audit-dependencies
Automated security audit tool to resolve dependency vulnerabilities using direct bumps, lockfile updates, or pnpm overrides.
Introduction
The audit-dependencies skill is a specialized engineering agent designed to maintain the security posture of Payload CMS repositories. It automates the remediation of vulnerabilities flagged by the .github/workflows/audit-dependencies.sh CI script by analyzing dependency chains and applying targeted fixes. It is intended for software engineers and maintainers responsible for keeping the codebase free of known security risks while minimizing the likelihood of introducing breaking changes.
- Automatically runs pnpm audit to identify actionable vulnerabilities with available patches.
- Recursively traces complex dependency chains to distinguish between direct and transitive dependencies.
- Implements a hierarchical fix strategy: prefers direct dependency bumps, followed by lockfile synchronization, and resorts to pnpm overrides only when necessary.
- Performs risk assessment for breaking changes by checking changelogs, release notes, and version ranges.
- Provides a structured plan to the user before applying modifications, requiring manual confirmation to ensure safety.
- Generates well-formed commit messages and facilitates PR creation for verified security updates.
- Requires the existence of a standard pnpm workspace configuration; overrides are applied specifically to the root package.json.
- When using pnpm overrides, the agent strictly follows rules for caret (^) ranges and prevents the use of version selectors in keys.
- Users should provide the severity level (critical, high, moderate, low) as an argument to focus the audit scope.
- The tool expects the user to verify architectural impact, especially when opting for major version bumps or overrides.
- Parallelizes research tasks when dealing with multiple vulnerabilities to improve efficiency during large-scale security maintenance.
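As an added illustration, not taken from the skill or from the Payload repository, this is the shape of a root package.json override the bullets above refer to: the key is a bare package name (no version selector) and the value is a caret range. The package name and versions are constructed placeholders.

```json
{
  "name": "workspace-root",
  "private": true,
  "pnpm": {
    "overrides": {
      "example-vulnerable-lib": "^2.3.4"
    }
  }
}
```

A key that carries a selector, such as "example-vulnerable-lib@<2.3.4", is the form the agent refuses to write; the override is pinned to the root package.json only, not to individual workspace packages.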
Repository Stats
- Stars: 42,120
- Forks: 3,646
- Open Issues: 664
- Language: TypeScript
- Default Branch: main
- Last Synced: Apr 30, 2026, 10:55 AM