
dependency-audit

Provides dependency management and supply chain security practices for auditing vulnerabilities, checking licenses, assessing dependency health, and managing upgrades safely. Use when auditing packages, reviewing security, managing dependencies, or when user mentions 'audit', 'vulnerability', 'dependency', 'supply chain', 'npm audit', 'license', 'bundle size'.
Tibsfox/gsd-skill-creator · ★ 61 · AI & Automation · score 74
Install: `claude install-skill Tibsfox/gsd-skill-creator`
# Dependency Audit

Read-only analysis patterns for dependency security, license compliance, and health assessment. This skill does NOT auto-upgrade packages -- it helps you understand your dependency landscape and make informed decisions.

## Security-First Principles

| Principle | Practice |
|-----------|----------|
| Audit before merge | Run security checks in CI on every PR |
| Understand before upgrading | Read changelogs, check breaking changes |
| Never blindly force-fix | `npm audit fix --force` can introduce breaking changes |
| Pin production dependencies | Use exact versions or lock files |
| Verify publisher identity | Check package ownership, download counts, repo activity |

## Security Audit Workflow

### Step 1: Run the Audit

```bash
# npm (built-in)
npm audit

# npm -- JSON output for parsing
npm audit --json

# Yarn
yarn audit

# pnpm
pnpm audit
```

### Step 2: Read the Report

```
# Example npm audit output
┌───────────────┬──────────────────────────────────────────────┐
│ Severity      │ high                                         │
├───────────────┼──────────────────────────────────────────────┤
│ Package       │ lodash                                       │
│ Dependency of │ my-library                                   │
│ Path          │ my-library > lodash                          │
│ More info     │ https://github.com/advisories/GHSA-xxxx-xxxx │
└───────────────┴──────────────────────────────────────────────┘
```

### Step 3: Assess Each Vulnerab
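As an added example (not the skill's own code and not part of the original page), the following Node.js script turns the `npm audit --json` output from Step 1 into the "audit before merge" check from the principles table: it parses the report, rebuilds the `my-library > lodash` style path that the human-readable table in Step 2 shows, and fails the build when any advisory meets a chosen severity threshold, while flagging fixes that would need a semver-major upgrade so that nobody reaches for `npm audit fix --force`. It assumes the `auditReportVersion` 2 report shape that npm 7 and later emit; the embedded sample report, the package name `tiny-tool`, and the advisory URLs and titles are constructed placeholders.

```javascript
// Added example, not the dependency-audit skill's own code.
// Assumes npm's auditReportVersion 2 shape: a top-level "vulnerabilities" map
// keyed by package name, where each entry carries severity, isDirect, via
// (advisory objects for the vulnerable package itself, package-name strings for
// packages affected only through a dependency), effects, and fixAvailable.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report, not captured from a real project. It mirrors the
// Step 2 table (lodash reached through my-library); advisory URLs and titles
// are placeholders and "tiny-tool" is an invented direct dependency.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: false,
      via: [{ source: 1, name: "lodash", title: "placeholder advisory", severity: "high",
              url: "https://github.com/advisories/GHSA-xxxx-xxxx", range: "<4.17.21" }],
      effects: ["my-library"], range: "<4.17.21",
      fixAvailable: { name: "my-library", version: "2.0.0", isSemVerMajor: true },
    },
    "my-library": {
      name: "my-library", severity: "high", isDirect: true,
      via: ["lodash"], effects: [], range: "<=1.9.9",
      fixAvailable: { name: "my-library", version: "2.0.0", isSemVerMajor: true },
    },
    "tiny-tool": {
      name: "tiny-tool", severity: "low", isDirect: true,
      via: [{ source: 2, name: "tiny-tool", title: "placeholder advisory", severity: "low",
              url: "https://github.com/advisories/GHSA-yyyy-yyyy", range: "<1.2.0" }],
      effects: [], range: "<1.2.0", fixAvailable: true,
    },
  },
};

// Parse the text that `npm audit --json` prints; reject shapes we do not understand.
function parseAuditJson(text) {
  const report = JSON.parse(text);
  if (report.auditReportVersion !== 2 || typeof report.vulnerabilities !== "object"
      || report.vulnerabilities === null) {
    throw new Error("unsupported audit report format; expected auditReportVersion 2");
  }
  return report;
}

// Walk "effects" upward until a direct dependency is reached, producing the
// "my-library > lodash" style path that the human-readable report shows.
function dependencyPath(report, name) {
  const chain = [name];
  const seen = new Set([name]);
  let current = report.vulnerabilities[name];
  while (current && !current.isDirect && current.effects.length > 0) {
    const parent = current.effects[0];
    if (seen.has(parent)) break; // guard against cyclic effects
    seen.add(parent);
    chain.unshift(parent);
    current = report.vulnerabilities[parent];
  }
  return chain.join(" > ");
}

// Only entries with an advisory object in "via" are vulnerable themselves;
// entries whose "via" holds just package names are affected transitively.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((item) => typeof item === "object"));
}

// Decide whether the PR may merge: anything at or above `threshold` blocks.
// A fix that needs a semver-major bump is flagged for a changelog review.
function gate(report, threshold) {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = rootAdvisories(report).map((v) => ({
    package: v.name,
    severity: v.severity,
    path: dependencyPath(report, v.name),
    advisories: v.via.filter((item) => typeof item === "object").map((a) => a.url),
    needsMajorUpgrade: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
  }));
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= minRank);
  const advisory = findings.filter((f) => SEVERITY_RANK[f.severity] < minRank);
  return { failed: blocking.length > 0, blocking, advisory };
}

// Render the gate result as the lines a CI log would show.
function formatGate(result) {
  const lines = [];
  for (const f of result.blocking) {
    lines.push(`BLOCK ${f.severity.padEnd(8)} ${f.path}` +
      (f.needsMajorUpgrade ? "  (fix is a major upgrade: read the changelog first)" : ""));
  }
  for (const f of result.advisory) lines.push(`note  ${f.severity.padEnd(8)} ${f.path}`);
  lines.push(result.failed ? "audit gate: FAILED" : "audit gate: passed");
  return lines.join("\n");
}

// Stand-alone run on the constructed sample. In CI, replace SAMPLE_REPORT with
// the piped audit output (for example require("fs").readFileSync(0, "utf8")).
console.log(formatGate(gate(parseAuditJson(JSON.stringify(SAMPLE_REPORT)), "high")));
```

Run as `npm audit --json | node audit-gate.js` once the sample is swapped for stdin, and exit non-zero when `failed` is true so the PR check goes red. The threshold is a policy choice: `high` blocks the merge on the sample's lodash advisory while leaving the low-severity finding as an informational note, which matches the "understand before upgrading" principle better than a blanket fail on any finding.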