Dependency Auditor

156 installs168 stars

Summary

This walks you through the full dependency maintenance workflow: running npm audit for vulnerabilities, finding outdated packages with npm-check-updates, detecting unused deps with depcheck, and analyzing bundle size impact. It's got good defensive advice too, like which packages depcheck wrongly flags as unused (TypeScript types, ESLint plugins, config-referenced tools). The conservative versus aggressive update strategies are practical, and the lock file reminders are the kind of thing everyone forgets until CI breaks. If you maintain any JavaScript project and currently just run npm install when things break, this gives you a proper checklist to stay ahead of security issues and bloat.

Install to Claude Code

npx -y skills add onewave-ai/claude-skills --skill dependency-auditor --agent claude-code

Installs into .claude/skills of the current project.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Files

SKILL.mdView on GitHub

Dependency Auditor

Instructions

When auditing dependencies:

Run security audit
Check for outdated packages
Find unused dependencies
Analyze bundle size impact
Review and update

Security Audit

# NPM audit
npm audit

# Get JSON output for processing
npm audit --json

# Fix automatically (safe fixes only)
npm audit fix

# Force fix (may have breaking changes)
npm audit fix --force

# PNPM
pnpm audit

# Yarn
yarn audit

Check Outdated Packages

# NPM
npm outdated

# Interactive update
npx npm-check-updates -i

# Update all to latest
npx npm-check-updates -u
npm install

# Check specific package
npm view <package> versions

Find Unused Dependencies

# Using depcheck
npx depcheck

# With details
npx depcheck --detailed

# Ignore patterns
npx depcheck --ignores="@types/*,eslint-*"

Common False Positives

Depcheck may flag these as unused when they're actually needed:

@types/* packages (used by TypeScript)
ESLint/Prettier plugins (referenced in config)
PostCSS plugins (referenced in config)
Next.js plugins
Babel presets

Analyze Bundle Size

# For Next.js
npx @next/bundle-analyzer

# General purpose
npx source-map-explorer dist/**/*.js

# Check package size before installing
npx package-phobia <package-name>

# Compare alternatives
npx bundlephobia-cli compare lodash ramda

Dependency Review Checklist

Security

No critical/high vulnerabilities
Dependencies actively maintained
No known malicious packages
Lock file committed

Freshness

No major version behind (unless intentional)
Security patches applied
Deprecated packages replaced

Cleanliness

No unused dependencies
No duplicate packages (check lock file)
devDependencies vs dependencies correct

Update Strategies

Conservative (Recommended)

# Update patch versions only
npm update

# Update specific package
npm install package@latest

Aggressive

# Update everything
npx npm-check-updates -u
npm install
npm test

Interactive

npx npm-check-updates -i

# Options:
# a - update all
# space - toggle selection
# enter - apply selected

Package.json Cleanup

{
  "dependencies": {
    // Runtime dependencies only
  },
  "devDependencies": {
    // Build/test tools only
  },
  "peerDependencies": {
    // For libraries only
  },
  "optionalDependencies": {
    // Platform-specific (rare)
  }
}

Lock File Best Practices

Always commit lock files (package-lock.json, pnpm-lock.yaml, yarn.lock)
Use npm ci in CI/CD (not npm install)
Regenerate if corrupted: delete lock file + node_modules, reinstall
Single lock file per project (don't mix package managers)

Automated Monitoring

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        dependency-type: "development"

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.