Dependency Audit Prompt
Dependency audits done quarterly catch security issues before they become incidents. This prompt goes beyond vulnerability scanning to include abandoned packages (no maintainer = no future patches), license compliance (legal risk), and functional duplication (maintenance burden). The prioritised upgrade plan makes the audit immediately actionable.
Prompt Template
You are a security engineer specialising in software supply chain security.
Perform a comprehensive dependency audit for the following project:
Package manager: {{package_manager}}
Language/Runtime: {{runtime}}
Project type: {{project_type}}
Dependency list:
{{dependencies}}
Audit for:
1. **Known CVEs** — list packages with known vulnerabilities, CVE IDs, and severity
2. **Outdated packages** — packages where major or minor updates are available
3. **Abandoned packages** — packages with no releases in 2+ years or archived repos
4. **Over-privileged packages** — packages requesting more system access than expected
5. **License compliance** — flag any GPL or restrictive licenses in a commercial project
6. **Duplicate functionality** — packages that duplicate built-in language features
Output format:
- Severity table (critical/high/medium/low) with CVE links
- Prioritised upgrade plan: critical security fixes first, then high, then maintenance
- Packages safe to remove entirely
- Recommended replacements for abandoned packages

Variables

| Variable | Description |
| --- | --- |
| {{package_manager}} | npm, pip, Maven, Cargo, Go modules, Composer, etc. |
| {{runtime}} | Language and version, e.g., "Node.js 20", "Python 3.12" |
| {{project_type}} | Type of project, e.g., "public-facing web app", "internal CLI", "npm library" |
| {{dependencies}} | Full dependency list with versions from package.json, requirements.txt, go.mod, etc. |

Example
Input
package_manager: npm
runtime: Node.js 20
project_type: public-facing web app
dependencies:
  "lodash": "4.17.15",
  "axios": "0.21.1",
  "express": "4.18.2",
  "jsonwebtoken": "8.5.1",
  "bcrypt": "5.1.0",
  "moment": "2.29.4"
Output
**Critical**
- jsonwebtoken@8.5.1 — CVE-2022-23529 (RCE via key injection). Fix: upgrade to 9.0.0

**High**
- axios@0.21.1 — CVE-2021-3749 (SSRF via redirect). Fix: upgrade to 1.x

**Maintenance**
- moment@2.29.4 — Project is in maintenance-only mode. Replacement: date-fns or Day.js (smaller bundle, actively maintained)
- lodash@4.17.15 — Most usage can be replaced with native ES2023 methods (Array.at, Object.fromEntries)

**Upgrade Plan:**
1. Week 1: jsonwebtoken 9.0.0 (breaking: update algorithm config)
2. Week 1: axios 1.6.x
3. Week 2: Replace moment with date-fns
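The mechanical part of this audit run over the example input above, as an added JavaScript example that is not part of the original page: it applies checks 1, 3, 5 and 6 from the prompt to a package.json-style dependency map and emits the prioritised plan. Only the CVE ids and fix versions come from the example output (the "upgrade to 1.x" advice for axios is taken as 1.0.0); the METADATA table, release dates, licenses, the `builtin` and `archived` fields and the audit date are constructed for illustration, where a real run would pull them from an advisory database and the registry.

```javascript
// Severity ranking used for the prioritised plan (maintenance items last).
const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, maintenance: 4 };
// CONSTRUCTED metadata for the example input: advisory ids and fixed versions
// are the ones the page cites; release dates and licenses are illustrative.
const METADATA = {
  jsonwebtoken: { license: 'MIT', lastRelease: '2023-01-15',
    advisories: [{ id: 'CVE-2022-23529', severity: 'critical', fixedIn: '9.0.0' }] },
  axios: { license: 'MIT', lastRelease: '2024-01-20',
    advisories: [{ id: 'CVE-2021-3749', severity: 'high', fixedIn: '1.0.0' }] },
  express: { license: 'MIT', lastRelease: '2023-10-08', advisories: [] },
  bcrypt: { license: 'MIT', lastRelease: '2023-03-01', advisories: [] },
  moment: { license: 'MIT', lastRelease: '2022-04-01', advisories: [] },
  lodash: { license: 'MIT', lastRelease: '2023-05-01', advisories: [],
    builtin: 'native ES2023 Array/Object methods' },
};
// Minimal major.minor.patch comparison; strips ^ and ~ range prefixes.
function compareVersions(a, b) {
  const pa = a.replace(/^[\^~]/, '').split('.').map(Number);
  const pb = b.replace(/^[\^~]/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
const yearsBetween = (from, to) => (Date.parse(to) - Date.parse(from)) / (365.25 * 86400e3);

// Checks 1, 3, 5 and 6 from the prompt; returns findings sorted by severity.
function auditDependencies(deps, meta, { commercial, auditDate }) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const m = meta[name];
    if (!m) { findings.push({ name, version, severity: 'medium', issue: 'no metadata, review manually' }); continue; }
    for (const adv of m.advisories) if (compareVersions(version, adv.fixedIn) < 0)
      findings.push({ name, version, severity: adv.severity, issue: adv.id, fix: `upgrade to ${adv.fixedIn}` });
    if (m.archived || yearsBetween(m.lastRelease, auditDate) >= 2)
      findings.push({ name, version, severity: 'maintenance', issue: 'archived or no release in 2+ years', fix: 'replace with a maintained package' });
    if (commercial && /GPL/.test(m.license)) // assumption: any GPL-family license is flagged in a commercial project
      findings.push({ name, version, severity: 'high', issue: `license ${m.license}`, fix: 'replace or get legal sign-off' });
    if (m.builtin)
      findings.push({ name, version, severity: 'maintenance', issue: `duplicates ${m.builtin}`, fix: 'remove after migrating call sites' });
  }
  return findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
}
// Prioritised plan: critical security fixes first, then high, then maintenance.
function upgradePlan(findings) {
  return findings.filter(f => f.fix).map((f, i) => `${i + 1}. ${f.name}@${f.version}: ${f.fix} (${f.severity}: ${f.issue})`);
}
const EXAMPLE_DEPS = { lodash: '4.17.15', axios: '0.21.1', express: '4.18.2',
  jsonwebtoken: '8.5.1', bcrypt: '5.1.0', moment: '2.29.4' };
const FINDINGS = auditDependencies(EXAMPLE_DEPS, METADATA, { commercial: true, auditDate: '2024-06-01' });
console.log(upgradePlan(FINDINGS).join('\n'));
```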
FAQ

**How often should I audit dependencies?**
At minimum, run automated tools (Dependabot, Renovate, npm audit) on every PR and do a manual review quarterly. For security-critical projects handling PII or payments, monthly manual reviews are advisable.

**What should I do with transitive (indirect) vulnerabilities?**
For npm: check whether the fixed version can be forced with npm overrides. For pip: add the fixed version as a direct dependency. For both: open an issue with the direct dependency's author if there is no fix available.

**How do I evaluate whether a replacement package is trustworthy?**
Check: GitHub stars trend (not just total), contributor count (bus factor), recent commit activity, npm weekly downloads trend, and whether large projects use it. A package with 1M downloads/week and active maintenance is lower risk than one with 10M downloads that has been unmaintained for a year.