Dependency Audit Prompt (Claude)

Dependency audits done quarterly catch security issues before they become incidents. This prompt goes beyond vulnerability scanning to include abandoned packages (no maintainer means no future patches), license compliance (legal risk), and functional duplication (maintenance burden). The prioritised upgrade plan makes the audit immediately actionable. This variant is formatted for Claude: optimised for Claude 3.5 Sonnet and Claude 3 Opus, and using XML tags for structured input and output.

Prompt Template
<role>You are an expert AI assistant with deep knowledge in this domain.</role>

<task>
You are a security engineer specialising in software supply chain security.

Perform a comprehensive dependency audit for the following project:

Package manager: {{package_manager}}
Language/Runtime: {{runtime}}
Project type: {{project_type}}

Dependency list:
{{dependencies}}

Audit for:
1. **Known CVEs** — list packages with known vulnerabilities, CVE IDs, and severity
2. **Outdated packages** — packages where major or minor updates are available
3. **Abandoned packages** — packages with no releases in 2+ years or archived repos
4. **Over-privileged packages** — packages requesting more system access than expected
5. **License compliance** — flag any GPL or restrictive licenses in a commercial project
6. **Duplicate functionality** — packages that duplicate built-in language features

Output format:
- Severity table (critical/high/medium/low) with CVE links
- Prioritised upgrade plan: critical security fixes first, then high, then maintenance
- Packages safe to remove entirely
- Recommended replacements for abandoned packages
</task>

<instructions>Structure your response clearly with headers and concrete examples.</instructions>

Variables

| Variable | Description |
| --- | --- |
| {{package_manager}} | npm, pip, Maven, Cargo, Go modules, Composer, etc. |
| {{runtime}} | Language and version, e.g., "Node.js 20", "Python 3.12" |
| {{project_type}} | Type of project, e.g., "public-facing web app", "internal CLI", "npm library" |
| {{dependencies}} | Full dependency list with versions from package.json, requirements.txt, go.mod, etc. |

Example

Input
package_manager: npm
runtime: Node.js 20
project_type: public-facing web app
dependencies:
"lodash": "4.17.15",
"axios": "0.21.1",
"express": "4.18.2",
"jsonwebtoken": "8.5.1",
"bcrypt": "5.1.0",
"moment": "2.29.4"

Output
**Critical**
- jsonwebtoken@8.5.1 — CVE-2022-23529 (RCE via key injection). Fix: upgrade to 9.0.0

**High**
- axios@0.21.1 — CVE-2021-3749 (SSRF via redirect). Fix: upgrade to 1.x

**Maintenance**
- moment@2.29.4 — Project is in maintenance-only mode. Replacement: date-fns or Day.js (smaller bundle, actively maintained)
- lodash@4.17.15 — Most usage can be replaced with native ES2023 methods (Array.at, Object.fromEntries)

**Upgrade Plan:**
1. Week 1: jsonwebtoken 9.0.0 (breaking: update algorithm config)
2. Week 1: axios 1.6.x
3. Week 2: Replace moment with date-fns

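As an added example (not code from the page or from any tool it names), the following Node.js script is a minimal offline version of the checks the prompt asks for (known advisories, outdated, abandoned, license), run over the example input above. The registry metadata, the audit date and the two-year abandonment threshold are constructed assumptions; only the CVE ids and fix versions are taken from the example output.

```javascript
// Added example, not from the original page: a minimal offline version of the checks the prompt
// asks for (known advisories, outdated, abandoned, license), run over the page's example deps.
const AUDIT_DATE = new Date("2024-06-01"); // constructed "today" so results are deterministic
const parseVersion = (v) => v.split(".").map(Number); // major.minor.patch only

// Returns -1, 0 or 1 comparing version strings a and b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// deps: { name: installedVersion }. metadata: per package { latest, lastRelease, license,
// advisories: [{ id, severity, fixedIn }] }, applying while installed < fixedIn. Sorted critical -> low.
function auditDependencies(deps, metadata, { commercial = true, abandonedYears = 2 } = {}) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const m = metadata[name];
    if (!m) { findings.push({ name, severity: "medium", issue: "no registry metadata" }); continue; }
    for (const adv of m.advisories) {
      if (compareVersions(version, adv.fixedIn) < 0)
        findings.push({ name, severity: adv.severity, issue: `${adv.id}; fix: upgrade to ${adv.fixedIn}` });
    }
    const [curMaj, curMin] = parseVersion(version), [latMaj, latMin] = parseVersion(m.latest);
    if (latMaj > curMaj) findings.push({ name, severity: "medium", issue: `major update available (${m.latest})` });
    else if (latMin > curMin) findings.push({ name, severity: "low", issue: `minor update available (${m.latest})` });
    const years = (AUDIT_DATE - new Date(m.lastRelease)) / (365.25 * 24 * 3600 * 1000);
    if (years >= abandonedYears) findings.push({ name, severity: "medium", issue: `no release in ${years.toFixed(1)} years` });
    if (commercial && /GPL/.test(m.license)) findings.push({ name, severity: "high", issue: `${m.license} license in commercial project` });
  }
  const rank = { critical: 0, high: 1, medium: 2, low: 3 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}
// The page's example input. Metadata is CONSTRUCTED for illustration (release dates, licences,
// latest versions); only the CVE ids and fix versions come from the page's example output.
const exampleDeps = { lodash: "4.17.15", axios: "0.21.1", express: "4.18.2",
                      jsonwebtoken: "8.5.1", bcrypt: "5.1.0", moment: "2.29.4" };
const exampleMetadata = {
  lodash:       { latest: "4.17.21", lastRelease: "2023-02-20", license: "MIT", advisories: [] },
  axios:        { latest: "1.6.0", lastRelease: "2024-05-01", license: "MIT", advisories: [{ id: "CVE-2021-3749", severity: "high", fixedIn: "1.0.0" }] },
  express:      { latest: "4.18.2", lastRelease: "2024-05-01", license: "MIT", advisories: [] },
  jsonwebtoken: { latest: "9.0.0", lastRelease: "2024-05-01", license: "MIT", advisories: [{ id: "CVE-2022-23529", severity: "critical", fixedIn: "9.0.0" }] },
  bcrypt:       { latest: "5.1.0", lastRelease: "2024-05-01", license: "MIT", advisories: [] },
  moment:       { latest: "2.29.4", lastRelease: "2022-05-01", license: "MIT", advisories: [] },
};
const findings = auditDependencies(exampleDeps, exampleMetadata);
findings.forEach((f) => console.log(`[${f.severity}] ${f.name}: ${f.issue}`));
```

A real audit would pull `latest`, `lastRelease` and `license` from the registry and advisories from a vulnerability database; the remaining prompt items (over-privileged packages, duplicate functionality) need code review rather than metadata checks.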
FAQ

How often should I audit dependencies?
At minimum, run automated tools (Dependabot, Renovate, npm audit) on every PR and a manual review quarterly. For security-critical projects handling PII or payments, monthly manual reviews are advisable.
What should I do with transitive (indirect) vulnerabilities?
For npm: check if the vulnerable version is resolvable with npm overrides. For pip: add the fixed version as a direct dependency. For both: open an issue with the direct dependency author if there is no fix available.
How do I evaluate whether a replacement package is trustworthy?
Check: GitHub stars trend (not just total), contributor count (bus factor), recent commit activity, npm weekly downloads trend, and whether large projects use it. A package with 1M downloads/week and active maintenance is lower risk than one with 10M downloads that has been unmaintained for a year.