Agent Skills: Dependency Auditor

Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.

Category: Uncategorized
ID: onewave-ai/claude-skills/dependency-auditor

Install this agent skill to your local

pnpm dlx add-skill https://github.com/OneWave-AI/claude-skills/tree/HEAD/dependency-auditor

Skill Files


dependency-auditor/SKILL.md

Skill Metadata

Name
dependency-auditor
Description
Audit npm dependencies for security vulnerabilities, outdated packages, and unused dependencies. Use when checking for security issues, updating packages, or cleaning up dependencies.

Dependency Auditor

Instructions

When auditing dependencies:

  1. Run security audit
  2. Check for outdated packages
  3. Find unused dependencies
  4. Analyze bundle size impact
  5. Review and update

Security Audit

# NPM audit (exit code is non-zero when it finds anything at or above --audit-level)
npm audit

# Get JSON output for processing (npm 7+ schema: a "vulnerabilities" map keyed by package)
npm audit --json

# Fix automatically (semver-compatible updates only)
npm audit fix

# Force fix (also installs semver-major updates; run the test suite afterwards)
npm audit fix --force

# PNPM
pnpm audit

# Yarn Classic (v1); on Yarn 2+ the equivalent is `yarn npm audit`
yarn audit
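A worked example of step 1 turned into a CI gate, added here and not part of the skill or its repository: it reads the `npm audit --json` report (npm 7+ schema, where each entry under `vulnerabilities` carries `severity`, `isDirect`, `via` and `fixAvailable`), fails on anything at or above a chosen severity, and honours a hypothetical allowlist of waived advisories that must carry an expiry date. The report, package names and advisory URLs are constructed for the example; the `SAMPLE_ALLOWLIST` shape is an assumption, not an npm feature.

```javascript
// Added example (not from the skill): gate a CI step on `npm audit --json`.
// npm 7+ schema: report.vulnerabilities[name] has severity, isDirect, via
// (advisory objects, or strings naming the vulnerable dependency a package is
// affected through) and fixAvailable (true, false, or { name, version, isSemVerMajor }).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: fictional packages and advisory URLs, shaped like
// real `npm audit --json` output but not taken from any registry.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true,
      via: [{ source: 1001, name: 'example-parser', title: 'Prototype pollution (constructed)',
              url: 'https://advisories.example.invalid/A-1', severity: 'high', range: '<2.0.1' }],
      effects: [], range: '<2.0.1', nodes: ['node_modules/example-parser'],
      fixAvailable: { name: 'example-parser', version: '2.0.1', isSemVerMajor: false },
    },
    'example-minify': {
      name: 'example-minify', severity: 'critical', isDirect: false,
      via: [{ source: 1002, name: 'example-minify', title: 'ReDoS (constructed)',
              url: 'https://advisories.example.invalid/A-2', severity: 'critical', range: '<1.4.0' }],
      effects: ['example-bundler'], range: '<1.4.0', nodes: ['node_modules/example-minify'],
      fixAvailable: { name: 'example-bundler', version: '3.0.0', isSemVerMajor: true },
    },
    'example-bundler': {
      // Affected only through example-minify: `via` holds a string, not an advisory.
      name: 'example-bundler', severity: 'critical', isDirect: true,
      via: ['example-minify'], effects: [], range: '2.0.0 - 2.9.9',
      nodes: ['node_modules/example-bundler'],
      fixAvailable: { name: 'example-bundler', version: '3.0.0', isSemVerMajor: true },
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: true,
      via: [{ source: 1003, name: 'example-logger', title: 'Log injection (constructed)',
              url: 'https://advisories.example.invalid/A-3', severity: 'low', range: '<0.9.0' }],
      effects: [], range: '<0.9.0', nodes: ['node_modules/example-logger'], fixAvailable: false,
    },
  },
};

// Hypothetical waiver list (not an npm feature): every accepted advisory carries
// an expiry so a temporary exception cannot silently become permanent.
const SAMPLE_ALLOWLIST = [
  { url: 'https://advisories.example.invalid/A-1', expires: '2099-01-01',
    reason: 'not reachable: parser only sees trusted input (constructed)' },
];

// What `npm audit fix` can do for an entry: 'compatible' needs no --force,
// 'major' needs --force (semver-major bump), 'none' has no published fix.
function fixKind(fixAvailable) {
  if (fixAvailable === true) return 'compatible';
  if (!fixAvailable) return 'none';
  return fixAvailable.isSemVerMajor ? 'major' : 'compatible';
}

// Evaluate the report against a severity threshold and the waiver list.
// Returns { ok, blocking, waived }; each finding is one advisory on one package.
function evaluateAudit(report, { failOn = 'high', allowlist = [], now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  const blocking = [], waived = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const adv of vuln.via || []) {
      if (typeof adv !== 'object') continue; // transitive pointer; the advisory sits on the named package
      if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
      const finding = { package: vuln.name, severity: adv.severity, url: adv.url,
                        direct: vuln.isDirect, fixKind: fixKind(vuln.fixAvailable) };
      const waiver = allowlist.find((w) => w.url === adv.url && new Date(w.expires) > now);
      (waiver ? waived : blocking).push(finding);
    }
  }
  blocking.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { ok: blocking.length === 0, blocking, waived };
}

// Human-readable summary with the remediation each finding needs.
function formatFindings({ ok, blocking, waived }) {
  const action = { compatible: 'npm audit fix', major: 'npm audit fix --force (semver-major, test first)',
                   none: 'no fix published: replace or isolate the package' };
  const lines = blocking.map((f) =>
    `BLOCK ${f.severity} ${f.package} (${f.direct ? 'direct' : 'transitive'}): ${action[f.fixKind]}`);
  for (const f of waived) lines.push(`WAIVED ${f.severity} ${f.package} ${f.url}`);
  lines.push(ok ? 'audit gate: PASS' : 'audit gate: FAIL');
  return lines;
}
```

In a real pipeline, write the report with `npm audit --json > audit.json || true` (the command itself exits non-zero when it finds anything), parse that file in place of `SAMPLE_REPORT`, print `formatFindings(...)` and exit with status 1 when `ok` is false. Packages that are only affected through another package (a string in `via`) are deliberately skipped: the advisory is counted once, on the package that actually carries it.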

Check Outdated Packages

# NPM: shows current (installed), wanted (newest version inside the
# package.json range) and latest (registry `latest` tag) per package
npm outdated

# Interactive update (pick packages one by one)
npx npm-check-updates -i

# Update all ranges in package.json to latest, majors included, then install
npx npm-check-updates -u
npm install

# Check the published versions of a specific package
npm view <package> versions

Find Unused Dependencies

# Using depcheck
npx depcheck

# Machine-readable output (unused dependencies, unused devDependencies, missing packages)
npx depcheck --json

# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"

Common False Positives

Depcheck may flag these as unused when they're actually needed, because they are referenced by name in a config file rather than imported:

  • @types/* packages (used by TypeScript)
  • ESLint/Prettier plugins (referenced in config)
  • PostCSS plugins (referenced in config)
  • Next.js plugins
  • Babel presets

Confirm against the config that names them before removing any; a missing plugin or preset only fails at lint or build time, not at install time.

Analyze Bundle Size

# For Next.js: @next/bundle-analyzer is a next.config.js wrapper
# (withBundleAnalyzer), not a CLI; enable it and run the build
ANALYZE=true npm run build

# General purpose
npx source-map-explorer dist/**/*.js

# Check package size before installing
npx package-phobia <package-name>

# Compare alternatives
npx bundlephobia-cli compare lodash ramda

Dependency Review Checklist

Security

  • [ ] No critical/high vulnerabilities
  • [ ] Dependencies actively maintained
  • [ ] No known malicious packages
  • [ ] Lock file committed

Freshness

  • [ ] No major version behind (unless intentional)
  • [ ] Security patches applied
  • [ ] Deprecated packages replaced

Cleanliness

  • [ ] No unused dependencies
  • [ ] No duplicate packages (check lock file)
  • [ ] devDependencies vs dependencies correct

Update Strategies

Conservative (Recommended)

# Update within the ranges declared in package.json (for ^ ranges that
# includes minor versions, not only patches) and rewrite the lock file
npm update

# Update a specific package; @latest may be a semver-major jump, so
# read its changelog first
npm install package@latest

Aggressive

# Update everything (rewrites every range to latest, majors included);
# review the package.json diff before committing
npx npm-check-updates -u
npm install
npm test

Interactive

npx npm-check-updates -i

# Options:
# a - update all
# space - toggle selection
# enter - apply selected
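The three strategies above (and the `npm outdated` check earlier on this page) reduce to one question per package: how far does the bump go? The following is an added example, not code from the skill: it parses constructed `npm outdated --json` output (npm reports `current`, `wanted` and `latest` per package), classifies each candidate update by semver bump, and emits the install commands a given strategy would run. The semver comparison is a small re-implementation of the published rules written for this example, not the npm `semver` package, and the package names are fictional.

```javascript
// Added example (not from the skill): turn `npm outdated --json` into an update
// plan. npm reports, per package, current (installed), wanted (newest version
// inside the package.json range, which is what `npm update` installs) and
// latest (the registry's `latest` dist-tag). SAMPLE_OUTDATED is constructed.

const SAMPLE_OUTDATED = {
  'example-http':   { current: '1.4.2', wanted: '1.4.9', latest: '2.1.0' },        // in-range update; latest is a major
  'example-cli':    { current: '3.0.0', wanted: '3.2.1', latest: '3.2.1' },        // minor bump inside the range
  'example-zero':   { current: '0.3.1', wanted: '0.3.4', latest: '0.4.0' },        // 0.x: the minor bump is breaking under ^
  'example-stable': { current: '5.1.0', wanted: '5.1.0', latest: '5.1.0' },        // nothing to do
  'example-pre':    { current: '2.0.0', wanted: '2.0.0', latest: '2.1.0-beta.1' }, // latest tag points at a prerelease
  'example-pinned': { current: '4.2.0', wanted: '4.2.0', latest: '4.5.0' },        // exact pin: npm update cannot move it
};

const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(s) {
  const m = SEMVER_RE.exec(String(s).trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease precedence (semver 2.0, rule 11): numeric < alphanumeric, shorter < longer,
// and a release outranks every prerelease of the same version.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) { if (+a[i] !== +b[i]) return +a[i] < +b[i] ? -1 : 1; continue; }
    if (na) return -1;
    if (nb) return 1;
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  return comparePre(a.pre, b.pre);
}

// Kind of change from `from` to `to`: 'none', 'prerelease', 'patch', 'minor' or 'major'.
// A minor bump on a 0.x version counts as 'major' because ^0.3.1 excludes 0.4.0.
function bumpKind(from, to) {
  if (compareSemver(from, to) >= 0) return 'none';
  const a = parseSemver(from), b = parseSemver(to);
  if (b.pre.length) return 'prerelease';
  if (a.major !== b.major || (b.major === 0 && a.minor !== b.minor)) return 'major';
  if (a.minor !== b.minor) return 'minor';
  return 'patch'; // patch bump, or a prerelease graduating to its release
}

// strategy 'wanted': stay inside declared ranges (what `npm update` does);
// 'minor': take latest unless it is a major bump, else fall back to wanted;
// 'major': take latest for everything (what `npm-check-updates -u` does).
// Prereleases are never selected automatically.
function planUpdates(outdated, strategy) {
  const plan = [];
  for (const [name, info] of Object.entries(outdated)) {
    const toLatest = bumpKind(info.current, info.latest);
    const toWanted = bumpKind(info.current, info.wanted);
    let to = null, kind = 'none';
    if (strategy === 'major' && !['none', 'prerelease'].includes(toLatest)) { to = info.latest; kind = toLatest; }
    else if (strategy === 'minor' && ['patch', 'minor'].includes(toLatest)) { to = info.latest; kind = toLatest; }
    if (!to && !['none', 'prerelease'].includes(toWanted)) { to = info.wanted; kind = toWanted; }
    if (to) plan.push({ name, from: info.current, to, kind });
  }
  return plan;
}

// Non-major updates go in one install; each major gets its own command so it
// can be tested (and reverted) in isolation.
function toCommands(plan) {
  const safe = plan.filter((p) => p.kind !== 'major');
  const cmds = safe.length ? [`npm install ${safe.map((p) => `${p.name}@${p.to}`).join(' ')}`] : [];
  for (const p of plan.filter((p) => p.kind === 'major')) {
    cmds.push(`npm install ${p.name}@${p.to}   # major ${p.from} -> ${p.to}: read the changelog, run the tests`);
  }
  return cmds;
}
```

Feed it `JSON.parse` of a real `npm outdated --json` run (note that `npm outdated` exits 1 when anything is outdated) and `planUpdates(report, 'wanted')` reproduces what `npm update` would do, while the 'minor' strategy is the middle ground the page's Conservative and Aggressive sections leave out: everything except semver-major jumps, with 0.x minors correctly treated as breaking.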

Package.json Cleanup

{
  "dependencies": {
    // Runtime dependencies only
  },
  "devDependencies": {
    // Build/test tools only
  },
  "peerDependencies": {
    // For libraries only
  },
  "optionalDependencies": {
    // Platform-specific (rare)
  }
}
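Depcheck answers "is it imported anywhere?"; the layout above also asks "is it imported from code that ships?". The following added example (not from the skill) does both over a constructed in-memory project: it scans import and require statements, treats tests, scripts and config files as dev-only, applies the page's rules for `@types/*` and for plugins named inside config files, and reports each declared package as ok, unused, or misplaced between `dependencies` and `devDependencies`. The package names, file contents and the `FILES` map are constructed; on a real project you would build the same path-to-content map from disk.

```javascript
// Added example (not from the skill): classify declared dependencies by where
// they are imported, covering "no unused dependencies", "devDependencies vs
// dependencies correct" and the config-referenced packages depcheck flags.
// FILES is a constructed in-memory project with fictional package names.

const PACKAGE_JSON = {
  dependencies: { 'example-server': '^4.0.0', 'example-assert': '^1.0.0', 'example-leftover': '^2.0.0' },
  devDependencies: {
    'example-dotenv': '^16.0.0', 'eslint-plugin-example': '^3.0.0', 'postcss-example': '^8.0.0',
    '@types/example-server': '^4.0.0', 'example-test-runner': '^9.0.0',
  },
};

const FILES = {
  'src/index.ts': "import server from 'example-server';\nimport { load } from 'example-dotenv/config';\nexport default server(load());\n",
  'src/util.ts': "const helper = require('example-server/lib/helper');\nmodule.exports = helper;\n",
  'test/index.test.ts': "import assert from 'example-assert';\nimport { run } from 'example-test-runner';\nrun(() => assert.ok(true));\n",
  '.eslintrc.json': '{ "plugins": ["example"], "extends": ["plugin:example/recommended"] }',
  'postcss.config.js': "module.exports = { plugins: [require('postcss-example')] };\n",
};

// Static import forms: `import x from 'p'`, `import 'p'`, `import('p')`, `require('p')`.
const IMPORT_RE = /(?:\bimport\b[^'"`]*?\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*|\bimport\s+)['"]([^'"]+)['"]/g;

// Runtime code ships; tests, scripts, dotfiles and *.config.* files are dev-only.
function fileScope(path) {
  if (/(^|\/)(test|tests|__tests__|scripts)\//.test(path)) return 'dev';
  if (/\.(test|spec)\.[cm]?[jt]sx?$/.test(path)) return 'dev';
  if (/(^|\/)\.[^/]+$/.test(path) || /\.config\.[cm]?[jt]s$/.test(path)) return 'dev';
  return 'runtime';
}

// Package name for an import specifier; relative, absolute and node: imports give null.
function packageOf(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Names a config file may use for a package without importing it
// (eslint-plugin-foo as "foo", eslint-config-foo as "foo", babel-preset-foo as "foo").
function configAliases(name) {
  const m = /^(?:eslint-plugin|eslint-config|babel-preset)-(.+)$/.exec(name);
  return m ? [name, m[1]] : [name];
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function classifyDependencies(pkg, files) {
  const declared = {};
  for (const n of Object.keys(pkg.dependencies || {})) declared[n] = 'dependencies';
  for (const n of Object.keys(pkg.devDependencies || {})) declared[n] = 'devDependencies';

  const usage = {};   // package name -> Set of scopes ('runtime' / 'dev') that import it
  const devText = []; // contents of dev-scope files, for config-string references
  for (const [path, content] of Object.entries(files)) {
    const scope = fileScope(path);
    if (scope === 'dev') devText.push(content);
    for (const m of content.matchAll(IMPORT_RE)) {
      const name = packageOf(m[1]);
      if (name) (usage[name] = usage[name] || new Set()).add(scope);
    }
  }

  const result = {};
  for (const [name, section] of Object.entries(declared)) {
    let scopes = usage[name] || new Set();
    // @types/foo (or @types/scope__foo) is compile-time only: used iff foo is used.
    const types = /^@types\/(.+)$/.exec(name);
    if (types && scopes.size === 0) {
      const base = types[1].includes('__') ? '@' + types[1].replace('__', '/') : types[1];
      if (usage[base]) scopes = new Set(['dev']);
    }
    // Plugins and presets referenced by name inside config files count as dev usage.
    if (scopes.size === 0) {
      const refs = configAliases(name).map((a) => new RegExp(`['"]${escapeRe(a)}(?:/|['"])`));
      if (devText.some((t) => refs.some((re) => re.test(t)))) scopes = new Set(['dev']);
    }
    if (scopes.size === 0) result[name] = 'unused';
    else if (section === 'dependencies' && !scopes.has('runtime')) result[name] = 'move-to-devDependencies';
    else if (section === 'devDependencies' && scopes.has('runtime')) result[name] = 'move-to-dependencies';
    else result[name] = 'ok';
  }
  return result;
}
```

The misplacement direction matters for security in both ways: a runtime package left in `devDependencies` disappears from production installs (`npm ci --omit=dev`) and the application fails, while a test-only package kept in `dependencies` ships its whole tree into the production image and the audit surface.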

Lock File Best Practices

  1. Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock); the lock file, not package.json, pins the exact versions, resolved URLs and integrity hashes that get installed
  2. Use npm ci in CI/CD (not npm install); the equivalents are pnpm install --frozen-lockfile and yarn install --immutable (yarn install --frozen-lockfile on Yarn 1), all of which fail instead of silently rewriting the lock file
  3. Regenerate if corrupted: delete lock file + node_modules, reinstall; this re-resolves every range to the newest matching release, so review the lock file diff (new packages, changed resolved URLs, changed integrity hashes) before committing it
  4. Single lock file per project (don't mix package managers)
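The review in item 3 is easier with a script than with a raw diff. What follows is an added example, not from the skill or its repository: it compares two `package-lock.json` objects (lockfile version 2 or 3, where `packages` maps install paths to `version`, `resolved` and `integrity`), lists added, removed and changed entries, flags the patterns worth a second look (same version with a different tarball hash, a package now resolved from another host, anything not fetched over https, anything without an integrity hash) and reports packages installed at more than one version. Both lock files, all package names and all hashes are constructed; the `trustedHosts` option is an assumption of this example.

```javascript
// Added example (not from the skill): review a regenerated or updated
// package-lock.json before committing it. Works on lockfileVersion 2 and 3,
// where `packages` maps an install path ("node_modules/foo", nested paths for
// duplicated versions, "" for the root project) to { version, resolved, integrity }.
// Both lock files below are constructed, with fictional packages and hashes.

const REG = 'https://registry.npmjs.org';
const OLD_LOCK = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-http': { version: '1.4.2', resolved: `${REG}/example-http/-/example-http-1.4.2.tgz`, integrity: 'sha512-AAAA' },
    'node_modules/example-util': { version: '2.0.0', resolved: `${REG}/example-util/-/example-util-2.0.0.tgz`, integrity: 'sha512-BBBB' },
    'node_modules/@example/core': { version: '0.9.1', resolved: `${REG}/@example/core/-/core-0.9.1.tgz`, integrity: 'sha512-CCCC' },
    'node_modules/example-old': { version: '1.0.0', resolved: `${REG}/example-old/-/example-old-1.0.0.tgz`, integrity: 'sha512-DDDD' },
  },
};
const NEW_LOCK = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    // ordinary version bump
    'node_modules/example-http': { version: '1.4.9', resolved: `${REG}/example-http/-/example-http-1.4.9.tgz`, integrity: 'sha512-EEEE' },
    // same version, different tarball hash: the published content changed
    'node_modules/example-util': { version: '2.0.0', resolved: `${REG}/example-util/-/example-util-2.0.0.tgz`, integrity: 'sha512-ZZZZ' },
    // same version, now fetched from a different host
    'node_modules/@example/core': { version: '0.9.1', resolved: 'https://mirror.example.invalid/@example/core/-/core-0.9.1.tgz', integrity: 'sha512-CCCC' },
    // new package, resolved over plain http
    'node_modules/example-new': { version: '1.0.0', resolved: 'http://registry.npmjs.org/example-new/-/example-new-1.0.0.tgz', integrity: 'sha512-FFFF' },
    // nested second copy of example-util pulled in by example-http
    'node_modules/example-http/node_modules/example-util': { version: '1.9.0', resolved: `${REG}/example-util/-/example-util-1.9.0.tgz`, integrity: 'sha512-GGGG' },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

// Packages present at more than one version (nested node_modules copies).
function duplicateVersions(packages) {
  const seen = {};
  for (const [path, e] of Object.entries(packages)) {
    if (path === '' || e.link) continue;
    const n = packageName(path);
    (seen[n] = seen[n] || new Set()).add(e.version);
  }
  return Object.fromEntries(Object.entries(seen).filter(([, s]) => s.size > 1).map(([n, s]) => [n, [...s].sort()]));
}

function diffLockfiles(oldLock, newLock, { trustedHosts = ['registry.npmjs.org'] } = {}) {
  const before = oldLock.packages || {}, after = newLock.packages || {};
  const added = [], removed = [], changed = [], warnings = [];
  for (const [path, a] of Object.entries(after)) {
    if (path === '') continue;
    const b = before[path];
    if (!b) { added.push({ path, name: packageName(path), version: a.version }); continue; }
    if (b.version === a.version && b.integrity === a.integrity && b.resolved === a.resolved) continue;
    changed.push({ path, name: packageName(path), from: b.version, to: a.version });
    if (b.version === a.version && b.integrity !== a.integrity)
      warnings.push(`${path}: same version ${a.version} but integrity changed (tarball content differs)`);
    if (hostOf(b.resolved) !== hostOf(a.resolved))
      warnings.push(`${path}: resolved host changed ${hostOf(b.resolved)} -> ${hostOf(a.resolved)}`);
  }
  for (const path of Object.keys(before)) {
    if (path !== '' && !after[path]) removed.push({ path, name: packageName(path), version: before[path].version });
  }
  // Checks on every entry of the new lock, not only the changed ones.
  for (const [path, e] of Object.entries(after)) {
    if (path === '' || e.link) continue;
    if (!e.integrity) warnings.push(`${path}: no integrity hash`);
    if (e.resolved && !e.resolved.startsWith('https://')) warnings.push(`${path}: resolved over ${e.resolved.split(':')[0]}, not https`);
    const h = hostOf(e.resolved);
    if (h && !trustedHosts.includes(h)) warnings.push(`${path}: resolved from untrusted host ${h}`);
  }
  const duplicates = duplicateVersions(after);
  return { added, removed, changed, duplicates, warnings, ok: warnings.length === 0 };
}
```

For a real review, load the committed file with `git show HEAD:package-lock.json` and the regenerated one from the working tree, `JSON.parse` both, and treat a non-empty `warnings` list as a reason to stop and look: a changed hash at an unchanged version, in particular, means the registry is serving different bytes for the same version than the one your last install verified, which is exactly what a lock file exists to catch.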

Automated Monitoring

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: "development"