dependency-auditor

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Dependency Auditor Skill

依赖项审计Skill

Automatic dependency vulnerability checking.

自动检查依赖项漏洞。

When I Activate

触发场景

✅ package.json modified
✅ requirements.txt changed
✅ Gemfile or pom.xml modified
✅ User mentions dependencies or vulnerabilities
✅ Before deployments
✅ yarn.lock or package-lock.json changes

✅ package.json 被修改
✅ requirements.txt 发生变更
✅ Gemfile 或 pom.xml 被修改
✅ 用户提及依赖项或漏洞
✅ 部署之前
✅ yarn.lock 或 package-lock.json 发生变更

What I Check

检查内容

Dependency Vulnerabilities

依赖项漏洞

Known CVEs in packages
Outdated dependencies with security fixes
Malicious packages
License compatibility issues
Deprecated packages

包中的已知CVE
存在安全修复的过时依赖项
恶意包
许可证兼容性问题
已弃用的包

Package Managers Supported

支持的包管理器

Node.js: npm, yarn, pnpm
Python: pip, pipenv, poetry
Ruby: bundler
Java: Maven, Gradle
Go: go modules
PHP: composer

Node.js: npm, yarn, pnpm
Python: pip, pipenv, poetry
Ruby: bundler
Java: Maven, Gradle
Go: go modules
PHP: composer

Example Alerts

示例警报

NPM Vulnerability

NPM漏洞

bash

undefined

bash

undefined

You run: npm install lodash

你执行：npm install lodash

I automatically audit:

我自动执行审计：

🚨 HIGH: Prototype Pollution in lodash 📍 Package: lodash@4.17.15 📦 Vulnerable versions: < 4.17.21 🔧 Fix: npm update lodash 📖 CVE-2020-8203 https://nvd.nist.gov/vuln/detail/CVE-2020-8203

Recommendation: Update to lodash@4.17.21 or higher

undefined

🚨 高危：lodash中的原型污染 📍 包：lodash@4.17.15 📦 受影响版本：< 4.17.21 🔧 修复方案：npm update lodash 📖 CVE-2020-8203 https://nvd.nist.gov/vuln/detail/CVE-2020-8203

建议：升级到lodash@4.17.21或更高版本

undefined

Python Vulnerability

Python漏洞

bash

undefined

bash

undefined

You modify requirements.txt: django==2.2.0

你修改了requirements.txt: django==2.2.0

I alert:

我发出警报：

🚨 CRITICAL: Multiple vulnerabilities in Django 2.2.0 📍 Package: Django@2.2.0 📦 Vulnerable versions: < 2.2.28 🔧 Fix: Update requirements.txt to Django==2.2.28 📖 CVEs: CVE-2021-33203, CVE-2021-33571

Affected: SQL injection, XSS vulnerabilities Recommendation: Update immediately to Django@2.2.28+

undefined

🚨 严重：Django 2.2.0存在多个漏洞 📍 包：Django@2.2.0 📦 受影响版本：< 2.2.28 🔧 修复方案：将requirements.txt更新为Django==2.2.28 📖 CVEs: CVE-2021-33203, CVE-2021-33571

影响：SQL注入、XSS漏洞建议：立即升级到Django@2.2.28+

undefined

Multiple Vulnerabilities

多漏洞示例

bash

undefined

bash

undefined

After npm install:

npm install之后：

🚨 Dependency audit found 8 vulnerabilities:

3 CRITICAL
2 HIGH
2 MEDIUM
1 LOW

Critical issues:

axios@0.21.0 - SSRF vulnerability Fix: npm install axios@latest
ajv@6.10.0 - Prototype pollution Fix: npm install ajv@^8.0.0
node-fetch@2.6.0 - Information disclosure Fix: npm install node-fetch@^2.6.7

Run 'npm audit fix' to automatically fix 6/8 issues

undefined

🚨 依赖项审计发现8个漏洞：

3个严重
2个高危
2个中危
1个低危

严重问题：

axios@0.21.0 - SSRF漏洞修复方案：npm install axios@latest
ajv@6.10.0 - 原型污染修复方案：npm install ajv@^8.0.0
node-fetch@2.6.0 - 信息泄露修复方案：npm install node-fetch@^2.6.7

执行'npm audit fix'可自动修复8个中的6个问题

undefined

Automatic Actions

自动操作

On Dependency Changes

依赖项变更时

yaml

1. Detect package manager (npm, pip, etc.)
2. Run security audit command
3. Parse vulnerability results
4. Categorize by severity
5. Suggest fixes
6. Flag breaking changes

yaml

1. 检测包管理器（npm、pip等）
2. 运行安全审计命令
3. 解析漏洞结果
4. 按严重程度分类
5. 建议修复方案
6. 标记破坏性变更

Audit Commands

审计命令

bash

undefined

bash

undefined

Node.js

npm audit npm audit --json # Structured output

npm audit npm audit --json # 结构化输出

Python

pip-audit safety check

Ruby

bundle audit

Java (Maven)

mvn dependency-check:check

undefined

mvn dependency-check:check

undefined

Severity Classification

严重程度分类

CRITICAL 🚨

严重 🚨

Remote code execution
SQL injection
Authentication bypass
Publicly exploitable

远程代码执行
SQL注入
身份验证绕过
可公开利用

HIGH ⚠️

高危 ⚠️

Cross-site scripting
Denial of service
Information disclosure
Wide attack surface

跨站脚本攻击
拒绝服务
信息泄露
攻击面广泛

MEDIUM 📋

中危 📋

Limited impact vulnerabilities
Requires specific conditions
Difficult to exploit

影响有限的漏洞
需要特定触发条件
难以利用

LOW 💡

低危 💡

Minor security improvements
Best practice violations
Minimal risk

次要安全改进
违反最佳实践
风险极小

Fix Strategies

修复策略

Automatic Updates

自动更新

bash

undefined

bash

undefined

Safe automatic fixes

安全自动修复

npm audit fix

May include breaking changes

可能包含破坏性变更

npm audit fix --force

undefined

npm audit fix --force

undefined

Manual Updates

手动更新

bash

undefined

bash

undefined

Check what will change

查看将发生的变更

npm outdated

Update specific package

更新特定包

npm update lodash

Major version update

大版本更新

npm install lodash@latest

undefined

npm install lodash@latest

undefined

Alternative Packages

替代包

Vulnerable: request@2.88.0 (deprecated)
Alternative: axios or node-fetch
Migration guide: [link]

存在漏洞：request@2.88.0（已弃用）
替代方案：axios 或 node-fetch
迁移指南：[链接]

Integration with CI/CD

与CI/CD集成

Block Deployments

阻止部署

yaml

undefined

yaml

undefined

.github/workflows/security.yml

name: Dependency audit run: | npm audit --audit-level=high
Fails if HIGH or CRITICAL found

undefined

name: 依赖项审计 run: | npm audit --audit-level=high
若发现高危或严重漏洞则失败

undefined

Scheduled Audits

定期审计

yaml

undefined

yaml

undefined

Weekly dependency check

每周依赖项检查

on: schedule: - cron: '0 0 * * 0' jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - run: npm audit

undefined

on: schedule: - cron: '0 0 * * 0' jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - run: npm audit

undefined

Sandboxing Compatibility

沙箱兼容性

Works without sandboxing: ✅ Yes Works with sandboxing: ⚙️ Needs npm/pip registry access

Sandbox config:

json

{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}

无需沙箱即可运行： ✅ 是 沙箱环境下运行： ⚙️ 需要访问npm/pip注册表

沙箱配置：

json

{
  "network": {
    "allowedDomains": [
      "registry.npmjs.org",
      "pypi.org",
      "rubygems.org",
      "repo.maven.apache.org"
    ]
  }
}

License Checking

许可证检查

I also check license compatibility:

⚠️ License issue: GPL-3.0 package in commercial project
📦 Package: some-gpl-package@1.0.0
📖 GPL-3.0 requires source code disclosure
🔧 Consider: Find MIT/Apache-2.0 alternative

我还会检查许可证兼容性：

⚠️ 许可证问题：商业项目中使用GPL-3.0协议的包
📦 包：some-gpl-package@1.0.0
📖 GPL-3.0要求公开源代码
🔧 建议：寻找MIT/Apache-2.0协议的替代包

Best Practices

最佳实践

Regular audits: Run weekly or on every dependency change
Update frequently: Keep dependencies current
Review breaking changes: Test before major updates
Pin versions: Use exact versions in production
Audit lock files: Commit and audit lock files

定期审计：每周运行一次，或在每次依赖项变更时运行
频繁更新：保持依赖项为最新版本
审查破坏性变更：大版本更新前进行测试
固定版本：生产环境使用精确版本
审计锁文件：提交并审计锁文件

dependency-auditor

Original

Translation

Dependency Auditor Skill

依赖项审计Skill

When I Activate

触发场景

What I Check

检查内容

Dependency Vulnerabilities

依赖项漏洞

Package Managers Supported

支持的包管理器

Example Alerts

示例警报

NPM Vulnerability

NPM漏洞

You run: npm install lodash

你执行：npm install lodash

I automatically audit:

我自动执行审计：

Python Vulnerability

Python漏洞

You modify requirements.txt: django==2.2.0

你修改了requirements.txt: django==2.2.0

I alert:

我发出警报：

Multiple Vulnerabilities

多漏洞示例

After npm install:

npm install之后：

Automatic Actions

自动操作

On Dependency Changes

依赖项变更时

Audit Commands

审计命令

Node.js

Node.js

Python

Python

Ruby

Ruby

Java (Maven)

Java (Maven)

Severity Classification

严重程度分类

CRITICAL 🚨

严重 🚨

HIGH ⚠️

高危 ⚠️

MEDIUM 📋

中危 📋

LOW 💡

低危 💡

Fix Strategies

修复策略

Automatic Updates

自动更新

Safe automatic fixes

安全自动修复

May include breaking changes

可能包含破坏性变更

Manual Updates

手动更新

Check what will change

查看将发生的变更

Update specific package

更新特定包

Major version update

大版本更新

Alternative Packages

替代包

Integration with CI/CD

与CI/CD集成

Block Deployments

阻止部署

.github/workflows/security.yml

.github/workflows/security.yml

Fails if HIGH or CRITICAL found