All skills
Skillintermediate
Dependency Audit
Analyze project dependencies for security, maintenance, and bloat. Output to `.claude/audits/AUDIT_DEPS.md`.
Claude Code Knowledge Pack7/10/2026
Overview
Dependency Audit
Analyze project dependencies for security, maintenance, and bloat. Output to .claude/audits/AUDIT_DEPS.md.
Check
Security
- Known vulnerabilities (CVEs)
- Packages with no maintenance
- Packages with known malicious versions
- Transitive dependency risks
Maintenance
- Outdated packages (major versions behind)
- Deprecated packages
- Packages with no recent updates (>2 years)
- Packages with few maintainers
License Compliance
- Incompatible licenses (GPL in MIT project)
- Missing license declarations
- License changes in updates
Bundle Impact
- Large dependencies (>500KB)
- Duplicate dependencies
- Dependencies with many transitive deps
- Dev dependencies in production bundle
Unused Dependencies
- Installed but never imported
- Only used in dead code
- Redundant (multiple packages doing same thing)
Commands
# Security vulnerabilities
npm audit --json 2>/dev/null | head -100
# Outdated packages
npm outdated --json 2>/dev/null
# Check for unused dependencies (requires depcheck)
npx depcheck --json 2>/dev/null | head -50
# Package sizes
du -sh node_modules/* 2>/dev/null | sort -rh | head -20
# License check
npx license-checker --summary 2>/dev/null || echo "Install license-checker for license audit"
# Find duplicate packages
npm ls --all 2>/dev/null | grep -E "deduped|UNMET" | head -20
Output
# Dependency Audit
## Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Security | X | X | X | X |
| Outdated | X | X | X | X |
| Unused | X | X | X | X |
| License | X | X | X | X |
**Total dependencies:** X direct, Y transitive
**Bundle impact:** ~X MB in node_modules
## Critical Vulnerabilities
### DEP-001: lodash < 4.17.21 - Prototype Pollution
**Severity:** Critical (CVSS 9.1)
**CVE:** CVE-2021-23337
**Current:** 4.17.15
**Fix:** `npm update lodash`
**Impact:** Remote code execution possible
### DEP-002: axios < 1.6.0 - SSRF Vulnerability
**Severity:** High (CVSS 7.5)
**CVE:** CVE-2023-45857
**Current:** 0.21.1
**Fix:** `npm update axios`
## Outdated Packages
### Major Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|------------------|
| next | 13.4.0 | 14.0.0 | App router changes |
| react | 17.0.2 | 18.2.0 | Concurrent features |
| typescript | 4.9.0 | 5.3.0 | New syntax features |
### Minor/Patch Updates
| Package | Current | Latest |
|---------|---------|--------|
| @types/node | 18.0.0 | 18.19.0 |
| eslint | 8.40.0 | 8.56.0 |
## Unused Dependencies
### Definitely Unused
- `moment` - Not imported anywhere, use `date-fns` instead
- `lodash` - Only `_.get` used, replace with optional chaining
- `classnames` - Not imported, project uses `clsx`
### Possibly Unused
- `@testing-library/jest-dom` - Check if tests actually use it
**Savings:** Remove unused deps to save ~2MB
## Large Dependencies
| Package | Size | Purpose | Alternative |
|---------|------|---------|-------------|
| moment | 2.5MB | Dates | date-fns (200KB) |
| lodash | 1.4MB | Utils | Native JS + lodash-es |
| @aws-sdk/client-s3 | 3.2MB | S3 | Keep if needed |
## License Issues
### Copyleft Licenses (Review Required)
- `some-gpl-package@1.0.0` - GPL-3.0
- Check if your project can use GPL code
### Missing Licenses
- `unlicensed-package@0.1.0` - No license file
- Contact maintainer or replace
## Recommendations
### Immediate Actions
1. `npm audit fix` - Fix auto-fixable vulnerabilities
2. Remove unused: `npm uninstall moment lodash classnames`
3. Update critical: `npm update axios lodash`
### Planned Updates
1. React 18 migration (requires testing)
2. Next.js 14 migration (review breaking changes)
### Bundle Optimization
1. Replace moment with date-fns
2. Use lodash-es with tree shaking
3. Lazy load heavy dependencies
Focus on actionable findings. Include specific commands to fix issues.