Run any Skill in Manus with one click

ring-auditing-dependency-security

Stars198

Forks23

UpdatedJune 6, 2026 at 22:57

Auditing a dependency for supply-chain risk before install (pip/npm/go/cargo): checks typosquatting, maintainer/age risk, vulnerability DBs (OSV, GHSA, Socket), and lockfile hash pinning, then emits a risk score and approve/conditional/escalate/block decision. Use when adding or updating a dependency, reviewing a dependency PR, or investigating a compromise. Skip when no new dependency is involved or it is already vetted.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

Run Skill in Manus

Source

LerianStudio

LerianStudio/ring

View GitHub Repository View Creator Repositories

Download

Run Skill in Manus

Related occupationsSOC

Based on SOC occupation classification

Information Security AnalystsComputer and Mathematical Occupations·SOC 15-1212

SKILL.md

readonly

name

ring:auditing-dependency-security

description

Dependency Security Check

When to use

Adding a new dependency to any project
Running pip install, npm install, go get, or equivalent
Auditing existing dependencies for supply-chain risk
Reviewing a PR that adds or updates dependencies
Investigating a potential supply-chain compromise

Skip when

No dependencies are being added, updated, or audited
Task involves only internal code changes with no new imports
Dependency is already vetted and pinned in lockfile

Complementary: ring:hardening-dockerfiles, ring:implementing-tasks

Supply-chain gate for every install command in a Lerian codebase.

Pre-Install Checks

1. Package Identity Verification

For every package, verify:
├── Typosquatting: compare against known popular packages
│   e.g., "requets" vs "requests", "rnodule" vs "module"
├── Homoglyph attacks: look-alike Unicode characters
├── Maintainer risk:
│   - Single maintainer = higher risk
│   - Account age < 6 months = flag
│   - Recent ownership transfer = CRITICAL flag
└── Package age: < 30 days = flag

2. Vulnerability Database Check

Source	Ecosystem	What It Covers
OSV.dev	All	Google aggregated CVEs
GitHub Advisory Database	All	GHSA linked to CVEs
Socket.dev	npm, pip	Supply-chain: install scripts, network access
PyPI JSON API	pip	Metadata, maintainers, release history
npm registry API	npm	Metadata, maintainers, install scripts
Go vulnerability DB (vuln.go.dev)	Go	Official Go CVE database

3. Behavioral Signals

Signal	Risk Level	Description
Install scripts	HIGH	`postinstall` (npm), `setup.py` subprocess
Network access at import	CRITICAL	Package phones home on import
File system access outside project	HIGH	Reads `~/.ssh`, `~/.aws`, env vars
Obfuscated code	CRITICAL	Base64 payloads, eval(), exec()
Native binary bundled	HIGH	Pre-compiled binaries without source

4. Lockfile Integrity

Ecosystem	Lockfile	Hash Requirement
Go	go.sum	SHA-256 native — Go handles automatically
npm	package-lock.json	`integrity` field (SHA-512) must be present for ALL deps
pip	requirements.txt	`--require-hashes` MUST be enforced
Cargo	Cargo.lock	`checksum` field verification

Risk Scoring

risk_score = weighted_sum(
  typosquatting_similarity * 25,
  maintainer_risk          * 20,
  package_age_risk         * 15,
  vulnerability_count      * 20,  # weighted by severity
  behavioral_flags         * 15,
  lockfile_integrity       * 5
)

Score thresholds:

0-25: LOW — proceed
26-50: MEDIUM — proceed with documentation
51-75: HIGH — escalate to Fred before installing
76-100: CRITICAL — block installation

Decision Matrix

Risk Level	Action
LOW (0-25)	✅ Approve — document in PR
MEDIUM (26-50)	⚠️ Conditional — mitigations required
HIGH (51-75)	🚨 Escalate to Fred before installing
CRITICAL (76-100)	❌ Block — do not install

Report Template

## Dependency Security Report

Package: {name} @ {version}
Ecosystem: {go|npm|pip}
Risk Score: {score}/100 — {LOW|MEDIUM|HIGH|CRITICAL}

### Verification Results

| Check | Status | Details |
|-------|--------|---------|
| Typosquatting check | PASS/FLAG | {comparison} |
| Maintainer verification | PASS/FLAG | {maintainer count, age} |
| Vulnerability scan | PASS/FLAG | {CVE count, severity} |
| Behavioral analysis | PASS/FLAG | {signals found} |
| Lockfile integrity | PASS/FAIL | {hash present/missing} |

### Decision
{APPROVED|CONDITIONAL|ESCALATE|BLOCKED}

### Required Actions (if not APPROVED)
1. {specific mitigations or alternatives}

Mitigations for MEDIUM Risk

Pin exact version in lockfile
Vendor the dependency (copy source into repo)
Document why this specific package was chosen over alternatives
Add to security monitoring (e.g., GitHub Dependabot alerts)

More from this repository

same repository

ring-executing-plans

LerianStudio/ring

Executing a phased plan from ring:writing-plans in rolling waves: the main agent supervises, dispatching one workflow per wave-unit (phase or epic — user's choice) that implements its tasks with TDD and signed commits via ring:committing-changes, reviews the returned work, checkpoints with the user, then elaborates the next phase against the real landed code. Use when a phased plan exists and you want session-supervised execution with a human reviewing each wave. Skip when no plan exists (use ring:writing-plans) or the full gated specialist + reviewer pool is wanted (use ring:running-dev-cycle).

2026-06-21198

ring-writing-plans

LerianStudio/ring

Writing a rolling-wave phased implementation plan from a spec before coding: a phase-epic-task hierarchy where Phase 1 is detailed into dispatch-ready tasks and later phases stay epic-level for elaboration during execution. Use when a multi-file feature needs decomposition; runs after ring:exploring-codebases or pre-dev gates, hands off to ring:executing-plans or ring:running-dev-cycle. Skip for single-file changes or spikes.

2026-06-21198

ring-managing-dev-cycle

LerianStudio/ring

Managing an in-progress development cycle without driving it: status reports phase, epic/gate progress, assertiveness, and elapsed time from current-cycle.json; cancel confirms, marks the cycle cancelled, and writes a partial feedback report. Use when checking the status of, or cancelling, a running dev cycle. Skip when no cycle is active or the question is general project status, not cycle-specific.

2026-06-20198

ring-running-dev-cycle

LerianStudio/ring

Running the backend dev cycle: implements every task in a rolling-wave plan.md (ring:writing-plans format) for a Go/TS service, driving specialist agents through Gate 0 implementation/TDD, Gate 8 parallel review, and Gate 9 validation per epic, elaborating later phases at each phase boundary. Use when starting or resuming a gated backend dev cycle with a plan.md (legacy tasks.md only for cycles already in flight; new cycles need the canonical plan format). Skip for frontend (use ring:running-dev-cycle-frontend) or docs-only work.

2026-06-20198

ring-using-lib-observability

LerianStudio/ring

Using lib-observability v1.1.0, Lerian's OpenTelemetry foundation (lib-commons, lib-systemplane, lib-streaming depend on it), in two modes. Sweep Mode detects DIY zap/slog logging, raw OTel metrics, hand-rolled redaction, and hard-coded attribute strings. Reference Mode catalogs the log, metrics, zap, redaction, and constants packages. Go-only. Skip for non-Go or assert/runtime/tracing.

2026-06-16198

ring-using-lib-systemplane

LerianStudio/ring

Using lib-systemplane, the hot-reload runtime-config plane (Postgres LISTEN/NOTIFY or MongoDB change streams), in two modes. Sweep Mode detects DIY config reload (SIGHUP, fsnotify, viper, pgx LISTEN), manual tenant-scoping, hand-built admin CRUD, and v4 residue. Reference Mode catalogs client lifecycle and migration-only provisioning. Go-only. Gated migration goes to ring:migrating-to-lib-systemplane. Skip for non-Go.

2026-06-16198

name

ring:auditing-dependency-security

description

Dependency Security Check

When to use

Adding a new dependency to any project
Running pip install, npm install, go get, or equivalent
Auditing existing dependencies for supply-chain risk
Reviewing a PR that adds or updates dependencies
Investigating a potential supply-chain compromise

Skip when

No dependencies are being added, updated, or audited
Task involves only internal code changes with no new imports
Dependency is already vetted and pinned in lockfile

Complementary: ring:hardening-dockerfiles, ring:implementing-tasks

Supply-chain gate for every install command in a Lerian codebase.

Pre-Install Checks

1. Package Identity Verification

For every package, verify:
├── Typosquatting: compare against known popular packages
│   e.g., "requets" vs "requests", "rnodule" vs "module"
├── Homoglyph attacks: look-alike Unicode characters
├── Maintainer risk:
│   - Single maintainer = higher risk
│   - Account age < 6 months = flag
│   - Recent ownership transfer = CRITICAL flag
└── Package age: < 30 days = flag

2. Vulnerability Database Check

Source	Ecosystem	What It Covers
OSV.dev	All	Google aggregated CVEs
GitHub Advisory Database	All	GHSA linked to CVEs
Socket.dev	npm, pip	Supply-chain: install scripts, network access
PyPI JSON API	pip	Metadata, maintainers, release history
npm registry API	npm	Metadata, maintainers, install scripts
Go vulnerability DB (vuln.go.dev)	Go	Official Go CVE database

3. Behavioral Signals

Signal	Risk Level	Description
Install scripts	HIGH	`postinstall` (npm), `setup.py` subprocess
Network access at import	CRITICAL	Package phones home on import
File system access outside project	HIGH	Reads `~/.ssh`, `~/.aws`, env vars
Obfuscated code	CRITICAL	Base64 payloads, eval(), exec()
Native binary bundled	HIGH	Pre-compiled binaries without source

4. Lockfile Integrity

Ecosystem	Lockfile	Hash Requirement
Go	go.sum	SHA-256 native — Go handles automatically
npm	package-lock.json	`integrity` field (SHA-512) must be present for ALL deps
pip	requirements.txt	`--require-hashes` MUST be enforced
Cargo	Cargo.lock	`checksum` field verification

Risk Scoring

risk_score = weighted_sum(
  typosquatting_similarity * 25,
  maintainer_risk          * 20,
  package_age_risk         * 15,
  vulnerability_count      * 20,  # weighted by severity
  behavioral_flags         * 15,
  lockfile_integrity       * 5
)

Score thresholds:

0-25: LOW — proceed
26-50: MEDIUM — proceed with documentation
51-75: HIGH — escalate to Fred before installing
76-100: CRITICAL — block installation

Decision Matrix

Risk Level	Action
LOW (0-25)	✅ Approve — document in PR
MEDIUM (26-50)	⚠️ Conditional — mitigations required
HIGH (51-75)	🚨 Escalate to Fred before installing
CRITICAL (76-100)	❌ Block — do not install

Report Template

## Dependency Security Report

Package: {name} @ {version}
Ecosystem: {go|npm|pip}
Risk Score: {score}/100 — {LOW|MEDIUM|HIGH|CRITICAL}

### Verification Results

| Check | Status | Details |
|-------|--------|---------|
| Typosquatting check | PASS/FLAG | {comparison} |
| Maintainer verification | PASS/FLAG | {maintainer count, age} |
| Vulnerability scan | PASS/FLAG | {CVE count, severity} |
| Behavioral analysis | PASS/FLAG | {signals found} |
| Lockfile integrity | PASS/FAIL | {hash present/missing} |

### Decision
{APPROVED|CONDITIONAL|ESCALATE|BLOCKED}

### Required Actions (if not APPROVED)
1. {specific mitigations or alternatives}

Mitigations for MEDIUM Risk

Pin exact version in lockfile
Vendor the dependency (copy source into repo)
Document why this specific package was chosen over alternatives
Add to security monitoring (e.g., GitHub Dependabot alerts)