S
SkillsMD 发现、学习和掌握最新的 AI 技术 Skills。基于真实社区数据,为开发者提供最权威的 AI 工具导航。
关于 聚焦 AI 技术 Skills 每周数据更新 中英双语文档 © 2026 SkillsMD. All rights reserved.
Preen依赖项安全检查:主动审计单体仓库漏洞与版本风险,提升CI与生产安全 | SkillsMD
首页 / Skills / preen-dependency-security Preen依赖项安全检查:主动审计单体仓库漏洞与版本风险,提升CI与生产安全 preen-dependency-security by a2f0/tearleads
npx skills add https://github.com/a2f0/tearleads --skill preen-dependency-security🇨🇳 中文介绍 Preen 依赖项安全检查
主动审计整个单体仓库中的依赖项风险,查找高/严重级别的漏洞、不安全的版本控制模式以及可能削弱 CI 可靠性或生产安全性的依赖项漂移。
运行时机
在以下情况下运行此技能:
Preen 轮转选择 preen-dependency-security 时
包更新或锁文件变更发生在广泛区域时
CI 因依赖项或传递性问题开始失败时
安全审查要求进行依赖项加固时
发现阶段
首先使用快速、有界的发现命令:
# 漏洞信号(仅限高/严重级别)
pnpm audit --prod --audit-level high --json 2>/dev/null | head -40 || true
# 清单中的风险版本控制模式
rg -n --glob 'package.json' 'latest|next|canary|beta|\*|\^0\.' packages scripts . | head -40
# 可能在安装时执行的依赖项脚本
rg -n --glob 'package.json' '"preinstall"|"install"|"postinstall"|"prepare"' packages . | head -40
# 工作区覆盖和固定策略热点
rg -n --glob 'package.json' '"overrides"|"resolutions"' . | head -20
# 过时包快照(信息性)
pnpm outdated -r 2>/dev/null | head -40 || true
问题类别
1. 高/严重级别漏洞
任何运行时依赖项可访问的高/严重级别漏洞都是最高优先级。
在可能的情况下,优先选择最小版本升级而非大版本跳跃。
如果无法直接升级传递性问题,请使用 pnpm.overrides 并附上明确的理由。
2. 不安全的版本指定符
🇺🇸 English Preen Dependency Security
Proactively audit dependency risk across the monorepo by finding high/critical vulnerabilities, unsafe versioning patterns, and dependency drift that can weaken CI reliability or production security.
When to Run
Run this skill when:
Preen rotation selects preen-dependency-security
A package update or lockfile change lands in a broad area
CI starts failing due to dependency or transitive issues
Security review asks for dependency hardening
Discovery Phase
Use fast, bounded discovery commands first:
# Vulnerability signal (high/critical only)
pnpm audit --prod --audit-level high --json 2>/dev/null | head -40 || true
# Risky versioning patterns in manifests
rg -n --glob 'package.json' 'latest|next|canary|beta|\*|\^0\.' packages scripts . | head -40
# Dependency scripts that can execute at install time
rg -n --glob 'package.json' '"preinstall"|"install"|"postinstall"|"prepare"' packages . | head -40
# Workspace overrides and pinning policy hotspots
rg -n --glob 'package.json' '"overrides"|"resolutions"' . | head -20
# Outdated packages snapshot (informational)
pnpm outdated -r 2>/dev/null | head -40 || true
Issue Categories
1. High/Critical Vulnerabilities
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
联系我们
避免在提交的清单中使用 latest、next、canary 和宽泛的通配符。
为核心基础设施包固定已知稳定的版本。
谨慎对待 ^0.x 范围;在 1.0 之前的包中,次要版本更新可能具有破坏性。
3. 安装时脚本风险
审查 preinstall/install/postinstall 脚本中不必要的特权行为。
优先在 CI 管道中使用确定性的构建步骤,而非隐式的安装时逻辑。
保持 postinstall 步骤的范围明确且可审计。
4. 覆盖/决议漂移
移除不再影响决议的陈旧覆盖项。
保持覆盖项最少且有文档记录;宽泛的覆盖项可能掩盖不兼容问题。
验证覆盖项变更不会导致运行时行为退化。
优先级排序
高/严重级别的运行时漏洞
核心包中不安全或浮动的版本约束
广泛使用的包中的风险安装时脚本
陈旧的覆盖项 / 依赖项卫生清理
修复模式
以最小影响范围修补漏洞 {
"pnpm": {
"overrides": {
"vulnerable-package": "1.2.3"
}
}
}
添加覆盖项后,验证受影响的包,并在上游依赖项跟进后移除覆盖项。
替换风险版本指定符 {
"dependencies": {
"safe-lib": "4.8.2"
}
}
验证安全性 pnpm install
pnpm exec tsx scripts/ciImpact/runImpactedQuality.ts >/dev/null
pnpm exec tsx scripts/ciImpact/runImpactedTests.ts >/dev/null
pnpm typecheck >/dev/null
pnpm lint >/dev/null
pnpm test >/dev/null
工作流程
发现 :收集漏洞和版本风险信号。选择一个修复项 :选择一个聚焦的、高置信度的变更。创建分支 :git checkout -b security/dependency-<area>实施 :应用最小的安全升级或覆盖项。验证 :运行受影响的质控/测试,如有需要则扩大范围。记录 :记录前后指标(例如,高/严重级别计数)。提交并合并 :运行 /commit-and-push,然后运行 /enter-merge-queue。
防护措施
不要在单个 preen 运行中批量处理不相关的依赖项升级。
不要在没有明确风险审查的情况下静默引入主版本升级。
不要留下没有理由的临时覆盖项。
不要降低覆盖率阈值。
质量标准
选定范围内的高/严重级别发现项减少
未引入新的安装时脚本风险
受影响的质控/测试通过
变更保持聚焦且可审查
令牌效率 pnpm audit --prod --audit-level high --json 2>/dev/null | head -40 || true
rg -n --glob 'package.json' 'latest|next|canary|beta|\*|\^0\.' packages scripts . | head -40
pnpm exec tsx scripts/ciImpact/runImpactedQuality.ts >/dev/null
pnpm exec tsx scripts/ciImpact/runImpactedTests.ts >/dev/null
git commit -S -m "message" >/dev/null
git push >/dev/null
Any high/critical vulnerability reachable by runtime dependencies is top priority.
Prefer minimal-version upgrades over major jumps when possible.
If a transitive issue cannot be upgraded directly, use pnpm.overrides with explicit rationale.
2. Unsafe Version Specifiers
Avoid latest, next, canary, and broad wildcards in committed manifests.
Pin known-stable versions for infrastructure-critical packages.
Treat ^0.x ranges carefully; minor bumps can be breaking in pre-1.0 packages.
3. Install-Time Script Risk
Review preinstall/install/postinstall scripts for unnecessary privileged behavior.
Prefer deterministic build steps in CI pipelines over implicit install-time logic.
Keep postinstall steps scoped and auditable.
4. Override/Resolution Drift
Remove stale overrides that no longer affect resolution.
Keep overrides minimal and documented; broad overrides can mask incompatibilities.
Validate that override changes do not regress runtime behavior.
Prioritization
High/critical runtime vulnerabilities
Unsafe or floating version constraints in critical packages
Risky install-time scripts in widely used packages
Stale overrides / dependency hygiene cleanup
Fix Patterns
Patch Vulnerability with Minimal Blast Radius {
"pnpm": {
"overrides": {
"vulnerable-package": "1.2.3"
}
}
}
After adding overrides, validate the impacted packages and remove overrides when upstream dependencies catch up.
Replace Risky Version Specs {
"dependencies": {
"safe-lib": "4.8.2"
}
}
Validate Safety pnpm install
pnpm exec tsx scripts/ciImpact/runImpactedQuality.ts >/dev/null
pnpm exec tsx scripts/ciImpact/runImpactedTests.ts >/dev/null
Run broader checks when dependency changes are wide:
pnpm typecheck >/dev/null
pnpm lint >/dev/null
pnpm test >/dev/null
Workflow
Discovery : Collect vulnerability and version-risk signals.Select one fix : Choose one focused, high-confidence change.Create branch : git checkout -b security/dependency-<area>Implement : Apply the minimal safe upgrade or override.Validate : Run impacted quality/tests, then broaden if needed.Document : Record before/after metric (for example, high/critical count).Commit and merge : Run /commit-and-push, then /enter-merge-queue. If no high-value fix is found, do not create a branch.
Guardrails
Do not batch unrelated dependency upgrades in a single preen run.
Do not silently introduce major-version upgrades without explicit risk review.
Do not leave temporary overrides without rationale.
Do not reduce coverage thresholds.
Quality Bar
High/critical findings reduced for selected scope
No new install-time script risk introduced
Impacted quality/tests pass
Change remains focused and reviewable
Token Efficiency pnpm audit --prod --audit-level high --json 2>/dev/null | head -40 || true
rg -n --glob 'package.json' 'latest|next|canary|beta|\*|\^0\.' packages scripts . | head -40
pnpm exec tsx scripts/ciImpact/runImpactedQuality.ts >/dev/null
pnpm exec tsx scripts/ciImpact/runImpactedTests.ts >/dev/null
git commit -S -m "message" >/dev/null
git push >/dev/null
On failure, rerun the failing command without suppression.
Azure Data Explorer (Kusto) 查询技能:KQL数据分析、日志遥测与时间序列处理
114,200 周安装
