mit einem Klick
dep-audit
Audit dependency security risks
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
Menü
Audit dependency security risks
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
Basierend auf der SOC-Berufsklassifikation
First-principles UI/IA reasoning: turns a `<scenario>` + API field set into JTBD analysis, principle-anchored field-priority decisions, anti-pattern findings, and a bidirectional UI↔API gap report. Trigger: UI、UX、資訊架構、IA、scenario-driven UI、欄位優先級、information hierarchy. Not for: visual/CSS work (use `/frontend-design`), post-build critique (use `/critique`), or simplifying existing layouts (use `/distill`).
Necessity audit for over-designed spec elements. Use when: auditing lifecycle spec (1-requirements / 2-tech-spec / 3-architecture) for YAGNI/KISS violations, challenging necessity of FRs/NFRs/abstractions/configs via Codex adversarial debate. Not for: FP reasoning validity (use /codex-review-spec), completeness check (use /feature-completeness), detail review (use /codex-review-doc), or code-level simplification (use /simplify).
Sequential squash-merge of stacked PR chains into an epic branch. Handles dependency-ordered rebase, collision-safe backup tags, CI monitoring (delegates to /watch-ci), and post-merge verification. Use when: merging a chain of stacked PRs into an epic branch, collapsing a linear PR stack into per-PR squash commits, preparing an epic branch for final review. Triggers on: 'merge PRs into epic', 'squash chain', 'collapse PR stack', 'epic merge', or when user has a linear PR dependency chain (PR A -> B -> C) targeting an epic branch. Not for: single PR merge (use /create-pr + GitHub UI), simple rebase (use /smart-rebase), pre-merge analysis (use /merge-prep). Output: chain analysis table + backup tag manifest + per-iteration AskUserQuestion gate + verification log.
Push to remote and monitor CI. Validates branch safety, executes git push WITH explicit user approval, then monitors CI run status via gh CLI. Use when: user says 'push', 'push and watch CI', 'ship it', 'push-ci'. Not for: committing (use /smart-commit), creating PRs (use /create-pr), merging (use /merge-prep).
Post-development recap wrapper. Use when: AI/Codex just finished implementing a feature and the user wants a guided walkthrough with scope detection + doc generation + follow-up Q&A. Not for: generating only a doc (use /recap-doc), Q&A over an existing recap (use /recap-ask), technical share-out (use /tech-brief), first-principles reasoning of an existing doc (use /fp-brief), general code tracing (use /code-explore). Output: ScopeReport → briefing-recap-<date>.md → interactive Q&A session.
Interactive Q&A over an existing recap document. Use when: user wants to ask follow-up questions about a briefing-recap-<date>.md produced by /recap-doc, with recap-bounded context + out-of-scope redirect + optional promote-to-request. Not for: generating a new recap (use /recap-doc), general project Q&A (use /ask), code tracing (use /code-explore). Output: per-turn answer referencing file:line + end-of-session promote prompt.
| name | dep-audit |
| description | Audit dependency security risks |
| allowed-tools | Bash(yarn audit *), Bash(npm audit *), Bash(pnpm audit *), Bash(npx *), Bash(bash *), Read, Glob |
/codex-security)/codex-review-fast)/codex-security)| Step | Goal | Safety |
|---|---|---|
| audit | Scan dependencies for vulnerabilities | read-only |
Failure behavior: report-all
$ARGUMENTS
--level <severity> — Minimum reporting level (low/moderate/high/critical), default: moderate--fix — Attempt automatic fixUse Glob to check if .claude/scripts/dep-audit.sh exists in the project root.
bash .claude/scripts/dep-audit.sh $ARGUMENTS
Detect the project ecosystem and run the audit manually.
Ecosystem detection (check project root for manifest files):
| Manifest | Ecosystem | Audit Command | Fix Command |
|---|---|---|---|
package.json + pnpm-lock.yaml | Node (pnpm) | pnpm audit --audit-level {LEVEL} | pnpm audit --fix |
package.json + yarn.lock | Node (yarn) | yarn audit --level {LEVEL} | yarn audit --fix or npx yarn-audit-fix |
package.json | Node (npm) | npm audit --audit-level={LEVEL} | npm audit fix |
pyproject.toml | Python | pip-audit or safety check | pip-audit --fix |
Cargo.toml | Rust | cargo audit | cargo audit fix |
go.mod | Go | govulncheck ./... | (manual fix) |
build.gradle | Java | ./gradlew dependencyCheckAnalyze | (manual fix) |
Default {LEVEL} is moderate unless --level argument is provided.
If --fix is specified, run the fix command for the detected ecosystem after audit.
If no recognized manifest file exists, report an error.
## Audit Results
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 0 |
| Moderate | 0 |
| Low | 0 |
## Vulnerability Details
### [severity] Issue Title
- **Package**: package-name
- **Fix**: Available / Not available
## Gate
✅ **PASS** — No moderate or above vulnerabilities
❌ **FAIL** — Found high severity vulnerabilities
/dep-audit
/dep-audit --level high
/dep-audit --fix