By name: dep-audit
description: Audit a project's dependencies for security vulnerabilities, outdated versions, and license issues across Node/Bun/Go/Rust/Python stacks (auto-detected from lockfiles). Use when user invokes /dep-audit, asks "are my deps up to date?", "any vulnerabilities?", "is anything outdated?"; mentions CVE, npm audit, cargo audit, govulncheck, pip-audit; or wants a security review of a project's dependency tree.
disable-model-invocation: true
Dependency Audit
Audit a project's dependencies for security vulnerabilities, outdated versions, and license concerns. Auto-detects the stack and runs the appropriate tools.
Workflow
- Detect project stack from lock/manifest files:
| File | Stack | Audit command |
|---|---|---|
package-lock.json / yarn.lock / pnpm-lock.yaml |
Node | npm audit, npx depcheck |
bun.lockb |
Bun | bun audit (if available), else npx depcheck |
go.sum |
Go | govulncheck ./..., go list -m -u all |
Cargo.lock |
Rust | cargo audit, cargo outdated |
uv.lock / requirements.txt |
Python | pip-audit, uv pip list --outdated |
Run available audit tools (skip gracefully if a tool isn't installed)
Compile a unified report:
## Vulnerabilities (action required)
- [HIGH] package@version — CVE-XXXX: description
Fix: upgrade to package@fixed-version
## Outdated (review)
- package: current → latest (major/minor/patch)
## Unused (candidates for removal)
- package — not imported anywhere
## License concerns
- package@version — GPL-3.0 (copyleft in an MIT project)
- Suggest a remediation plan ordered by severity
Notes
- Install missing tools:
brew install govulncheck,cargo install cargo-audit cargo-outdated,uv tool install pip-audit - For monorepos, check each workspace/module independently
- Never auto-fix — report only, let the user decide