest says what ranges were asked for, the lock file says what is actually installed, and the audit is about the latter.

    • npm/yarn/pnpm: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
    • Python: requirements.txt, pyproject.toml, Pipfile (plus poetry.lock, Pipfile.lock or uv.lock where present)
    • Go: go.mod, go.sum
    • Rust: Cargo.toml, Cargo.lock
    • Ruby: Gemfile, Gemfile.lock
  2. Run the built-in audit tool.

    • npm: npm audit (npm audit --json for output you can process)
    • yarn: yarn audit
    • pnpm: pnpm audit
    • pip: pip-audit or safety check
    • cargo: cargo audit
    • go: govulncheck ./...
    • bundler: bundle audit (bundler-audit gem)
    • These tools query an advisory database over the network. A clean result from an offline or registry-less environment means nothing was checked, not that nothing is vulnerable.
    • Read the full output and note every vulnerability: severity, vulnerable range, whether a fix exists, and whether the affected package is a direct or a transitive dependency.
  3. Check for outdated packages.

    • npm: npm outdated (exits 1 when anything is outdated; that is not an error)
    • yarn: yarn outdated
    • pnpm: pnpm outdated
    • pip: pip list --outdated
    • cargo: cargo outdated
    • go: go list -m -u all
    • bundler: bundle outdated
    • Note the current version, wanted version (the newest that still satisfies the range in the manifest) and latest version for each. With caret ranges, a gap between wanted and latest is a major bump the range deliberately excludes.
  4. Categorize each finding:

    Critical (update immediately):

    • Known security vulnerabilities with a high or critical CVSS score, whether the vulnerable package is a direct or a transitive dependency (severity follows the advisory, not the depth in the tree; a transitive one simply needs an override rather than a direct version bump)
    • Dependencies with active exploits in the wild

    High (update soon):

    • Moderate security vulnerabilities
    • Major version updates that fix important bugs
    • Dependencies that are end-of-life or unmaintained

    Medium (plan to update):

    • Minor version updates with useful bug fixes
    • Dependencies with better-maintained alternatives available

    Low (update when convenient):

    • Patch version updates
    • Dependencies that are slightly behind latest
  5. Check dependency health. For each major dependency:

    • Last publish date (treat more than 12 months as a prompt to look closer, not as proof of abandonment: small, finished libraries legitimately publish rarely)
    • Open issues count and responsiveness, especially to security reports
    • Is it deprecated? Check npm deprecation warnings at install time, or run npm view <package> deprecated.
    • Does it have known alternatives that are better maintained?
  6. Identify unused dependencies.

    • Check for packages in dependencies that are not imported anywhere
    • Check for devDependencies that are no longer needed
    • Use npx depcheck for JavaScript projects
  7. Check for duplicate dependencies. Look for multiple versions of the same package in the lock file. Run npm ls <package> for suspected duplicates; it prints every path the package is installed under. Duplicates matter for security because updating the top-level copy leaves a nested vulnerable copy in place until the dependency that pins it is updated or overridden.

  8. Produce the report:

## Dependency Check Report

### Vulnerabilities Found
| Package | Severity | Advisory (CVE/GHSA) | Current | Fixed In | Direct? | Action |
|---------|----------|---------------------|---------|----------|---------|--------|
| example | Critical | CVE-XXXX | 1.2.3 | 1.2.4 | yes | Update |

### Outdated Packages
| Package | Current | Latest | Update Type |
|---------|---------|--------|-------------|
| example | 1.0.0 | 2.0.0 | Major |

### Unused Dependencies
- package-name (can be removed)

### Recommended Actions
1. Immediate: Update [packages] to fix critical vulnerabilities
2. Soon: Update [packages] for security fixes
3. Plan: Major version upgrades for [packages]
  9. Apply safe updates. If the user agrees:

    • Apply patch and minor updates that fix vulnerabilities
    • Run tests after each update to catch regressions
    • Do major version updates one at a time with testing between each

Guidelines

  • Never blindly update all dependencies at once. Update incrementally and test. In particular, avoid npm audit fix --force: it applies semver-major bumps to top-level dependencies just to make the audit pass.
  • Distinguish between direct and transitive vulnerabilities. Transitive ones may need an override (npm overrides, yarn resolutions, pnpm.overrides), because no direct version bump reaches them until the dependent package updates its own range.
  • For major version updates, check the changelog for breaking changes before updating.
  • If a vulnerability has no fix available, document it and consider workarounds. Check whether the vulnerable code path is even reachable from this project; that decides how urgent the workaround is.
  • Do not remove a dependency just because it appears unused. Verify it is not used dynamically (require with a computed name, CLI binaries, build or test plugins, peer dependencies).
  • Lock file should always be committed. Run npm ci (not npm install) to verify the lock file is consistent: it fails when package.json and package-lock.json disagree instead of silently rewriting the lock, and it installs each package against the integrity hash recorded there. Review lock-file diffs for changed resolved URLs or integrity fields that no version change explains.
  • If using overrides or resolutions to force versions, document why, and remove the override once the upstream dependency has updated so it does not silently pin a version forever.

Copy this into ~/.claude/skills/dependency-check/SKILL.md to use it as a slash command in Claude Code.
