beecb1cb31
pm-engineering grows from 14 to 35 skills (v4.0.0), completing the full 25-skill promise made at the 500-star milestone. The library grows from 114 to 135 total skills. New skills added (21): - security-threat-model: STRIDE-based threat model with trust boundaries, per-component threat enumeration, risk scores, and mitigations - performance-budget: Performance budgets for Core Web Vitals and backend latency SLOs with CI enforcement - database-schema-design: Schema documentation with ER diagram, DDL definitions, index strategy, and access pattern analysis - database-migration-plan: Zero-downtime expand-contract migration plan with per-step rollback and data validation queries - technical-debt-register: Debt inventory with impact scoring, effort estimates, and quarterly resolution roadmap - rfc-writer: Engineering RFC covering problem, proposed solution, alternatives-with-rejection-reasons, and rollout plan - capacity-planning: Traffic forecasts, resource requirements by tier, scaling strategy, and infrastructure roadmap - load-testing-plan: Load test plan with baseline/stress/spike/soak scenarios, k6/Locust skeleton, and CI gates - disaster-recovery-plan: DR plan with RPO/RTO targets, per-scenario runbooks, game day testing, and communication templates - feature-flag-guide: Feature flag lifecycle — taxonomy, rollout strategy, monitoring requirements, cleanup policy, governance - dependency-audit: CVE vulnerabilities, license compliance, outdated packages, and 30-day remediation plan - service-catalog-entry: Microservice catalog entry with SLAs, API contract, data classification, and runbook links - monitoring-setup-guide: Four golden signals, alert rules spec, log schema, tracing setup, dashboard layout spec - local-dev-setup: Local development guide — prerequisites, env vars, Docker deps, test commands, 5 failure fixes - api-versioning-strategy: Versioning scheme, lifecycle policy, breaking change classification table, deprecation process - infra-as-code-review: IaC review for Terraform/CloudFormation/Pulumi with severity-classified findings - engineering-weekly-report: Consistent weekly status — shipped/blocked, metrics, decisions, risks, next week - tech-radar: ThoughtWorks-format radar with Adopt/Trial/Assess/Hold, blip rationales, maintenance process - sprint-velocity-analysis: Velocity trends, completion patterns, improvement recommendations, capacity forecast - microservices-decomposition: Domain-driven service boundaries, communication patterns, data ownership, migration plan - engineering-hiring-rubric: Technical interview rubric with level expectations, coding/system design scorecards, debrief guide Also: - plugin.json bumped to v4.0.0 with all 35 skills listed - marketplace.json updated to v11.0.0, library count 135 - README updated: skill count, all section numbers, engineering table expanded, star milestone marked complete https://claude.ai/code/session_01C3HwChrccJd145vJ6Z7ajF
333 lines
14 KiB
Markdown
333 lines
14 KiB
Markdown
---
|
||
name: dependency-audit
|
||
description: "Conduct a dependency audit for a project — checking for security vulnerabilities, license compliance issues, outdated packages, and transitive dependency risk. Use when asked to audit dependencies, review package security, check license compliance, assess dependency health, or produce a vulnerability report. Produces a vulnerability findings table, license compliance matrix, update priority matrix, dependency health score, and 30-day remediation plan."
|
||
---
|
||
|
||
# Dependency Audit Skill
|
||
|
||
Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline. A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.
|
||
|
||
## Required Inputs
|
||
|
||
Ask for these if not already provided:
|
||
- **Project language and ecosystem** — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
|
||
- **Dependency list or package manifest** — paste the contents of `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc., or provide the audit tool output
|
||
- **License policy** — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
|
||
- **Current security tooling** — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none
|
||
|
||
## Output Format
|
||
|
||
---
|
||
|
||
# Dependency Audit Report: [Project Name]
|
||
|
||
**Ecosystem:** [npm / pip / Maven / Go / etc.]
|
||
**Audit date:** [Date]
|
||
**Auditor:** [Name]
|
||
**Total direct dependencies:** [N]
|
||
**Total transitive dependencies:** [N]
|
||
**Audit tool(s) used:** [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]
|
||
|
||
---
|
||
|
||
## Executive Summary
|
||
|
||
| Category | Finding | Risk level |
|
||
|---|---|---|
|
||
| Critical vulnerabilities | [N] CVEs requiring immediate action | [Critical / High / Low] |
|
||
| High vulnerabilities | [N] CVEs — fix within 7 days | [High / Medium] |
|
||
| License violations | [N] packages with non-compliant licenses | [High / Low] |
|
||
| Severely outdated packages | [N] packages > 2 major versions behind | [Medium] |
|
||
| Packages with no active maintenance | [N] packages — no commits in 12+ months | [Medium] |
|
||
| **Overall dependency health score** | **[Score]/100** | **[Red / Amber / Green]** |
|
||
|
||
**Scoring methodology:** Critical CVEs: −20 each. High CVEs: −10 each. License violations: −15 each. Abandoned packages: −5 each. Maximum deduction: 100. Score ≥80 = Green, 60–79 = Amber, <60 = Red.
|
||
|
||
**Immediate actions required:**
|
||
1. [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
|
||
2. [Second action]
|
||
3. [Third action]
|
||
|
||
---
|
||
|
||
## 1. Security Vulnerability Findings
|
||
|
||
### Critical and High Severity (Act within 24–72 hours)
|
||
|
||
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description | Exploitability |
|
||
|---|---|---|---|---|---|---|---|
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Critical | [9.x] | [e.g. Prototype pollution via `merge` function — remote code execution possible] | [Known exploit / PoC available / No known exploit] |
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Path traversal in file serving utility] | [PoC available] |
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Regular expression denial of service (ReDoS)] | [No known exploit] |
|
||
|
||
### Medium Severity (Fix within 30 days)
|
||
|
||
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description |
|
||
|---|---|---|---|---|---|---|
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [5.x] | [Description] |
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [4.x] | [Description] |
|
||
|
||
### Low Severity (Fix within 90 days or accept risk)
|
||
|
||
| Package | Installed version | Fix version | CVE | Severity | Description |
|
||
|---|---|---|---|---|---|
|
||
| [package-name] | [X.Y.Z] | [A.B.C] | Low | [Description] |
|
||
|
||
### Vulnerabilities With No Fix Available
|
||
|
||
| Package | CVE | Severity | Recommended mitigation |
|
||
|---|---|---|---|
|
||
| [package-name] | [CVE-YYYY-NNNNN] | [High] | [e.g. "Remove this package — alternative: [replacement]"] |
|
||
| [package-name] | [CVE-YYYY-NNNNN] | [Medium] | [e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"] |
|
||
|
||
---
|
||
|
||
## 2. License Compliance Matrix
|
||
|
||
### License Policy Reference
|
||
|
||
| License | Category | Policy | Notes |
|
||
|---|---|---|---|
|
||
| MIT | Permissive | Allowed | Attribution required in distributed products |
|
||
| Apache 2.0 | Permissive | Allowed | Attribution + NOTICE file required |
|
||
| BSD 2-Clause / 3-Clause | Permissive | Allowed | Attribution required |
|
||
| ISC | Permissive | Allowed | |
|
||
| MPL 2.0 | Weak copyleft | Allowed with review | Source disclosure required for modified MPL files only |
|
||
| LGPL v2 / v3 | Weak copyleft | Allowed with review | Dynamic linking permitted; static linking may require disclosure |
|
||
| GPL v2 / v3 | Strong copyleft | **Restricted** | May require open-sourcing the entire codebase — legal review required |
|
||
| AGPL v3 | Strong copyleft | **Restricted** | Network use triggers copyleft — especially risky for SaaS |
|
||
| SSPL | Source available | **Prohibited** | Not OSI-approved — treat as proprietary |
|
||
| Proprietary / Commercial | Commercial | **Requires contract** | Verify license covers current use case and scale |
|
||
| Unknown / Unlicensed | — | **Prohibited** | No license = all rights reserved — cannot use legally |
|
||
|
||
### Findings: Packages With Compliance Issues
|
||
|
||
| Package | License | Issue | Recommendation | Risk if unaddressed |
|
||
|---|---|---|---|---|
|
||
| [package-name] | GPL v3 | Copyleft — may require open-sourcing this project | Replace with [alternative] or get legal sign-off | Legal / IP risk |
|
||
| [package-name] | AGPL v3 | Network copyleft — SaaS use triggers disclosure | Replace with [alternative] | Legal / IP risk |
|
||
| [package-name] | Proprietary | License may not cover current usage tier | Verify license scope with vendor | Contract breach |
|
||
| [package-name] | Unknown | No license declared in package metadata | Contact maintainer or replace | Cannot use legally |
|
||
|
||
### All Licenses in Use (Full Inventory)
|
||
|
||
| License | Package count | Compliance status |
|
||
|---|---|---|
|
||
| MIT | [N] | Compliant |
|
||
| Apache 2.0 | [N] | Compliant |
|
||
| BSD-3-Clause | [N] | Compliant |
|
||
| ISC | [N] | Compliant |
|
||
| MPL 2.0 | [N] | Review required |
|
||
| GPL v3 | [N] | **Non-compliant** |
|
||
| Unknown | [N] | **Non-compliant** |
|
||
|
||
---
|
||
|
||
## 3. Outdated Package Analysis
|
||
|
||
### Severely Outdated (2+ major versions behind — high upgrade effort)
|
||
|
||
| Package | Installed | Latest stable | Versions behind | Last updated | Breaking changes summary |
|
||
|---|---|---|---|---|---|
|
||
| [package-name] | [1.x.x] | [3.x.x] | 2 major | [Date] | [e.g. "API redesign in v2; async support added in v3"] |
|
||
| [package-name] | [0.x.x] | [2.x.x] | 2 major | [Date] | [Summary] |
|
||
|
||
### Moderately Outdated (1 major version behind)
|
||
|
||
| Package | Installed | Latest stable | Versions behind | Security fix in newer version? |
|
||
|---|---|---|---|---|
|
||
| [package-name] | [2.x.x] | [3.x.x] | 1 major | [Yes — CVE-YYYY-NNNNN / No] |
|
||
| [package-name] | [4.x.x] | [5.x.x] | 1 major | [No] |
|
||
|
||
### Minor/Patch Updates Available (Low risk to update)
|
||
|
||
| Package | Installed | Latest | Contains security fix? |
|
||
|---|---|---|---|
|
||
| [package-name] | [2.3.1] | [2.3.9] | [Yes / No] |
|
||
| [package-name] | [1.0.0] | [1.2.1] | [No] |
|
||
|
||
---
|
||
|
||
## 4. Dependency Graph Risk Analysis
|
||
|
||
### Transitive Dependency Risk
|
||
|
||
Transitive (indirect) dependencies carry risk because they are not explicitly managed. These are the highest-risk transitive dependencies in this project:
|
||
|
||
| Vulnerable transitive dep | Pulled in by | Installed version | Fix available | Action |
|
||
|---|---|---|---|---|
|
||
| [transitive-package] | [direct-parent] | [X.Y.Z] | [Yes — upgrade [parent] to [version]] | Upgrade direct dependency [parent] |
|
||
| [transitive-package] | [direct-parent] | [X.Y.Z] | [No] | Remove [parent] or use [alternative] |
|
||
|
||
### Dependency Concentration Risk
|
||
|
||
These packages are depended on by many other packages in the project — a vulnerability or deprecation would have cascading effects:
|
||
|
||
| Package | Depended on by (N packages) | Actively maintained? | Risk level |
|
||
|---|---|---|---|
|
||
| [package-name] | [N] | [Yes / No — last commit: date] | [High / Medium] |
|
||
| [package-name] | [N] | [Yes] | [Medium] |
|
||
|
||
### Abandoned / Unmaintained Packages
|
||
|
||
| Package | Last release | Last commit | Weekly downloads | Recommended alternative |
|
||
|---|---|---|---|---|
|
||
| [package-name] | [Date] | [Date] | [N] | [alternative-package] |
|
||
| [package-name] | [Date] | [Date] | [N] | [Maintained fork: URL] |
|
||
|
||
---
|
||
|
||
## 5. Remediation Plan
|
||
|
||
### 30-Day Plan
|
||
|
||
**Week 1 — Critical vulnerabilities (Days 1–7)**
|
||
|
||
| Action | Owner | Package | Effort | Notes |
|
||
|---|---|---|---|---|
|
||
| Upgrade [package] [old] → [new] | [Name] | [package-name] | [30 min] | [No API changes / check breaking changes guide: URL] |
|
||
| Replace [package] with [alternative] | [Name] | [package-name] | [2 hours] | [No fix available — must replace] |
|
||
| Patch override for [transitive-dep] | [Name] | [transitive-dep] | [15 min] | [Add resolutions/overrides entry in manifest] |
|
||
|
||
```bash
|
||
# Commands for Week 1 upgrades:
|
||
|
||
# npm
|
||
npm install [package]@[target-version]
|
||
npm audit fix --force # use with caution — may introduce breaking changes
|
||
|
||
# pip
|
||
pip install --upgrade [package]==[target-version]
|
||
pip-audit --fix # if using pip-audit
|
||
|
||
# Go
|
||
go get [module]@[version]
|
||
go mod tidy
|
||
|
||
# Maven
|
||
# Update pom.xml version property, then:
|
||
mvn versions:use-latest-releases -DallowMajorUpdates=false
|
||
mvn dependency:resolve
|
||
```
|
||
|
||
**Week 2 — High vulnerabilities and license violations (Days 8–14)**
|
||
|
||
| Action | Owner | Package | Effort | Notes |
|
||
|---|---|---|---|---|
|
||
| Upgrade [package] | [Name] | [package-name] | [1 hour] | |
|
||
| Replace GPL-licensed [package] | [Name] | [package-name] | [4 hours] | [Alternative: [package]] |
|
||
| Legal review for [package] license | Legal team | [package-name] | [Legal team SLA] | [Submit via [process]] |
|
||
|
||
**Week 3 — Medium vulnerabilities and abandoned packages (Days 15–21)**
|
||
|
||
| Action | Owner | Package | Effort | Notes |
|
||
|---|---|---|---|---|
|
||
| Upgrade [package] | [Name] | [package-name] | [30 min] | |
|
||
| Replace abandoned [package] | [Name] | [package-name] | [2 hours] | [Maintained fork or alternative: [URL]] |
|
||
|
||
**Week 4 — Process improvements (Days 22–30)**
|
||
|
||
| Action | Owner | Effort | Notes |
|
||
|---|---|---|---|
|
||
| Enable Dependabot / Renovate for automated PRs | [Name] | [2 hours] | [Config in Section 6] |
|
||
| Add `npm audit` / `pip-audit` to CI — fail on Critical/High | [Name] | [1 hour] | [Config in Section 6] |
|
||
| Document license policy in CONTRIBUTING.md | [Name] | [1 hour] | [Based on policy in Section 2] |
|
||
| Schedule next quarterly audit | [Name] | [15 min] | [Add to team calendar] |
|
||
|
||
---
|
||
|
||
## 6. Policy Recommendations
|
||
|
||
### Automated Vulnerability Scanning in CI
|
||
|
||
Add the following to your CI pipeline to catch vulnerabilities before they merge:
|
||
|
||
```yaml
|
||
# GitHub Actions — adapt for your CI platform
|
||
dependency-audit:
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
- uses: actions/checkout@v3
|
||
|
||
# npm
|
||
- name: npm audit
|
||
run: npm audit --audit-level=high
|
||
# Fails build on High or Critical vulnerabilities
|
||
|
||
# pip
|
||
- name: pip-audit
|
||
run: |
|
||
pip install pip-audit
|
||
pip-audit --requirement requirements.txt --severity high
|
||
|
||
# Go
|
||
- name: govulncheck
|
||
run: |
|
||
go install golang.org/x/vuln/cmd/govulncheck@latest
|
||
govulncheck ./...
|
||
```
|
||
|
||
### Dependabot / Renovate Configuration
|
||
|
||
```yaml
|
||
# .github/dependabot.yml — automated dependency update PRs
|
||
version: 2
|
||
updates:
|
||
- package-ecosystem: "[npm / pip / gomod / maven]"
|
||
directory: "/"
|
||
schedule:
|
||
interval: "weekly"
|
||
day: "monday"
|
||
open-pull-requests-limit: 10
|
||
labels:
|
||
- "dependencies"
|
||
- "automated"
|
||
ignore:
|
||
# Ignore major version bumps — review these manually
|
||
- dependency-name: "*"
|
||
update-types: ["version-update:semver-major"]
|
||
```
|
||
|
||
### License Scanning
|
||
|
||
```bash
|
||
# npm — license checker
|
||
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC' \
|
||
--failOn 'GPL;AGPL;LGPL'
|
||
|
||
# Python — pip-licenses
|
||
pip install pip-licenses
|
||
pip-licenses --allow-only="MIT;Apache Software License;BSD License;ISC License" \
|
||
--fail-on="GNU General Public License"
|
||
|
||
# Go — go-licenses
|
||
go install github.com/google/go-licenses@latest
|
||
go-licenses check ./... --allowed_licenses=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause
|
||
```
|
||
|
||
---
|
||
|
||
## 7. Dependency Health Score Detail
|
||
|
||
| Category | Max points | Score | Notes |
|
||
|---|---|---|---|
|
||
| No critical vulnerabilities | 30 | [N]/30 | −20 per critical CVE |
|
||
| No high vulnerabilities | 20 | [N]/20 | −10 per high CVE |
|
||
| License compliance | 20 | [N]/20 | −15 per violation |
|
||
| No abandoned packages | 15 | [N]/15 | −5 per abandoned package |
|
||
| Up-to-date major versions | 10 | [N]/10 | −2 per major version behind |
|
||
| Automated scanning enabled | 5 | [N]/5 | All-or-nothing |
|
||
| **Total** | **100** | **[Score]/100** | **[Red / Amber / Green]** |
|
||
|
||
---
|
||
|
||
## Quality Checks
|
||
|
||
- [ ] Every Critical and High CVE has a named owner and a resolution date in the 30-day plan
|
||
- [ ] License findings have been reviewed by legal or a named engineer with authority to accept the risk
|
||
- [ ] Transitive dependency vulnerabilities are included — not just direct dependencies
|
||
- [ ] Abandoned packages have a concrete replacement recommendation, not just "consider replacing"
|
||
- [ ] CI pipeline change is included — the audit findings should be the last time these are caught manually
|
||
- [ ] The dependency health score is calculated from actual findings, not estimated
|
||
- [ ] Remediation plan actions are specific commands or steps, not "upgrade package X" without version targets
|