
dependency-auditor

Automated security auditing for project dependencies. Scans package files (npm, pip, maven, etc.) for vulnerabilities, CVEs, and license issues, offering automated fix suggestions and integration for secure deployment workflows.

Introduction

The Dependency Auditor is an autonomous security skill designed to monitor project dependency files in real-time. It provides continuous vulnerability detection across various ecosystems including Node.js (npm, yarn, pnpm), Python (pip, poetry), Java (Maven, Gradle), Ruby (bundler), Go, and PHP (composer). By intercepting file changes in dependency manifest files, the skill automatically triggers scans to identify known CVEs, outdated packages, malicious dependencies, and potential license compliance conflicts that might impact commercial projects. It classifies findings into CRITICAL, HIGH, MEDIUM, and LOW severity levels, providing actionable remediation paths such as automated fix commands or version update suggestions.

  • Real-time monitoring of manifest files like package.json, requirements.txt, Gemfile, and lock files.
  • Supports multi-language package manager security scanning through npm audit, pip-audit, safety check, and bundle audit.
  • Detailed severity reporting with links to NVD/CVE databases and clear mitigation instructions.
  • License compatibility checking to prevent the inclusion of GPL-3.0 or other restrictive licenses in commercial applications.
  • CI/CD integration support via automated scan commands and deployment-blocking logic.
  • Provides fix strategies ranging from safe 'npm audit fix' commands to manual version pin recommendations.

This tool is intended for developers, DevOps engineers, and security teams who want to maintain a secure software supply chain without manual overhead. It integrates seamlessly into the development lifecycle, acting on dependency updates, pre-deployment checks, and user-initiated queries. While the skill operates autonomously, it requires read access to dependency manifest files and specific network access to official package registries (registry.npmjs.org, pypi.org, etc.) when running in sandboxed environments. Users should configure these domains in the sandbox settings to ensure the agent can successfully query vulnerability databases.

Repository Stats

Stars: 701
Forks: 160
Open Issues: 1
Language: Shell
Default Branch: main
Sync Status: Idle
Last Synced: Apr 29, 2026, 01:29 PM