Checks dependencies for known vulnerabilities with the ecosystem's audit tool (npm audit, pip-audit, etc.). Use it when package.json, package-lock.json or requirements.txt changes, or before a deployment. Alerts on vulnerable dependencies, suggests fixes and flags upgrades that cross a major version. Triggers on dependency file changes, deployment prep and security mentions.
Install the skill:

```bash
npx skill4agent add ovachiever/droid-tings dependency-auditor
```

You run `npm install lodash`:

```text
# I automatically audit:
🚨 HIGH: Prototype Pollution in lodash
📍 Package: lodash@4.17.15
📦 Vulnerable versions: < 4.17.21
🔧 Fix: npm update lodash
📖 CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
Recommendation: Update to lodash@4.17.21 or higher
```

You modify requirements.txt to `django==2.2.0`:
```text
# I alert:
🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0
📍 Package: Django@2.2.0
📦 Vulnerable versions: < 2.2.28
🔧 Fix: Update requirements.txt to Django==2.2.28
📖 CVEs: CVE-2021-33203, CVE-2021-33571
Affected: directory traversal via admindocs (CVE-2021-33203), IPv4 validation bypass via leading zeros (CVE-2021-33571); 2.2.28 also fixes SQL injection in QuerySet.annotate()/aggregate()/extra() and QuerySet.explain() (CVE-2022-28346, CVE-2022-28347)
Recommendation: Update immediately to Django@2.2.28+ (2.2 is end-of-life, so plan a move to a supported LTS)
```

After `npm install`:
```text
🚨 Dependency audit found 8 vulnerabilities:
- 3 CRITICAL
- 2 HIGH
- 2 MEDIUM
- 1 LOW
Critical issues:
1. axios@0.21.0 - SSRF vulnerability
   Fix: npm install axios@latest
2. ajv@6.10.0 - Prototype pollution
   Fix: npm install ajv@^8.0.0 (major version: review breaking changes)
3. node-fetch@2.6.0 - Information disclosure
   Fix: npm install node-fetch@^2.6.7
Run 'npm audit fix' to automatically fix 6/8 issues
```

How it works:

1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes

Audit commands by ecosystem. Node.js:

```bash
npm audit
npm audit --json   # Structured output
```

Python:

```bash
pip-audit
safety check   # Safety 3.x deprecates this in favour of: safety scan
```

Ruby:

```bash
bundle audit
```

Java (Maven):

```bash
mvn dependency-check:check   # needs the org.owasp:dependency-check-maven plugin configured in the pom
```

Safe automatic fixes:
```bash
npm audit fix
# May include breaking changes
npm audit fix --force
```

Check what will change before updating:
```bash
npm outdated
# Update specific package
npm update lodash
# Major version update
npm install lodash@latest
```

Deprecated packages are reported with an alternative:

- Vulnerable: request@2.88.0 (deprecated)
- Alternative: axios or node-fetch
- Migration guide: [link]

Gate CI on severity in .github/workflows/security.yml:
```yaml
- name: Dependency audit
  run: |
    npm audit --audit-level=high
    # Fails if HIGH or CRITICAL found; lower severities are reported but do not fail the job
```

Weekly dependency check:
```yaml
on:
  schedule:
    - cron: '0 0 * * 0'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # npm audit refuses to run without a package-lock.json (or npm-shrinkwrap.json) in the checkout
      - run: npm audit
```

Network allowlist for the audit (package registries only):

```json
{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}
```

License alerts:

```text
⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative
```
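The six-step procedure above (parse the audit output, categorize by severity, suggest fixes, flag breaking changes) and the `--audit-level=high` CI gate, as an added example that is not the skill's own code: it summarizes an `npm audit --json` report (npm 7+, `auditReportVersion` 2, using the `vulnerabilities`, `via`, `fixAvailable` and `isSemVerMajor` fields npm emits) and applies the same pass/fail rule as `npm audit --audit-level=<level>`. The report in the block is constructed sample data mirroring the packages in the alerts above, not real npm output; the `example.invalid` advisory URLs and the `some-cli` package are placeholders.

```javascript
// Added example (not code from the dependency-auditor skill): summarize an
// `npm audit --json` report (npm 7+, auditReportVersion 2) the way the alerts
// above do, then apply the same rule as `npm audit --audit-level=<level>`.
// SAMPLE_REPORT is constructed data shaped like npm's output, not real output.

// npm's severity names; npm says "moderate" where the alerts above say MEDIUM.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const LABEL = { info: "INFO", low: "LOW", moderate: "MEDIUM", high: "HIGH", critical: "CRITICAL" };

// Constructed sample. `via` holds advisory objects for this package, or the
// names of dependencies it inherits a vulnerability from. `fixAvailable` is
// true (fix inside the semver range), false (no fixed release), or an object
// naming the version to install; isSemVerMajor marks a breaking upgrade.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: true, range: "<4.17.21",
      via: [{ name: "lodash", title: "Prototype Pollution in lodash", severity: "high",
              url: "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", range: "<4.17.21" }],
      fixAvailable: true,
    },
    ajv: {
      name: "ajv", severity: "critical", isDirect: true, range: "<6.12.3",
      via: [{ name: "ajv", title: "Prototype pollution", severity: "critical",
              url: "https://example.invalid/advisories/ajv", range: "<6.12.3" }], // placeholder URL
      fixAvailable: { name: "ajv", version: "8.0.0", isSemVerMajor: true },
    },
    "node-fetch": {
      name: "node-fetch", severity: "high", isDirect: true, range: "<2.6.7",
      via: [{ name: "node-fetch", title: "Information disclosure", severity: "high",
              url: "https://example.invalid/advisories/node-fetch", range: "<2.6.7" }], // placeholder URL
      fixAvailable: true,
    },
    "some-cli": { // hypothetical package whose only problem is the vulnerable node-fetch it pulls in
      name: "some-cli", severity: "high", isDirect: true, range: "*",
      via: ["node-fetch"],
      fixAvailable: false,
    },
  },
};

// Step 5 and 6: a fix suggestion in the style of the alerts; `breaking` flags major bumps.
function suggestFix(vuln) {
  const fix = vuln.fixAvailable;
  if (fix === false) {
    return { command: null, breaking: false, note: `no fixed release; consider replacing ${vuln.name}` };
  }
  if (fix === true) {
    return { command: `npm update ${vuln.name}`, breaking: false, note: "within semver range (npm audit fix)" };
  }
  const breaking = Boolean(fix.isSemVerMajor);
  return {
    command: `npm install ${fix.name}@${fix.version}`,
    breaking,
    note: breaking ? "major version bump: review breaking changes (npm audit fix --force)" : "minor/patch bump",
  };
}

// Steps 3 and 4: parse the report and categorize by severity, highest first.
function summarize(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected npm audit report version 2");
  const findings = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name,
    severity: v.severity,
    label: LABEL[v.severity],
    direct: v.isDirect,
    range: v.range,
    advisories: v.via.filter((x) => typeof x === "object").map((a) => ({ title: a.title, url: a.url })),
    inheritedFrom: v.via.filter((x) => typeof x === "string"),
    fix: suggestFix(v),
  }));
  findings.sort((a, b) => RANK[b.severity] - RANK[a.severity] || a.name.localeCompare(b.name));
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
  for (const f of findings) counts[f.label] += 1;
  // What `npm audit fix` (without --force) can handle: a fix exists and is not a major bump.
  const autoFixable = findings.filter((f) => f.fix.command !== null && !f.fix.breaking).length;
  return { total: findings.length, counts, findings, autoFixable };
}

// Same rule as `npm audit --audit-level=<level>`: fail when any finding is at or above that level.
function gateFails(summary, level) {
  if (!(level in RANK)) throw new Error(`unknown audit level: ${level}`);
  return summary.findings.some((f) => RANK[f.severity] >= RANK[level]);
}

// Render the summary in the alert format used above.
function formatAlert(summary) {
  const lines = [`🚨 Dependency audit found ${summary.total} vulnerabilities:`];
  for (const [label, n] of Object.entries(summary.counts)) if (n > 0) lines.push(`- ${n} ${label}`);
  for (const f of summary.findings) {
    const title = f.advisories[0]?.title ?? `inherited via ${f.inheritedFrom.join(", ")}`;
    lines.push(`${f.label}: ${f.name} (${f.range}) - ${title}`);
    lines.push(`  Fix: ${f.fix.command ?? "none"} [${f.fix.note}]${f.fix.breaking ? " ⚠️ breaking change" : ""}`);
  }
  lines.push(`Run 'npm audit fix' to automatically fix ${summary.autoFixable}/${summary.total} issues`);
  return lines.join("\n");
}

const sampleSummary = summarize(SAMPLE_REPORT);
console.log(formatAlert(sampleSummary));
console.log(`--audit-level=high would ${gateFails(sampleSummary, "high") ? "fail" : "pass"}`);
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json` and check `gateFails(summary, "high")` before deploying; note that a package whose `via` contains only package names carries no advisory of its own, so the fix belongs to the dependency it names, and an `isSemVerMajor` fix is exactly what `npm audit fix` leaves for `--force`.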