一键导入
arib-check-deps
Check | Audit dependencies - vulnerabilities, outdated packages, license compliance, supply chain safety
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Check | Audit dependencies - vulnerabilities, outdated packages, license compliance, supply chain safety
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Memory | Code-graph subsystem — a native lightweight IMPORT graph (which file imports which, god-node candidates) built with ripgrep/grep, so a large monorepo can be navigated by structure instead of re-grepping every session. build/refresh/query. Honest scope: structural import graph, NOT semantic (no call-graph/type resolution); no Graphify dependency. Loads ON DEMAND only (zero always-on tokens). ADR-034.
Dev | Over-engineering review — reads a diff/module and returns a delete-list of bloat (single-use abstractions, premature generalization, speculative config, dead options) WITHOUT stripping legitimate structure. Advisory: returns recommendations, never auto-deletes. The on-demand companion to the ponytail-lite tripwire hook. Authored natively (no Ponytail dependency). ADR-033.
Wave | Pre-wave requirement lock — Act 1 derives the requirements from the codebase + memory (an honest grill, not guesswork), Act 2 hands the locked plan to an independent model (Codex) to tear apart until sign-off. Produces waves/<id>/PLAN.md + PLAN-REVIEW-LOG.md. Auto-chained idempotently from /arib-wave-start. If Act 2 can't run (no Codex), the wave proceeds but HOLDS MERGE for a human. Absorbs grill-me-codex (ADR-032).
Wave | Start a multi-session delivery wave — branch, plan, parallel architect+planner
Engine | Command the engineering team to deliver a known goal — dispatches the engineer-manager to decompose → dispatch specialists (parallel where safe) → integrate → reconcile (verification-agent) → merge gate. Scales its own reach: runs inline for a bounded goal, escalates to a parallel Workflow for a broad one, and paces under /loop for a multi-turn campaign — only when it needs to. Use when a goal needs a coordinated TEAM, not one specialist. Sibling of /arib-engine: the engine DISCOVERS its own backlog; /arib-build EXECUTES a goal you hand it.
Stack | NestJS architecture & patterns reference — modules/providers/DI, DTO+validation, guards/interceptors/pipes/filters, config, async lifecycle, testing, and the security + performance pitfalls that bite at scale. Use when building or reviewing a NestJS backend. Composes with security-auditor (OWASP), database-guardian (TypeORM/Prisma migrations), and performance (N+1). Authored natively (the ECC graft was unsourceable; this is CCM's own, MIT).
| name | arib-check-deps |
| argument-hint | [--fix] |
| description | Check | Audit dependencies - vulnerabilities, outdated packages, license compliance, supply chain safety |
Dependencies are your supply chain - if they're compromised, your application is compromised. This skill audits three critical supply chain risks:
The audit produces a risk report with severity classifications, auto-fixes unsafe updates, and flags dangerous patterns that require manual review.
A single critical CVE like RCE in your web server library can take down your entire application and compromise user data. This audit runs weekly and before every deployment.
Audit all project dependencies for security vulnerabilities (CVEs), outdated packages, license compliance issues, and supply chain risks. Produces a risk report and remediation plan.
User types /arib-check-deps [options]
Examples:
/arib-check-deps - Full dependency audit/arib-check-deps --fix - Audit + auto-fix safe updates/arib-check-deps --licenses - License compliance only/arib-check-deps --critical - Show only critical vulnerabilities| CVSS | Severity | Impact | Action Timeline |
|---|---|---|---|
| 9.0-10.0 | CRITICAL | RCE, auth bypass, data exfiltration | Fix NOW (< 24h) |
| 7.0-8.9 | HIGH | Remote crash, privilege escalation | Fix this week |
| 4.0-6.9 | MODERATE | Local attack, partial data access | Fix this sprint |
| 0.1-3.9 | LOW | Minor info leak, edge case | Fix in next update cycle |
Examples:
| License | Commercial Use | Modification | Distribution | Risk for SaaS | Risk for Closed-Source |
|---|---|---|---|---|---|
| MIT | ✓ | ✓ | ✓ | Safe | Safe |
| Apache-2.0 | ✓ | ✓ | ✓ | Safe (include NOTICE) | Safe |
| BSD-3 | ✓ | ✓ | ✓ | Safe | Safe |
| ISC | ✓ | ✓ | ✓ | Safe | Safe |
| MPL-2.0 | ✓ | ✓ | ✓ | Safe if not modified | Risky - file-level copyleft |
| LGPL-2.1 | ✓ | ⚠ | ⚠ | Safe if dynamic link | Risky if bundled |
| GPL-2.0 | ✓ | ✓ | Viral | Must open-source | Blocks closed-source |
| AGPL-3.0 | ✓ | ✓ | Network-viral | Must open-source entire service | Blocks SaaS |
| SSPL | ⚠ | ⚠ | Custom only | Requires commercial license | Requires commercial license |
| Unlicensed | ? | ? | No permission | BLOCKED | BLOCKED |
GPL Example Problem: If you use GPL-2.0 library, your entire application (even parts not using that library) must be open-sourced or you're legally at risk.
AGPL Example Problem: If you use AGPL-3.0 library in a SaaS product, users can demand the source code of your entire service because they're using it over the network.
Popular package: "lodash" (17M downloads/week)
Attacker publishes: "lodahs", "lodash2", "lo-dash" (similar names)
Risk: Developers mistype, install malicious package
Detection: npm audit signatures, check package repo/homepage
Scenario: Popular package maintainer account hacked
Attacker publishes: "react@17.0.999" with malicious postinstall script
Detection: Monitor version activity, check publish dates, look for unusual changes
# BAD: Package runs arbitrary code on install
"scripts": {
"postinstall": "node download.js" // Downloads and executes external code
}
# Detection: grep -r "postinstall" package.json
# Question: Why does this package need to run code during install?
Scenario: One person maintains 3,000-star package alone
Risk: Account compromise, burnout abandonment, sole point of failure
Detection: npm info [package] - check maintainers, github contributors
Young package with high permissions: "crypto-util@1.0.0" published 2 days ago
Red flag: New packages don't have track record
Detection: npm info [package] | grep time
START: Run npm audit
|
+-- CRITICAL vulnerabilities found?
| +-- YES: BLOCK deployment, show affected packages
| +-- NO: Continue
|
+-- Suggested fix is PATCH version bump? (e.g., 4.5.1 -> 4.5.2)
| +-- YES: Auto-fix safe, run tests
| +-- NO: Continue (MINOR/MAJOR require manual review)
|
+-- Tests pass after patch bump?
| +-- YES: Approve patch, commit separately
| +-- NO: Revert patch, mark as needs manual review
|
+-- Any MAJOR version bumps suggested?
| +-- YES: MANUAL REVIEW - check breaking changes in changelog
| +-- NO: Done
|
+-- License compliance check:
| +-- GPL/AGPL detected? BLOCK - needs legal review
| +-- Unlicensed? BLOCK - no permission to use
| +-- OK: Continue
|
+-- Supply chain check:
| +-- Postinstall script? MANUAL REVIEW
| +-- < 7 days old? MANUAL REVIEW
| +-- Single maintainer? FLAG for monitoring
| +-- OK: Complete
Identify the package manager and ecosystem:
package.json + package-lock.json → npmpackage.json + yarn.lock → Yarnpackage.json + pnpm-lock.yaml → pnpmrequirements.txt / Pipfile → pip / pipenv*.csproj / packages.config → NuGetgo.mod → Go modulesCargo.toml → Cargo (Rust)Gemfile → Bundler (Ruby)Run the appropriate audit command:
# Node.js (npm)
npm audit --json 2>/dev/null
# Node.js (yarn)
yarn audit --json 2>/dev/null
# Node.js (pnpm)
pnpm audit --json 2>/dev/null
# Python
pip-audit --format=json 2>/dev/null || safety check --json 2>/dev/null
# .NET
dotnet list package --vulnerable --format json 2>/dev/null
# Go
govulncheck ./... 2>/dev/null
# Ruby
bundle audit check 2>/dev/null
If the audit tool is not installed, recommend installation:
# For pip-audit
pip install pip-audit --break-system-packages
# For safety
pip install safety --break-system-packages
# For govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
| Severity | Action Required | Timeline |
|---|---|---|
| CRITICAL | Must fix immediately | Before next deploy |
| HIGH | Fix this sprint | Within 1 week |
| MODERATE | Plan fix | Within 1 month |
| LOW | Track | Next dependency update cycle |
# Node.js
npm outdated --json 2>/dev/null
# Python
pip list --outdated --format=json 2>/dev/null
# .NET
dotnet list package --outdated --format json 2>/dev/null
# Go
go list -m -u all 2>/dev/null
Classify outdated packages:
# Node.js - list all licenses
npx license-checker --summary 2>/dev/null
# Node.js - check for problematic licenses
npx license-checker --failOn "GPL-2.0;GPL-3.0;AGPL-3.0" 2>/dev/null
License risk classification:
| License | Risk for Commercial Projects | Action |
|---|---|---|
| MIT, ISC, BSD-2, BSD-3 | ✅ Safe | No action needed |
| Apache-2.0 | ✅ Safe | Include NOTICE file |
| MPL-2.0 | ⚠️ Moderate | File-level copyleft - OK if not modifying |
| LGPL-2.1, LGPL-3.0 | ⚠️ Moderate | OK if dynamically linked, risky if bundled |
| GPL-2.0, GPL-3.0 | High | Viral copyleft - may require open-sourcing your code |
| AGPL-3.0 | Critical | Network copyleft - affects SaaS/server usage |
| SSPL, BSL | Critical | Non-open-source - check commercial terms |
| Unlicensed / Unknown | Critical | No license = no permission to use |
# Check for typosquatting (packages with suspicious names)
# Check for recently published packages (< 30 days old) with high permissions
# Check for packages with few maintainers and many downloads
# Node.js - check package provenance
npm audit signatures 2>/dev/null
# Check for install scripts that run arbitrary code
grep -r "preinstall\|postinstall\|preuninstall" package.json 2>/dev/null
Supply chain red flags:
postinstall script that downloads external code# Node.js - fix vulnerabilities with safe updates
npm audit fix 2>/dev/null
# Node.js - update to latest minor/patch (safe)
npx npm-check-updates -u --target minor && npm install
# Python
pip install --upgrade [package] --break-system-packages
Rules for auto-fix:
# 🔒 Dependency Audit Report
**Date**: [DATE]
**Package Manager**: npm / pip / etc.
**Total Dependencies**: N (N direct + N transitive)
## Vulnerability Summary
| Severity | Count | Auto-fixable |
|----------|-------|--------------|
| Critical | N | N |
| High | N | N |
| Moderate | N | N |
| Low | N | N |
## Critical Vulnerabilities
### CVE-XXXX-XXXXX: [description]
- **Package**: [name]@[version]
- **Severity**: CRITICAL
- **Fix**: Upgrade to [version]
- **Breaking**: Yes/No
[... more vulnerabilities ...]
## Outdated Packages (Major)
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| [name] | 3.2.1 | 5.0.0 | Yes - see changelog |
## License Issues
| Package | License | Risk | Action |
|---------|---------|------|--------|
| [name] | GPL-3.0 | HIGH | Replace or get legal approval |
## Supply Chain Warnings
- ⚠️ [package] has postinstall script
- ⚠️ [package] was published 3 days ago
## Remediation Plan
1. `npm audit fix` - fixes N safe vulnerabilities
2. Upgrade [package] to [version] - fixes N more
3. Replace [package] with [alternative] - license issue
4. Review [package] postinstall script - supply chain risk
## Compliance Status
- Vulnerabilities: ⚠️ N unresolved
- Licenses: ✅ All compatible / N incompatible
- Supply Chain: ✅ Clean / ⚠️ N warnings
Purpose: Verify lockfiles match package manifests and are uncorrupted.
# npm: Verify lockfile matches package.json
npm install --dry-run
npm audit # Automatically validates lockfile
# Yarn: Verify and regenerate if needed
yarn install --frozen-lockfile # In CI, ensures no modifications
yarn install --update-lockfile # Regenerate if corrupted
# pnpm: Verify lockfile integrity
pnpm install --frozen-lockfile
pnpm audit
# Check lockfile for suspicious patterns
grep -E "file:|git://|local path" package-lock.json # Should be empty
What to verify:
"file:" dependencies (local paths in prod)"git://" URLs (unreproducible builds)Scenario:
- Your app uses: webpack@5.0.0
- webpack depends on: acorn@7.1.0
- acorn@7.1.0 has: ReDoS (regex DoS) vulnerability
Result: npm audit shows acorn in your dependency tree
Fix: Upgrade webpack to newer version that includes patched acorn
OR: npm audit fix --force (if no upgrade available)
Scenario: Project pins "lodash": "4.17.15" (from 3 years ago)
Result: Automated audit fails on outdated package
Decision: Upgrade to 4.17.21 (latest patch) if no breaking changes
OR: Document why pinned version is required
Scenario: Two dependencies have GPL-2.0 and Apache-2.0
Problem: Incompatible licenses (GPL is more restrictive)
Solution:
1. Check if you can replace GPL-2.0 dependency with compatible alternative
2. Get legal review if must keep both
3. Consider changing business model if GPL-3.0 detected in SaaS
| Mistake | Impact | Fix |
|---|---|---|
| Ignoring CRITICAL CVEs | Hacked service, data loss | Auto-fix or upgrade immediately |
Using npm audit fix --force blindly | Breaking changes in production | Test after any MAJOR bump |
| Not checking lockfile | Unreproducible builds, supply chain risk | Commit lockfile, verify no changes |
| GPL in closed-source app | Legal liability | Replace dependency or open-source |
| Outdated dependencies for years | Accumulation of CVEs | Upgrade PATCH quarterly, MINOR annually |
| Ignoring postinstall scripts | Malicious code execution | Review script, verify source |
| Single source of truth broken | Dependency drift between devs | Lockfile mandatory in version control |
| Skipping tests after update | Broken features in production | Run full test suite after any update |
# Dependency Decisions
## Why We Pin Versions
This file documents non-obvious version pins. Use semantic versioning (^, ~) by default.
### express@4.18.2 (pinned to patch)
- **Reason**: express@4.19.0+ has breaking changes in middleware handling
- **Status**: Waiting for our custom middleware to be updated
- **Action**: Upgrade to 4.19.2 by 2026-06-01
- **Owner**: Backend team
### react-query@3.39.3 (MAJOR version pinned)
- **Reason**: v4 has incompatible API, requires rewrite
- **Status**: Migration planned for Q3
- **Action**: Do not auto-upgrade to v4
- **Owner**: Frontend team
### node@18.17.1 (runtime)
- **Reason**: Node 20 breaks TLS connections to legacy payment provider
- **Status**: Provider upgrade expected Q2 2026
- **Action**: Test Node 20 migration in June
- **Owner**: DevOps
## Monorepo Dependency Strategy
All packages use caret ranges (^) by default to get PATCH/MINOR updates automatically.
MAJOR versions require manual review and testing across all packages.