一键导入
dependency-audit
Audit dependencies for vulnerabilities and plan upgrades
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit dependencies for vulnerabilities and plan upgrades
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Create Architecture Decision Record
Design API contracts with OpenAPI specifications
Assess architecture decisions tradeoffs and edge cases
Design database schemas with migrations and repository interfaces
Break requests into parallel tasks for team execution
Structured incident investigation and resolution
| name | dependency-audit |
| description | Audit dependencies for vulnerabilities and plan upgrades |
| allowed-tools | Read, Write, Bash, Glob, Grep |
Structured workflow for scanning dependencies, checking for CVEs, assessing upgrade difficulty, generating upgrade task files with compatibility testing plans, and tracking deprecation timelines.
Scan the project for all dependency manifests:
| File | Ecosystem | Scan Command |
|---|---|---|
go.mod / go.sum | Go | go list -m all |
package.json / package-lock.json | Node.js | npm ls --all |
yarn.lock | Node.js (Yarn) | yarn list |
pnpm-lock.yaml | Node.js (pnpm) | pnpm ls --depth Infinity |
requirements.txt / pyproject.toml | Python | pip list |
Cargo.toml / Cargo.lock | Rust | cargo tree |
Dockerfile | Container base images | Parse FROM lines |
docker-compose.yml | Service images | Parse image fields |
.github/workflows/*.yml | GitHub Actions | Parse uses fields |
For each dependency, record:
Output: Dependency inventory table sorted by version gap (largest first).
Run vulnerability scanners for each ecosystem:
Go:
# Built-in vulnerability database
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
# Module verification
go mod verify
Node.js:
# npm audit with JSON output for parsing
npm audit --json
# Or with yarn
yarn audit --json
# Or with Snyk (if available)
snyk test --json
Container Images:
# Trivy for container scanning (if available)
trivy image {image-name}
# Or grype
grype {image-name}
GitHub Actions:
# Check for pinned versions vs floating tags
# Grep for uses: without @sha
For each vulnerability found, record:
| Field | Description |
|---|---|
| CVE ID | CVE-YYYY-NNNNN |
| Severity | Critical / High / Medium / Low |
| Affected package | Package name and vulnerable version range |
| Fixed version | Minimum version that fixes the vulnerability |
| CVSS Score | Numeric severity score |
| Exploitability | Is there a known exploit? Is it remotely exploitable? |
| Impact | What can an attacker do? (RCE, data leak, DoS) |
| Affected code paths | Does our code actually call the vulnerable function? |
Output: Vulnerability report sorted by severity, with affected code path analysis.
For each dependency that needs upgrading, assess the effort:
| Factor | Low Effort | Medium Effort | High Effort |
|---|---|---|---|
| Version jump | Patch (1.2.3 -> 1.2.4) | Minor (1.2 -> 1.3) | Major (1.x -> 2.x) |
| Breaking changes | None | Deprecations to address | API changes, removed features |
| Usage scope | Used in 1-2 files | Used across a package | Used everywhere |
| Test coverage | >80% on affected code | 50-80% | <50% |
| Changelog quality | Clear migration guide | Release notes only | Minimal docs |
Categorize each upgrade:
Upgrade Assessment:
| Package | Current | Target | Difficulty | Breaking Changes | Effort |
|---------|---------|--------|-----------|-----------------|--------|
| chi | v5.0.0 | v5.1.0 | Low | None | 1 hour |
| gorm | v1.25 | v2.0 | High | Major API change | 2 days |
Assign priority based on risk and effort:
| Priority | Criteria | Action |
|---|---|---|
| P0 - Immediate | Critical/High CVE with known exploit, or CVE in code path we use | Upgrade now, create hotfix task |
| P1 - This Sprint | High CVE without known exploit, or medium CVE in critical path | Create task for current sprint |
| P2 - Next Sprint | Medium CVE, or major version behind with useful features | Schedule for next sprint |
| P3 - Backlog | Low CVE, or minor version behind with no security impact | Add to backlog, batch with other upgrades |
| P4 - Monitor | No CVE, but approaching end-of-life or deprecation | Track timeline, plan before EOL |
For each P0-P2 upgrade, create a task file in docs/spec/.llm/tasks/backlog/:
# Task: Upgrade {package} from {current} to {target}
## Priority: {P0/P1/P2}
## Reason: {CVE-YYYY-NNNNN / End-of-life / Feature needed}
## Estimated Effort: {hours/days}
## Context
- Current version: {current}
- Target version: {target}
- Breaking changes: {list or "None"}
- Changelog: {URL}
- Migration guide: {URL or "Not available"}
## Steps
1. Read the changelog and migration guide
2. Update version in {manifest file}
3. Address breaking changes:
- {specific change 1}
- {specific change 2}
4. Run build to identify compile errors
5. Fix compile errors
6. Run tests to identify behavioral changes
7. Fix test failures
8. Run linter to catch deprecation warnings
9. Address deprecation warnings
10. Run full quality gates
## Compatibility Testing Plan
- [ ] Build succeeds with no new warnings
- [ ] All existing tests pass
- [ ] No new deprecation warnings
- [ ] Integration tests pass (if applicable)
- [ ] Performance benchmark shows no regression (if applicable)
## Rollback
Revert the version change in {manifest file} and re-run dependency install.
Set ## Dependencies: headers to enforce upgrade ordering (e.g., upgrade shared libraries before dependent packages).
Create a deprecation tracking document:
## Deprecation Timeline
| Package | Current | EOL Date | Replacement | Upgrade Deadline | Status |
|---------|---------|----------|-------------|-----------------|--------|
| Node 18 | 18.x | 2025-04 | Node 22 | 2025-02 | TODO |
| Go 1.21 | 1.21 | 2025-08 | Go 1.23 | 2025-06 | TODO |
| React 17| 17.x | N/A | React 19 | When convenient | Watch |
Write to: docs/spec/.llm/completed/dependency-audit-YYYY-MM-DD.md
Produce a summary report:
## Dependency Audit Report -- {Date}
### Summary
- Total dependencies: {N}
- Direct dependencies: {N}
- Vulnerabilities found: {N critical, N high, N medium, N low}
- Upgrades needed: {N}
- License issues: {N}
### Critical Actions Required
1. {P0 item}
2. {P1 item}
### Upgrade Plan
| Priority | Count | Estimated Total Effort |
|----------|-------|----------------------|
| P0 | {N} | {hours} |
| P1 | {N} | {hours} |
| P2 | {N} | {hours} |
| P3 | {N} | {hours} |
### License Compliance
| License | Count | Status |
|---------|-------|--------|
| MIT | {N} | OK |
| Apache-2.0 | {N} | OK |
| GPL-3.0 | {N} | REVIEW -- may conflict with proprietary code |
### Next Audit
Schedule next audit for: {Date + 30 days}
Present the report to the user and create task files for all P0-P2 items.
$ARGUMENTS