Analyzes project dependencies for known security vulnerabilities using npm audit, pip-audit, or similar tools. Use when auditing packages, checking for CVEs, or updating vulnerable dependencies.
Source: armanzeroeight/fastagent-plugins, plugin `security-toolkit`, January 21, 2026
Install with add-skill (installs to `.claude/skills/dependency-audit/`):
```bash
npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/security-toolkit/skills/dependency-audit/SKILL.md -a claude-code --skill dependency-audit
```
# Dependency Audit
## Quick Start
Audit dependencies based on project type:
```bash
# Node.js
npm audit
# Python
pip-audit
# Go
govulncheck ./...
```
## Instructions
### Step 1: Identify Package Manager
Check for manifest files:
- `package.json` with `package-lock.json` → npm; with `yarn.lock` → yarn
- `requirements.txt` / `pyproject.toml` → pip
- `go.mod` → Go modules
- `Cargo.toml` → Cargo (Rust)
- `Gemfile` → Bundler (Ruby)
### Step 2: Run Audit
**Node.js (npm):**
```bash
npm audit
npm audit --json # Machine-readable output
```
**Node.js (yarn):**
```bash
yarn audit          # Yarn 1 (classic)
yarn audit --json
yarn npm audit      # Yarn 2+ (Berry); add --json for machine-readable output
```
**Python:**
```bash
pip install pip-audit
pip-audit
pip-audit -r requirements.txt
```
**Go:**
```bash
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...   # reports vulnerabilities in functions your code actually reaches
```
**Ruby:**
```bash
gem install bundler-audit
bundle audit check --update   # --update refreshes the local advisory database first
```
### Step 3: Analyze Results
Categorize by severity:
| Severity | CVSS | Action |
|----------|------|--------|
| Critical | 9.0-10.0 | Update immediately |
| High | 7.0-8.9 | Update within 24h |
| Moderate | 4.0-6.9 | Update this sprint |
| Low | 0.1-3.9 | Update when convenient |

The severity is the advisory's rating of the flaw, not of your exposure: a flaw in a code path you never call can wait longer than the table says, one in a network-facing parser cannot. Note that `pip-audit` lists advisory IDs and fix versions without a severity, so look up the advisory's CVSS before placing a Python finding in the table.
### Step 4: Fix Vulnerabilities
**npm - Auto-fix:**
```bash
npm audit fix
npm audit fix --force # Also installs semver-major updates (breaking changes); review the resulting package-lock.json diff
```
**npm - Manual update:**
```bash
npm update vulnerable-package
# or specific version
npm install vulnerable-package@2.0.0
```
**Python - Update package:**
```bash
pip install --upgrade vulnerable-package
```
or raise the minimum in `requirements.txt` to the first patched version (use `==` instead if the project pins exact versions):
```
vulnerable-package>=2.0.0
```
### Step 5: Verify Fixes
Re-run the audit to confirm. Both commands exit non-zero while vulnerabilities remain, so the same step can gate CI:
```bash
npm audit # Should show 0 vulnerabilities
pip-audit # Should show no issues
```
## Common Scenarios
### Transitive Dependencies
When the vulnerability is in a sub-dependency (`npm audit --json` marks these with `"isDirect": false`):
```bash
# Check which direct dependency pulls it in
npm ls vulnerable-package
```
Force the resolved version (npm 8.3+) by adding to `package.json`; Yarn offers the same mechanism under `resolutions`:
```json
{
  "overrides": {
    "vulnerable-package": "2.0.0"
  }
}
```
An override installs a version the parent package may never have been tested against, so exercise the parent's code paths in your test suite after applying it.
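Steps 3 to 5 and the transitive-dependency scenario above all come down to reading the tools' machine-readable output and deciding what to do per finding. The script below is an added example, not code from the fastagent-plugins skill: it consumes the JSON that `npm audit --json` (npm 7+) and `pip-audit --format json` emit, applies the Step 3 table, distinguishes auto-fixable, semver-major, transitive and no-fix findings, and returns a CI exit status. The two embedded reports are constructed samples; the package names and advisory IDs in them are placeholders, not real packages or advisories.

```python
"""Triage machine-readable audit output against the Step 3 severity table.

Added example, not part of the fastagent-plugins skill. It consumes the JSON
that `npm audit --json` (npm 7+) and `pip-audit --format json` emit. The two
samples below are constructed; the package names and advisory IDs in them
are placeholders, not real packages or advisories.
"""
import json

# Severity ranks for thresholding. pip-audit's JSON carries no severity, so
# its findings are ranked "unknown" and fail any gate (fail closed) until the
# advisory's CVSS has been looked up.
RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4, "unknown": 5}
ACTIONS = {  # from the Step 3 table
    "critical": "Update immediately",
    "high": "Update within 24h",
    "moderate": "Update this sprint",
    "low": "Update when convenient",
    "unknown": "Look up the advisory's CVSS, then apply the table",
}

# Constructed sample in the npm 7+ `npm audit --json` shape (trimmed).
NPM_AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-leaf": {"name": "example-leaf", "severity": "high", "isDirect": false,
      "via": [{"name": "example-leaf", "title": "placeholder", "severity": "high", "range": "<2.0.0"}],
      "range": "<2.0.0", "nodes": ["node_modules/example-leaf"],
      "fixAvailable": {"name": "example-parent", "version": "3.0.0", "isSemVerMajor": true}},
    "example-direct": {"name": "example-direct", "severity": "low", "isDirect": true,
      "via": [{"name": "example-direct", "title": "placeholder", "severity": "low", "range": "<1.4.2"}],
      "range": "<1.4.2", "nodes": ["node_modules/example-direct"], "fixAvailable": true},
    "example-orphan": {"name": "example-orphan", "severity": "critical", "isDirect": true,
      "via": [{"name": "example-orphan", "title": "placeholder", "severity": "critical", "range": "*"}],
      "range": "*", "nodes": ["node_modules/example-orphan"], "fixAvailable": false}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 1, "total": 3}}
}"""
NPM_REPORT = json.loads(NPM_AUDIT_JSON)

# Constructed sample in the `pip-audit --format json` shape.
PIP_AUDIT_JSON = """{"dependencies": [
  {"name": "example-pkg", "version": "1.0.0", "vulns": [
    {"id": "PLACEHOLDER-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "placeholder"}]},
  {"name": "example-stale", "version": "0.9.0", "vulns": [
    {"id": "PLACEHOLDER-0002", "fix_versions": [], "aliases": [], "description": "placeholder"}]},
  {"name": "example-clean", "version": "2.0.0", "vulns": []}
]}"""
PIP_REPORT = json.loads(PIP_AUDIT_JSON)

NO_FIX = "no fix available: check whether your usage is affected, consider an alternative package"


def triage_npm(report):
    """One finding per npm audit entry, with the action from the table and a remedy."""
    findings = []
    for name, v in report.get("vulnerabilities", {}).items():
        sev = v.get("severity") if v.get("severity") in RANK else "unknown"
        fix = v.get("fixAvailable", False)
        if fix is False:
            remedy = NO_FIX
        elif fix is True:
            remedy = "npm audit fix"
        else:
            # Fixing means bumping the named (parent) package; a semver-major
            # bump is what `npm audit fix --force` would apply.
            remedy = f"update {fix['name']}@{fix['version']}"
            if fix.get("isSemVerMajor"):
                remedy += " (semver-major: npm audit fix --force or manual update)"
        if not v.get("isDirect", True):
            remedy += f"; transitive: npm ls {name}, or pin it via package.json overrides"
        findings.append({"package": name, "severity": sev, "action": ACTIONS[sev], "remedy": remedy})
    return findings


def triage_pip(report):
    """One finding per pip-audit vuln; severity is never present in this output."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            fixes = vuln.get("fix_versions") or []
            remedy = f"pip install --upgrade '{dep['name']}>={fixes[0]}'" if fixes else NO_FIX
            findings.append({"package": dep["name"], "severity": "unknown",
                             "action": ACTIONS["unknown"], "remedy": f"{vuln['id']}: {remedy}"})
    return findings


def gate(findings, fail_on="high"):
    """CI exit status: 1 if any finding is at or above fail_on (unknown always fails), else 0."""
    return 1 if any(RANK[f["severity"]] >= RANK[fail_on] for f in findings) else 0


if __name__ == "__main__":
    found = triage_npm(NPM_REPORT) + triage_pip(PIP_REPORT)
    for f in sorted(found, key=lambda f: -RANK[f["severity"]]):
        print(f"[{f['severity']:>8}] {f['package']}: {f['action']} -> {f['remedy']}")
    raise SystemExit(gate(found, fail_on="high"))
```

To run it against a real project, replace the two embedded samples with the files written by `npm audit --json > npm-audit.json` and `pip-audit --format json > pip-audit.json`. The `gate()` threshold is deliberately fail-closed for pip-audit findings, because a missing severity is not evidence of a low one.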
### No Fix Available
When no patched version exists:
1. Check if vulnerability affects your usage
2. Consider alternative packages
3. Impleme