dependency-auditor

Original：🇺🇸 English

Translated

Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.

2installs

Sourceonewave-ai/claude-skills

Added on2026-05-11

NPX Install

npx skill4agent add onewave-ai/claude-skills dependency-auditor

SKILL.md Content

View Translation Comparison →

Dependency Auditor

Instructions

When auditing dependencies:

Run security audit
Check for outdated packages
Find unused dependencies
Analyze bundle size impact
Review and update

Security Audit

bash

# NPM audit
npm audit

# Get JSON output for processing
npm audit --json

# Fix automatically (safe fixes only)
npm audit fix

# Force fix (may have breaking changes)
npm audit fix --force

# PNPM
pnpm audit

# Yarn
yarn audit

Check Outdated Packages

bash

# NPM
npm outdated

# Interactive update
npx npm-check-updates -i

# Update all to latest
npx npm-check-updates -u
npm install

# Check specific package
npm view <package> versions

Find Unused Dependencies

bash

# Using depcheck
npx depcheck

# With details
npx depcheck --detailed

# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"

Common False Positives

Depcheck may flag these as unused when they're actually needed:

```
@types/*
```
packages (used by TypeScript)
ESLint/Prettier plugins (referenced in config)
PostCSS plugins (referenced in config)
Next.js plugins
Babel presets

Analyze Bundle Size

bash

# For Next.js
npx @next/bundle-analyzer

# General purpose
npx source-map-explorer dist/**/*.js

# Check package size before installing
npx package-phobia <package-name>

# Compare alternatives
npx bundlephobia-cli compare lodash ramda

Dependency Review Checklist

Security

No critical/high vulnerabilities
Dependencies actively maintained
No known malicious packages
Lock file committed

Freshness

No major version behind (unless intentional)
Security patches applied
Deprecated packages replaced

Cleanliness

No unused dependencies
No duplicate packages (check lock file)
devDependencies vs dependencies correct

Update Strategies

Conservative (Recommended)

bash

# Update patch versions only
npm update

# Update specific package
npm install package@latest

Aggressive

bash

# Update everything
npx npm-check-updates -u
npm install
npm test

Interactive

bash

npx npm-check-updates -i

# Options:
# a - update all
# space - toggle selection
# enter - apply selected

Package.json Cleanup

json

{
  "dependencies": {
    // Runtime dependencies only
  },
  "devDependencies": {
    // Build/test tools only
  },
  "peerDependencies": {
    // For libraries only
  },
  "optionalDependencies": {
    // Platform-specific (rare)
  }
}

Lock File Best Practices

Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
Use
npm ci
in CI/CD (not
```
npm install
```
)
Regenerate if corrupted: delete lock file + node_modules, reinstall
Single lock file per project (don't mix package managers)

Automated Monitoring

yaml

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: "development"

dependency-auditor

NPX Install

Tags

SKILL.md Content

Dependency Auditor

Instructions

Security Audit

Check Outdated Packages

Find Unused Dependencies

Common False Positives

Analyze Bundle Size

Dependency Review Checklist

Security

Freshness

Cleanliness

Update Strategies

Conservative (Recommended)

Aggressive

Interactive

Package.json Cleanup

Lock File Best Practices

Automated Monitoring