audit-ide-dependencies
Audit IDE dependencies
Workflow to find the Node/npm dependency trees shipped with or used by the editor (Cursor first; VS Code-compatible paths included). Most Cursor plugins under plugins/cache are skills or rules only, with no lockfile to audit; extensions and some cached plugin monorepos ship a real node_modules tree and a lockfile, and that is where pnpm audit / npm audit apply.
Pair with fix-dependency-security (CVE fixes, SFW installs), audit-allow-builds (postinstall allowlists when you install inside a plugin tree), and upgrade-packages (bumping plugin/extension deps).
What audit can and cannot see
| Signal | pnpm audit / npm audit | Does not catch |
|---|---|---|
| Known CVEs in locked versions | Yes | Fresh malware with no advisory yet |
| Transitive paths in lockfile | Yes | One-off malicious postinstall (use npm view … scripts + audit-allow-builds) |
| Markdown-only plugins (skills, rules) | N/A — no lockfile | — |
IDE trees are not the project repo. Audits run in ~/.cursor/… (or $CURSOR_HOME). Hardening in the repo’s pnpm-workspace.yaml (for example its build-script allowlist) governs only installs rooted in the repo and does not apply to the IDE tree; if you install inside the IDE tree, that tree needs its own allowlist (see audit-allow-builds).
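A script that walks that tree, added here as an example and not the skill's own code: it lists every lockfile under $CURSOR_HOME (default ~/.cursor), prunes lockfiles vendored inside node_modules, prints the audit command each tree needs, and flags any shipped package.json that declares an install, preinstall or postinstall script, the case the table says audit does not catch. The directory names come from the text; the helper names and the textual grep for lifecycle-script keys are this example's own assumptions, and `npm view <pkg> scripts` remains the authoritative check before allowlisting anything.

```shell
#!/bin/sh
# Added example for this skill, not the skill's own code: walk the IDE tree,
# report each lockfile with the audit command it needs, and flag shipped
# packages that declare install-time lifecycle scripts (which audit cannot see).
set -eu

# Audits run against the IDE's own tree, never the project repo.
IDE_HOME="${CURSOR_HOME:-${HOME:-.}/.cursor}"

# Map a lockfile name to the audit tool that reads it; anything else is skipped.
audit_cmd_for() {
  case "$(basename "$1")" in
    pnpm-lock.yaml)    echo "pnpm audit" ;;
    package-lock.json) echo "npm audit" ;;
    *)                 echo "skip" ;;
  esac
}

# Lockfiles beneath $1. Directories named node_modules are pruned: a lockfile
# vendored inside a dependency belongs to that dependency, and the enclosing
# top-level lockfile already pins what was actually installed.
find_lockfiles() {
  find "$1" -type d -name node_modules -prune -o \
    -type f \( -name pnpm-lock.yaml -o -name package-lock.json \) -print \
    | sort
}

# package.json files under a tree's node_modules that declare install,
# preinstall or postinstall scripts. Heuristic (assumption of this example):
# a textual match on the key is cheap and offline; confirm suspicious hits with
# `npm view <pkg> scripts` before allowing them via audit-allow-builds.
find_install_scripts() {
  find "$1" -path '*/node_modules/*' -name package.json -type f \
    -exec grep -lE '"(pre|post)?install"[[:space:]]*:' {} + 2>/dev/null \
    | sort
}

# Report every auditable tree under $1 and the install-time scripts it carries.
main() {
  root="$1"
  find_lockfiles "$root" | while IFS= read -r lock; do
    dir=$(dirname "$lock")
    cmd=$(audit_cmd_for "$lock")
    printf '%s\n  run: (cd %s && %s)\n' "$lock" "$dir" "$cmd"
    scripts=$(find_install_scripts "$dir")
    if [ -n "$scripts" ]; then
      printf '  install-time scripts declared in:\n'
      printf '%s\n' "$scripts" | sed 's/^/    /'
    fi
  done
}

if [ -d "$IDE_HOME" ]; then
  main "$IDE_HOME"
else
  echo "no IDE tree at $IDE_HOME (set CURSOR_HOME to override)" >&2
fi
```

Run it as `CURSOR_HOME=~/.cursor sh audit-ide-deps.sh`; each reported `run:` line is the exact command to execute inside that tree, and any package listed under "install-time scripts" is the one to check by hand, because a clean audit says nothing about what its postinstall does.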