audit-ide-dependencies


Audit IDE dependencies

Workflow to find the Node/npm dependency trees shipped with or used by the editor (Cursor first; VS Code-compatible paths included). Most Cursor plugins in plugins/cache are skills/rules only. Extensions and some cached plugin monorepos ship real node_modules and lockfiles, and pnpm audit / npm audit apply there.

Pair with fix-dependency-security (CVE fixes, SFW installs), audit-allow-builds (postinstall allowlists when you install inside a plugin tree), and upgrade-packages (bumping plugin/extension deps).

What audit can and cannot see

| Signal | pnpm audit / npm audit | Does not catch |
| --- | --- | --- |
| Known CVEs in locked versions | Yes | Fresh malware with no advisory yet |
| Transitive paths in lockfile | Yes | One-off malicious postinstall (use npm view … scripts + audit-allow-builds) |
| Markdown-only plugins (skills, rules) | N/A — no lockfile | |

IDE trees are not the project repo. Audits run in ~/.cursor/… (or $CURSOR_HOME). Hardening in the repo’s pnpm-workspace.yaml does not apply there unless you install inside that tree.
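
One way to enumerate the trees where an audit applies, as an added example that is not part of the skill or its repository: it walks an IDE home directory, skips node_modules, and tags each lockfile directory with the matching package manager. The lockfile-to-manager mapping and all names in the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the skill: find the directories under an IDE home
# that carry a lockfile and tag each with the audit command that applies.
# Assumption: pnpm-lock.yaml => pnpm; package-lock.json or
# npm-shrinkwrap.json => npm.

# Print "<manager><TAB><dir>" per lockfile directory under $1. node_modules is
# pruned: lockfiles inside it belong to installed packages, not to the tree.
find_audit_targets() {
  find "$1" -type d -name node_modules -prune -o -type f \
    \( -name pnpm-lock.yaml -o -name package-lock.json \
       -o -name npm-shrinkwrap.json \) -print |
  while IFS= read -r lock; do
    case "${lock##*/}" in
      pnpm-lock.yaml) mgr=pnpm ;;
      *)              mgr=npm ;;
    esac
    printf '%s\t%s\n' "$mgr" "${lock%/*}"
  done | sort -u
}

# Run the matching audit in each target. Both tools exit non-zero on findings
# (and on network errors), so flag the tree for a manual look.
run_audits() {
  tab=$(printf '\t')
  find_audit_targets "$1" | while IFS=$tab read -r mgr dir; do
    echo "== $mgr audit: $dir"
    (cd "$dir" && "$mgr" audit) || echo "!! findings or error: $dir"
  done
}

# Constructed sample tree (hypothetical names, not real Cursor contents).
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/extensions/ext-a/node_modules/dep" \
           "$t/plugins/cache/mono" "$t/plugins/cache/skills-only"
  : > "$t/extensions/ext-a/package-lock.json"
  : > "$t/extensions/ext-a/node_modules/dep/package-lock.json"
  : > "$t/plugins/cache/mono/pnpm-lock.yaml"
  : > "$t/plugins/cache/skills-only/SKILL.md"
  printf '%s\n' "$t"
}

# Offline demo on the sample tree. On a real machine:
#   run_audits "${CURSOR_HOME:-$HOME/.cursor}"
demo=$(make_sample_tree)
find_audit_targets "$demo"
rm -rf "$demo"
```

Directories that never appear in the output, such as the markdown-only plugin in the sample, have no lockfile for the audit to read.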


Workflow checklist

Repository: p10ns11y/skills
First Seen: Jun 8, 2026