dependency.audit
Scan project for outdated or vulnerable dependencies, enforce dependency policies, check licenses, and generate upgrade recommendations.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install chrislyons-carbon-acx-dependency-audit
Repository
Skill path: .claude/skills/shared/dependency-audit
Best for
Primary workflow: Run DevOps.
Technical facets: Full Stack, Security.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: chrislyons.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install dependency.audit into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/chrislyons/carbon-acx before adding dependency.audit to shared team environments
- Use dependency.audit for development workflows
Works across
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: dependency.audit
description: Scan project for outdated or vulnerable dependencies, enforce dependency policies, check licenses, and generate upgrade recommendations.
---

# dependency.audit

## Purpose

Audit project dependencies (npm, Python, Rust) for security vulnerabilities, outdated versions, and license compliance. Generates actionable recommendations for upgrades.

## When to Use

**Trigger Patterns:**

- "Check for vulnerable dependencies"
- "Audit npm packages"
- "Find outdated Python dependencies"
- "Check dependency licenses"
- CI/CD security scanning

**Do NOT Use When:**

- Installing/upgrading packages (this is audit-only)
- Modifying lockfiles

## Allowed Tools

- `bash` - Run `npm audit --json`, `pip-audit --format json`, `cargo audit --json`
- `read_file` - Read package.json, pyproject.toml, Cargo.toml and the lockfiles the auditors actually resolve against (package-lock.json, Cargo.lock)
- `python` - Parse results and generate reports

**Access Level:** 3 (Network-Enabled - checks package registries and advisory databases)

**Network Access:**

- registry.npmjs.org (npm audit)
- pypi.org (pip-audit; api.osv.dev instead when run with `--vulnerability-service osv`)
- github.com (cargo audit fetches the RustSec advisory database from the RustSec/advisory-db repository, not from crates.io)

## Expected I/O

**Input:**

- Package manager to audit: npm | pip | cargo | all
- Severity threshold: low | moderate | high | critical

**Output:**

- Security audit report
- License compliance report
- Upgrade recommendations
- Risk assessment

## Dependencies

**Required:**

- npm (for npm audit; needs a package-lock.json or npm-shrinkwrap.json, otherwise it exits with `ENOLOCK`)
- pip-audit (for Python; audits the active environment unless given `-r requirements.txt`)
- cargo-audit (for Rust, optional; reads Cargo.lock)

**Configuration:**

- `config.json` - Allowed licenses, severity thresholds
- `allowlist.json` - Exceptions for known-safe vulnerabilities

## Examples

### Example: Security Audit

**User:** "Check for vulnerable dependencies"

**Output:**

```
Dependency Security Audit

NPM Packages:
  CRITICAL: vite@<version> - CVE-2024-12345
    Description: Path traversal vulnerability
    Upgrade to: vite@<fixed version>
    Impact: High
  MODERATE: react-dom@<version> - CVE-2024-67890
    Description: XSS in dev mode
    Upgrade to: react-dom@<fixed version>
    Impact: Low (dev-only)

Python Packages:
  OK: All packages secure

Summary:
- Critical: 1
- Moderate: 1
- Low: 0
- Total packages scanned: 47

Recommendations:
1. Upgrade vite immediately (critical vulnerability)
2. Schedule react-dom upgrade (low risk, dev-only)
```

### Example: License Check

**User:** "Check dependency licenses"

**Output:**

```
License Compliance Report

Allowed Licenses (45 packages):
- MIT: 32 packages
- Apache-2.0: 10 packages
- BSD-3-Clause: 3 packages

Review Required (2 packages):
- <package>@<version>: GPL-3.0 (copyleft license)
- <package>@<version>: Custom license (needs review)

Disallowed Licenses (0 packages):
- None found

Summary: 45 compliant, 2 need review, 0 violations
```

## Limitations

- Requires network access to check registries and advisory databases
- Cannot auto-update packages (manual review required)
- Allowlist exceptions require human approval, and should carry an expiry so that a suppressed finding is revisited rather than forgotten
- Results are only as good as the lockfile: an audit run against a stale or missing lockfile does not reflect what is deployed

## Validation Criteria

- All critical vulnerabilities identified
- License compliance checked
- Upgrade paths suggested
- Risk assessment included

## Maintenance

**Owner:** Platform Team
**Review Cycle:** Quarterly
**Last Updated:** 2025-10-18
**Version:** 1.0.0
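The severity threshold, the `allowlist.json` exceptions and the upgrade recommendations described under Expected I/O, Dependencies and the Security Audit example, worked through as an added Python example. This is not the skill's own code. It assumes npm's `auditReportVersion` 2 JSON (what `npm audit --json` emits on npm 7 and later) and an allowlist schema of `{package, advisory, expires, reason}`, which the page names but does not define; the sample report and allowlist are constructed, with placeholder advisory URLs and made-up version ranges.

```python
"""Severity threshold + allowlist policy over `npm audit --json` output.

Added example for the dependency.audit workflow, not the skill's own code.
Assumed: npm's auditReportVersion 2 format (npm 7+), whose "vulnerabilities"
map holds one entry per package with "severity", "isDirect", "range",
"fixAvailable" and a "via" list mixing advisory dicts and package names; and
an allowlist.json schema of {package, advisory, expires, reason}, which the
page does not define.  The sample report and allowlist are constructed.
"""
import json
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report: placeholder advisory URLs, made-up versions.
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "vite": {
            "name": "vite", "severity": "critical", "isDirect": True, "range": "<4.1.0",
            "via": [{"title": "Path traversal vulnerability", "severity": "critical",
                     "url": "https://advisory.example/1001", "range": "<4.1.0"}],
            "fixAvailable": {"name": "vite", "version": "4.1.0", "isSemVerMajor": False},
        },
        "react-dom": {
            "name": "react-dom", "severity": "moderate", "isDirect": False, "range": "<18.3.0",
            "via": [{"title": "XSS in dev mode", "severity": "moderate",
                     "url": "https://advisory.example/1002", "range": "<18.3.0"}],
            "fixAvailable": True,
        },
        # Vulnerable only through react-dom: "via" names the package, no advisory dict.
        "ui-kit": {"name": "ui-kit", "severity": "moderate", "isDirect": True,
                   "range": "*", "via": ["react-dom"], "fixAvailable": True},
    },
})

# Constructed allowlist.json: each exception names the advisory and carries an expiry.
SAMPLE_ALLOWLIST = [
    {"package": "react-dom", "advisory": "https://advisory.example/1002",
     "expires": "2026-01-01", "reason": "dev-only code path, not shipped"},
]


def advisories(entry):
    """Advisory dicts behind one entry.  String "via" items point at another
    package whose own entry carries the advisory, so they are skipped here."""
    return [v for v in entry.get("via", []) if isinstance(v, dict)]


def fix_hint(fix):
    """Turn npm's fixAvailable (True / False / dict) into a recommendation."""
    if isinstance(fix, dict):
        major = " (semver-major: review breaking changes)" if fix.get("isSemVerMajor") else ""
        return f"upgrade {fix['name']} to {fix['version']}{major}"
    return "fix available via `npm audit fix`" if fix else "no fix available"


def allowlist_status(pkg, advisory_url, allowlist, today):
    """Return ('suppressed' | 'expired' | None, matching entry or None)."""
    for item in allowlist:
        if item["package"] == pkg and item["advisory"] == advisory_url:
            expired = date.fromisoformat(item["expires"]) < today
            return ("expired" if expired else "suppressed"), item
    return None, None


def evaluate_npm_audit(report_json, threshold="high", allowlist=(), today=None):
    """Apply the threshold and allowlist; return findings plus a CI pass/fail verdict."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2 (npm >= 7)")
    floor = SEVERITY_RANK[threshold]
    findings, suppressed, expired = [], [], []
    for pkg, entry in report.get("vulnerabilities", {}).items():
        for adv in advisories(entry):
            sev = adv.get("severity", entry.get("severity"))
            sev = sev if sev in SEVERITY_RANK else "info"
            if SEVERITY_RANK[sev] < floor:
                continue
            finding = {"package": pkg, "severity": sev, "title": adv.get("title"),
                       "advisory": adv.get("url"), "direct": bool(entry.get("isDirect")),
                       "vulnerable_range": entry.get("range"),
                       "fix": fix_hint(entry.get("fixAvailable", False))}
            status, item = allowlist_status(pkg, adv.get("url"), allowlist, today)
            if status == "suppressed":
                suppressed.append({**finding, "reason": item["reason"]})
                continue
            if status == "expired":          # lapsed exception: report it and the finding
                expired.append(item)
            findings.append(finding)
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return {"findings": findings, "suppressed": suppressed,
            "expired_allowlist": expired, "counts": counts, "fail": bool(findings)}


def render(result):
    """Plain-text report in the style of the skill's example output."""
    lines = ["Dependency Security Audit", ""]
    for f in result["findings"]:
        lines += [f"{f['severity'].upper()}: {f['package']} (vulnerable {f['vulnerable_range']})",
                  f"  {f['title']}  {f['advisory']}", f"  Recommendation: {f['fix']}"]
    lines += [f"allowlisted: {s['package']} - {s['reason']}" for s in result["suppressed"]]
    lines += [f"EXPIRED allowlist entry: {e['package']} ({e['expires']})" for e in result["expired_allowlist"]]
    lines += ["", "Summary: " + ", ".join(f"{k}={v}" for k, v in result["counts"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    result = evaluate_npm_audit(SAMPLE_NPM_AUDIT, "moderate", SAMPLE_ALLOWLIST, "2025-10-18")
    print(render(result))
    raise SystemExit(1 if result["fail"] else 0)   # non-zero fails the CI job
```

Feed it the output of `npm audit --json` and the exit status is what a CI step wants: any finding at or above the threshold that is not covered by a live allowlist entry fails the job. Two details matter in practice and are easy to get wrong: a transitive vulnerability appears under the package that carries the advisory, not under the direct dependency that pulls it in, so the `via` strings are deliberately ignored; and an allowlist entry past its `expires` date is reported together with the finding it used to hide, which is what makes the "human approval" in the Limitations section a renewable decision rather than a permanent one.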
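The license check from the License Check example and the `config.json` allowed-license list under Dependencies, as an added Python example that is not the skill's own code. It assumes `config.json` lists SPDX identifiers under `allowed`, `review` and `disallowed` (the page names the file but not its layout) and that the package inventory is a list of `{name, version, license}` rows such as license-checker, pip-licenses or cargo-license produce; both the policy and the inventory below are constructed. It goes a step beyond the page's example by evaluating SPDX expressions, so that a dual-licensed package (`MIT OR GPL-3.0-only`) is accepted on its permissive branch while a compound one (`MIT AND LGPL-2.1-only`) is held to its strictest part, and anything unparseable, such as a custom "SEE LICENSE IN" string, lands in review.

```python
"""License policy over a dependency inventory, with SPDX expression support.

Added example for the dependency.audit license check, not the skill's own
code.  Assumed: config.json lists SPDX identifiers under "allowed", "review"
and "disallowed", and inventory rows {name, version, license} come from a
tool such as license-checker, pip-licenses or cargo-license.  Both samples
below are constructed.  OR picks the most permissive branch, AND the
strictest; unknown identifiers and malformed expressions go to review.
"""
import re

VERDICTS = ("allowed", "review", "disallowed")   # least to most restrictive

SAMPLE_POLICY = {
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"],
    "review": ["LGPL-2.1-only", "LGPL-3.0-only"],
    "disallowed": ["GPL-3.0-only", "AGPL-3.0-only", "UNLICENSED"],
}

SAMPLE_INVENTORY = [
    {"name": "alpha", "version": "1.2.0", "license": "MIT"},
    {"name": "beta", "version": "0.9.1", "license": "(MIT OR Apache-2.0)"},
    {"name": "gamma", "version": "3.0.0", "license": "MIT AND LGPL-2.1-only"},
    {"name": "delta", "version": "2.4.0", "license": "GPL-3.0-only"},
    {"name": "epsilon", "version": "1.0.0", "license": "SEE LICENSE IN LICENSE.txt"},
    {"name": "zeta", "version": "5.1.0", "license": "(GPL-3.0-only OR MIT)"},
    {"name": "eta", "version": "0.1.0", "license": ""},
]


def policy_table(policy):
    """Map lower-cased SPDX identifiers to verdicts; a stricter list wins on conflict."""
    return {lic.lower(): v for v in VERDICTS for lic in policy.get(v, [])}


class SpdxEvaluator:
    """Recursive-descent evaluation of an SPDX expression to a policy verdict."""

    def __init__(self, expression, table):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", expression)
        self.table, self.unknown = table, []

    def peek(self, word=None):
        tok = self.tokens[0] if self.tokens else None
        return tok if word is None else (tok is not None and tok.upper() == word)

    def take(self):
        return self.tokens.pop(0) if self.tokens else None

    def evaluate(self):
        if not self.tokens:
            self.unknown.append("<no license>")
            return "review"
        verdict = self.parse_or()
        if self.tokens:                       # leftover tokens: not an SPDX expression
            self.unknown.append(" ".join(self.tokens))
            return "review"
        return verdict

    def parse_or(self):
        verdict = self.parse_and()
        while self.peek("OR"):
            self.take()
            verdict = min(verdict, self.parse_and(), key=VERDICTS.index)  # permissive branch
        return verdict

    def parse_and(self):
        verdict = self.parse_atom()
        while self.peek("AND"):
            self.take()
            verdict = max(verdict, self.parse_atom(), key=VERDICTS.index)  # every part must pass
        return verdict

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            verdict = self.parse_or()
            if self.take() != ")":
                self.unknown.append("unbalanced parenthesis")
                return "review"
            return verdict
        if tok is None or tok == ")":
            self.unknown.append("malformed expression")
            return "review"
        if self.peek("WITH"):                 # e.g. "GPL-2.0-only WITH Classpath-exception-2.0"
            self.take()
            tok = f"{tok} WITH {self.take()}"
        verdict = self.table.get(tok.lower())
        if verdict is None:
            self.unknown.append(tok)
            return "review"
        return verdict


def evaluate_expression(expression, policy):
    """Verdict for one licence string under the policy."""
    return SpdxEvaluator(expression or "", policy_table(policy)).evaluate()


def classify_licenses(inventory, policy):
    """Bucket every package; unknown identifiers are listed in the row's note."""
    table = policy_table(policy)
    rows, counts = [], {v: 0 for v in VERDICTS}
    for pkg in inventory:
        ev = SpdxEvaluator(pkg.get("license") or "", table)
        verdict = ev.evaluate()
        counts[verdict] += 1
        rows.append({"name": pkg["name"], "version": pkg.get("version"),
                     "license": pkg.get("license"), "verdict": verdict,
                     "note": "needs review: " + ", ".join(ev.unknown) if ev.unknown else ""})
    return {"packages": rows, "counts": counts}


if __name__ == "__main__":
    report = classify_licenses(SAMPLE_INVENTORY, SAMPLE_POLICY)
    for row in report["packages"]:
        print(f"{row['verdict']:<10} {row['name']}@{row['version']}: {row['license']!r} {row['note']}")
    print("Summary:", report["counts"])
```

The point of treating `OR` and `AND` differently is that license strings in the wild are rarely single identifiers: a dual-licensed package is compliant if one of its options is, whereas a package that bundles a copyleft component under `AND` is not made compliant by the permissive half. Everything the policy does not name ends up in review rather than silently allowed, which is the safe default for a check that runs unattended in CI.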