Files
pm-claude-skills/plugins/pm-engineering/skills/dependency-audit/SKILL.md
T
Claude beecb1cb31 Add 21 engineering skills — complete the 500-star milestone
pm-engineering grows from 14 to 35 skills (v4.0.0), completing the full
25-skill promise made at the 500-star milestone. The library grows from
114 to 135 total skills.

New skills added (21):
- security-threat-model: STRIDE-based threat model with trust boundaries, per-component threat enumeration, risk scores, and mitigations
- performance-budget: Performance budgets for Core Web Vitals and backend latency SLOs with CI enforcement
- database-schema-design: Schema documentation with ER diagram, DDL definitions, index strategy, and access pattern analysis
- database-migration-plan: Zero-downtime expand-contract migration plan with per-step rollback and data validation queries
- technical-debt-register: Debt inventory with impact scoring, effort estimates, and quarterly resolution roadmap
- rfc-writer: Engineering RFC covering problem, proposed solution, alternatives-with-rejection-reasons, and rollout plan
- capacity-planning: Traffic forecasts, resource requirements by tier, scaling strategy, and infrastructure roadmap
- load-testing-plan: Load test plan with baseline/stress/spike/soak scenarios, k6/Locust skeleton, and CI gates
- disaster-recovery-plan: DR plan with RPO/RTO targets, per-scenario runbooks, game day testing, and communication templates
- feature-flag-guide: Feature flag lifecycle — taxonomy, rollout strategy, monitoring requirements, cleanup policy, governance
- dependency-audit: CVE vulnerabilities, license compliance, outdated packages, and 30-day remediation plan
- service-catalog-entry: Microservice catalog entry with SLAs, API contract, data classification, and runbook links
- monitoring-setup-guide: Four golden signals, alert rules spec, log schema, tracing setup, dashboard layout spec
- local-dev-setup: Local development guide — prerequisites, env vars, Docker deps, test commands, 5 failure fixes
- api-versioning-strategy: Versioning scheme, lifecycle policy, breaking change classification table, deprecation process
- infra-as-code-review: IaC review for Terraform/CloudFormation/Pulumi with severity-classified findings
- engineering-weekly-report: Consistent weekly status — shipped/blocked, metrics, decisions, risks, next week
- tech-radar: ThoughtWorks-format radar with Adopt/Trial/Assess/Hold, blip rationales, maintenance process
- sprint-velocity-analysis: Velocity trends, completion patterns, improvement recommendations, capacity forecast
- microservices-decomposition: Domain-driven service boundaries, communication patterns, data ownership, migration plan
- engineering-hiring-rubric: Technical interview rubric with level expectations, coding/system design scorecards, debrief guide

Also:
- plugin.json bumped to v4.0.0 with all 35 skills listed
- marketplace.json updated to v11.0.0, library count 135
- README updated: skill count, all section numbers, engineering table expanded, star milestone marked complete

https://claude.ai/code/session_01C3HwChrccJd145vJ6Z7ajF
2026-05-20 07:28:51 +00:00

333 lines
14 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
name: dependency-audit
description: "Conduct a dependency audit for a project — checking for security vulnerabilities, license compliance issues, outdated packages, and transitive dependency risk. Use when asked to audit dependencies, review package security, check license compliance, assess dependency health, or produce a vulnerability report. Produces a vulnerability findings table, license compliance matrix, update priority matrix, dependency health score, and 30-day remediation plan."
---
# Dependency Audit Skill
Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline. A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.
## Required Inputs
Ask for these if not already provided:
- **Project language and ecosystem** — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
- **Dependency list or package manifest** — paste the contents of `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, etc., or provide the audit tool output
- **License policy** — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
- **Current security tooling** — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none
## Output Format
---
# Dependency Audit Report: [Project Name]
**Ecosystem:** [npm / pip / Maven / Go / etc.]
**Audit date:** [Date]
**Auditor:** [Name]
**Total direct dependencies:** [N]
**Total transitive dependencies:** [N]
**Audit tool(s) used:** [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]
---
## Executive Summary
| Category | Finding | Risk level |
|---|---|---|
| Critical vulnerabilities | [N] CVEs requiring immediate action | [Critical / High / Low] |
| High vulnerabilities | [N] CVEs — fix within 7 days | [High / Medium] |
| License violations | [N] packages with non-compliant licenses | [High / Low] |
| Severely outdated packages | [N] packages > 2 major versions behind | [Medium] |
| Packages with no active maintenance | [N] packages — no commits in 12+ months | [Medium] |
| **Overall dependency health score** | **[Score]/100** | **[Red / Amber / Green]** |
**Scoring methodology:** Critical CVEs: 20 each. High CVEs: 10 each. License violations: 15 each. Abandoned packages: 5 each. Maximum deduction: 100. Score ≥80 = Green, 6079 = Amber, <60 = Red.
**Immediate actions required:**
1. [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
2. [Second action]
3. [Third action]
---
## 1. Security Vulnerability Findings
### Critical and High Severity (Act within 2472 hours)
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description | Exploitability |
|---|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Critical | [9.x] | [e.g. Prototype pollution via `merge` function — remote code execution possible] | [Known exploit / PoC available / No known exploit] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Path traversal in file serving utility] | [PoC available] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Regular expression denial of service (ReDoS)] | [No known exploit] |
### Medium Severity (Fix within 30 days)
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description |
|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [5.x] | [Description] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [4.x] | [Description] |
### Low Severity (Fix within 90 days or accept risk)
| Package | Installed version | Fix version | CVE | Severity | Description |
|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | Low | [Description] |
### Vulnerabilities With No Fix Available
| Package | CVE | Severity | Recommended mitigation |
|---|---|---|---|
| [package-name] | [CVE-YYYY-NNNNN] | [High] | [e.g. "Remove this package — alternative: [replacement]"] |
| [package-name] | [CVE-YYYY-NNNNN] | [Medium] | [e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"] |
---
## 2. License Compliance Matrix
### License Policy Reference
| License | Category | Policy | Notes |
|---|---|---|---|
| MIT | Permissive | Allowed | Attribution required in distributed products |
| Apache 2.0 | Permissive | Allowed | Attribution + NOTICE file required |
| BSD 2-Clause / 3-Clause | Permissive | Allowed | Attribution required |
| ISC | Permissive | Allowed | |
| MPL 2.0 | Weak copyleft | Allowed with review | Source disclosure required for modified MPL files only |
| LGPL v2 / v3 | Weak copyleft | Allowed with review | Dynamic linking permitted; static linking may require disclosure |
| GPL v2 / v3 | Strong copyleft | **Restricted** | May require open-sourcing the entire codebase — legal review required |
| AGPL v3 | Strong copyleft | **Restricted** | Network use triggers copyleft — especially risky for SaaS |
| SSPL | Source available | **Prohibited** | Not OSI-approved — treat as proprietary |
| Proprietary / Commercial | Commercial | **Requires contract** | Verify license covers current use case and scale |
| Unknown / Unlicensed | — | **Prohibited** | No license = all rights reserved — cannot use legally |
### Findings: Packages With Compliance Issues
| Package | License | Issue | Recommendation | Risk if unaddressed |
|---|---|---|---|---|
| [package-name] | GPL v3 | Copyleft — may require open-sourcing this project | Replace with [alternative] or get legal sign-off | Legal / IP risk |
| [package-name] | AGPL v3 | Network copyleft — SaaS use triggers disclosure | Replace with [alternative] | Legal / IP risk |
| [package-name] | Proprietary | License may not cover current usage tier | Verify license scope with vendor | Contract breach |
| [package-name] | Unknown | No license declared in package metadata | Contact maintainer or replace | Cannot use legally |
### All Licenses in Use (Full Inventory)
| License | Package count | Compliance status |
|---|---|---|
| MIT | [N] | Compliant |
| Apache 2.0 | [N] | Compliant |
| BSD-3-Clause | [N] | Compliant |
| ISC | [N] | Compliant |
| MPL 2.0 | [N] | Review required |
| GPL v3 | [N] | **Non-compliant** |
| Unknown | [N] | **Non-compliant** |
---
## 3. Outdated Package Analysis
### Severely Outdated (2+ major versions behind — high upgrade effort)
| Package | Installed | Latest stable | Versions behind | Last updated | Breaking changes summary |
|---|---|---|---|---|---|
| [package-name] | [1.x.x] | [3.x.x] | 2 major | [Date] | [e.g. "API redesign in v2; async support added in v3"] |
| [package-name] | [0.x.x] | [2.x.x] | 2 major | [Date] | [Summary] |
### Moderately Outdated (1 major version behind)
| Package | Installed | Latest stable | Versions behind | Security fix in newer version? |
|---|---|---|---|---|
| [package-name] | [2.x.x] | [3.x.x] | 1 major | [Yes — CVE-YYYY-NNNNN / No] |
| [package-name] | [4.x.x] | [5.x.x] | 1 major | [No] |
### Minor/Patch Updates Available (Low risk to update)
| Package | Installed | Latest | Contains security fix? |
|---|---|---|---|
| [package-name] | [2.3.1] | [2.3.9] | [Yes / No] |
| [package-name] | [1.0.0] | [1.2.1] | [No] |
---
## 4. Dependency Graph Risk Analysis
### Transitive Dependency Risk
Transitive (indirect) dependencies carry risk because they are not explicitly managed. These are the highest-risk transitive dependencies in this project:
| Vulnerable transitive dep | Pulled in by | Installed version | Fix available | Action |
|---|---|---|---|---|
| [transitive-package] | [direct-parent] | [X.Y.Z] | [Yes — upgrade [parent] to [version]] | Upgrade direct dependency [parent] |
| [transitive-package] | [direct-parent] | [X.Y.Z] | [No] | Remove [parent] or use [alternative] |
### Dependency Concentration Risk
These packages are depended on by many other packages in the project — a vulnerability or deprecation would have cascading effects:
| Package | Depended on by (N packages) | Actively maintained? | Risk level |
|---|---|---|---|
| [package-name] | [N] | [Yes / No — last commit: date] | [High / Medium] |
| [package-name] | [N] | [Yes] | [Medium] |
### Abandoned / Unmaintained Packages
| Package | Last release | Last commit | Weekly downloads | Recommended alternative |
|---|---|---|---|---|
| [package-name] | [Date] | [Date] | [N] | [alternative-package] |
| [package-name] | [Date] | [Date] | [N] | [Maintained fork: URL] |
---
## 5. Remediation Plan
### 30-Day Plan
**Week 1 — Critical vulnerabilities (Days 17)**
| Action | Owner | Package | Effort | Notes |
|---|---|---|---|---|
| Upgrade [package] [old] → [new] | [Name] | [package-name] | [30 min] | [No API changes / check breaking changes guide: URL] |
| Replace [package] with [alternative] | [Name] | [package-name] | [2 hours] | [No fix available — must replace] |
| Patch override for [transitive-dep] | [Name] | [transitive-dep] | [15 min] | [Add resolutions/overrides entry in manifest] |
```bash
# Commands for Week 1 upgrades:
# npm
npm install [package]@[target-version]
npm audit fix --force # use with caution — may introduce breaking changes
# pip
pip install --upgrade [package]==[target-version]
pip-audit --fix # if using pip-audit
# Go
go get [module]@[version]
go mod tidy
# Maven
# Update pom.xml version property, then:
mvn versions:use-latest-releases -DallowMajorUpdates=false
mvn dependency:resolve
```
**Week 2 — High vulnerabilities and license violations (Days 814)**
| Action | Owner | Package | Effort | Notes |
|---|---|---|---|---|
| Upgrade [package] | [Name] | [package-name] | [1 hour] | |
| Replace GPL-licensed [package] | [Name] | [package-name] | [4 hours] | [Alternative: [package]] |
| Legal review for [package] license | Legal team | [package-name] | [Legal team SLA] | [Submit via [process]] |
**Week 3 — Medium vulnerabilities and abandoned packages (Days 1521)**
| Action | Owner | Package | Effort | Notes |
|---|---|---|---|---|
| Upgrade [package] | [Name] | [package-name] | [30 min] | |
| Replace abandoned [package] | [Name] | [package-name] | [2 hours] | [Maintained fork or alternative: [URL]] |
**Week 4 — Process improvements (Days 2230)**
| Action | Owner | Effort | Notes |
|---|---|---|---|
| Enable Dependabot / Renovate for automated PRs | [Name] | [2 hours] | [Config in Section 6] |
| Add `npm audit` / `pip-audit` to CI — fail on Critical/High | [Name] | [1 hour] | [Config in Section 6] |
| Document license policy in CONTRIBUTING.md | [Name] | [1 hour] | [Based on policy in Section 2] |
| Schedule next quarterly audit | [Name] | [15 min] | [Add to team calendar] |
---
## 6. Policy Recommendations
### Automated Vulnerability Scanning in CI
Add the following to your CI pipeline to catch vulnerabilities before they merge:
```yaml
# GitHub Actions — adapt for your CI platform
dependency-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# npm
- name: npm audit
run: npm audit --audit-level=high
# Fails build on High or Critical vulnerabilities
# pip
- name: pip-audit
run: |
pip install pip-audit
pip-audit --requirement requirements.txt --severity high
# Go
- name: govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
```
### Dependabot / Renovate Configuration
```yaml
# .github/dependabot.yml — automated dependency update PRs
version: 2
updates:
- package-ecosystem: "[npm / pip / gomod / maven]"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 10
labels:
- "dependencies"
- "automated"
ignore:
# Ignore major version bumps — review these manually
- dependency-name: "*"
update-types: ["version-update:semver-major"]
```
### License Scanning
```bash
# npm — license checker
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC' \
--failOn 'GPL;AGPL;LGPL'
# Python — pip-licenses
pip install pip-licenses
pip-licenses --allow-only="MIT;Apache Software License;BSD License;ISC License" \
--fail-on="GNU General Public License"
# Go — go-licenses
go install github.com/google/go-licenses@latest
go-licenses check ./... --allowed_licenses=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause
```
---
## 7. Dependency Health Score Detail
| Category | Max points | Score | Notes |
|---|---|---|---|
| No critical vulnerabilities | 30 | [N]/30 | 20 per critical CVE |
| No high vulnerabilities | 20 | [N]/20 | 10 per high CVE |
| License compliance | 20 | [N]/20 | 15 per violation |
| No abandoned packages | 15 | [N]/15 | 5 per abandoned package |
| Up-to-date major versions | 10 | [N]/10 | 2 per major version behind |
| Automated scanning enabled | 5 | [N]/5 | All-or-nothing |
| **Total** | **100** | **[Score]/100** | **[Red / Amber / Green]** |
---
## Quality Checks
- [ ] Every Critical and High CVE has a named owner and a resolution date in the 30-day plan
- [ ] License findings have been reviewed by legal or a named engineer with authority to accept the risk
- [ ] Transitive dependency vulnerabilities are included — not just direct dependencies
- [ ] Abandoned packages have a concrete replacement recommendation, not just "consider replacing"
- [ ] CI pipeline change is included — the audit findings should be the last time these are caught manually
- [ ] The dependency health score is calculated from actual findings, not estimated
- [ ] Remediation plan actions are specific commands or steps, not "upgrade package X" without version targets