Run npm audit to scan for security vulnerabilities and check for outdated packages.
Scan npm dependencies for known security vulnerabilities and identify outdated packages that need updates.
echo "→ Running security audit..."
# Run npm audit with JSON output
if npm audit --json > .claude/validation/audit-output.json 2>&1; then
AUDIT_STATUS="clean"
echo "✅ No vulnerabilities found"
else
AUDIT_STATUS="vulnerabilities"
echo "⚠️ Vulnerabilities detected"
fi
# Extract vulnerability counts by severity
if [ -f .claude/validation/audit-output.json ]; then
CRITICAL=$(jq '.metadata.vulnerabilities.critical // 0' .claude/validation/audit-output.json)
HIGH=$(jq '.metadata.vulnerabilities.high // 0' .claude/validation/audit-output.json)
MODERATE=$(jq '.metadata.vulnerabilities.moderate // 0' .claude/validation/audit-output.json)
LOW=$(jq '.metadata.vulnerabilities.low // 0' .claude/validation/audit-output.json)
TOTAL=$(jq '.metadata.vulnerabilities.total // 0' .claude/validation/audit-output.json)
echo "Vulnerability Summary:"
echo " Critical: $CRITICAL"
echo " High: $HIGH"
echo " Moderate: $MODERATE"
echo " Low: $LOW"
echo " Total: $TOTAL"
fi
# Get list of vulnerable packages
if [ "$TOTAL" -gt 0 ]; then
AFFECTED_PACKAGES=$(jq -r '.vulnerabilities | to_entries | map({
name: .key,
severity: .value.severity,
via: (.value.via | if type == "array" then .[0].title else . end)
}) | sort_by(.severity) | reverse' .claude/validation/audit-output.json)
# Get top 10 most critical
TOP_VULNS=$(echo "$AFFECTED_PACKAGES" | jq -c '.[:10]')
else
AFFECTED_PACKAGES="[]"
TOP_VULNS="[]"
fi
echo ""
echo "→ Checking for outdated packages..."
# Run npm outdated
if npm outdated --json > .claude/validation/outdated-output.json 2>&1; then
OUTDATED_STATUS="all-current"
OUTDATED_COUNT=0
else
# Parse outdated packages
OUTDATED_COUNT=$(jq 'length' .claude/validation/outdated-output.json 2>/dev/null || echo "0")
OUTDATED_STATUS="updates-available"
echo " $OUTDATED_COUNT packages have updates available"
fi
# Get packages with major version updates
MAJOR_UPDATES=$(jq -r 'to_entries | map(select(
(.value.wanted != .value.latest) and
((.value.latest | split(".")[0] | tonumber?) > (.value.current | split(".")[0] | tonumber?))
)) | length' .claude/validation/outdated-output.json 2>/dev/null || echo "0")
echo " $MAJOR_UPDATES packages have major version updates"
# Critical/High vulnerabilities block by default
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
CAN_PROCEED="false"
STATUS="error"
DETAILS="$CRITICAL critical and $HIGH high severity vulnerabilities must be addressed"
elif [ "$MODERATE" -gt 0 ] || [ "$LOW" -gt 0 ]; then
CAN_PROCEED="true"
STATUS="warning"
DETAILS="$MODERATE moderate and $LOW low severity vulnerabilities - review recommended"
else
CAN_PROCEED="true"
STATUS="success"
DETAILS="No security vulnerabilities found"
fi
{
"status": "$STATUS",
"audit": {
"status": "$AUDIT_STATUS",
"vulnerabilities": {
"critical": $CRITICAL,
"high": $HIGH,
"moderate": $MODERATE,
"low": $LOW,
"total": $TOTAL
},
"affectedPackages": $TOP_VULNS
},
"outdated": {
"status": "$OUTDATED_STATUS",
"count": $OUTDATED_COUNT,
"majorUpdates": $MAJOR_UPDATES
},
"canProceed": $CAN_PROCEED,
"details": "$DETAILS"
}
{
"status": "success",
"audit": {
"status": "clean",
"vulnerabilities": {
"critical": 0,
"high": 0,
"moderate": 0,
"low": 0,
"total": 0
},
"affectedPackages": []
},
"outdated": {
"status": "all-current",
"count": 0,
"majorUpdates": 0
},
"canProceed": true,
"details": "No security vulnerabilities found"
}
{
"status": "error",
"audit": {
"status": "vulnerabilities",
"vulnerabilities": {
"critical": 2,
"high": 5,
"moderate": 8,
"low": 3,
"total": 18
},
"affectedPackages": [
{
"name": "axios",
"severity": "critical",
"via": "Server-Side Request Forgery in axios"
},
{
"name": "lodash",
"severity": "high",
"via": "Prototype Pollution in lodash"
}
]
},
"outdated": {
"status": "updates-available",
"count": 12,
"majorUpdates": 3
},
"canProceed": false,
"details": "2 critical and 5 high severity vulnerabilities must be addressed"
}
Used in conductor Phase 6 (Final Report):
### Final Security Check
Use `audit-dependencies` skill:
Expected result:
- No critical/high vulnerabilities
- Moderate/low acceptable (document)
If critical/high found:
⚠️ WARNING - Security issues detected
→ Document in PR description
→ Create security follow-up issue
→ May block merge (policy-dependent)
If clean or low-severity only:
✅ Security check passed
Action: Update immediately or find alternative
Action: Schedule update within days
Action: Schedule update within weeks
Action: Include in next maintenance cycle
# Let npm attempt auto-fix
npm audit fix
# For breaking changes
npm audit fix --force # Use with caution!
# Update specific package
npm update package-name
# Check what would change
npm outdated
# Update all (review changes)
npm update
security-pentest - Uses this for security validationaudit - Comprehensive project audit including dependencies{
"status": "error",
"error": "npm not available",
"suggestion": "Ensure npm is installed and package.json exists"
}
# Audit requires network access to vulnerability database
if grep -q 'ENOTFOUND\|ETIMEDOUT' .claude/validation/audit-output.json; then
echo "⚠️ Network error - cannot reach npm registry"
fi
.claude/validation/audit-output.json