NPM Package Scanner

Scan npm packages used in a repository for risk, maintenance health, and upgrade concerns.
Author: geoffrey-xiao (source)
Uncategorized · clawhub · v1.0.0 · 1 version · Key: not required

Overview

NPM Package Scanner

Use this skill when you need to inspect the npm packages used by a repository and identify security, maintenance, and dependency risks.

Goal

Produce a practical package-risk review for the current repository:

  • what dependencies are installed
  • which ones are direct vs transitive
  • which ones look stale, risky, or unnecessary
  • whether there are known audit issues
  • whether version ranges are too loose or outdated

Scope

Focus on:

  • package.json
  • lockfiles such as package-lock.json, bun.lock, pnpm-lock.yaml, or yarn.lock
  • workspace package manifests
  • scripts that introduce package/tooling risk
  • duplicated or overlapping dependencies

Use the reference notes in references/checklist.md and references/commands.md when useful.

Workflow

  1. Find package manifests and lockfiles.
  2. Read the root package.json and any workspace manifests.
  3. List direct dependencies and devDependencies.
  4. Check for:
    • very old package versions
    • abandoned or suspicious packages
    • duplicate packages solving the same problem
    • unnecessary runtime dependencies
    • risky postinstall/build hooks
    • overly broad semver ranges
  5. Run available package-manager audit commands if appropriate.
  6. Summarize findings by severity.
  7. Recommend concrete next steps.
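
As an added example, not part of the skill's own files or of the page, the following Node.js script carries out steps 3 and 4 of the workflow on a constructed package.json and package-lock.json (lockfileVersion 2/3 layout, where the "packages" map keys the root as "" and every installed package by its install path): it flags install lifecycle hooks, flags loose semver ranges, and separates direct from transitive packages. The sample manifest and lockfile, the severity labels and the INSTALL_HOOKS list are assumptions made for the example.

```javascript
// Constructed sample inputs (not taken from any real repository).
const manifest = {
  dependencies: { express: "^4.18.2", lodash: "*", "left-pad": "latest", chalk: ">=4" },
  devDependencies: { jest: "29.7.0" },
  scripts: { build: "tsc", postinstall: "node scripts/setup.js" },
};
// Shape of a lockfileVersion 3 package-lock.json: "" is the root, the rest are install paths.
const lock = {
  packages: {
    "": { dependencies: manifest.dependencies, devDependencies: manifest.devDependencies },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/body-parser": { version: "1.20.1" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/@babel/core": { version: "7.23.0" },
  },
};
// Lifecycle scripts npm runs automatically during `npm install` (assumed list for this example).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// A range is loose when it accepts any version ("*", "", "x"), a dist-tag
// ("latest"), or has a lower bound with no upper bound (">=4").
function isLooseRange(range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || r.toLowerCase() === "x" || r === "latest") return true;
  return /^>=?\s*\d/.test(r) && !/</.test(r);
}
// Split every installed package into direct vs transitive by comparing the
// last path segment after "node_modules/" against the root manifest entry.
function classifyDeps(lock) {
  const root = lock.packages[""] || {};
  const directNames = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const direct = [], transitive = [];
  for (const path of Object.keys(lock.packages)) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    (directNames.has(name) ? direct : transitive).push(name);
  }
  return { direct, transitive };
}
// Findings grouped by severity, in the order the skill's output format asks for.
function review(manifest, lock) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(manifest.scripts || {}))
    if (INSTALL_HOOKS.includes(hook)) findings.push({ severity: "high", item: hook, reason: `install hook runs: ${cmd}` });
  for (const [name, range] of Object.entries({ ...manifest.dependencies, ...manifest.devDependencies }))
    if (isLooseRange(range)) findings.push({ severity: "medium", item: name, reason: `loose range "${range}"` });
  const { transitive } = classifyDeps(lock);
  findings.push({ severity: "low", item: "lockfile", reason: `${transitive.length} transitive package(s): ${transitive.join(", ")}` });
  return findings;
}
```

To run it against a real repository, replace the two constructed objects with `JSON.parse` of the repo's package.json and package-lock.json.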

Commands

Prefer fast repo inspection first:

rg --files | rg '(^|/)(package\.json|package-lock\.json|bun\.lock|pnpm-lock\.yaml|yarn\.lock)$'

Inspect manifests:

cat package.json

If using Bun:

bun pm ls
bun audit

If using npm:

npm ls --depth=0
npm audit

If using pnpm:

pnpm ls --depth=0
pnpm audit

If using yarn:

yarn list --depth=0
yarn audit

Output format

Return:

  1. High-risk findings
  2. Medium-risk findings
  3. Low-risk cleanup items
  4. Packages worth upgrading soon
  5. Packages that may be removable
  6. Exact commands to verify or fix

Review rules

  • Prioritize real risk over noise.
  • Distinguish direct dependencies from transitive ones.
  • Do not recommend upgrades blindly; mention likely blast radius.
  • If audit output is noisy, extract only actionable items.
  • If no serious issues are found, say so explicitly.

Constraints

  • Do not modify dependency versions unless explicitly asked.
  • Do not remove packages unless explicitly asked.
  • Do not assume a package is abandoned without evidence from the repo context or audit/tool output.

Version history

1 version in total

  • v1.0.0 (current)
    2026-05-02 05:42 · Security: safe

Security scans

Tencent Cloud Security (Keen)

Safe, no risk found

Tencent Cloud Security (Sanbu)

Safe, no risk found
