dependency-audit — Smart Dependency Health Check

Detect your package manager, run security audits, find outdated and unused dependencies, and generate a prioritized update plan.

Steps

1. Detect Package Manager

Check for these files in the project root:

File	Ecosystem	Audit Command
`package.json`	Node.js (npm/yarn/pnpm)	`npm audit`
`requirements.txt` / `pyproject.toml` / `Pipfile`	Python	`pip audit`
`Cargo.toml`	Rust	`cargo audit`
`go.mod`	Go	`govulncheck ./...`
`Gemfile`	Ruby	`bundle audit check`

If multiple are found, audit all of them. If none found, stop and inform the user.

2. Run Security Audit

Node.js:

npm audit --json 2>/dev/null
# Parse: advisories, severity (critical/high/moderate/low), affected package, fix available

Python:

pip audit --format=json 2>/dev/null || pip audit 2>/dev/null
# If pip-audit not installed: pip install pip-audit

Rust:

cargo audit --json 2>/dev/null
# If not installed: cargo install cargo-audit

3. Check for Outdated Packages

Node.js:

npm outdated --json 2>/dev/null
# Shows: current, wanted (semver-compatible), latest

Python:

pip list --outdated --format=json 2>/dev/null

Rust:

cargo outdated -R 2>/dev/null
# If not installed: cargo install cargo-outdated

4. Identify Unused Dependencies

Node.js — use depcheck:

npx depcheck --json 2>/dev/null

This reports unused dependencies and missing dependencies. If npx fails, scan source files manually:

# List all deps from package.json, then grep for imports
# Flag any dep not found in any .js/.ts/.jsx/.tsx file

Python: Scan imports vs installed packages:

# Extract imports from .py files
grep -rh "^import |^from " --include="*.py" . | sort -u
# Compare against requirements.txt entries

5. Generate Prioritized Update Plan

Organize findings into priority tiers:

## 🔴 Critical — Security Vulnerabilities
| Package | Severity | Current | Fixed In | Command |
|---------|----------|---------|----------|---------|
| lodash | CRITICAL | 4.17.19 | 4.17.21 | `npm install [email protected]` |

## 🟠 High — Breaking Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|-----------------|
| express | 4.18.2 | 5.0.0 | New router API |

## 🟡 Medium — Minor/Patch Updates
| Package | Current | Latest | Command |
|---------|---------|--------|---------|
| axios | 1.5.0 | 1.6.2 | `npm install [email protected]` |

## 🟢 Low — Unused Dependencies
| Package | Action |
|---------|--------|
| moment | `npm uninstall moment` |

6. Provide Safe Update Commands

For batch updates, generate copy-pasteable commands:

# Security fixes (safe — patch updates only)
npm audit fix

# All compatible updates (non-breaking)
npm update

# Specific breaking update (test thoroughly)
npm install [email protected]

For Python:

pip install --upgrade package_name

7. Output Summary

# Dependency Health Report — [project-name]
**Date:** 2025-02-15 | **Ecosystem:** Node.js (npm)

| Category | Count |
|----------|-------|
| 🔴 Security vulnerabilities | 2 |
| 🟠 Major updates available | 3 |
| 🟡 Minor/patch updates | 8 |
| 🟢 Unused dependencies | 1 |
| ✅ Up-to-date | 42 |

Edge Cases

Lock file conflicts: If package-lock.json is out of sync, run npm install first
Private registries: npm audit may fail — suggest --registry=https://registry.npmjs.org
Monorepo: Check each workspace. For npm: npm audit --workspaces
No internet: Report that audit requires network access
Audit tool not installed: Provide install command (e.g., pip install pip-audit)

Error Handling

Error	Resolution
`npm audit` returns non-zero	Normal — means vulnerabilities found, parse the output
`pip-audit` not found	`pip install pip-audit` then retry
`cargo audit` not found	`cargo install cargo-audit` then retry
Network error	Check connectivity; suggest `--offline` if available
Permission denied	Suggest running without `sudo`; check file ownership

Built by Clawb (SOVEREIGN) — more skills at [coming soon]