DevOps & Security
Dependency CVE Auditor
Audits project dependencies against NVD and the GitHub Advisory Database, producing a CVE report ranked by CVSS score with patch guidance. Useful for catching known vulnerabilities before they reach production.

Backend and full-stack engineers responsible for their own dependency health, security engineers preparing for SOC 2 or enterprise vendor reviews, and indie builders who cannot staff a dedicated AppSec role.

From npm supply-chain incidents to Python package typosquatting to the widespread Log4Shell fallout. New advisories land weekly. Manually auditing dependencies is tedious and inconsistent, and tools like `npm audit` or `pip-audit` produce raw output that is hard to triage without context. Teams miss upgrades because the prioritization story is flat: a medium CVE in a critical package often matters more than a critical CVE in a dev dependency, but raw audit output does not communicate that.
One-Time Purchase
$19.99
Dependency CVE Audit — package.json (Node 20)
Manifest: package.json · Lockfile: package-lock.json v3 · Packages scanned: 214 (38 direct, 176 transitive)
Verdict
Three criticals — two on the CISA Known Exploited Vulnerabilities list. next and fastify (via transitive find-my-way) both have actively exploited advisories with patches available today. cross-spawn adds a third critical but is dev-only. Five production-affecting fixes can ship as one PR; two findings have no upstream patch and need application-side mitigation.
CVE severity breakdown
CVE Table
| CVE | Package | CVSS | KEV | Installed | Fixed in | Direct? | Env |
|---|---|---|---|---|---|---|---|
| CVE-2025-29927 | next | 9.1 | Yes | 14.2.10 | 14.2.25 | direct | prod |
| CVE-2024-45813 | find-my-way | 9.0 | Yes | 8.1.0 | 8.2.2 (via fastify 4.28.1) | transitive | prod |
| CVE-2024-21538 | cross-spawn | 9.8 | No | 7.0.3 | 7.0.5 (override) | transitive | dev |
| CVE-2025-27789 | axios | 7.3 | No | 1.6.8 | 1.7.9 | direct | prod |
| CVE-2024-55565 | nanoid | 7.5 | No | 3.3.6 | 3.3.8 (override) | transitive | dev |
| CVE-2024-52798 | path-to-regexp | 5.3 | No | 0.1.10 | None for 0.1.x | transitive | prod |
| CVE-2025-30208 | vite | 4.3 | No | 5.4.2 | 6.2.4 (major bump) | direct | dev |
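As an added example (not part of the skill or of this sample output), the ranking logic behind a table like the one above, in Node.js: findings are tiered by production exposure and KEV status before CVSS is consulted, so a high CVE in a production package outranks a critical CVE in a dev-only tool, which is the prioritization the report argues for. The record shape (`cve`, `pkg`, `cvss`, `kev`, `direct`, `env`, `fixedIn`) is an assumption, and the rows are constructed from the sample table rather than read from any real audit tool.

```javascript
// Added example: rank normalized CVE findings the way the report above does.
// The rows are constructed from the sample table on this page; the record
// shape is an assumption, not the output of npm audit or any other tool.
const findings = [
  { cve: "CVE-2025-29927", pkg: "next", cvss: 9.1, kev: true, direct: true, env: "prod", fixedIn: "14.2.25" },
  { cve: "CVE-2024-45813", pkg: "find-my-way", cvss: 9.0, kev: true, direct: false, env: "prod", fixedIn: "8.2.2" },
  { cve: "CVE-2024-21538", pkg: "cross-spawn", cvss: 9.8, kev: false, direct: false, env: "dev", fixedIn: "7.0.5" },
  { cve: "CVE-2025-27789", pkg: "axios", cvss: 7.3, kev: false, direct: true, env: "prod", fixedIn: "1.7.9" },
  { cve: "CVE-2024-55565", pkg: "nanoid", cvss: 7.5, kev: false, direct: false, env: "dev", fixedIn: "3.3.8" },
  { cve: "CVE-2024-52798", pkg: "path-to-regexp", cvss: 5.3, kev: false, direct: false, env: "prod", fixedIn: null },
  { cve: "CVE-2025-30208", pkg: "vite", cvss: 4.3, kev: false, direct: true, env: "dev", fixedIn: "6.2.4" },
];

// Tier 0: actively exploited (CISA KEV) and reachable in production.
// Tier 1: any other production exposure. Tier 2: dev-only tooling.
function tierOf(f) {
  if (f.env === "prod" && f.kev) return 0;
  if (f.env === "prod") return 1;
  return 2;
}

// CVSS v3 score to its standard qualitative band.
function band(cvss) {
  if (cvss >= 9.0) return "critical";
  if (cvss >= 7.0) return "high";
  if (cvss >= 4.0) return "medium";
  if (cvss > 0) return "low";
  return "none";
}

// Sort by tier, then CVSS descending, then direct before transitive
// (a direct bump is a one-line change; a transitive one may need an override).
function rank(list) {
  return [...list].sort(
    (a, b) => tierOf(a) - tierOf(b) || b.cvss - a.cvss || Number(b.direct) - Number(a.direct),
  );
}

// Split the ranked list into "patch in one PR" and "no upstream fix, mitigate in the app".
function plan(list) {
  const ranked = rank(list);
  return {
    patchNow: ranked.filter((f) => f.fixedIn !== null).map((f) => f.pkg),
    mitigate: ranked.filter((f) => f.fixedIn === null).map((f) => f.pkg),
  };
}

// One line per finding, in priority order.
function report(list) {
  return rank(list).map(
    (f) =>
      `T${tierOf(f)} ${f.cve} ${f.pkg} ${f.cvss} (${band(f.cvss)})${f.kev ? " KEV" : ""}` +
      ` ${f.env} ${f.direct ? "direct" : "transitive"} -> ${f.fixedIn ?? "no patch: mitigate"}`,
  );
}

console.log(report(findings).join("\n"));
```

Running it puts axios (7.3, production) ahead of cross-spawn (9.8, dev-only), and isolates path-to-regexp as the one finding with no version to bump to.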
Upgrade Path
Patchable in one PR
package.json additions:

```json
"overrides": {
  "cross-spawn": "^7.0.5",
  "nanoid": "^3.3.8"
}
```
Blocking Deps — No Patch Available
path-to-regexp 0.1.x — no patch
CVE-2024-52798 / CVSS 5.3. ReDoS via backtracking on named-parameter patterns. The 0.1.x line is end-of-life; Express 4.x is pinned to it. Mitigation: validate and length-cap incoming route strings at the application boundary, rate-limit route-heavy endpoints, and watch for an Express 4.x patch release. Do not force-override to path-to-regexp@6.x — the API is incompatible with Express internals.
vite 5.x — patch only on 6.x
CVE-2025-30208 / CVSS 4.3. Arbitrary file read via /@fs/ URL. Only reachable when the dev server is exposed to untrusted networks. Mitigation: confirm server.host: false in vite.config.ts (binds to localhost), and do not forward the Vite dev port in CI or shared staging. A Vite 6 upgrade is a separate workstream — handle outside this security patch cycle.
Ready-to-Submit PR Body
## chore(deps): patch critical and high CVEs
### Changes
- next 14.2.10 -> 14.2.25 (CVE-2025-29927, CVSS 9.1, CISA KEV)
- fastify 4.27.0 -> 4.28.1 (CVE-2024-45813, CVSS 9.0, CISA KEV — via find-my-way)
- axios 1.6.8 -> 1.7.9 (CVE-2025-27789, CVSS 7.3)
- overrides.cross-spawn ^7.0.5 (CVE-2024-21538, CVSS 9.8 — dev-only)
- overrides.nanoid ^3.3.8 (CVE-2024-55565, CVSS 7.5 — dev-only)
### Verify
- [ ] `npm ls find-my-way` resolves 8.2.2
- [ ] `npm ls cross-spawn` resolves 7.0.5
- [ ] unit + e2e green
- [ ] no `reply.sent` deprecation regressions in fastify tests
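The two `npm ls` items above are there because an override only helps if every copy of the package in the tree picked it up; a transitive dependency can resolve to more than one version at once. As an added example (not part of the skill), a Node.js check that walks a tree shaped like `npm ls --json --all` output and reports every copy of a package still below the fixed version. The tree is constructed for the example, `some-plugin` is a hypothetical package, and the nested `dependencies`/`version` shape is an assumption about the `npm ls` JSON format.

```javascript
// Added example: confirm a fix landed at every point in the dependency tree.
// The tree is constructed to resemble `npm ls --json --all` output
// (nested `dependencies` maps with a `version` per node); it is not a real snapshot.
const sampleTree = {
  name: "sample-app",
  version: "1.0.0",
  dependencies: {
    fastify: {
      version: "4.28.1",
      dependencies: {
        "find-my-way": { version: "8.2.2" },
      },
    },
    // Hypothetical package that still drags in an older copy.
    "some-plugin": {
      version: "2.0.0",
      dependencies: {
        "find-my-way": { version: "8.1.0" },
      },
    },
  },
};

// Collect every (path, version) at which `name` resolves anywhere in the tree.
function resolvedVersions(tree, name, path = []) {
  const hits = [];
  for (const [dep, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...path, dep];
    if (dep === name && node.version) {
      hits.push({ path: here.join(" > "), version: node.version });
    }
    hits.push(...resolvedVersions(node, name, here));
  }
  return hits;
}

// Minimal major.minor.patch comparison. Pre-release suffixes are dropped, so
// "8.2.2-rc.1" compares equal to "8.2.2"; fine for the release versions npm ls prints.
function semverGte(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Copies of `name` that are still below `fixedIn`. Empty means the fix is everywhere.
function unpatchedCopies(tree, name, fixedIn) {
  return resolvedVersions(tree, name).filter((h) => !semverGte(h.version, fixedIn));
}

console.log(unpatchedCopies(sampleTree, "find-my-way", "8.2.2"));
```

Against the constructed tree the check reports the copy under `some-plugin` as still at 8.1.0, which is exactly the case a plain `npm ls find-my-way` eyeball check tends to miss when the first line looks right. For a `package.json` override this is the verification that it actually applied; an override that does not match the dependency's declared range is silently ignored by npm, so the tree, not the manifest, is the thing to trust.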
Before / After Summary
| Area | Before | After |
|---|---|---|
| CISA KEV exposures | 2 in production | 0 |
| Critical CVEs (prod) | 2 | 0 |
| High CVEs (prod) | 1 (axios) | 0 |
| No-patch CVEs | 2 | 2 (app-side mitigation) |
| Calendar effort | — | ~1 day incl. test pass |
Audit reflects the manifest and lockfile snapshot only. Re-run after any npm install that changes the lockfile, and again the next time the advisory feeds refresh.
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in Security Scanning
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Engineers responsible for their own dependency health on Node, Python, Ruby, or Go projects with 50–500 direct dependencies, and security leads preparing CVE evidence for SOC 2 or enterprise vendor reviews. Most useful when the team will actually act on the prioritized findings — patch the critical CVE in the runtime dependency before the medium CVE in the dev tool.
Not ideal for
Compiled vendored binaries or proprietary internal libraries with no public advisory database to check against. Also a poor fit as a substitute for a proper supply-chain security program at scale (SBOMs, signed releases, build provenance) when the company is past 50 engineers.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.