Files
pm-claude-skills/exports/aider/pm-engineering/dependency-audit/dependency-audit.md
T
mohitagw15856 036511ab3e Windsurf + Aider targets, MCP server, and demo placement (#33)
Broadens both reach (more tools) and content types (an MCP server), continuing
the multi-platform story.

Windsurf + Aider:
- build-exports.mjs gains two platforms: exports/windsurf/*.md (workspace rules,
  trigger: model_decision) and exports/aider/*.md (conventions for `aider --read`).
  Now 5 platforms (ChatGPT, Gemini, Cursor, Windsurf, Aider).
- install.sh + bin/cli.mjs install both (windsurf -> .windsurf/rules, aider ->
  .aider/skills with a --read hint); generated README index is excluded from copies.
- One-line windsurf-install.sh / aider-install.sh wrappers for parity.

MCP server (new content type):
- mcp/server.mjs — zero-dependency stdio MCP server exposing list_skills,
  search_skills, get_skill. Published as a second bin (pm-claude-skills-mcp).
  Logs to stderr; reads bundled skills/ at startup. mcp/README.md documents
  client config.

Also: README hero "See it in action" demo placement (ready to swap in a GIF;
recording guide in web/docs-assets/README.md), Works-With table + exports +
install docs updated, CHANGELOG Unreleased. package.json files/bin updated.


Claude-Session: https://claude.ai/code/session_016JWn5jRD5tcEFKrubjQ6Px

Co-authored-by: Claude <noreply@anthropic.com>
2026-06-17 23:15:38 +01:00

14 KiB
Raw Blame History

Dependency Audit Skill

Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline. A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.

Required Inputs

Ask for these if not already provided:

  • Project language and ecosystem — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
  • Dependency list or package manifest — paste the contents of package.json, requirements.txt, go.mod, pom.xml, etc., or provide the audit tool output
  • License policy — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
  • Current security tooling — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none

Output Format


Dependency Audit Report: [Project Name]

Ecosystem: [npm / pip / Maven / Go / etc.] Audit date: [Date] Auditor: [Name] Total direct dependencies: [N] Total transitive dependencies: [N] Audit tool(s) used: [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]


Executive Summary

Category Finding Risk level
Critical vulnerabilities [N] CVEs requiring immediate action [Critical / High / Low]
High vulnerabilities [N] CVEs — fix within 7 days [High / Medium]
License violations [N] packages with non-compliant licenses [High / Low]
Severely outdated packages [N] packages > 2 major versions behind [Medium]
Packages with no active maintenance [N] packages — no commits in 12+ months [Medium]
Overall dependency health score [Score]/100 [Red / Amber / Green]

Scoring methodology: Critical CVEs: 20 each. High CVEs: 10 each. License violations: 15 each. Abandoned packages: 5 each. Maximum deduction: 100. Score ≥80 = Green, 6079 = Amber, <60 = Red.

Immediate actions required:

  1. [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
  2. [Second action]
  3. [Third action]

1. Security Vulnerability Findings

Critical and High Severity (Act within 2472 hours)

Package Installed version Fix version CVE Severity CVSS score Description Exploitability
[package-name] [X.Y.Z] [A.B.C] [CVE-YYYY-NNNNN] Critical [9.x] [e.g. Prototype pollution via merge function — remote code execution possible] [Known exploit / PoC available / No known exploit]
[package-name] [X.Y.Z] [A.B.C] [CVE-YYYY-NNNNN] High [7.x] [e.g. Path traversal in file serving utility] [PoC available]
[package-name] [X.Y.Z] [A.B.C] [CVE-YYYY-NNNNN] High [7.x] [e.g. Regular expression denial of service (ReDoS)] [No known exploit]

Medium Severity (Fix within 30 days)

Package Installed version Fix version CVE Severity CVSS score Description
[package-name] [X.Y.Z] [A.B.C] [CVE-YYYY-NNNNN] Medium [5.x] [Description]
[package-name] [X.Y.Z] [A.B.C] [CVE-YYYY-NNNNN] Medium [4.x] [Description]

Low Severity (Fix within 90 days or accept risk)

Package Installed version Fix version CVE Severity Description
[package-name] [X.Y.Z] [A.B.C] Low [Description]

Vulnerabilities With No Fix Available

Package CVE Severity Recommended mitigation
[package-name] [CVE-YYYY-NNNNN] [High] [e.g. "Remove this package — alternative: [replacement]"]
[package-name] [CVE-YYYY-NNNNN] [Medium] [e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"]

2. License Compliance Matrix

License Policy Reference

License Category Policy Notes
MIT Permissive Allowed Attribution required in distributed products
Apache 2.0 Permissive Allowed Attribution + NOTICE file required
BSD 2-Clause / 3-Clause Permissive Allowed Attribution required
ISC Permissive Allowed
MPL 2.0 Weak copyleft Allowed with review Source disclosure required for modified MPL files only
LGPL v2 / v3 Weak copyleft Allowed with review Dynamic linking permitted; static linking may require disclosure
GPL v2 / v3 Strong copyleft Restricted May require open-sourcing the entire codebase — legal review required
AGPL v3 Strong copyleft Restricted Network use triggers copyleft — especially risky for SaaS
SSPL Source available Prohibited Not OSI-approved — treat as proprietary
Proprietary / Commercial Commercial Requires contract Verify license covers current use case and scale
Unknown / Unlicensed Prohibited No license = all rights reserved — cannot use legally

Findings: Packages With Compliance Issues

Package License Issue Recommendation Risk if unaddressed
[package-name] GPL v3 Copyleft — may require open-sourcing this project Replace with [alternative] or get legal sign-off Legal / IP risk
[package-name] AGPL v3 Network copyleft — SaaS use triggers disclosure Replace with [alternative] Legal / IP risk
[package-name] Proprietary License may not cover current usage tier Verify license scope with vendor Contract breach
[package-name] Unknown No license declared in package metadata Contact maintainer or replace Cannot use legally

All Licenses in Use (Full Inventory)

License Package count Compliance status
MIT [N] Compliant
Apache 2.0 [N] Compliant
BSD-3-Clause [N] Compliant
ISC [N] Compliant
MPL 2.0 [N] Review required
GPL v3 [N] Non-compliant
Unknown [N] Non-compliant

3. Outdated Package Analysis

Severely Outdated (2+ major versions behind — high upgrade effort)

Package Installed Latest stable Versions behind Last updated Breaking changes summary
[package-name] [1.x.x] [3.x.x] 2 major [Date] [e.g. "API redesign in v2; async support added in v3"]
[package-name] [0.x.x] [2.x.x] 2 major [Date] [Summary]

Moderately Outdated (1 major version behind)

Package Installed Latest stable Versions behind Security fix in newer version?
[package-name] [2.x.x] [3.x.x] 1 major [Yes — CVE-YYYY-NNNNN / No]
[package-name] [4.x.x] [5.x.x] 1 major [No]

Minor/Patch Updates Available (Low risk to update)

Package Installed Latest Contains security fix?
[package-name] [2.3.1] [2.3.9] [Yes / No]
[package-name] [1.0.0] [1.2.1] [No]

4. Dependency Graph Risk Analysis

Transitive Dependency Risk

Transitive (indirect) dependencies carry risk because they are not explicitly managed. These are the highest-risk transitive dependencies in this project:

Vulnerable transitive dep Pulled in by Installed version Fix available Action
[transitive-package] [direct-parent] [X.Y.Z] [Yes — upgrade [parent] to [version]] Upgrade direct dependency [parent]
[transitive-package] [direct-parent] [X.Y.Z] [No] Remove [parent] or use [alternative]

Dependency Concentration Risk

These packages are depended on by many other packages in the project — a vulnerability or deprecation would have cascading effects:

Package Depended on by (N packages) Actively maintained? Risk level
[package-name] [N] [Yes / No — last commit: date] [High / Medium]
[package-name] [N] [Yes] [Medium]

Abandoned / Unmaintained Packages

Package Last release Last commit Weekly downloads Recommended alternative
[package-name] [Date] [Date] [N] [alternative-package]
[package-name] [Date] [Date] [N] [Maintained fork: URL]

5. Remediation Plan

30-Day Plan

Week 1 — Critical vulnerabilities (Days 17)

Action Owner Package Effort Notes
Upgrade [package] [old] → [new] [Name] [package-name] [30 min] [No API changes / check breaking changes guide: URL]
Replace [package] with [alternative] [Name] [package-name] [2 hours] [No fix available — must replace]
Patch override for [transitive-dep] [Name] [transitive-dep] [15 min] [Add resolutions/overrides entry in manifest]
# Commands for Week 1 upgrades:

# npm
npm install [package]@[target-version]
npm audit fix --force  # use with caution — may introduce breaking changes

# pip
pip install --upgrade [package]==[target-version]
pip-audit --fix  # if using pip-audit

# Go
go get [module]@[version]
go mod tidy

# Maven
# Update pom.xml version property, then:
mvn versions:use-latest-releases -DallowMajorUpdates=false
mvn dependency:resolve

Week 2 — High vulnerabilities and license violations (Days 814)

Action Owner Package Effort Notes
Upgrade [package] [Name] [package-name] [1 hour]
Replace GPL-licensed [package] [Name] [package-name] [4 hours] [Alternative: [package]]
Legal review for [package] license Legal team [package-name] [Legal team SLA] [Submit via [process]]

Week 3 — Medium vulnerabilities and abandoned packages (Days 1521)

Action Owner Package Effort Notes
Upgrade [package] [Name] [package-name] [30 min]
Replace abandoned [package] [Name] [package-name] [2 hours] [Maintained fork or alternative: [URL]]

Week 4 — Process improvements (Days 2230)

Action Owner Effort Notes
Enable Dependabot / Renovate for automated PRs [Name] [2 hours] [Config in Section 6]
Add npm audit / pip-audit to CI — fail on Critical/High [Name] [1 hour] [Config in Section 6]
Document license policy in CONTRIBUTING.md [Name] [1 hour] [Based on policy in Section 2]
Schedule next quarterly audit [Name] [15 min] [Add to team calendar]

6. Policy Recommendations

Automated Vulnerability Scanning in CI

Add the following to your CI pipeline to catch vulnerabilities before they merge:

# GitHub Actions — adapt for your CI platform
dependency-audit:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3

    # npm
    - name: npm audit
      run: npm audit --audit-level=high
      # Fails build on High or Critical vulnerabilities

    # pip
    - name: pip-audit
      run: |
        pip install pip-audit
        pip-audit --requirement requirements.txt --severity high

    # Go
    - name: govulncheck
      run: |
        go install golang.org/x/vuln/cmd/govulncheck@latest
        govulncheck ./...

Dependabot / Renovate Configuration

# .github/dependabot.yml — automated dependency update PRs
version: 2
updates:
  - package-ecosystem: "[npm / pip / gomod / maven]"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "automated"
    ignore:
      # Ignore major version bumps — review these manually
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

License Scanning

# npm — license checker
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC' \
  --failOn 'GPL;AGPL;LGPL'

# Python — pip-licenses
pip install pip-licenses
pip-licenses --allow-only="MIT;Apache Software License;BSD License;ISC License" \
  --fail-on="GNU General Public License"

# Go — go-licenses
go install github.com/google/go-licenses@latest
go-licenses check ./... --allowed_licenses=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause

7. Dependency Health Score Detail

Category Max points Score Notes
No critical vulnerabilities 30 [N]/30 20 per critical CVE
No high vulnerabilities 20 [N]/20 10 per high CVE
License compliance 20 [N]/20 15 per violation
No abandoned packages 15 [N]/15 5 per abandoned package
Up-to-date major versions 10 [N]/10 2 per major version behind
Automated scanning enabled 5 [N]/5 All-or-nothing
Total 100 [Score]/100 [Red / Amber / Green]

Quality Checks

  • Every Critical and High CVE has a named owner and a resolution date in the 30-day plan
  • License findings have been reviewed by legal or a named engineer with authority to accept the risk
  • Transitive dependency vulnerabilities are included — not just direct dependencies
  • Abandoned packages have a concrete replacement recommendation, not just "consider replacing"
  • CI pipeline change is included — the audit findings should be the last time these are caught manually
  • The dependency health score is calculated from actual findings, not estimated
  • Remediation plan actions are specific commands or steps, not "upgrade package X" without version targets

Anti-Patterns

  • Do not report only direct dependencies — transitive dependency vulnerabilities are often more dangerous and are the most commonly missed
  • Do not present raw audit tool output without interpretation — a table of 200 CVEs with no prioritisation is worse than no audit at all
  • Do not assign all Critical CVEs as "fix immediately" without checking whether an exploitable path exists in your usage context
  • Do not make license compliance decisions without legal input — flagging a GPL dependency without a recommendation is incomplete work
  • Do not complete the audit without including a CI/CD pipeline step — a one-time audit that leaves the door open for new vulnerabilities is not a remediation