Dependency Vulnerability Check Prompt

Dependency audits are most valuable when they prioritise by actual impact rather than just CVE score. This prompt asks for the full attack chain (impact on your specific application type) and a breaking-changes note for each upgrade, which is what developers actually need to plan the remediation work. The abandoned package and typosquatting checks catch supply chain risks that automated scanners often miss.

Prompt Template
You are a security engineer specialising in supply chain security.

Audit the following dependency list for known security vulnerabilities and supply chain risks.

Package manager: {{package_manager}}
Application type: {{app_type}}

Dependencies:
{{dependencies}}

For each vulnerable dependency, provide:
- **Package**: name and current version
- **CVE / Advisory**: identifier and severity
- **Impact**: what an attacker can do if exploiting this vulnerability
- **Fixed version**: the minimum safe version to upgrade to
- **Breaking changes**: any known breaking changes in the upgrade path

Also flag:
- Packages that have been abandoned (no updates in 2+ years)
- Packages with unusually broad permissions or access patterns
- Any packages with typosquatting risk (names very similar to popular packages)

End with a prioritised upgrade plan: critical first, then high, then medium.

Variables

| Variable | Description |
| --- | --- |
| {{package_manager}} | npm, pip, Maven, Cargo, Go modules, etc. |
| {{app_type}} | Type of application, e.g., "public-facing web API", "internal CLI tool" |
| {{dependencies}} | List of packages with versions, e.g., from package.json or requirements.txt |

Example

Input
package_manager: npm
app_type: public-facing web API
dependencies:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Output
**[email protected] — CVE-2021-3749 [High]**
Impact: SSRF via malicious redirect following. Attacker can scan internal network resources.
Fixed version: 0.21.2 or upgrade to 1.x
Breaking changes: 1.x has minor API changes to default headers.

**[email protected] — CVE-2022-23529 [High]**
Impact: Remote code execution via crafted JWT key. Affects secret key handling.
Fixed version: 9.0.0
Breaking changes: Algorithm default changed; specify algorithms explicitly.

**Prioritised upgrade plan:**
1. Critical: none
2. High: jsonwebtoken (RCE risk), axios (SSRF risk)
3. Medium: review lodash usage for prototype pollution patterns
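The abandoned-package and typosquatting checks the template asks for can be pre-computed locally and pasted in alongside the dependency list. The script below is an added example, not part of the original prompt page; the package.json block, the registry publish dates, and the list of "popular" names are all constructed so it runs offline (a real run would fetch publish dates from the registry).

```python
import json
from datetime import date

# Constructed sample package.json: axios, jsonwebtoken and lodash are the
# packages from the example above; "lodahs" and "old-md5-helper" are made-up
# names added to exercise the typosquat and abandonment checks.
PACKAGE_JSON = """{
  "dependencies": {
    "axios": "0.21.1", "jsonwebtoken": "8.5.1", "lodash": "4.17.21",
    "lodahs": "1.0.0", "old-md5-helper": "0.3.2"
  }
}"""

# Constructed registry metadata: date of each package's latest publish.
LAST_PUBLISHED = {
    "axios": "2024-08-01", "jsonwebtoken": "2024-05-01", "lodash": "2024-03-01",
    "lodahs": "2023-06-01", "old-md5-helper": "2019-11-15",
}

# Constructed list of well-known names to compare against for typosquatting.
POPULAR = {"axios", "jsonwebtoken", "lodash", "express", "react"}


def levenshtein(a, b):
    """Plain edit distance; a transposition such as lodash -> lodahs scores 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(package_json, last_published, popular, today_iso, years=2, max_dist=2):
    """Return the two supply-chain flags the template asks for."""
    today = date.fromisoformat(today_iso)
    deps = json.loads(package_json).get("dependencies", {})
    abandoned, typosquats = [], []
    for name in deps:
        published = date.fromisoformat(last_published[name])
        if (today - published).days > 365 * years:   # no release in 2+ years
            abandoned.append(name)
        if name not in popular:                       # exact matches are fine
            for known in popular:
                if levenshtein(name, known) <= max_dist:
                    typosquats.append((name, known))
    return {"abandoned": abandoned, "typosquats": typosquats}


if __name__ == "__main__":
    print(audit(PACKAGE_JSON, LAST_PUBLISHED, POPULAR, "2025-01-01"))
```

Treat the output as candidates for the prompt to explain, not as verdicts: a small edit distance to a popular name is a signal to check the package's origin, not proof of malice.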

FAQ

Is AI more reliable than npm audit or Snyk for vulnerability detection?
No. npm audit, Snyk, and Dependabot query up-to-date CVE databases. AI knowledge has a training cutoff and may miss recent vulnerabilities. Use this prompt to understand and prioritise findings from automated tools, not as a replacement for them.
Can this prompt audit lock files (package-lock.json) for transitive dependencies?
Yes. Paste the relevant section of your lock file and specify "include transitive dependencies" in the prompt. AI handles this reasonably well for moderate-size lock files but may miss vulnerabilities in deeply nested transitive dependencies.
How do I keep this updated as new CVEs are discovered?
Set up Dependabot or Renovate for automated dependency updates. Use this prompt to help evaluate whether a Dependabot PR is safe to merge by pasting the changelog of the updated package.