一键导入
dependency-audit
Audit dependency health: outdated versions, unmaintained packages, known vulnerabilities, license issues, and bundle size impact.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Audit dependency health: outdated versions, unmaintained packages, known vulnerabilities, license issues, and bundle size impact.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Full WCAG 2.2 AA accessibility audit procedure. Goes beyond the reference checklist with step-by-step testing methodology, tooling, and remediation guidance.
Design a RESTful API from requirements. Use when creating a new API, adding endpoints, or restructuring an existing API. Produces endpoint specifications, schemas, and implementation guidance.
Assess system architecture, identify risks and bottlenecks, document decisions with ADRs. Covers modular monolith, microservices, event-driven, and serverless patterns.
Shift Left quality gates, feature flag pipelines, and deployment automation. Use when setting up or modifying build and deploy pipelines, or when establishing quality gates for a project.
Perform a thorough code review with structured feedback. Use when reviewing pull requests, code submissions, or when you want a quality check on your code. Covers correctness, security, performance, readability, and maintainability.
Reduce complexity while preserving exact behavior. Use when code works but is harder to read or maintain than it should be. Applies Chesterton's Fence — understand the code before simplifying it.
| name | dependency-audit |
| description | Audit dependency health: outdated versions, unmaintained packages, known vulnerabilities, license issues, and bundle size impact. |
Dependencies are other people's code running in your application. Every dependency is a bet that the maintainer will keep it secure, compatible, and maintained. This skill provides a systematic process for evaluating that bet — checking for vulnerabilities, assessing maintenance health, analyzing bundle impact, and reviewing license compliance.
A dependency audit isn't a one-time event. Run it quarterly at minimum, and after any major version upgrade of your language or framework.
When NOT to use: Routine version bumps with no breaking changes. Use your package manager's update command with tests for that.
Get a complete picture of what you depend on, including transitive dependencies.
Commands by ecosystem:
| Ecosystem | List Direct | List All (incl. transitive) |
|---|---|---|
| npm | npm ls --depth=0 | npm ls --all |
| yarn | yarn list --depth=0 | yarn list |
| pnpm | pnpm list --depth=0 | pnpm list --depth=Infinity |
| pip | pip list | pip list (all are "direct" in pip) |
| mix (Elixir) | mix deps | mix deps.tree |
| cargo (Rust) | cargo metadata | cargo tree |
| go | go list -m all | go mod graph |
| Maven | mvn dependency:list | mvn dependency:tree |
Produce the inventory:
## Dependency Inventory
**Total direct dependencies**: [N]
**Total transitive dependencies**: [N]
**Last audit date**: [date]
### Direct Dependencies
| Package | Version | Purpose | Last Updated | License |
| ------- | --------- | --------------- | ------------ | --------- |
| [name] | [version] | [why we use it] | [date] | [license] |
Flag any dependency where you can't explain "why we use it" — it may be removable.
Run the package manager's built-in audit tool.
Commands:
| Ecosystem | Command | Notes |
|---|---|---|
| npm | npm audit | Add --production to skip dev deps |
| yarn | yarn audit | |
| pnpm | pnpm audit | |
| pip | pip-audit | Install: pip install pip-audit |
| mix | mix deps.audit + mix hex.audit | |
| cargo | cargo audit | Install: cargo install cargo-audit |
| go | govulncheck ./... | Install: go install golang.org/x/vuln/cmd/govulncheck |
| Maven | mvn org.owasp:dependency-check-maven:check |
Document findings:
| Package | Vulnerability | Severity | CVE | Patched Version | Action |
|---|---|---|---|---|---|
| [name] | [title] | Critical/High/Medium/Low | [CVE-ID] | [version] | Update / Replace / Accept Risk |
Severity response times:
| Severity | Action Required Within |
|---|---|
| Critical | 24 hours |
| High | 1 week |
| Medium | 1 month |
| Low | Next quarterly audit |
A dependency with no vulnerabilities today can become one tomorrow if it's unmaintained.
Health signals to check (per dependency):
| Signal | Healthy | Concerning | Unhealthy |
|---|---|---|---|
| Last commit | < 3 months | 3-12 months | > 12 months |
| Last release | < 6 months | 6-18 months | > 18 months |
| Open issues | Active triage | Growing backlog | Hundreds unanswered |
| Open PRs | Reviewed regularly | Stale PRs piling up | No PR reviews |
| Maintainer count | 2+ active | 1 active (bus factor) | 0 active |
| Downloads/month | Stable or growing | Declining | Expired |
| Funding | Sponsored / corporate | Community only | None |
Where to check:
npm info <package> (last publish date)Flag unmaintained packages:
## Maintenance Concerns
| Package | Last Release | Maintainers | Risk | Alternative |
| ------- | ------------ | ----------- | -------------- | ------------- |
| [name] | [date] | [count] | [High/Med/Low] | [replacement] |
For frontend projects, every dependency adds to what users download.
Tools:
| Tool | What It Shows | Command |
|---|---|---|
source-map-explorer | Treemap of bundle contents | npx source-map-explorer build/static/js/*.js |
webpack-bundle-analyzer | Interactive bundle visualization | Add plugin to webpack config |
bundlephobia.com | Size of any npm package | Search on website |
size-limit | CI-integrated size checking | npx size-limit |
import-cost | VS Code extension — inline size | Install extension |
Size budget guidelines:
| Metric | Target | Notes |
|---|---|---|
| Total JS bundle (gzipped) | < 200 KB | For initial page load |
| Single dependency | < 50 KB gzipped | Question anything larger |
| CSS bundle | < 50 KB gzipped | |
| Largest dependency | Document it | Know what dominates your bundle |
Identify heavy dependencies:
## Bundle Impact
| Package | Size (gzipped) | % of Bundle | Lighter Alternative |
| ------- | -------------- | ----------- | ----------------------- |
| [name] | [size] | [%] | [alternative or "none"] |
License incompatibility can force you to open-source your code or remove a dependency.
License compatibility (for proprietary projects):
| License | Commercial Use | Conditions | Risk |
|---|---|---|---|
| MIT | Yes | Attribution | None |
| Apache 2.0 | Yes | Attribution + patent grant | None |
| BSD 2/3-Clause | Yes | Attribution | None |
| ISC | Yes | Attribution | None |
| MPL 2.0 | Yes | Modified files must be shared | Low |
| LGPL 2.1/3.0 | Yes (with care) | Dynamic linking OK, static may require sharing | Medium |
| GPL 2.0/3.0 | Restricted | Derivative work must use GPL | High |
| AGPL 3.0 | Restricted | Network use triggers sharing requirement | High |
| SSPL | Restricted | Service use triggers sharing requirement | High |
| Unlicensed / No License | No | No permission granted | Critical |
Commands to check:
| Ecosystem | Command |
|---|---|
| npm | npx license-checker --summary |
| pip | pip-licenses |
| mix | mix licenses (with hex_licenses) |
| cargo | cargo license |
| go | go-licenses check ./... |
Flag problematic licenses:
## License Concerns
| Package | License | Risk | Action |
| ------- | --------- | ------- | --------------------------------- |
| [name] | [license] | [level] | [Replace / Accept / Legal review] |
Combine all findings into an actionable plan.
## Dependency Audit Report
**Project**: [Name]
**Date**: [Date]
**Auditor**: [Name]
### Summary
| Category | Issues Found | Critical | Action Required |
| --------------- | ------------- | -------- | ---------------------- |
| Vulnerabilities | [N] | [N] | Update / Replace |
| Unmaintained | [N] | [N] | Find alternatives |
| Bundle impact | [N] oversized | — | Optimize / Replace |
| License issues | [N] | [N] | Replace / Legal review |
### Prioritized Actions
| Priority | Action | Package | Risk if Ignored | Effort |
| -------- | --------------------------------------------- | ------- | -------------------- | ------ |
| P1 | Patch critical CVE | [name] | Exploitation | S |
| P2 | Replace unmaintained package | [name] | Future vulnerability | M |
| P3 | Swap heavy dependency for lighter alternative | [name] | Bundle bloat | M |
| P4 | Resolve license concern | [name] | Legal risk | S |
### Packages to Remove
| Package | Reason | Replacement |
| ------- | ---------------------------------------------- | ------------------------------ |
| [name] | [unused / duplicate / replaceable with stdlib] | [replacement or "none needed"] |
### Next Audit
Scheduled: [date — within 90 days]
| Rationalization | Reality |
|---|---|
| "It's just a dev dependency, vulnerabilities don't matter" | Supply chain attacks target dev tools (build scripts, linters). Dev dependencies run on your machine with your credentials. |
| "We pin versions so we're safe" | Pinning prevents unexpected updates but also prevents security patches. You still need to audit and update deliberately. |
| "It's a popular package, it must be maintained" | Popular packages get abandoned too. Check the signals, not the star count. |
| "We need this dependency — there's no alternative" | Almost every dependency has alternatives. If there truly isn't one, consider inlining the specific functionality you need. |
| "License compliance is a legal problem, not an engineering one" | Engineers choose dependencies. If you add a GPL library to a proprietary project, legal can't fix that without a code change. |