npm/pnpm/yarn 依赖项审计工具 - 安全漏洞扫描、许可证检查、过时包检测

dependency-audit by jezweb/claude-skills

159 周安装量

661 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/jezweb/claude-skills --skill dependency-audit

开发自动化安全

🇨🇳中文介绍

依赖项审计

状态 : 生产就绪 最后更新 : 2026-02-03 适用范围 : npm、pnpm、yarn 项目

命令

命令	用途
`/audit-deps`	运行全面的依赖项审计，并优先显示发现的问题

快速开始

/audit-deps                    # 完整审计
/audit-deps --security-only    # 仅安全漏洞
/audit-deps --outdated         # 仅过时包
/audit-deps --fix              # 自动修复兼容的更新

本技能审计的内容

1. 安全漏洞

npm audit / pnpm audit

严重 (CVSS 9.0-10.0): 远程代码执行、身份验证绕过
高危 (CVSS 7.0-8.9): 数据泄露、权限提升
中危 (CVSS 4.0-6.9): 拒绝服务、信息泄露

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

FlyClaw：零登录航班聚合查询工具，Python实现多源航班信息与价格搜索

4,000,000 周安装

find-skills 技能搜索工具 - Vercel Labs 开源智能体技能包管理器

843,800 周安装

Vercel React 最佳实践指南 | 58条Next.js性能优化规则与代码重构

278,000 周安装

Vercel Web界面规范检查工具 - 自动检测代码是否符合Web设计指南

224,400 周安装

═══════════════════════════════════════════════
   依赖项审计报告
═══════════════════════════════════════════════

项目: my-app
包管理器: pnpm
总依赖项: 847 (142 个直接依赖，705 个传递依赖)

───────────────────────────────────────────────
   安全性
───────────────────────────────────────────────

🔴 严重 (1)
  lodash@4.17.20
  └─ CVE-2021-23337: 通过 template() 函数进行命令注入
  └─ 修复: npm update lodash@4.17.21
  └─ 影响: 直接依赖

🟠 高危 (2)
  minimist@1.2.5
  └─ CVE-2021-44906: 原型污染
  └─ 修复: 通过 mkdirp 传递，更新父级包
  └─ 路径: mkdirp → minimist

  node-fetch@2.6.1
  └─ CVE-2022-0235: 敏感标头泄露
  └─ 修复: npm update node-fetch@2.6.7

🟡 中危 (3)
  [详细信息...]

───────────────────────────────────────────────
   过时的包
───────────────────────────────────────────────

主要更新 (请审查破坏性变更):
  react           18.2.0  →  19.1.0   (1 个主要版本)
  typescript      5.3.0   →  5.8.0    (5 个次要版本)
  drizzle-orm     0.44.0  →  0.50.0   (6 个次要版本)

次要更新 (安全，新功能):
  @types/node     20.11.0 →  20.14.0
  vitest          1.2.0   →  1.6.0

补丁更新 (推荐):
  [15 个有补丁更新的包]

───────────────────────────────────────────────
   许可证检查
───────────────────────────────────────────────

✅ 所有许可证均与 MIT 兼容

注意: 3 个包使用 ISC 许可证（兼容）

───────────────────────────────────────────────
   摘要
───────────────────────────────────────────────

安全问题:  6 (1 个严重，2 个高危，3 个中危)
过时包:    23 (3 个主要版本，5 个次要版本，15 个补丁版本)
许可证问题: 0

推荐操作:
1. 修复严重问题: npm update lodash
2. 修复高危问题: npm audit fix
3. 升级前审查主要更新

═══════════════════════════════════════════════

任务	npm	pnpm	yarn
审计	`npm audit`	`pnpm audit`	`yarn audit`
审计 JSON	`npm audit --json`	`pnpm audit --json`	`yarn audit --json`
自动修复	`npm audit fix`	`pnpm audit --fix`	`yarn audit --fix`
强制修复	`npm audit fix --force`	N/A	N/A
检查过时	`npm outdated`	`pnpm outdated`	`yarn outdated`
原因查询	`npm explain <pkg>`	`pnpm why <pkg>`	`yarn why <pkg>`

🇺🇸English

Dependency Audit

Status : Production Ready Last Updated : 2026-02-03 Scope : npm, pnpm, yarn projects

Commands

Command	Purpose
`/audit-deps`	Run comprehensive dependency audit with prioritised findings

Quick Start

/audit-deps                    # Full audit
/audit-deps --security-only    # Only security vulnerabilities
/audit-deps --outdated         # Only outdated packages
/audit-deps --fix              # Auto-fix compatible updates

What This Skill Audits

1. Security Vulnerabilities

npm audit / pnpm audit

Critical (CVSS 9.0-10.0): Remote code execution, auth bypass
High (CVSS 7.0-8.9): Data exposure, privilege escalation
Moderate (CVSS 4.0-6.9): DoS, info disclosure
Low (CVSS 0.1-3.9): Minor issues

2. Outdated Packages

npm outdated / pnpm outdated

Categories:

Major updates : Breaking changes likely (review changelog)
Minor updates : New features, backwards compatible
Patch updates : Bug fixes, safe to update

3. License Compliance

Checks for:

GPL licenses in commercial projects (copyleft risk)
Unknown/missing licenses
License conflicts

4. Dependency Health

Deprecated packages
Abandoned packages (no updates in 2+ years)
Packages with open security issues

Output Format

═══════════════════════════════════════════════
   DEPENDENCY AUDIT REPORT
═══════════════════════════════════════════════

Project: my-app
Package Manager: pnpm
Total Dependencies: 847 (142 direct, 705 transitive)

───────────────────────────────────────────────
   SECURITY
───────────────────────────────────────────────

🔴 CRITICAL (1)
  lodash@4.17.20
  └─ CVE-2021-23337: Command injection via template()
  └─ Fix: npm update lodash@4.17.21
  └─ Affects: direct dependency

🟠 HIGH (2)
  minimist@1.2.5
  └─ CVE-2021-44906: Prototype pollution
  └─ Fix: Transitive via mkdirp, update parent
  └─ Path: mkdirp → minimist

  node-fetch@2.6.1
  └─ CVE-2022-0235: Exposure of sensitive headers
  └─ Fix: npm update node-fetch@2.6.7

🟡 MODERATE (3)
  [details...]

───────────────────────────────────────────────
   OUTDATED PACKAGES
───────────────────────────────────────────────

Major Updates (review breaking changes):
  react           18.2.0  →  19.1.0   (1 major)
  typescript      5.3.0   →  5.8.0    (5 minor)
  drizzle-orm     0.44.0  →  0.50.0   (6 minor)

Minor Updates (safe, new features):
  @types/node     20.11.0 →  20.14.0
  vitest          1.2.0   →  1.6.0

Patch Updates (recommended):
  [15 packages with patch updates]

───────────────────────────────────────────────
   LICENSE CHECK
───────────────────────────────────────────────

✅ All licenses compatible with MIT

Note: 3 packages use ISC (compatible)

───────────────────────────────────────────────
   SUMMARY
───────────────────────────────────────────────

Security Issues:  6 (1 critical, 2 high, 3 moderate)
Outdated:         23 (3 major, 5 minor, 15 patch)
License Issues:   0

Recommended Actions:
1. Fix critical: npm update lodash
2. Fix high: npm audit fix
3. Review major updates before upgrading

═══════════════════════════════════════════════

Agent

The dep-auditor agent can:

Parse npm/pnpm audit JSON output
Cross-reference CVE databases
Generate detailed fix recommendations
Auto-fix safe updates (with confirmation)

CI Integration

GitHub Actions

- name: Audit dependencies
  run: npm audit --audit-level=high
  continue-on-error: true

- name: Check for critical vulnerabilities
  run: |
    CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical')
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found!"
      exit 1
    fi

Pre-commit Hook

#!/bin/sh
npm audit --audit-level=critical || {
  echo "Critical vulnerabilities found. Run 'npm audit fix' or '/audit-deps'"
  exit 1
}

Package Manager Commands

Task	npm	pnpm	yarn
Audit	`npm audit`	`pnpm audit`	`yarn audit`
Audit JSON	`npm audit --json`	`pnpm audit --json`	`yarn audit --json`
Fix auto	`npm audit fix`

Known Limitations

npm audit fix --force : May introduce breaking changes (major version bumps)
Transitive dependencies : Some vulnerabilities require updating parent packages
False positives : Some advisories may not apply to your usage
Private registries : May need auth configuration for auditing

Related Skills

cloudflare-worker-base : For Workers projects
testing-patterns : Run tests after updates
developer-toolbox : For commit-helper after fixes

Version : 1.0.0 Last Updated : 2026-02-03

Weekly Installs

159

Repository

jezweb/claude-skills

GitHub Stars

661

First Seen

Feb 3, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

claude-code130

opencode110

replit103

gemini-cli100

codex96

cursor90

npm/pnpm/yarn 依赖项审计工具 - 安全漏洞扫描、许可证检查、过时包检测

🇨🇳中文介绍

依赖项审计

命令

快速开始

本技能审计的内容

1. 安全漏洞

相关 Skills

2. 过时的包

3. 许可证合规性

4. 依赖项健康状况

输出格式

代理

CI 集成

GitHub Actions

预提交钩子

包管理器命令

已知限制

相关技能

🇺🇸English

Dependency Audit

Commands

Quick Start

What This Skill Audits

1. Security Vulnerabilities

2. Outdated Packages

3. License Compliance

4. Dependency Health

Output Format

Agent

CI Integration

GitHub Actions

Pre-commit Hook

Package Manager Commands

Known Limitations

Related Skills

最新 Skills