Back to skills
SkillHub ClubRun DevOpsFull StackDevOpsSecurity
package-audit
This skill scans for and fixes security vulnerabilities in npm dependencies using pnpm audit and Snyk, helping ensure secure deployments and resolve CVE alerts through automated tools and detailed reporting.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Stars
20
Hot score
87
Updated
March 20, 2026
Overall rating
C4.6
Composite score
4.6
Best-practice grade
A85.2
Install command
npx @skill-hub/cli install sgcarstrends-sgcarstrends-package-audit
Repository
sgcarstrends/sgcarstrends
Skill path: .claude/skills/package-audit
This skill scans for and fixes security vulnerabilities in npm dependencies using pnpm audit and Snyk, helping ensure secure deployments and resolve CVE alerts through automated tools and detailed reporting.
Open repositoryBest for
Primary workflow: Run DevOps.
Technical facets: Full Stack, DevOps, Security.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: sgcarstrends.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install package-audit into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/sgcarstrends/sgcarstrends before adding package-audit to shared team environments
- Use package-audit for development workflows
Works across
Claude CodeCodex CLIGemini CLIOpenCode
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: package-audit
description: Scan for security vulnerabilities using pnpm audit, Snyk, and automated tools. Use when checking security, before deployments, or resolving CVEs.
allowed-tools: Read, Edit, Write, Bash, Grep
---
# Package Audit Skill
This skill helps you scan for and fix security vulnerabilities in npm dependencies.
## When to Use This Skill
- Scanning for security vulnerabilities
- Before production deployments
- Resolving CVE alerts
- Regular security audits
- Dependency health checks
- Compliance requirements
- Pre-commit security checks
## Security Audit Tools
### pnpm audit
Built-in vulnerability scanner:
```bash
# Run audit
pnpm audit
# Output example:
# ┌───────────────┬──────────────────────────────────────────────────────────────┐
# │ moderate │ Prototype Pollution in lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Package │ lodash │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Vulnerable │ <4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Patched in │ >=4.17.21 │
# ├───────────────┼──────────────────────────────────────────────────────────────┤
# │ Path │ lodash │
# └───────────────┴──────────────────────────────────────────────────────────────┘
```
### Snyk
Advanced vulnerability scanning:
```bash
# Install Snyk CLI
pnpm add -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor project
snyk monitor
# Fix vulnerabilities
snyk fix
```
## Running Audits
### Basic Audit
```bash
# Audit all packages
pnpm audit
# Audit specific workspace
pnpm -F @sgcarstrends/api audit
# Audit production dependencies only
pnpm audit --prod
# Get JSON output
pnpm audit --json > audit-report.json
```
### Severity Levels
```bash
# Only show high/critical
pnpm audit --audit-level=high
# Audit levels:
# - info
# - low
# - moderate
# - high
# - critical
```
### Automated Fix
```bash
# Automatically fix vulnerabilities
pnpm audit --fix
# Dry run (preview fixes)
pnpm audit --fix --dry-run
```
## Understanding Audit Results
### Vulnerability Report
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ semver │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Vulnerable │ <5.7.2 || >=6.0.0 <6.3.1 || >=7.0.0 <7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.7.2 <6.0.0 || >=6.3.1 <7.0.0 || >=7.5.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
**Key Information:**
- **Severity**: critical, high, moderate, low, info
- **Package**: Affected package name
- **Vulnerable**: Vulnerable version range
- **Patched in**: Fixed version range
- **Path**: Dependency path (direct or transitive)
### JSON Report Analysis
```bash
# Generate JSON report
pnpm audit --json > audit.json
# Parse with jq
cat audit.json | jq '.vulnerabilities | length'
cat audit.json | jq '.vulnerabilities | group_by(.severity)'
# Filter critical vulnerabilities
cat audit.json | jq '.vulnerabilities[] | select(.severity == "critical")'
```
## Fixing Vulnerabilities
### Direct Dependencies
```bash
# Step 1: Identify vulnerable package
pnpm audit
# Step 2: Check available versions
pnpm view package-name versions
# Step 3: Update catalog
# pnpm-workspace.yaml
catalog:
lodash: ^4.17.21 # Updated from ^4.17.19
# Step 4: Install
pnpm install
# Step 5: Verify fix
pnpm audit
```
### Transitive Dependencies
```bash
# Step 1: Identify dependency chain
pnpm why vulnerable-package
# Output:
# parent-package 1.0.0
# └─┬ intermediate-package 2.0.0
# └── vulnerable-package 3.0.0
# Step 2: Update parent package
catalog:
parent-package: ^2.0.0 # Newer version with fixed dependency
# Step 3: Or use overrides (last resort)
{
"pnpm": {
"overrides": {
"vulnerable-package": "^3.1.0"
}
}
}
```
### Using Overrides
```json
// package.json
{
"pnpm": {
"overrides": {
// Fix specific vulnerability
"lodash": "^4.17.21",
// Fix across all dependencies
"semver@<7.5.2": "^7.5.2",
// Fix in specific dependency
"some-package>vulnerable-dep": "^2.0.0"
}
}
}
```
## Snyk Integration
### Setup
```bash
# Install Snyk
pnpm add -g snyk
# Authenticate
snyk auth
# Test project
snyk test
# Monitor for new vulnerabilities
snyk monitor
```
### Snyk Commands
```bash
# Test for vulnerabilities
snyk test
# Test with severity threshold
snyk test --severity-threshold=high
# Test specific file
snyk test --file=package.json
# Ignore specific vulnerabilities
snyk ignore --id=SNYK-JS-LODASH-1018905
# Generate HTML report
snyk test --json | snyk-to-html -o snyk-report.html
```
### Snyk Configuration
```yaml
# .snyk
version: v1.25.0
ignore:
# Ignore low severity
'SNYK-JS-LODASH-1018905':
- '*':
reason: Low severity, no fix available
expires: 2024-12-31
# Ignore specific path
'SNYK-JS-AXIOS-1234567':
- 'dev-dependency > axios':
reason: Dev dependency only
expires: never
```
## CI Integration
### GitHub Actions
```yaml
# .github/workflows/security.yml
name: Security Audit
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * 1' # Weekly on Monday
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- run: pnpm audit --audit-level=moderate
# Fail on high/critical vulnerabilities
- name: Check for high/critical vulnerabilities
run: |
AUDIT_OUTPUT=$(pnpm audit --json)
HIGH=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.high // 0')
CRITICAL=$(echo $AUDIT_OUTPUT | jq '.metadata.vulnerabilities.critical // 0')
if [ $HIGH -gt 0 ] || [ $CRITICAL -gt 0 ]; then
echo "High or critical vulnerabilities found!"
exit 1
fi
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/setup@master
- uses: pnpm/action-setup@v2
- uses: actions/setup-node@v4
with:
node-version: 20
cache: "pnpm"
- run: pnpm install
- name: Snyk test
run: snyk test --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Snyk monitor
run: snyk monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
## Automated Dependency Updates
### Dependabot
```yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
# Auto-merge security patches
groups:
security:
patterns:
- "*"
update-types:
- "patch"
# Ignore major versions
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
```
### Renovate
```json
// renovate.json
{
"extends": ["config:base"],
"vulnerabilityAlerts": {
"enabled": true,
"automerge": true
},
"packageRules": [
{
"matchUpdateTypes": ["patch"],
"matchCurrentVersion": "!/^0/",
"automerge": true,
"automergeType": "branch"
},
{
"matchDepTypes": ["devDependencies"],
"matchUpdateTypes": ["minor", "patch"],
"automerge": true
}
]
}
```
## Best Practices
### 1. Regular Audits
```bash
# ❌ Only audit before deployment
pnpm audit # Once every few months
# ✅ Regular schedule
# - Daily: Automated CI checks
# - Weekly: Manual review
# - Before deployment: Final check
```
### 2. Prioritize Fixes
```bash
# ❌ Try to fix everything at once
pnpm audit --fix
# ✅ Prioritize by severity
# 1. Critical: Fix immediately
# 2. High: Fix within 1 week
# 3. Moderate: Fix within 1 month
# 4. Low: Fix when convenient
```
### 3. Verify Fixes
```bash
# ❌ Just update and deploy
pnpm audit --fix
git push
# ✅ Test after fixing
pnpm audit --fix
pnpm test # Run tests
pnpm build # Build check
pnpm dev # Manual testing
git commit && git push
```
### 4. Document Decisions
```yaml
# .snyk
ignore:
'SNYK-JS-LODASH-1018905':
- '*':
reason: >
Low severity prototype pollution.
Package only used in dev scripts.
No fix available yet.
Monitoring for updates.
expires: 2024-12-31
created: 2024-01-15
```
## Handling Common Scenarios
### No Fix Available
```bash
# Issue: Vulnerability with no fix
# Options:
# 1. Wait for fix (monitor regularly)
snyk monitor
# 2. Find alternative package
pnpm remove vulnerable-package
pnpm add alternative-package
# 3. Accept risk (document decision)
# Add to .snyk with expiration date
```
### Breaking Changes in Fix
```bash
# Issue: Fix requires major version upgrade
# Solution:
# 1. Review breaking changes
pnpm view package-name changelog
# 2. Create migration branch
git checkout -b upgrade/package-name
# 3. Update and test
catalog:
package-name: ^2.0.0 # Major version
pnpm install
pnpm test
# 4. Fix breaking changes
# 5. Commit and merge
```
### False Positives
```bash
# Issue: Vulnerability doesn't affect your code
# Solution: Ignore with justification
# .snyk
ignore:
'SNYK-ID':
- 'package-name':
reason: >
False positive.
Vulnerable code path not used in our application.
Only affects feature X which we don't use.
expires: never
```
## Security Audit Checklist
- [ ] Run `pnpm audit` regularly
- [ ] Fix critical and high vulnerabilities immediately
- [ ] Monitor for new vulnerabilities (Snyk/Dependabot)
- [ ] Document ignored vulnerabilities
- [ ] Review security patches before applying
- [ ] Test thoroughly after fixes
- [ ] Keep audit logs for compliance
- [ ] Update security policy as needed
## References
- pnpm Audit: https://pnpm.io/cli/audit
- Snyk: https://snyk.io
- npm Security Advisories: https://github.com/advisories
- OWASP Dependency Check: https://owasp.org/www-project-dependency-check
- Related files:
- `.snyk` - Snyk configuration
- `.github/dependabot.yml` - Dependabot config
- Root CLAUDE.md - Security guidelines
## Best Practices Summary
1. **Regular Audits**: Run audits daily in CI, weekly manually
2. **Prioritize Severity**: Fix critical/high first, then moderate/low
3. **Automate Security**: Use Dependabot or Renovate
4. **Test Fixes**: Always test after applying security patches
5. **Document Decisions**: Explain ignored vulnerabilities
6. **Monitor Continuously**: Use Snyk monitor for ongoing tracking
7. **Review Dependencies**: Regularly review and remove unused packages
8. **Stay Informed**: Subscribe to security advisories for key packages