Dependency Audit Prompt

npm audit dumps 200 lines of nested JSON. npm outdated gives a table with no context. Neither tells you what actually matters — which of these 47 findings should I fix today, and which can I ignore? This prompt runs the checks and synthesizes the results into a prioritized action list.

The prompt

Audit this project's dependencies. Run these checks and synthesize the results:

## Checks

1. **Security vulnerabilities**
   Run `npm audit` (or `yarn audit`, `pnpm audit` — match the project's package manager).
   For each vulnerability, note: package name, severity, whether it's direct or transitive, and whether a fix is available via a semver-compatible upgrade.

2. **Outdated packages**
   Run `npm outdated` (or equivalent).
   Focus on: major version bumps (breaking changes likely), packages more than 1 major version behind, and packages with known migration guides.

3. **Unused dependencies**
   Check for a tool like `knip` or `depcheck` in the project. If available, run it.
   If not, search the codebase for actual imports/requires of each `dependencies` entry in package.json.
   A dependency is "likely unused" if no source file imports it — but verify against:
   - CLI tools invoked via `scripts` in package.json
   - Config files that reference plugins by name (Babel, ESLint, PostCSS, Tailwind)
   - Framework conventions (e.g., Next.js auto-loads certain packages)

4. **Heavy dependencies**
   Check the build output for bundle sizes if available.
   Flag any dependency over 50KB gzipped that could be replaced with a lighter alternative or a native API (e.g., `moment` → `date-fns` or `Intl`, `lodash` → native array methods).

## Output format

### Critical (act now)
- **[package]** — [severity] vulnerability in [direct/transitive] dep. Fix: `npm audit fix` / upgrade to [version] / [workaround if no fix available]

### Recommended (next sprint)
- **[package]** — [X] major versions behind. Current: [x.y.z], Latest: [a.b.c]. Breaking changes: [brief summary or link to changelog]

### Cleanup (when convenient)
- **[package]** — appears unused. Verify and remove with `npm uninstall [package]`
- **[package]** — [size]. Consider replacing with [lighter alternative]

### No action needed
[X] dependencies checked, [Y] up to date, [Z] with only patch/minor updates available.

## Rules
- Don't flag devDependencies as "unused" just because they don't appear in source imports — they're often used by config files, build tools, or test runners
- For transitive vulnerabilities with no fix available, say so clearly rather than suggesting an impossible upgrade
- Prioritize by actual risk, not by count. One critical vulnerability in a direct dependency matters more than ten low-severity issues in transitive deps
- Match the project's package manager. Don't suggest `npm` commands for a project using `pnpm` or `bun`
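
As an added example that is not part of the original prompt or page, here is a small Node script that applies the prompt's prioritization rules to the JSON reports npm produces. It assumes the npm 7+ `npm audit --json` shape (a `vulnerabilities` map with `severity`, `isDirect`, `fixAvailable`) and the `npm outdated --json` shape; the sample reports, the placeholder package names and the split between "Critical" and "Recommended" buckets are constructed assumptions.

```javascript
// Added example, not from the original page: triage `npm audit --json` (npm 7+ report
// shape) and `npm outdated --json` by the prompt's rules: rank by real risk, state
// plainly when no fix exists, and report only major-version drift.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
// `fixAvailable` is true, false, or {name, version, isSemVerMajor} in npm's report.
function describeFix(fix) {
  if (fix === true) return 'npm audit fix';
  if (fix && typeof fix === 'object') {
    return `upgrade ${fix.name} to ${fix.version}${fix.isSemVerMajor ? ' (semver-major, breaking)' : ''}`;
  }
  return 'no fix available; document in a tracking issue';
}
// Severity first, then direct before transitive. The bucket split (critical/high
// act now, the rest next sprint) is this example's assumption, not the prompt's.
function triageAudit(audit) {
  return Object.values(audit.vulnerabilities || {})
    .map((v) => ({
      package: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      fix: describeFix(v.fixAvailable),
      bucket: SEVERITY_RANK[v.severity] >= 3 ? 'Critical (act now)' : 'Recommended (next sprint)',
    }))
    .sort((a, b) => (SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]) ||
                    (Number(b.direct) - Number(a.direct)));
}
// Major versions between current and latest ("2.4.1" -> "4.1.0" is 2); minor and
// patch drift belongs under "No action needed", so only majors >= 1 is reported.
function majorsBehind(current, latest) {
  return parseInt(latest, 10) - parseInt(current, 10);
}
function triageOutdated(outdated) {
  return Object.entries(outdated)
    .map(([name, o]) => ({ package: name, current: o.current, latest: o.latest,
                           majors: majorsBehind(o.current, o.latest) }))
    .filter((o) => o.majors >= 1)
    .sort((a, b) => b.majors - a.majors);
}
// Constructed sample reports; the package names are placeholders, not real packages.
const SAMPLE_AUDIT = { auditReportVersion: 2, vulnerabilities: {
  'example-transitive': { name: 'example-transitive', severity: 'low', isDirect: false, fixAvailable: false },
  'example-direct': { name: 'example-direct', severity: 'high', isDirect: true,
    fixAvailable: { name: 'example-direct', version: '3.0.0', isSemVerMajor: true } },
  'example-patchable': { name: 'example-patchable', severity: 'high', isDirect: false, fixAvailable: true },
} };
const SAMPLE_OUTDATED = {
  'example-old': { current: '2.4.1', wanted: '2.9.0', latest: '4.1.0', type: 'dependencies' },
  'example-fresh': { current: '1.2.0', wanted: '1.3.0', latest: '1.3.0', type: 'devDependencies' },
};
for (const f of triageAudit(SAMPLE_AUDIT)) {
  console.log(`${f.bucket}: ${f.package}, ${f.severity} in ${f.direct ? 'direct' : 'transitive'} dep. Fix: ${f.fix}`);
}
```

To run it on a real project, replace the constructed samples with `JSON.parse` of the output of `npm audit --json` and `npm outdated --json`.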

When to use it

  • Before a release — catch vulnerabilities before they ship
  • Monthly maintenance — keep dependencies from drifting too far behind
  • Onboarding to a new project — understand the health of the dependency tree
  • After npm audit spits out a wall of text you don't want to parse

When NOT to use it

  • Right after npm init — there's nothing to audit yet
  • When you just need to know if one specific package is outdated — npm outdated [package] is faster

Tips

  • For monorepos, run this per workspace. Cross-workspace dependency conflicts are a separate problem.
  • If npm audit reports vulnerabilities with no fix available, document them in a tracking issue rather than ignoring them silently.
  • For a deeper look at what's bloating your bundle, pair this with the Performance Audit prompt, which analyzes bundle composition in more detail.
  • Consider adding knip or depcheck to your project — they're purpose-built for unused dependency detection and far more reliable than grep-based approaches.