| name | dependency-audit |
| description | Dependency security, license, and freshness audit.
Dispatches dependency-auditor agent to scan all package managers.
Triggers: "dependency audit", "check dependencies", "npm audit", "security scan",
"check for vulnerabilities", "outdated packages", "license check".
|
| allowed-tools | ["Bash","Read","Write","Edit","Grep","Glob"] |
| when_to_use | Use when auditing dependencies for security (npm audit), outdated packages, or license compliance. Triggers: "dependency audit", "npm audit", "security scan", "outdated packages", "license check". Complements code-review (which audits application code, not deps).
|
| produces | null |
| consumes | null |
Preamble (Core)
Status protocol — end every session with one of: DONE (evidence provided) · DONE_WITH_CONCERNS (list each) · BLOCKED (state what blocks you) · NEEDS_CONTEXT (state what you need).
Auto-advance — pipeline: THINK → PLAN → REVIEW → BUILD → VERIFY → RELEASE. Only human gate is spec approval at THINK. On DONE at other stages, print [STAGE] DONE -> advancing to [NEXT-STAGE] and invoke the next skill. On any non-DONE status at any stage, STOP.
Output directory — all artifacts go in docs/superomni/<kind>/<kind>-[branch]-[session]-[date].md. See CLAUDE.md for the full directory map.
TACIT-DENSE — before high-tacit decisions, classify D1 (domain expertise) · D2 (user-facing UX) · D3 (team culture) · D4 (novel pattern). On hit, output TACIT-DENSE [D#]: [question] — My default: [recommendation]. See reference for actions.
Anti-sycophancy — take a position on every significant question. Name flaws directly. No filler ("that's interesting", "you might consider", "that could work").
Telemetry (local only) — at session end, log bin/analytics-log. Nothing leaves the machine.
See preamble-ref.md for detailed protocols.
Dependency Audit
Goal: Systematically audit all project dependencies for security vulnerabilities, license compliance, and staleness — then produce an actionable remediation plan.
Iron Law: No P0 CVEs Before Deploy
A dependency with a known critical CVE and an available fix is a P0 blocker. No exceptions. The deployment gate is VERDICT: APPROVED from the dependency-auditor report.
Good Example (Proper Audit Gate)
Production Readiness check includes dependency audit
dependency-auditor finds: express@4.17.1 — CVE-2022-24999 (critical) — fix: express@4.18.2
Action: npm update express@4.18.2 → re-audit → APPROVED
Deploy proceeds
Bad Example (AVOID)
"Audit passed last month, skip for now"
[VIOLATED: CVEs are disclosed daily — audit must happen before every deploy]
Phase 1: Package Manager Discovery
Identify all dependency manifests in the project:
echo "=== npm/node ==="
find . -name "package.json" -not -path "*/node_modules/*" | head -5
echo "=== python ==="
find . \( -name "requirements*.txt" -o -name "Pipfile" -o -name "pyproject.toml" \) \
-not -path "*/.git/*" | head -5
echo "=== go ==="
find . -name "go.mod" -not -path "*/.git/*" | head -3
echo "=== ruby ==="
find . -name "Gemfile" -not -path "*/.git/*" | head -3
echo "=== rust ==="
find . -name "Cargo.toml" -not -path "*/.git/*" | head -3
echo "=== java ==="
find . \( -name "pom.xml" -o -name "build.gradle" \) -not -path "*/.git/*" | head -3
Record what was found:
PACKAGE MANAGERS FOUND
────────────────────────────────────────
npm: [manifest files found | none]
pip: [manifest files found | none]
go: [manifest files found | none]
ruby: [manifest files found | none]
rust: [manifest files found | none]
java: [manifest files found | none]
────────────────────────────────────────
Phase 2: Dispatch planner-reviewer Agent (Security Audit, Dependency Mode)
Dispatch the planner-reviewer agent in security audit mode (dependency sub-mode) with:
- The list of all package manifests found in Phase 1
- Explicit instruction to run Phase 4: Dependency Audit (OWASP A06) and skip code scanning
- The production context (pre-deploy or routine audit?)
The agent will:
- Run CVE scans across all discovered package managers (npm audit, pip-audit, cargo audit, etc.)
- Classify findings by severity (P0/P1/P2/P3)
- Return a SECURITY AUDIT REPORT focused on the
DEPENDENCIES (OWASP A06) section with verdict APPROVED / APPROVED_WITH_NOTES / CHANGES_REQUIRED
Handoff:
APPROVED → proceed to Phase 3 summary
APPROVED_WITH_NOTES → note P1/P2 findings for next sprint backlog
CHANGES_REQUIRED → P0 CVEs found; apply remediation commands before re-auditing
BLOCKED → package manager tools not available; install tools and retry
Phase 3: Triage Findings
For each finding returned by the agent:
Security Triage
| Severity | Action | Timeline |
|---|
| P0 Critical (CVSS ≥ 9.0) | Block deploy; fix immediately | Before any deployment |
| P1 High (CVSS 7-8.9) | Fix before next release | Within current sprint |
| P2 Medium (CVSS 4-6.9) | Fix if easy; backlog if not | Within next 2 sprints |
| P3 Low (CVSS < 4) | Backlog | Opportunistic |
License Triage
| License type | Action |
|---|
| GPL/AGPL in production | Legal review required before deploy |
| Unknown license | Legal review required |
| LGPL (dynamic link only) | Usually OK — confirm with legal |
| MIT/Apache/BSD/ISC | No action needed |
Phase 4: Apply P0 Remediation
For each P0 finding, apply the exact remediation command from the agent's report:
npm audit 2>&1 | grep -E "critical|high" | head -10
After applying remediations, re-run the test suite:
npm test 2>&1 | tail -10
If tests fail after upgrade → the dependency has a breaking change. Escalate to user.
Phase 5: Audit Report
DEPENDENCY AUDIT COMPLETE
════════════════════════════════════════
Scope: [package managers audited]
Date: [YYYY-MM-DD]
Security:
P0 Critical: [N] — [fixed | outstanding]
P1 High: [N]
P2 Medium: [N]
P3 Low: [N]
License:
Copyleft risk: [N packages — names]
Unknown: [N packages — names]
Freshness:
Major versions behind: [N packages]
Verdict: APPROVED | APPROVED_WITH_NOTES | CHANGES_REQUIRED
Remediation applied:
[package@version] — [CVE fixed]
Backlog items (P1/P2):
[package] — [finding] — fix by [sprint/date]
Status: DONE | DONE_WITH_CONCERNS | BLOCKED
════════════════════════════════════════
Save Audit Artifact
mkdir -p docs/superomni/evaluations
_BRANCH=$(git branch --show-current 2>/dev/null | tr '/' '-' || echo "unknown")
_DATE=$(date +%Y%m%d)
_AUDIT_FILE="docs/superomni/evaluations/dependency-audit-${_BRANCH}-${_DATE}.md"
echo "Dependency audit saved to ${_AUDIT_FILE}"
Write the full DEPENDENCY AUDIT COMPLETE report block to $_AUDIT_FILE.