
dependency-audit

Audit dependencies across ALL of Y4NN's projects and coordinate updates portfolio-wide. Inventories manifests/lockfiles across the project registry, runs OSV/trivy, aggregates shared vulnerabilities and shared packages, prioritises, and produces a coordinated update plan. Use for periodic cross-project security audits and fleet-wide upgrades. Cross-harness scope.
Y4NN777/mishkan-cc-harness · ★ 3 · AI & Automation · score 76
Install: claude install-skill Y4NN777/mishkan-cc-harness
# dependency-audit

Audit and update dependencies **across every project**, not one repo at a time. A vulnerability in a package Y4NN uses in five projects is one finding with five blast points. Cross-harness scope — owned by Benaiah, documented by Seraiah (org layer), rolled out via Migdal.

## When to use

- Periodic portfolio security audit (recommended every sprint close, or on demand).
- When a high-profile CVE drops in a widely-used package.
- Before a fleet-wide framework bump.

## Procedure

1. **Inventory** — run `~/.claude/mishkan/scripts/dependency-audit.sh`, which reads the project registry (`~/.claude/mishkan/config/projects.yaml`) and collects every manifest/lockfile across the listed project roots.
2. **Scan** — the script runs OSV-Scanner / `trivy fs` per project where available and aggregates results.
3. **Aggregate cross-project** —
   - **Shared packages:** which dependency+version appears in which projects.
   - **Shared vulnerabilities:** one CVE → all affected projects (the portfolio view).
   - **Version drift:** the same package pinned to different versions across projects.
4. **Prioritise** — order by severity × blast radius (how many projects affected × exposure). Critical-in-many-projects first.
5. **Vet upgrades** — for each fix, run **dependency-vetting** on the target version, then **dependency-upgrade** for compatibility/breaking-change analysis per project.
6. **Coordinate the rollout** — Migdal sequences the update across projec
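The cross-project aggregation and prioritisation of steps 3 and 4, as an added Python example that is not the skill's own `dependency-audit.sh`. The project names, package versions, vulnerability ids and per-project exposure weights are constructed placeholders, and the severity and exposure weighting is an assumption about how "severity × blast radius" is scored.

```python
from collections import defaultdict

# Constructed sample data, not real scanner output: a per-project inventory
# (project, package, version) and vulnerability hits trimmed to the fields the
# aggregation needs, modelled on what OSV-Scanner / trivy report. Ids are placeholders.
INVENTORY = [
    ("api-gateway", "lodash", "4.17.15"), ("api-gateway", "express", "4.17.1"),
    ("admin-dashboard", "lodash", "4.17.15"), ("admin-dashboard", "express", "4.18.2"),
    ("batch-worker", "lodash", "4.17.15"), ("batch-worker", "pyyaml", "5.3"),
]
VULNS = [  # (project, package, vuln_id, severity)
    ("api-gateway", "lodash", "VULN-PLACEHOLDER-1", "HIGH"),
    ("admin-dashboard", "lodash", "VULN-PLACEHOLDER-1", "HIGH"),
    ("batch-worker", "lodash", "VULN-PLACEHOLDER-1", "HIGH"),
    ("batch-worker", "pyyaml", "VULN-PLACEHOLDER-2", "CRITICAL"),
]
# Assumed weights: internet-facing project = 2, internal = 1; severity 1..4.
EXPOSURE = {"api-gateway": 2, "admin-dashboard": 2, "batch-worker": 1}
SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def shared_packages(inventory):
    """Package -> {project: version}, only for packages used by more than one project."""
    by_pkg = defaultdict(dict)
    for project, pkg, ver in inventory:
        by_pkg[pkg][project] = ver
    return {pkg: projs for pkg, projs in by_pkg.items() if len(projs) > 1}

def version_drift(inventory):
    """Package -> {version: sorted projects} for packages pinned to more than one version."""
    drift = {}
    for pkg, projects in shared_packages(inventory).items():
        by_ver = defaultdict(list)
        for project, ver in projects.items():
            by_ver[ver].append(project)
        if len(by_ver) > 1:
            drift[pkg] = {v: sorted(ps) for v, ps in by_ver.items()}
    return drift

def shared_vulns(vulns):
    """Vuln id -> severity, package and sorted affected projects (the portfolio view)."""
    view = {}
    for project, pkg, vid, sev in vulns:
        view.setdefault(vid, {"severity": sev, "package": pkg, "projects": []})["projects"].append(project)
    for entry in view.values():
        entry["projects"].sort()
    return view

def prioritise(vulns, exposure):
    """Rank findings by severity weight x blast radius (sum of exposure over affected projects)."""
    scored = []
    for vid, entry in shared_vulns(vulns).items():
        blast = sum(exposure.get(p, 1) for p in entry["projects"])
        scored.append((SEVERITY[entry["severity"]] * blast, vid, entry["projects"]))
    return sorted(scored, reverse=True)
```

With this data a HIGH finding shared by three projects (score 15) outranks a CRITICAL one confined to a single internal project (score 4), which is the portfolio-view ordering the procedure asks for.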