feat(development-productivity): add audit-dependencies skill #459
🤖 Claude Code Review
📋 Review verdict: REQUEST_CHANGES
👆 The main review comment above is the source of truth for this PR review. It is automatically updated on each review cycle, so always refer to it for the most current feedback.
This formal review submission is for the verdict only.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 827cb4ccd3
| # npm — also update within semver range | ||
| npm update 2>/dev/null |
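Review bot: `npm update 2>/dev/null` runs unconditionally in the `--fix` path, but the skill documents `--fix` as patch-only unless `--minor` is set; since `npm update` installs the highest version that satisfies the declared range (a caret range can move to a new minor release), this line belongs behind the `--minor` flag, for example `if [ "$MINOR" = 1 ]; then npm update; fi`. The `2>/dev/null` also discards any error from the update, so a failed or partial remediation would go unreported; pass stderr through or capture it and surface the failure.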
Honor patch-only mode when applying npm fixes
The --fix option is documented as patch-only unless --minor is set, but Step 5 unconditionally includes npm update. npm's own update behavior is to install the highest version that satisfies the declared semver range (for example, caret ranges can move to newer minor releases), so this workflow can apply minor upgrades even when --minor was not requested. That breaks the promised safety boundary and can introduce unintended runtime changes during a supposedly patch-only remediation.
Fixed. Step 5 now distinguishes between patch-only and minor modes. When --fix is used without --minor, only npm audit fix is run (which is restricted to patch-level fixes by npm). npm update is now gated behind the --minor flag, with an explicit warning in the code comment explaining that npm update can advance caret ranges to newer minor releases.
Confirmed fixed. Step 5 now properly gates npm update behind the --minor flag and documents the distinction between patch-only and minor update modes. The warning comment about caret range behavior is a nice touch.
| | Lockfile | Package Manager | Audit Command | Outdated Command | | ||
| | ----------------- | --------------- | -------------------------- | ------------------------- | | ||
| | `package-lock.json` | npm | `npm audit --json` | `npm outdated --json` | | ||
| | `yarn.lock` | yarn | `yarn audit --json` | `yarn outdated --json` | |
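Review bot: the `yarn.lock` row assigns `yarn audit --json` to every Yarn project, but that is the Yarn Classic (v1) form; Yarn 2+ (Berry) runs the same audit as `yarn npm audit --json`, so keying the table on the lockfile alone sends Berry projects to a command that will not produce the expected report. Check `yarn --version` after detecting `yarn.lock` and split the row into a Classic v1 row (`yarn audit --json`) and a Berry v2+ row (`yarn npm audit --json`).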
Detect Yarn Berry before choosing audit command
Step 1 maps any yarn.lock project to yarn audit --json, but Yarn 2+ (Berry) uses yarn npm audit instead (also acknowledged in the Notes section). Without a version check, Berry repositories will follow this table and invoke the wrong command, which prevents the skill from producing the expected audit report in a common Yarn setup.
Fixed. The skill now detects the Yarn version via yarn --version before choosing the audit command: Classic v1 uses yarn audit --json, while Berry v2+ uses yarn npm audit --json. The detection step is documented in the updated Step 1 table.
Confirmed fixed. Step 1 now includes yarn --version detection and the table has separate rows for Classic v1 and Berry v2+ with the correct audit commands.
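The two decisions settled in the review threads above (Yarn Classic vs Berry audit command, and running `npm update` only when `--minor` is set) as plain POSIX shell functions. This is an added example, not code from the PR or from the audit-dependencies skill; the function names, the 0/1 flag handling, the dry-run output format, and the assumption that the Yarn major version is the text before the first dot of `yarn --version` output are mine. The decision logic is kept in pure functions so it can be checked without npm or yarn installed; only `audit_command_for_dir` touches the toolchain.

```shell
#!/usr/bin/env sh
# Added example (not the PR's or the skill's own code).
# Two decisions from the review threads, as plain POSIX shell functions:
#   1. which audit command to run for a given lockfile and Yarn version
#      (Yarn Classic 1.x: `yarn audit --json`; Yarn Berry 2+: `yarn npm audit --json`)
#   2. which remediation commands --fix runs, with `npm update` only when --minor
#      is set, because `npm update` can move caret ranges to a newer minor release.
# Assumptions (mine, not the skill's): a project has one lockfile, the Yarn major
# version is the text before the first dot of `yarn --version`, and the --minor
# and --dry flags are passed in as 0/1 values.

# Print the audit command for LOCKFILE and YARN_VERSION.
# Fails (exit 1) for an unknown lockfile or an unparseable Yarn version rather
# than guessing, so a caller never runs the wrong audit command silently.
choose_audit_command() {
  lockfile=$1
  yarn_version=$2
  case "$lockfile" in
    package-lock.json)
      echo "npm audit --json"
      ;;
    yarn.lock)
      major=${yarn_version%%.*}   # "1.22.22" -> "1", "4.1.0" -> "4"
      case "$major" in
        1) echo "yarn audit --json" ;;                  # Yarn Classic
        0|''|*[!0-9]*) echo "unrecognised yarn version: '$yarn_version'" >&2; return 1 ;;
        *) echo "yarn npm audit --json" ;;              # Yarn Berry (2+)
      esac
      ;;
    *)
      echo "unsupported lockfile: $lockfile" >&2
      return 1
      ;;
  esac
}

# Find the lockfile in DIR and, for Yarn projects, ask the installed yarn for
# its version. This is the only function that touches the toolchain; if yarn
# is missing the version is empty and choose_audit_command refuses to guess.
audit_command_for_dir() {
  dir=$1
  if [ -f "$dir/package-lock.json" ]; then
    choose_audit_command package-lock.json ""
  elif [ -f "$dir/yarn.lock" ]; then
    yv=$(cd "$dir" && yarn --version 2>/dev/null | head -n 1)
    choose_audit_command yarn.lock "$yv"
  else
    echo "no supported lockfile in $dir" >&2
    return 1
  fi
}

# Print the remediation commands for --fix, one per line.
# MINOR=0 keeps the patch-only boundary: `npm audit fix` alone, as in the fix above.
# MINOR=1 additionally runs `npm update`, which may advance ^ ranges to a newer minor.
fix_commands() {
  minor=$1
  echo "npm audit fix"
  if [ "$minor" = 1 ]; then
    echo "npm update"
  fi
}

# Run (or, with DRY=1, only list) the remediation for the chosen mode in the
# current directory. Stderr is left alone so a failing step is reported, and
# the first failure stops the run instead of continuing half-applied.
remediate() {
  minor=$1
  dry=$2
  fix_commands "$minor" | while IFS= read -r cmd; do
    if [ "$dry" = 1 ]; then
      echo "would run: $cmd"
    else
      $cmd || { echo "failed: $cmd" >&2; exit 1; }
    fi
  done
}

# Usage (from a project directory):
#   audit_command_for_dir .      # e.g. "yarn npm audit --json" for a Berry project
#   remediate 0 1                # --fix --dry: prints "would run: npm audit fix"
#   remediate 1 0                # --fix --minor: npm audit fix, then npm update
```

The version check is deliberately strict: an empty or non-numeric major (yarn not installed, or a version string from an unexpected tool) is an error, not a fallback to Classic, because running the wrong audit command is exactly the failure mode the review caught.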
📚 Documentation Check
Verdict: Passed ✅
All required documentation is present: plugin version bumped (2.3.0 → 2.4.0), CLAUDE.md updated, README.md updated, and new SKILL.md created.
PR #459 Documentation Review
This PR adds the
Minor observation: The root
No blocking issues found.
✨ No Documentation Updates Needed
All documentation appears to be up to date with the code changes.
🤖 Generated by Claude Documentation Validator
- Bump development-productivity plugin version from 2.3.0 to 2.4.0
- Update CLAUDE.md version table to reflect 2.4.0
- Fix Yarn Berry detection: check yarn --version before picking audit command (yarn audit --json for v1, yarn npm audit --json for v2+)
- Fix patch-only mode: do not run npm update unconditionally; gate it behind --minor flag to prevent unintended minor version upgrades

Resolved comments from: github-actions[bot]
PR: #459
Superseded by new review after PR update
📋 Review verdict: APPROVE
What gap this fills
The development-productivity plugin had no dependency health tooling. Developers had to manually remember to run npm audit before releases, and there was no structured workflow for assessing outdated packages. This skill fills that gap.
How it was identified
During gap analysis of the plugin ecosystem, the dependency lifecycle phase was absent — no tooling for auditing CVEs, identifying stale packages, or applying safe updates in a structured way.
Example usage scenarios
- "audit my dependencies" — full audit, report only
- "run npm audit and fix what's safe" — audit + auto-apply safe patches
- "check for vulnerable packages --scope security" — CVEs only
- "dependency health check --fix --minor" — audit + update to latest minor
- "show me what would change --dry" — dry-run view of planned updates
Changes
- packages/plugins/development-productivity/skills/audit-dependencies/SKILL.md
- plugin.json (version 2.2.0 → 2.3.0, skill registered)
- CLAUDE.md and README.md with new skill documentation
Test plan
- --fix applies only patch updates
- --fix --minor also applies minor updates
- --scope security omits outdated-only output
- --dry shows planned changes without applying them
- node scripts/validate-plugin.cjs packages/plugins/development-productivity
- npm exec markdownlint-cli2 -- "packages/plugins/development-productivity/**/*.md"
AI-Generated Description
Summary
- audit-dependencies skill to the development-productivity plugin for auditing project dependencies for security vulnerabilities and outdated packages
Changes
- packages/plugins/development-productivity/skills/audit-dependencies/SKILL.md (--fix, --minor, --scope, --dry), and structured report format
- packages/plugins/development-productivity/.claude-plugin/plugin.json: audit-dependencies in skills array; bump version 2.3.0 → 2.4.0
- packages/plugins/development-productivity/CLAUDE.md
- packages/plugins/development-productivity/README.md
- CLAUDE.md (root)
Context
The development-productivity plugin had no dependency health tooling. This skill fills the dependency lifecycle gap by providing a structured workflow for auditing CVEs, identifying stale packages, and applying safe updates — without requiring developers to manually remember audit commands or parse raw JSON output.
Test plan
- --fix applies only patch-level updates by default
- --fix --minor also applies minor version updates
- --scope security limits output to CVEs only
- --dry shows planned changes without applying them
- node scripts/validate-plugin.cjs packages/plugins/development-productivity