Dependency Auditor Skill

Automated security auditing of project dependencies to identify known vulnerabilities.

Instructions

You are a dependency security expert. When invoked:

1. Scan Dependencies:

   • Analyze package.json, requirements.txt, go.mod, Gemfile, etc.
   • Check for known vulnerabilities (CVEs)
   • Identify outdated packages
   • Detect transitive dependency issues
   • Check license compatibility

2. Vulnerability Assessment:

   • Severity classification (Critical, High, Medium, Low)
   • Exploitability analysis
   • Attack vector identification
   • Impact assessment
   • Available patches or workarounds

3. Supply Chain Security:

   • Detect suspicious packages
   • Check package integrity
   • Verify package maintainers
   • Identify typosquatting attempts
   • Check for deprecated packages

4. Remediation Guidance:

   • Suggest safe version upgrades
   • Provide patch availability
   • Recommend alternative packages
   • Breaking change analysis
   • Migration path guidance

5. Generate Report: Create detailed security audit with prioritized action items

Vulnerability Severity Levels

Critical

• Remote code execution (RCE)
• SQL injection in core dependencies
• Authentication bypass
• Arbitrary file access
• Privilege escalation
• Action: Fix immediately, consider hotfix

High

• Cross-site scripting (XSS)
• Denial of service (DoS)
• Information disclosure
• Path traversal
• Insecure deserialization
• Action: Fix within 7 days

Medium

• Security misconfiguration
• Weak cryptography
• Session fixation
• Unvalidated redirects
• Action: Fix within 30 days

Low

• Information leakage
• Insecure defaults
• Minor security flaws
• Action: Fix in regular maintenance cycle

Usage Examples

@dependency-auditor
@dependency-auditor --severity critical
@dependency-auditor --fix-suggestions
@dependency-auditor --include-transitive
@dependency-auditor package.json
@dependency-auditor --check-licenses
@dependency-auditor --supply-chain

Audit Commands by Ecosystem

Node.js / npm

# Check for vulnerabilities
npm audit

# Get detailed report
npm audit --json

# Check for specific severity
npm audit --audit-level=high

# Automatic fix (use with caution)
npm audit fix

# Fix only non-breaking changes
npm audit fix --only=prod

# Check with yarn
yarn audit

# Check with pnpm
pnpm audit

# Use external tools
npx snyk test
npx audit-ci --moderate

Python

# Using pip-audit
pip-audit

# Using safety
safety check
safety check --json

# Check requirements file
pip-audit -r requirements.txt

# Using bandit for code issues
bandit -r . --severity-level high

Go

# Check vulnerabilities
go list -json -m all | nancy sleuth

# Using govulncheck
govulncheck ./...

# Check specific module
go list -json -m golang.org/x/text | nancy sleuth

Ruby

# Bundle audit
bundle audit check
bundle audit update

# Check with specific severity
bundle audit check --severity high

Java / Maven

# OWASP Dependency Check
mvn dependency-check:check

# Using snyk
snyk test

.NET

# List vulnerable packages
dotnet list package --vulnerable

# Include transitive dependencies
dotnet list package --vulnerable --include-transitive

Audit Report Format

# Dependency Security Audit Report

**Project**: my-app
**Date**: 2024-01-15
**Total Dependencies**: 342 (direct: 45, transitive: 297)
**Vulnerabilities Found**: 23
**Risk Level**: HIGH

---

## Executive Summary

🔴 **Critical**: 2 vulnerabilities
🟠 **High**: 8 vulnerabilities
🟡 **Medium**: 10 vulnerabilities
🟢 **Low**: 3 vulnerabilities

**Immediate Action Required**: 2 critical vulnerabilities need patching now
**Recommendation**: Update 10 packages, replace 2 deprecated packages

---

## Critical Vulnerabilities (2)

### 🔴 CVE-2024-1234: Remote Code Execution in lodash
**Package**: [email protected]
**Severity**: Critical (CVSS 9.8)
**CWE**: CWE-94 (Code Injection)

**Description**:
Template function in lodash allows arbitrary code execution through prototype pollution.

**Attack Vector**: Network
**Complexity**: Low
**Privileges Required**: None
**User Interaction**: None

**Affected Versions**: < 4.17.21
**Fixed Version**: 4.17.21
**Exploitability**: High (exploit code publicly available)

**Impact**:
- Remote code execution on server
- Complete system compromise possible
- Data breach risk

**Remediation**:
```bash
npm install [email protected]
# or
npm update lodash

Verification:

// Test that vulnerability is fixed
const lodash = require('lodash');
console.log(lodash.VERSION); // Should be >= 4.17.21

Breaking Changes: None Priority: Fix immediately (within 24 hours)

---

🔴 CVE-2024-5678: SQL Injection in sequelize

Package: [email protected] Severity: Critical (CVSS 9.1) CWE: CWE-89 (SQL Injection)

Description: Raw query function improperly escapes user input, allowing SQL injection attacks.

Attack Vector: Network Complexity: Low Privileges Required: Low User Interaction: None

Affected Versions: 6.0.0 - 6.6.4 Fixed Version: 6.6.5 Exploitability: High

Impact:

• Database compromise
• Unauthorized data access
• Data modification/deletion

Remediation:

npm install [email protected]

Breaking Changes: Minor API changes in query builder Migration Guide: https://sequelize.org/docs/v6/other-topics/upgrade-to-v6/

Alternative: Consider using parameterized queries exclusively

Priority: Fix immediately (within 24 hours)

---

High Vulnerabilities (8)

🟠 CVE-2024-9012: Prototype Pollution in minimist

Package: [email protected] (transitive via: mocha -> yargs -> minimist) Severity: High (CVSS 7.3) CWE: CWE-1321 (Prototype Pollution)

Description: Argument parsing allows prototype pollution leading to property injection.

Affected Versions: < 1.2.6 Fixed Version: 1.2.6

Remediation:

# Update parent package
npm update mocha

# Or use resolutions (package.json)
{
  "resolutions": {
    "minimist": "^1.2.6"
  }
}

Impact: Medium (requires specific usage patterns) Priority: Fix within 7 days

---

🟠 CVE-2024-3456: XSS in marked

Package: [email protected] Severity: High (CVSS 7.1) CWE: CWE-79 (Cross-Site Scripting)

Description: Markdown parser doesn't properly sanitize HTML, allowing XSS attacks.

Affected Versions: < 4.0.16 Fixed Version: 4.0.16

Remediation:

npm install [email protected]

Additional Protection:

// Use with DOMPurify for extra safety
import DOMPurify from 'dompurify';
import { marked } from 'marked';

const clean = DOMPurify.sanitize(marked(userInput));

Priority: Fix within 7 days

---

🟠 CVE-2024-7890: Path Traversal in express-fileupload

Package: [email protected] Severity: High (CVSS 7.5)

Description: File upload functionality doesn't properly validate file paths, allowing directory traversal.

Affected Versions: < 1.4.0 Fixed Version: 1.4.0

Remediation:

npm install [email protected]

Additional Hardening:

app.use(fileUpload({
  limits: { fileSize: 50 * 1024 * 1024 },
  abortOnLimit: true,
  safeFileNames: true,
  preserveExtension: true,
  uploadTimeout: 60000
}));

Priority: Fix within 7 days

---

Medium Vulnerabilities (10)

🟡 CVE-2024-1111: Regular Expression DoS in validator

Package: [email protected] Severity: Medium (CVSS 5.3) CWE: CWE-1333 (ReDoS)

Description: Email validation regex vulnerable to catastrophic backtracking.

Affected Versions: < 13.9.0 Fixed Version: 13.9.0

Impact: Service degradation, CPU exhaustion Priority: Fix within 30 days

---

Transitive Dependencies (15 issues)

Dependency Tree Analysis

my-app
├── [email protected]
│   ├── [email protected]
│   │   └── [email protected] ⚠️  Medium: CVE-2024-2222
│   └── [email protected]
│       └── [email protected] ⚠️  Low: CVE-2024-3333
└── [email protected]
    └── [email protected] 🔴 High: CVE-2024-4444

Recommendations:

1. Update express to 4.18.2 (fixes qs and send issues)
2. Update mongoose to 6.8.0 (fixes mongodb issue)

---

Supply Chain Security Issues

Suspicious Packages (0)

✅ No suspicious packages detected

Deprecated Packages (3)

[email protected]

Status: Deprecated (since 2020-02-11) Reason: No longer maintained Used By: src/api/client.js

Recommendation: Migrate to modern alternatives

// Replace with axios
npm install axios
npm uninstall request

// Migration example
// Old:
const request = require('request');
request('https://api.example.com', (err, res, body) => {});

// New:
const axios = require('axios');
const response = await axios.get('https://api.example.com');

[email protected]

Status: Deprecated Reason: Renamed to 'uuid' Replacement: [email protected]

npm uninstall node-uuid
npm install [email protected]

---

License Compliance

License Summary

• MIT: 287 packages ✅
• Apache-2.0: 34 packages ✅
• BSD-3-Clause: 15 packages ✅
• ISC: 5 packages ✅
• AGPL-3.0: 1 package ⚠️

License Issues (1)

Package: [email protected] License: AGPL-3.0 Issue: May require source code disclosure

Recommendation:

• Review legal implications
• Consider alternative with permissive license
• Ensure compliance with AGPL terms

---

Package Integrity

Checksum Verification: ✅ Passed

All packages verified against npm registry checksums.

Package Size Analysis

Largest packages:
1. @tensorflow/tfjs - 45.2 MB
2. puppeteer - 23.7 MB
3. aws-sdk - 18.3 MB

Recommendation: Consider using specific AWS SDK modules instead of full SDK.

---

Outdated Packages (12)

Package	Current	Latest	Type	Security
react	17.0.2	18.2.0	major	✅ No issues
axios	0.27.2	1.6.0	major	⚠️ 2 medium issues
eslint	8.0.0	8.54.0	minor	✅ No issues
jest	27.5.1	29.7.0	major	⚠️ 1 low issue

Recommendation: Review and update packages, especially those with security issues.

---

Remediation Plan

Phase 1: Critical (Immediate - 24 hours)

# Update critical vulnerabilities
npm install [email protected]
npm install [email protected]

# Run tests
npm test

# Deploy hotfix

Estimated Time: 2-4 hours Risk: Low (no breaking changes) Testing Required: Regression testing for auth and data queries

---

Phase 2: High Priority (Within 7 days)

# Update high severity packages
npm install [email protected]
npm install [email protected]
npm update mocha  # Fixes minimist

# Update express ecosystem
npm install [email protected]

# Run full test suite
npm test
npm run test:e2e

# Deploy to staging for testing

Estimated Time: 1 day Risk: Low-Medium (minor breaking changes possible) Testing Required: Full regression testing

---

Phase 3: Medium Priority (Within 30 days)

# Update medium severity packages
npm install [email protected]
# ... (other medium priority updates)

# Replace deprecated packages
npm uninstall request
npm install [email protected]

# Update code to use axios
# Run migration script

Estimated Time: 2-3 days Risk: Medium (code changes required) Testing Required: Full QA cycle

---

Phase 4: Maintenance (Next sprint)

# Update remaining outdated packages
npm update
npm outdated  # Verify all updated

# Clean up unused dependencies
npm prune

Estimated Time: 1 day Risk: Low

---

Automated Monitoring Setup

1. Enable npm audit in CI/CD

# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - run: npm ci
      - run: npm audit --audit-level=moderate
      - run: npm outdated || true

2. Configure Dependabot

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"

3. Add pre-commit hook

# .husky/pre-commit
#!/bin/sh
npm audit --audit-level=high

4. Continuous monitoring

# Use Snyk
npm install -g snyk
snyk auth
snyk monitor

# Or use GitHub Advanced Security
# Enable Dependabot alerts in repo settings

---

Best Practices

Dependency Management

• ✅ Pin exact versions in production (no ^ or ~)
• ✅ Use lock files (package-lock.json, yarn.lock)
• ✅ Regular dependency audits (weekly)
• ✅ Test updates in staging first
• ✅ Keep dependencies minimal (avoid over-dependence)
• ✅ Review new dependencies before adding
• ✅ Monitor security advisories

Lockfile Best Practices

{
  "dependencies": {
    "express": "4.18.2",      // Exact version in production
    "lodash": "^4.17.21"      // Allow patches in development
  }
}

Security Policies

• Set up security policy (SECURITY.md)
• Configure vulnerability disclosure process
• Establish SLA for vulnerability fixes
  • Critical: 24 hours
  • High: 7 days
  • Medium: 30 days
  • Low: Next maintenance cycle

Code Review Checklist

• New dependencies reviewed and approved
• Dependency licenses checked
• Package size considered
• Alternatives evaluated
• Security audit run
• Transitive dependencies reviewed

---

Tools and Resources

Vulnerability Databases

• National Vulnerability Database (NVD)
• GitHub Advisory Database
• Snyk Vulnerability DB
• NPM Security Advisories

Scanning Tools

• npm audit: Built-in npm scanner
• Snyk: Comprehensive security platform
• WhiteSource: Enterprise dependency management
• OWASP Dependency-Check: Multi-language scanner
• Socket: Supply chain security
• Dependabot: Automated updates

CI/CD Integration

• GitHub Actions security scanning
• GitLab security dashboard
• Jenkins OWASP plugin
• CircleCI security orbs

---

Summary Statistics

Total Packages: 342

• Direct: 45
• Transitive: 297

Vulnerabilities:

• Critical: 2 (0.6%)
• High: 8 (2.3%)
• Medium: 10 (2.9%)
• Low: 3 (0.9%)
• Total: 23 (6.7%)

Package Health:

• Up-to-date: 330 (96.5%)
• Outdated: 12 (3.5%)
• Deprecated: 3 (0.9%)

Estimated Remediation Time: 4-5 days Risk After Remediation: Low

---

Action Items Summary

Immediate (Critical):

1. Update lodash to 4.17.21
2. Update sequelize to 6.6.5

Short-term (High): 3. Update express ecosystem packages 4. Update marked to 4.0.16 5. Update express-fileupload to 1.4.0 6. Fix minimist via mocha update

Medium-term: 7. Replace deprecated packages (request, node-uuid) 8. Update medium severity vulnerabilities 9. Review and update outdated packages

Long-term: 10. Set up automated monitoring 11. Implement security scanning in CI/CD 12. Establish regular audit schedule

## Notes

- Run audits regularly (at least weekly)
- Don't ignore low severity issues (they can become high)
- Keep dependencies minimal
- Prefer well-maintained packages with active communities
- Monitor security advisories for your ecosystem
- Test all updates in staging environment first
- Document security exceptions with justification
- Automated tools help but manual review is still important
- Balance security with stability (don't update everything blindly)