Smithery Logo
MCPsSkillsDocsPricing
Login
NewFlame, an assistant that learns and improves. Available onTelegramSlack
    alirezarezvani

    dependency-auditor

    alirezarezvani/dependency-auditor
    Security
    489

    About

    SKILL.md

    Install

    • Telegram
      Telegram
    • Slack
      Slack
    • Claude Code
      Claude Code
    • Codex
      Codex
    • OpenClaw
      OpenClaw
    • Cursor
      Cursor
    • Amp
      Amp
    • GitHub Copilot
      GitHub Copilot
    • Gemini CLI
      Gemini CLI
    • Kilo Code
      Kilo Code
    • Junie
      Junie
    • Replit
      Replit
    • Windsurf
      Windsurf
    • Cline
      Cline
    • Continue
      Continue
    • OpenCode
      OpenCode
    • OpenHands
      OpenHands
    • Roo Code
      Roo Code
    • Augment
      Augment
    • Goose
      Goose
    • Trae
      Trae
    • Zencoder
      Zencoder
    • Antigravity
      Antigravity
    • Download skill
    ├─
    ├─
    └─
    Smithery Logo

    Give agents more agency

    Resources

    DocumentationPrivacy PolicySystem Status

    Company

    PricingAboutBlog

    Connect

    © 2026 Smithery. All rights reserved.

    About

    Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies...

    SKILL.md

    Dependency Auditor Skill

    Automatic dependency vulnerability checking.

    When I Activate

    • ✅ package.json modified
    • ✅ requirements.txt changed
    • ✅ Gemfile or pom.xml modified
    • ✅ User mentions dependencies or vulnerabilities
    • ✅ Before deployments
    • ✅ yarn.lock or package-lock.json changes

    What I Check

    Dependency Vulnerabilities

    • Known CVEs in packages
    • Outdated dependencies with security fixes
    • Malicious packages
    • License compatibility issues
    • Deprecated packages

    Package Managers Supported

    • Node.js: npm, yarn, pnpm
    • Python: pip, pipenv, poetry
    • Ruby: bundler
    • Java: Maven, Gradle
    • Go: go modules
    • PHP: composer

    Example Alerts

    NPM Vulnerability

    # You run: npm install lodash
    
    # I automatically audit:
    🚨 HIGH: Prototype Pollution in lodash
    📍 Package: lodash@4.17.15
    📦 Vulnerable versions: < 4.17.21
    🔧 Fix: npm update lodash
    📖 CVE-2020-8203
       https://nvd.nist.gov/vuln/detail/CVE-2020-8203
    
    Recommendation: Update to lodash@4.17.21 or higher
    

    Python Vulnerability

    # You modify requirements.txt: django==2.2.0
    
    # I alert:
    🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
    📍 Package: Django@2.2.0
    📦 Vulnerable versions: < 2.2.28
    🔧 Fix: Update requirements.txt to Django==2.2.28
    📖 CVEs: CVE-2021-33203, CVE-2021-33571
    
    Affected: SQL injection, XSS vulnerabilities
    Recommendation: Update immediately to Django@2.2.28+
    

    Multiple Vulnerabilities

    # After npm install:
    🚨 Dependency audit found 8 vulnerabilities:
      - 3 CRITICAL
      - 2 HIGH
      - 2 MEDIUM
      - 1 LOW
    
    Critical issues:
      1. axios@0.21.0 - SSRF vulnerability
         Fix: npm install axios@latest
    
      2. ajv@6.10.0 - Prototype pollution
         Fix: npm install ajv@^8.0.0
    
      3. node-fetch@2.6.0 - Information disclosure
         Fix: npm install node-fetch@^2.6.7
    
    Run 'npm audit fix' to automatically fix 6/8 issues
    

    Automatic Actions

    On Dependency Changes

    1. Detect package manager (npm, pip, etc.)
    2. Run security audit command
    3. Parse vulnerability results
    4. Categorize by severity
    5. Suggest fixes
    6. Flag breaking changes
    

    Audit Commands

    # Node.js
    npm audit
    npm audit --json  # Structured output
    
    # Python
    pip-audit
    safety check
    
    # Ruby
    bundle audit
    
    # Java (Maven)
    mvn dependency-check:check
    

    Severity Classification

    CRITICAL 🚨

    • Remote code execution
    • SQL injection
    • Authentication bypass
    • Publicly exploitable

    HIGH ⚠️

    • Cross-site scripting
    • Denial of service
    • Information disclosure
    • Wide attack surface

    MEDIUM 📋

    • Limited impact vulnerabilities
    • Requires specific conditions
    • Difficult to exploit

    LOW 💡

    • Minor security improvements
    • Best practice violations
    • Minimal risk

    Fix Strategies

    Automatic Updates

    # Safe automatic fixes
    npm audit fix
    
    # May include breaking changes
    npm audit fix --force
    

    Manual Updates

    # Check what will change
    npm outdated
    
    # Update specific package
    npm update lodash
    
    # Major version update
    npm install lodash@latest
    

    Alternative Packages

    Vulnerable: request@2.88.0 (deprecated)
    Alternative: axios or node-fetch
    Migration guide: [link]
    

    Integration with CI/CD

    Block Deployments

    # .github/workflows/security.yml
    - name: Dependency audit
      run: |
        npm audit --audit-level=high
        # Fails if HIGH or CRITICAL found
    

    Scheduled Audits

    # Weekly dependency check
    on:
      schedule:
        - cron: '0 0 * * 0'
    jobs:
      audit:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v2
          - run: npm audit
    

    Sandboxing Compatibility

    Works without sandboxing: ✅ Yes Works with sandboxing: ⚙️ Needs npm/pip registry access

    Sandbox config:

    {
      "network": {
        "allowedDomains": [
          "registry.npmjs.org",
          "pypi.org",
          "rubygems.org",
          "repo.maven.apache.org"
        ]
      }
    }
    

    License Checking

    I also check license compatibility:

    ⚠️ License issue: GPL-3.0 package in commercial project
    📦 Package: some-gpl-package@1.0.0
    📖 GPL-3.0 requires source code disclosure
    🔧 Consider: Find MIT/Apache-2.0 alternative
    

    Best Practices

    1. Regular audits: Run weekly or on every dependency change
    2. Update frequently: Keep dependencies current
    3. Review breaking changes: Test before major updates
    4. Pin versions: Use exact versions in production
    5. Audit lock files: Commit and audit lock files

    Related Tools

    • security-auditor skill: Code vulnerability detection
    • @architect sub-agent: Dependency strategy
    • /review command: Pre-deployment security check
    Recommended Servers
    VERITY — Real-Time Fact-Checking Agent
    VERITY — Real-Time Fact-Checking Agent
    OpenZeppelin
    OpenZeppelin
    AurelianFlo
    AurelianFlo
    Repository
    alirezarezvani/claude-code-tresor
    Files