Dependency Audit Skill: Unused, Stale, Vulnerable
The standard "npm audit" output is 200 lines of "this CVE is in a dev dep that runs at build time only" noise. Useful, eventually, after an hour of reading. This skill collapses the noise into three actionable lists with a recommended action per entry.
An installable dependency-audit skill. Three lists from one pass — unused (grep every import), stale (run the project's outdated tool), and vulnerable (the project's audit tool) — each with a concrete next action.
What It Does
- Unused — greps every import for every declared dep, flags zero-hit packages
- Stale — runs the project's outdated tool, separates safe minor bumps from major-version review-needed
- Vulnerable — runs the project's audit tool, only flags when the affected API is actually reachable
- Multi-language — Node, Python, Rust, Go all handled
Install in 30 Seconds
Pick your tool above and download:
- Claude Code:
~/.claude/skills/dependency-audit/SKILL.md - OpenAI Codex CLI: append to
AGENTS.md - Cursor: append to
.cursorrules
Run quarterly, or after a security advisory lands.
Why Action Lists Beat Audit Walls
A long unfiltered audit output is read once, ignored, and added to the "I'll get to it" pile. An action list — "remove these 4 unused, bump these 6 patches safely, review this one major bump before upgrading" — gets done in a single afternoon. This skill is the differential between those two outcomes.
Install once, keep your deps lean and current.