📦 Dependency
v1.0.0
Multi-ecosystem dependency audit — find outdated, vulnerable, unused, and license-incompatible packages across npm, pip, cargo, go, and composer. Use when as...
Initial release: multi-ecosystem dependency audit for outdated, vulnerable, unused, and license-incompatible packages
Audit project dependencies across ecosystems for security, freshness, license compliance, and unused bloat. Produces a prioritized upgrade plan with risk assessment.
Use when: "check our dependencies", "are we up to date", "audit packages", "plan an upgrade", "find unused deps".
Step 1 — Detect Ecosystems
# Auto-detect package managers
ls package.json package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null # Node.js
ls requirements.txt Pipfile pyproject.toml setup.py 2>/dev/null # Python
ls Cargo.toml Cargo.lock 2>/dev/null # Rust
ls go.mod go.sum 2>/dev/null # Go
ls composer.json composer.lock 2>/dev/null # PHP
ls Gemfile Gemfile.lock 2>/dev/null # Ruby
Step 2 — Outdated Packages
Node.js
npm outdated --json 2>/dev/null | jq 'to_entries[] | {name: .key, current: .value.current, wanted: .value.wanted, latest: .value.latest}'
# or
yarn outdated --json 2>/dev/null
pnpm outdated --format json 2>/dev/null
Python
pip list --outdated --format json 2>/dev/null | jq '.[] | {name, version, latest_version}'
# or with pip-audit
pip-audit --format json 2>/dev/null
Rust
cargo outdated -R --format json 2>/dev/null
Go
go list -u -m -json all 2>/dev/null | jq 'select(.Update) | {Path, Version, Update: .Update.Version}'
PHP
composer outdated --format json 2>/dev/null
Step 3 — Vulnerability Scan
# Node.js
npm audit --json 2>/dev/null | jq '.vulnerabilities | to_entries[] | {name: .key, severity: .value.severity, fixAvailable: .value.fixAvailable}'
# Python
pip-audit --format json 2>/dev/null
# or
safety check --json 2>/dev/null
# Rust
cargo audit --json 2>/dev/null
# Go
govulncheck ./... 2>/dev/null
# Universal (if installed)
trivy fs --format json --scanners vuln . 2>/dev/null | jq '.Results[].Vulnerabilities[]? | {PkgName, Severity, Title}'
Step 4 — Unused Dependencies
Node.js
# depcheck finds unused deps
npx depcheck --json 2>/dev/null | jq '{unused: .dependencies, devUnused: .devDependencies, missing: .missing}'
Python
# Compare declared requirements against what the code actually imports
pip install pipreqs 2>/dev/null
pipreqs . --print 2>/dev/null > /tmp/actual-imports.txt
# Strip everything from the first version operator onward, then lower-case, so only names are compared
diff <(sort requirements.txt | sed 's/[>=<~!].*//' | tr '[:upper:]' '[:lower:]') \
<(sort /tmp/actual-imports.txt | sed 's/[>=<~!].*//' | tr '[:upper:]' '[:lower:]')
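The shell diff above compares raw lines, so it mis-pairs names that differ only in case, `-` versus `_`, extras (`pkg[extra]`), or environment markers. The following added example (not part of the skill itself) does the same comparison with PEP 503 name normalization; the requirements text and the pipreqs output embedded in it are constructed sample data.

```python
import re

# Constructed sample inputs (not from a real project): the contents of a
# requirements.txt and the text `pipreqs . --print` would write.
REQUIREMENTS_TXT = """\
# web stack
Flask>=2.0,<3
requests==2.31.0
Pillow ~= 10.0
typing_extensions>=4.0 ; python_version < "3.11"
moment-js==1.0  # leftover, nothing imports it
-r dev-requirements.txt
"""

PIPREQS_OUTPUT = """\
flask==2.3.3
pillow==10.0.1
requests==2.31.0
typing-extensions==4.8.0
pyyaml==6.0
"""

# Characters that end the distribution name in a requirement line:
# version operators, markers, extras, direct URLs, whitespace, comments.
SPEC_SPLIT = re.compile(r"[<>=!~;\[@ #]")


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(text: str) -> set[str]:
    """Extract normalized distribution names from requirements-style text."""
    names = set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, and option lines such as -r / -e / --index-url
        if not line or line.startswith(("#", "-")):
            continue
        name = SPEC_SPLIT.split(line, 1)[0].strip()
        if name:
            names.add(normalize(name))
    return names


def compare(requirements: str, actual_imports: str) -> tuple[list[str], list[str]]:
    """Return (declared but unused, imported but undeclared), both sorted."""
    declared = requirement_names(requirements)
    used = requirement_names(actual_imports)
    return sorted(declared - used), sorted(used - declared)


if __name__ == "__main__":
    unused, missing = compare(REQUIREMENTS_TXT, PIPREQS_OUTPUT)
    print("unused:", unused)    # ['moment-js']
    print("missing:", missing)  # ['pyyaml']
```

Both sides are distribution names (pipreqs already maps import names such as `yaml` to `pyyaml`), so the comparison is name-to-name; packages that are imported dynamically or only used via entry points still need a manual check.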
Rust
cargo udeps 2>/dev/null # requires nightly
Step 5 — License Audit
# Node.js
npx license-checker --json 2>/dev/null | jq 'to_entries[] | {pkg: .key, license: .value.licenses}' | head -40
# Python
pip-licenses --format json 2>/dev/null | jq '.[] | {Name, License}'
# Universal
trivy fs --format json --scanners license . 2>/dev/null
Flag: GPL in MIT projects, AGPL in SaaS, unknown/unlicensed packages, dual-license packages.
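The four flag categories above can be applied mechanically to the `license-checker --json` object. This is an added example, not part of the skill; the report dictionary is constructed sample data, and the project license and SaaS flag are parameters you would set for your own project. It also treats a trailing `*` (license-checker's marker for a license it guessed from the README rather than read from package metadata) as needing review.

```python
import re

# Constructed sample (not real audit output), shaped like the object that
# `npx license-checker --json` prints: "name@version" -> {"licenses": ...}.
LICENSE_CHECKER_JSON = {
    "lodash@4.17.21": {"licenses": "MIT"},
    "gpl-package@1.0.0": {"licenses": "GPL-3.0"},
    "agpl-db@2.1.0": {"licenses": "AGPL-3.0-only"},
    "mystery@0.3.0": {"licenses": "UNKNOWN"},
    "dual@1.2.0": {"licenses": "(MIT OR Apache-2.0)"},
    "private-fork@0.0.1": {"licenses": "UNLICENSED"},
    "lgpl-lib@3.0.0": {"licenses": "LGPL-2.1"},
    "guessed@1.0.0": {"licenses": "MIT*"},
}

# Project licenses under which pulling in GPL code is a copyleft conflict
PERMISSIVE = {"MIT", "BSD-2-CLAUSE", "BSD-3-CLAUSE", "APACHE-2.0", "ISC"}
GPL_RE = re.compile(r"\bGPL")    # GPL-2.0 / GPL-3.0, but not LGPL or AGPL
AGPL_RE = re.compile(r"\bAGPL")


def license_flags(report, project_license="MIT", saas=True):
    """Return sorted [(package, license, reason)] for packages needing review."""
    flags = []
    for pkg, meta in report.items():
        lic = meta.get("licenses")
        if isinstance(lic, list):            # license-checker may emit a list
            lic = " OR ".join(lic)
        lic = (lic or "").strip()
        up = lic.upper()
        reason = None
        if not up or up in {"UNKNOWN", "UNLICENSED"}:
            reason = "unknown or unlicensed package"
        elif up.endswith("*"):
            reason = "license guessed by the tool, not declared in package metadata"
        elif " OR " in up:
            reason = "dual-licensed: choose one option and record the choice"
        elif AGPL_RE.search(up):
            reason = ("AGPL: network-use clause applies to SaaS deployments"
                      if saas else "AGPL copyleft")
        elif GPL_RE.search(up) and project_license.upper() in PERMISSIVE:
            reason = f"GPL in a {project_license} project: copyleft conflict"
        if reason:
            flags.append((pkg, lic, reason))
    return sorted(flags)


if __name__ == "__main__":
    for pkg, lic, reason in license_flags(LICENSE_CHECKER_JSON):
        print(f"{pkg}: {lic} -> {reason}")
```

LGPL is deliberately left unflagged here because dynamic linking against it is generally compatible with permissive projects; add it to the GPL rule if your policy is stricter.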
Step 6 — Risk Assessment
For each outdated dependency, evaluate:
- Severity: critical (known CVE) > high (>2 major versions behind) > medium (minor behind) > low (patch behind)
- Breaking changes: check the changelog/release notes for breaking changes between current and latest
- Usage frequency: grep for imports — a heavily-used dep is riskier to upgrade
- Test coverage: if the dep's area has good tests, the upgrade is safer
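The severity ladder above can be computed directly from the Step 2 and Step 3 output. The following is an added example, not the skill's own code: it joins an `npm outdated --json`-shaped object with the `vulnerabilities` object from `npm audit --json` and ranks each package. The version numbers for lodash, react and axios are the ones used elsewhere on this page; the remaining packages and the audit entries are constructed. The rubric does not say where a package one or two majors behind lands, so the code treats that as medium (an assumption marked in the comments).

```python
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample shaped like `npm outdated --json` (direct deps only).
NPM_OUTDATED = {
    "lodash":   {"current": "4.17.20", "wanted": "4.17.21", "latest": "4.17.21"},
    "react":    {"current": "17.0.2",  "wanted": "17.0.2",  "latest": "18.3.1"},
    "axios":    {"current": "1.6.0",   "wanted": "1.7.2",   "latest": "1.7.2"},
    "chalk":    {"current": "4.1.1",   "wanted": "4.1.2",   "latest": "4.1.2"},
    "webpack":  {"current": "2.7.0",   "wanted": "2.7.0",   "latest": "5.91.0"},
    "left-pad": {"current": "1.3.0",   "wanted": "1.3.0",   "latest": "1.3.0"},
}

# Constructed sample shaped like the `vulnerabilities` object of `npm audit --json`.
# minimist stands in for a transitive dependency that `npm outdated` does not list.
NPM_AUDIT = {"vulnerabilities": {
    "lodash":   {"severity": "high",     "fixAvailable": True},
    "minimist": {"severity": "critical", "fixAvailable": False},
}}


def parse_semver(version):
    """Return (major, minor, patch) or None when the string is not plain semver."""
    m = SEMVER_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def classify(name, current, latest, vulnerabilities):
    """Apply the rubric: known vuln > >2 majors behind > minor behind > patch behind."""
    if name in vulnerabilities:
        v = vulnerabilities[name]
        return "critical", (f"known vulnerability ({v.get('severity', '?')}, "
                            f"fix available: {v.get('fixAvailable')})")
    cur, lat = parse_semver(current), parse_semver(latest)
    if cur is None or lat is None:
        return "unknown", f"cannot parse versions {current!r} -> {latest!r}"
    if cur >= lat:
        return None, "up to date"
    major_gap = lat[0] - cur[0]
    if major_gap > 2:
        return "high", f"{major_gap} major versions behind"
    if major_gap > 0:
        # Assumption: 1-2 majors behind is not covered by the rubric; treat as medium
        return "medium", f"{major_gap} major version(s) behind"
    if lat[1] > cur[1]:
        return "medium", "minor version behind"
    return "low", "patch version behind"


def assess(outdated, audit):
    """Return rows sorted by severity then name; up-to-date packages are dropped."""
    vulns = audit.get("vulnerabilities", {})
    rows = []
    for name, info in outdated.items():
        severity, reason = classify(name, info["current"], info["latest"], vulns)
        if severity is None:
            continue
        rows.append({"package": name, "current": info["current"],
                     "latest": info["latest"], "severity": severity, "reason": reason})
    # Vulnerable packages that outdated did not list (transitive deps) still count
    for name in vulns:
        if name not in outdated:
            severity, reason = classify(name, "?", "?", vulns)
            rows.append({"package": name, "current": "?", "latest": "?",
                         "severity": severity, "reason": reason + " (transitive)"})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], r["package"]))
    return rows


if __name__ == "__main__":
    for r in assess(NPM_OUTDATED, NPM_AUDIT):
        print(f"{r['severity']:8} {r['package']:10} {r['current']} -> {r['latest']}: {r['reason']}")
```

The usage-frequency and test-coverage factors from the list are not in the data these commands emit; feed a grep count per package into the row if you want them in the same table.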
Output Template
# Dependency Health Report
Project: [name]
Scanned: [date]
Ecosystems: Node.js, Python, etc.
Summary
- Total dependencies: X
- Outdated: X (Y critical, Z major behind)
- Vulnerabilities: X (Y critical, Z high)
- Unused: X (safe to remove)
- License issues: X
Critical (fix now)
| Package | Current | Latest | Issue | Risk |
|---|---|---|---|---|
| lodash | 4.17.20 | 4.17.21 | CVE-2021-23337 (prototype pollution) | High — used in 47 files |
Recommended Upgrades (this sprint)
| Package | Current | Latest | Breaking Changes | Effort |
|---|---|---|---|---|
| react | 17.0.2 | 18.3.1 | Yes — concurrent mode, new root API | 2-4 hours |
Safe Quick Wins (patch updates)
Packages that can be bumped with minimal risk:
axios: 1.6.0 → 1.7.2 (bug fixes only)
dotenv: 16.3.1 → 16.4.5 (no breaking changes)
Unused (remove)
moment — imported nowhere, replaced by date-fns
@types/express — no Express code found
License Flags
gpl-package@1.0: GPL-3.0 in MIT project — review compatibility
Upgrade Workflow
After the audit:
- Fix critical vulnerabilities first (`npm aud