audit-dependency-versions
О программе
Этот навык проводит аудит зависимостей проекта на предмет устаревших версий, уязвимостей безопасности и проблем совместимости. Он анализирует lock-файлы, планирует пути обновления и оценивает критические изменения. Используйте его перед выпуском релизов, во время обслуживания или при наследовании проектов для обеспечения работоспособности и безопасности зависимостей.
Быстрая установка
Claude Code
Рекомендуетсяnpx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/audit-dependency-versionsСкопируйте и вставьте эту команду в Claude Code для установки этого навыка
Документация
Abhaengigkeitsversionen pruefen
Audit project Abhaengigkeiten for version staleness, known security Schwachstellen, and compatibility issues. This skill inventories all Abhaengigkeiten from lock files, checks each gegen the latest available version, classifies staleness levels, identifies security concerns, and produces a prioritized upgrade report with recommended actions.
Wann verwenden
- Before a release to ensure Abhaengigkeiten are current and secure
- During periodic maintenance (monthly or quarterly Abhaengigkeit reviews)
- After receiving a security advisory affecting a project Abhaengigkeit
- When upgrading a project to a new language version (e.g., R 4.4 to 4.5)
- Before submitting a package to CRAN, npm, or crates.io
- When inheriting a project and assessing its Abhaengigkeit health
Eingaben
- Erforderlich: Project root directory containing Abhaengigkeit/lock files
- Optional: Ecosystem type if not auto-detectable (R, Node.js, Python, Rust)
- Optional: Security-only mode flag (skip staleness, focus on CVEs)
- Optional: Allowlist of Abhaengigkeiten to skip (known acceptable older versions)
- Optional: Target date for compatibility (e.g., "must work with R 4.4.x")
Vorgehensweise
Schritt 1: Inventory All Dependencies
Lokalisieren and parse Abhaengigkeit files to build a complete inventory.
R packages:
# Direct dependencies from DESCRIPTION
grep -A 100 "^Imports:" DESCRIPTION | grep -B 100 "^[A-Z]" | head -50
grep -A 100 "^Suggests:" DESCRIPTION | grep -B 100 "^[A-Z]" | head -50
# Pinned versions from renv.lock
cat renv.lock | grep -A 3 '"Package"'
Node.js:
# Direct dependencies
cat package.json | grep -A 100 '"dependencies"' | grep -B 100 "}"
cat package.json | grep -A 100 '"devDependencies"' | grep -B 100 "}"
# Pinned versions from lock file
cat package-lock.json | grep '"version"' | head -20
Python:
# From requirements or pyproject
cat requirements.txt
cat pyproject.toml | grep -A 50 "dependencies"
# Pinned versions
cat requirements.lock 2>/dev/null || pip freeze
Rust:
# From Cargo.toml
grep -A 50 "\[dependencies\]" Cargo.toml
# Pinned versions
cat Cargo.lock | grep -A 2 "name ="
Erstellen an inventory table:
| Package | Pinned Version | Type | Ecosystem |
|---|---|---|---|
| dplyr | 1.1.4 | Import | R |
| testthat | 3.2.1 | Suggests | R |
| express | 4.18.2 | dependency | Node.js |
| pytest | 8.0.0 | dev | Python |
Erwartet: Abschliessen inventory of all direct and (optionally) transitive Abhaengigkeiten with pinned versions.
Bei Fehler: If lock files are missing, das Projekt has reproducibility issues. Note this as a finding and inventory from the manifest file (DESCRIPTION, package.json) using declared version constraints stattdessen of pinned versions.
Schritt 2: Check Latest Available Versions
Fuer jede Abhaengigkeit, determine the latest available version.
R:
# Check available versions
available.packages()[c("dplyr", "testthat"), "Version"]
# Or via CLI
Rscript -e 'cat(available.packages()["dplyr", "Version"])'
Node.js:
# Check outdated packages
npm outdated --json
# Or individual package
npm view express version
Python:
# Check outdated
pip list --outdated --format=json
# Or individual
pip index versions requests 2>/dev/null
Rust:
# Check outdated
cargo outdated
# Or individual
cargo search serde --limit 1
Aktualisieren the inventory with latest versions:
| Package | Pinned | Latest | Gap |
|---|---|---|---|
| dplyr | 1.1.4 | 1.1.6 | patch |
| ggplot2 | 3.4.0 | 3.5.1 | minor |
| Rcpp | 1.0.10 | 1.0.14 | patch |
| shiny | 1.7.4 | 1.9.1 | minor |
Erwartet: Latest version identified fuer jede Abhaengigkeit with the gap magnitude (patch/minor/major).
Bei Fehler: If a package registry is unreachable, note the Abhaengigkeit as "unable to check" and proceed with the rest. Do not block the entire audit on one unreachable registry.
Schritt 3: Classify Staleness
Zuweisen a staleness level to each Abhaengigkeit:
| Level | Definition | Action |
|---|---|---|
| Current | At latest version or innerhalb latest patch | No action needed |
| Patch behind | Same major.minor, older patch | Low priority upgrade, normalerweise safe |
| Minor behind | Same major, older minor | Medium priority, review changelog for new features |
| Major behind | Older major version | High priority, likely brechende Aenderungs in upgrade |
| EOL / Archived | Package no longer maintained | Critical: find replacement or fork |
Erzeugen a staleness summary:
### Staleness Summary
- **Current**: 12 packages (48%)
- **Patch behind**: 8 packages (32%)
- **Minor behind**: 3 packages (12%)
- **Major behind**: 1 package (4%)
- **EOL/Archived**: 1 package (4%)
**Overall health**: AMBER (major-behind and EOL packages present)
Color coding:
- GREEN: All packages current or patch-behind
- AMBER: Any minor-behind or one major-behind
- RED: Multiple major-behind or any EOL packages
Erwartet: Every Abhaengigkeit classified by staleness with an overall health rating.
Bei Fehler: If version comparison logic is ambiguous (non-SemVer versions, date-based versions), classify conservatively as "minor behind" and note the non-standard versioning.
Schritt 4: Pruefen auf Security Vulnerabilities
Ausfuehren ecosystem-specific security audit tools:
R:
# No built-in audit tool; check manually
# Cross-reference with https://www.r-project.org/security.html
# Check GitHub advisories for each package
Node.js:
# Built-in audit
npm audit --json
# Severity levels: info, low, moderate, high, critical
npm audit --audit-level=moderate
Python:
# Using pip-audit
pip-audit --format=json
# Or safety
safety check --json
Rust:
# Using cargo-audit
cargo audit --json
Dokumentieren findings:
### Security Findings
| Package | Version | CVE | Severity | Fixed In | Description |
|---|---|---|---|---|---|
| express | 4.18.2 | CVE-2024-XXXX | High | 4.19.0 | Path traversal in static file serving |
| lodash | 4.17.20 | CVE-2021-23337 | Critical | 4.17.21 | Command injection via template |
**Security status**: RED (1 critical, 1 high)
Erwartet: Security Schwachstellen identified with CVE, severity, affected version, and fix version.
Bei Fehler: If no audit tool ist verfuegbar for the ecosystem, search GitHub Security Advisories manuell fuer jede Abhaengigkeit. Beachte, dass the audit is best-effort ohne tooling.
Schritt 5: Planen Upgrade Path
Priorisieren upgrades basierend auf risk and impact:
### Upgrade Plan
#### Priority 1: Security Fixes (do immediately)
| Package | Current | Target | Risk | Notes |
|---|---|---|---|---|
| lodash | 4.17.20 | 4.17.21 | Low (patch) | Fixes CVE-2021-23337 |
| express | 4.18.2 | 4.19.0 | Low (minor) | Fixes CVE-2024-XXXX |
#### Priority 2: EOL Replacements (plan within 1 month)
| Package | Current | Replacement | Migration Effort |
|---|---|---|---|
| request | 2.88.2 | node-fetch 3.x | Medium (API change) |
#### Priority 3: Major Version Upgrades (plan for next release cycle)
| Package | Current | Target | Breaking Changes |
|---|---|---|---|
| webpack | 4.46.0 | 5.90.0 | Config format, plugin API |
#### Priority 4: Minor/Patch Updates (batch in maintenance window)
| Package | Current | Target | Notes |
|---|---|---|---|
| dplyr | 1.1.4 | 1.1.6 | Patch fixes only |
| ggplot2 | 3.4.0 | 3.5.1 | New geom functions added |
Fuer jede major upgrade, note known brechende Aenderungs by checking the Abhaengigkeit's changelog.
Erwartet: Prioritized upgrade plan with security fixes first, then EOL replacements, major upgrades, and minor/patch batches.
Bei Fehler: If a Abhaengigkeit has no clear upgrade path (abandoned with no fork), document the risk and recommend: (1) vendoring the aktuelle Version, (2) finding an alternative package, or (3) accepting the risk with monitoring.
Schritt 6: Dokumentieren Compatibility Risks
Fuer jede planned upgrade, assess compatibility:
### Compatibility Assessment
#### express 4.18.2 -> 4.19.0
- **API changes**: None (patch-level fix)
- **Node.js requirement**: Same (>=14)
- **Test impact**: Run full test suite; expect zero failures
- **Confidence**: HIGH
#### webpack 4.46.0 -> 5.90.0
- **API changes**: Config file format changed, several plugins removed
- **Node.js requirement**: >=10.13 (unchanged)
- **Test impact**: Build configuration must be rewritten; all tests need re-run
- **Confidence**: LOW (requires dedicated migration effort)
- **Migration guide**: https://webpack.js.org/migrate/5/
Schreiben the complete audit report to DEPENDENCY-AUDIT.md or DEPENDENCY-AUDIT-2026-02-17.md.
Erwartet: Compatibility risks documented fuer jede significant upgrade. Abschliessen audit report written.
Bei Fehler: If compatibility cannot be assessed ohne testing, recommend a branch-based upgrade approach: create a branch, apply the upgrade, run tests, and evaluate results vor merging.
Validierung
- All direct Abhaengigkeiten inventoried from lock/manifest files
- Latest available version checked fuer jede Abhaengigkeit
- Staleness level assigned (current / patch / minor / major / EOL)
- Overall health rating calculated (GREEN / AMBER / RED)
- Security audit run with ecosystem-appropriate tooling
- All CVEs documented with severity, affected version, and fix version
- Upgrade plan prioritized: security > EOL > major > minor/patch
- Compatibility risks assessed fuer jede major upgrade
- Audit report written to DEPENDENCY-AUDIT.md
- No Abhaengigkeiten left as "unable to check" ohne documented reason
Haeufige Stolperfallen
-
Ignoring transitive Abhaengigkeiten: A project may have 10 direct Abhaengigkeiten but 200 transitive ones. Security Schwachstellen often hide in transitive Abhaengigkeiten. Use
npm lsorrenv::Abhaengigkeiten()to see the full tree. -
Upgrading everything at once: Batch-upgrading all Abhaengigkeiten in one commit makes it impossible to identify which upgrade caused a regression. Upgrade in logical groups (security first, then majors individually, then minors/patches as a batch).
-
Confusing "outdated" with "insecure": A package one major version behind with no CVEs is lower risk than a current package with a critical Schwachstelle. Always prioritize security over freshness.
-
Not reading changelogs: Blindly upgrading a major version ohne reading the changelog. Breaking changes in the Abhaengigkeit become brechende Aenderungs in your project.
-
Audit fatigue: Running audits but not acting on findings. Set a policy: security findings muss addressed innerhalb 1 sprint, EOL innerhalb 1 quarter.
-
Missing lock files: Projects ohne lock files have non-reproducible builds. If the audit reveals missing lock files, that is itself a critical finding to address vor versioned upgrades.
-
Falsches R-Binary auf Hybrid-Systemen: Unter WSL oder Docker kann
Rscripteinen plattformuebergreifenden Wrapper statt nativem R aufloesen. Mitwhich Rscript && Rscript --versionpruefen. Das native R-Binary bevorzugen (z.B./usr/local/bin/Rscriptunter Linux/WSL) fuer Zuverlaessigkeit. Fuer die R-Pfadkonfiguration siehe Setting Up Your Environment.
Verwandte Skills
apply-semantic-versioning-- Version bumps kann triggered by Abhaengigkeit upgradesmanage-renv-Abhaengigkeiten-- R-specific Abhaengigkeit management with renvsecurity-audit-codebase-- Broader security audit that includes Abhaengigkeit Schwachstellenmanage-changelog-- Dokumentieren Abhaengigkeit upgrades in the changelogplan-release-cycle-- Planen Abhaengigkeit upgrades innerhalb the release timeline
GitHub репозиторий
Похожие навыки
llamaguard
ДругоеLlamaGuard — это модель от Meta с 7–8 миллиардами параметров для модерации входных и выходных данных больших языковых моделей по шести категориям безопасности, таким как насилие и разжигание ненависти. Она обеспечивает точность 94–95% и может быть развернута с помощью vLLM, Hugging Face или Amazon SageMaker. Используйте этот навык, чтобы легко интегрировать фильтрацию контента и защитные механизмы в ваши ИИ-приложения.
cost-optimization
ДругоеЭтот навык Claude помогает разработчикам оптимизировать облачные расходы за счет правильного подбора ресурсов, стратегий тегирования и анализа затрат. Он предоставляет framework для сокращения облачных расходов и внедрения управления затратами в AWS, Azure и GCP. Используйте его, когда вам нужно проанализировать расходы на инфраструктуру, оптимизировать ресурсы или уложиться в бюджетные ограничения.
quantizing-models-bitsandbytes
ДругоеЭтот навык выполняет квантизацию LLM до 8-битной или 4-битной точности с использованием библиотеки bitsandbytes, обеспечивая сокращение использования памяти на 50-75% при минимальной потере точности. Он идеально подходит для запуска больших моделей при ограниченной памяти GPU или для ускорения вывода, поддерживая форматы INT8, NF4 и FP4. Навык интегрируется с HuggingFace Transformers и позволяет использовать обучение QLoRA и 8-битные оптимизаторы.
dispatching-parallel-agents
ДругоеЭтот навык Claude распределяет нескольких агентов для исследования и устранения трёх и более независимых проблем параллельно. Он предназначен для сценариев с несвязанными сбоями, которые можно устранить без общего состояния или зависимостей. Ключевая возможность — параллельное решение проблем, где за каждую независимую предметную область назначается отдельный агент для максимальной эффективности.