Scan dependencies for vulnerabilities, outdated packages, license conflicts, and supply chain risks. Use when the user says "audit dependencies", "check vulnerabilities", "update packages", "npm audit", "supply chain security", "CVE check", or needs to verify project dependencies are secure before deployment.
Scan and secure project dependencies. Covers vulnerability detection, outdated package identification, license compliance, and supply chain risk assessment.
Run the audit tool for each ecosystem and save the JSON output (npm audit or pip-audit reports vulnerabilities for Node.js and Python; govulncheck, cargo audit and trivy cover the rest):

| Ecosystem | Audit Command | Output |
|---|---|---|
| Node.js | `npm audit --json > npm-audit.json` | JSON with CVE details |
| Python | `pip-audit -f json -o pip-audit.json` | JSON with CVE details |
| Go | `govulncheck -json ./... > govulncheck.json` | JSON with reachability analysis |
| Rust | `cargo audit --json > cargo-audit.json` | JSON with advisory details |
| Multi | `trivy fs --scanners vuln --format json --output trivy-deps.json .` | All ecosystems |

Note: govulncheck performs reachability analysis — it only reports vulnerabilities in code paths that are actually called. This is a strength: a CRITICAL CVE in an unused function is lower risk than a MEDIUM CVE in a hot path.
Not all vulnerabilities are equal. Triage by severity AND reachability:

| CVSS Score | Base Severity | Reachable? | Action |
|---|---|---|---|
| 9.0+ | CRITICAL | Yes | Fix immediately — blocks deployment |
| 9.0+ | CRITICAL | No | Downgrade to HIGH, fix within 1 week |
| 7.0-8.9 | HIGH | Yes | Fix within 1 week |
| 7.0-8.9 | HIGH | No | Downgrade to MEDIUM, fix within 2 weeks |
| 4.0-6.9 | MEDIUM | Yes/No | Fix within 1 month |
| 0.1-3.9 | LOW | Yes/No | Track, fix during next maintenance |
Checking whether a vulnerable package is actually reachable from your code:

```bash
# Go: built-in reachability analysis
govulncheck ./...

# Node.js: check if vulnerable function is imported
grep -r "require.*vulnerable-package" src/
grep -r "from.*vulnerable-package" src/

# Python: check if vulnerable module is used
grep -r "import vulnerable_package" src/
grep -r "from vulnerable_package" src/
```
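The triage matrix and the import check above, combined into one added Python example (this is not code from the original skill): it maps CVSS scores to the severity bands, applies the matrix, and where the scanner gives no reachability verdict it falls back to a regular-expression scan of source text that mirrors the `grep` commands. It goes one step beyond the grep lines by also matching the underscore form of a pip distribution name, since `tiny-util` on PyPI is imported as `tiny_util`. Every finding, advisory id, package name and source snippet is constructed sample data.

```python
"""Triage audit findings by CVSS severity and reachability.

Added example, not part of the original skill. All findings, advisory ids,
package names and source snippets below are constructed sample data.
"""
import re

# Triage matrix: (base severity, reachable) -> (effective severity, action)
ACTIONS = {
    ("CRITICAL", True): ("CRITICAL", "fix immediately - blocks deployment"),
    ("CRITICAL", False): ("HIGH", "fix within 1 week"),
    ("HIGH", True): ("HIGH", "fix within 1 week"),
    ("HIGH", False): ("MEDIUM", "fix within 2 weeks"),
    ("MEDIUM", True): ("MEDIUM", "fix within 1 month"),
    ("MEDIUM", False): ("MEDIUM", "fix within 1 month"),
    ("LOW", True): ("LOW", "track, fix during next maintenance"),
    ("LOW", False): ("LOW", "track, fix during next maintenance"),
}


def base_severity(cvss: float) -> str:
    """Map a CVSS score to the base severity band used in the triage table."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"


def is_imported(package: str, sources: dict) -> bool:
    """True if any source file imports the package (the grep checks, as regexes).

    Covers require('pkg'), import ... from 'pkg' (also subpaths like 'pkg/sub'),
    and Python 'import pkg' / 'from pkg import'. pip distribution names often
    use hyphens while the module uses underscores, so the Python patterns
    match the underscore form of the name.
    """
    js = re.escape(package)
    py = re.escape(package.replace("-", "_"))
    patterns = [
        rf"""require\(\s*['"]{js}(/[^'"]*)?['"]\s*\)""",  # CommonJS
        rf"""from\s+['"]{js}(/[^'"]*)?['"]""",             # ES modules
        rf"^\s*import\s+{py}(\.|\s|$)",                    # Python: import pkg
        rf"^\s*from\s+{py}(\.\w+)*\s+import\b",            # Python: from pkg import x
    ]
    return any(re.search(p, text, flags=re.MULTILINE)
               for text in sources.values() for p in patterns)


def triage(findings: list, sources: dict) -> list:
    """Attach base severity, reachability, effective severity and action to each finding.

    A finding may carry a scanner-supplied 'reachable' verdict (govulncheck gives one);
    otherwise the import scan decides.
    """
    rows = []
    for f in findings:
        reachable = f.get("reachable")
        if reachable is None:
            reachable = is_imported(f["package"], sources)
        base = base_severity(f["cvss"])
        effective, action = ACTIONS[(base, reachable)]
        rows.append({**f, "base": base, "reachable": reachable,
                     "effective": effective, "action": action})
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    # Most urgent first; among equal severity, reachable findings first
    rows.sort(key=lambda r: (order[r["effective"]], not r["reachable"]))
    return rows


def blocks_deployment(triaged: list) -> bool:
    """Per the matrix, only a reachable CRITICAL finding blocks deployment."""
    return any(r["base"] == "CRITICAL" and r["reachable"] for r in triaged)


# Constructed sample findings (ids are placeholders, not real advisories)
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0001", "package": "left-pad-ish", "cvss": 9.8},    # not imported anywhere
    {"id": "EXAMPLE-0002", "package": "fastjson-like", "cvss": 7.5},   # required in app.js
    {"id": "EXAMPLE-0003", "package": "tiny-util", "cvss": 3.1},       # imported as tiny_util
    {"id": "EXAMPLE-0004", "package": "gopkg-example", "cvss": 5.0, "reachable": False},
]

# Constructed source snippets standing in for files under src/
SAMPLE_SOURCES = {
    "src/app.js": "const fj = require('fastjson-like/parse');\nmodule.exports = fj;\n",
    "src/worker.py": "import os\nfrom tiny_util import pad\n",
}

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, SAMPLE_SOURCES):
        print(f"{r['id']} {r['package']:14} {r['base']:8} reachable={r['reachable']} "
              f"-> {r['effective']}: {r['action']}")
```

The import scan is deliberately conservative: a package that is present in `node_modules` but never imported is treated as unreachable, and a scanner verdict, when one exists, always wins over the text scan.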
Updating an affected package:

```bash
# Node.js
npm update affected-package
# If major version: npm install affected-package@latest

# Python
pip install --upgrade affected-package
# Or update requirements.txt/pyproject.toml constraint

# Go
go get affected-package@latest
go mod tidy
```
Forcing a transitive dependency to a fixed version via `overrides` in `package.json` (JSON does not allow comments, so the explanation stays outside the file):

```json
{
  "overrides": {
    "vulnerable-transitive-dep": ">=2.1.1"
  }
}
```
Suppressing a finding in `pyproject.toml`, only for a finding confirmed unreachable (`PYSEC-2024-XXX` is a placeholder for the advisory id):

```toml
# pyproject.toml — suppress a finding that is confirmed unreachable
[tool.pip-audit]
ignore = ["PYSEC-2024-XXX"] # Only if confirmed unreachable
```
If the package is abandoned or the maintainer won't patch, look for a maintained alternative (`npm search`, `pip search`; note that `pip search` no longer works against PyPI, so search pypi.org directly).

Supply chain risks to check alongside the vulnerability scan:

- Lockfile present and committed (`package-lock.json`, `yarn.lock`, `Pipfile.lock`, `go.sum`)
- Unpinned version ranges (`"^"`, `"~"`, `"*"` ranges in `package.json`)
- Code that runs at install time (`postinstall`/`preinstall` scripts in dependencies)
- `:latest` tags instead of an exact version

Check all licenses:

```bash
# Node.js: check all licenses
npx license-checker --summary --production

# Python
pip-licenses --format=table --with-urls
```

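The supply chain checklist above (lockfile, unpinned ranges, install scripts), applied to a Node.js project as an added Python example that is not part of the original skill. It works on an in-memory project rather than the filesystem: the `package.json` content, the project file list and the per-dependency manifests are constructed sample data, and the dependency manifests stand in for what you would read from each package's own `package.json` under `node_modules/`.

```python
"""Supply chain checks for a Node.js project.

Added example, not part of the original skill. The project manifest, file
list and dependency manifests below are constructed sample data.
"""
import json
import re

LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")
INSTALL_SCRIPTS = ("preinstall", "install", "postinstall")
# Exact semver: three dot-separated numbers with optional prerelease/build suffix
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def unpinned_dependencies(manifest: dict) -> dict:
    """Return {name: range} for every dependency not pinned to an exact version.

    Catches '^', '~', '*' and 'latest' alike: anything that is not an exact
    semver triple is treated as a range that lets a new release in unreviewed.
    """
    unpinned = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                unpinned[name] = spec
    return unpinned


def missing_lockfile(project_files: set) -> bool:
    """True if none of the known lockfiles is present in the project root."""
    return not any(f in project_files for f in LOCKFILES)


def install_script_dependencies(dep_manifests: dict) -> dict:
    """Return {name: {script: command}} for dependencies that run code at install time."""
    found = {}
    for name, m in dep_manifests.items():
        scripts = {k: v for k, v in m.get("scripts", {}).items() if k in INSTALL_SCRIPTS}
        if scripts:
            found[name] = scripts
    return found


def supply_chain_report(manifest: dict, project_files: set, dep_manifests: dict) -> dict:
    """Run all three checks and return structured results plus one risk line per finding."""
    unpinned = unpinned_dependencies(manifest)
    scripts = install_script_dependencies(dep_manifests)
    no_lock = missing_lockfile(project_files)
    risks = []
    if no_lock:
        risks.append("no lockfile: installs are not reproducible")
    for name, spec in unpinned.items():
        risks.append(f"{name}: range '{spec}' lets a new release in without review")
    for name, s in scripts.items():
        risks.append(f"{name}: runs {', '.join(sorted(s))} at install time; review the script")
    return {"missing_lockfile": no_lock, "unpinned": unpinned,
            "install_scripts": scripts, "risks": risks}


# Constructed sample project: one exact pin, several ranges, no lockfile
SAMPLE_PACKAGE_JSON = json.loads("""{
  "name": "sample-service",
  "dependencies": {"express": "4.18.2", "lodash": "^4.17.21", "leftpad-clone": "*"},
  "devDependencies": {"jest": "~29.7.0", "eslint": "latest"}
}""")
SAMPLE_FILES = {"package.json", "src/index.js"}  # note: no package-lock.json
# Constructed dependency manifests (what node_modules/<name>/package.json would hold)
SAMPLE_DEP_MANIFESTS = {
    "express": {"name": "express", "scripts": {"test": "mocha"}},
    "leftpad-clone": {"name": "leftpad-clone", "scripts": {"postinstall": "node ./setup.js"}},
}

if __name__ == "__main__":
    report = supply_chain_report(SAMPLE_PACKAGE_JSON, SAMPLE_FILES, SAMPLE_DEP_MANIFESTS)
    for line in report["risks"]:
        print(line)
```

An install script is not a vulnerability by itself (many native modules legitimately build at install time), which is why the report asks for a review of the script rather than failing outright; the missing lockfile and the `*`/`latest` specifiers are the findings that should fail a production build.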
| License | Compatibility | Notes |
|---|---|---|
| MIT, ISC, BSD-2, BSD-3 | Compatible with all | No restrictions |
| Apache-2.0 | Compatible with most | Requires attribution |
| LGPL-2.1, LGPL-3.0 | Use with caution | Dynamic linking OK, static linking requires LGPL |
| GPL-2.0, GPL-3.0 | Restrictive | Viral — your code must also be GPL |
| AGPL-3.0 | Very restrictive | Network use triggers copyleft |
| Unlicensed / No License | Block | No license = no permission to use |
## Dependency Audit Results
| Package | Ecosystem | Current | Vulnerability | CVE | Severity | Fix Version | Reachable? |
|---------|-----------|---------|---------------|-----|----------|-------------|------------|
| express | npm | 4.17.1 | Prototype pollution | CVE-2024-XXXX | HIGH | 4.18.0 | Yes |
| requests | pip | 2.28.0 | SSRF via redirect | CVE-2023-XXXX | MEDIUM | 2.31.0 | Unknown |
### Summary
- **Total vulnerabilities:** 5
- **Critical (reachable):** 0
- **High (reachable):** 1 — blocks deployment
- **Outdated packages:** 12 (3 with security implications)
- **License issues:** 0
- **Supply chain risks:** 1 (missing lockfile for Python service)
Common mistakes:

- Running `npm audit` and dismissing all findings without triage; every finding needs a decision (fix, accept risk, or mark unreachable)
- Running `npm audit fix --force` blindly; this can introduce breaking changes from major version bumps
- Using `^` or `~` ranges means builds are non-deterministic; pin exact versions for production
- Not committing a lockfile: without one, `npm install` or `pip install` can pull different versions