Prompt of the Day: Scan Your Dependencies for Known Vulnerabilities
Series: Prompt of the Day — Part 17 of 30
The Incident That Changed How I Think About npm install
On March 31, 2026, a developer on a mid-size fintech team ran a routine npm install after pulling the latest branch. Nothing looked unusual. The lock file updated, the build passed, and the PR got merged. What no one noticed was that axios — the HTTP client with 83 million weekly downloads — had just shipped two poisoned versions (1.14.1 and 0.30.4) carrying a cross-platform Remote Access Trojan, delivered through a malicious transitive dependency called plain-crypto-js@4.2.1. By the time Picus Security flagged the Axios supply chain attack, attackers had already harvested credentials from dozens of downstream environments.
That wasn't an isolated bad week. March 2026 also saw the TeamPCP group compromise LiteLLM on PyPI — versions 1.82.7 and 1.82.8 — a library that sits directly between AI applications and every major LLM provider, giving it privileged access to API keys for OpenAI, Anthropic, and beyond. The same group had already hit Aqua's Trivy security scanner and Checkmarx VS Code extensions that same month.
This is the world your code lives in. Your AI assistant can help — but only if you give it the right prompt.
The Prompt
Act as a supply chain security auditor. Analyze the dependencies in this project and:
1. List every direct and transitive dependency with its current pinned version.
2. Check each against known CVE databases (NVD, OSV, GitHub Advisory) and flag any with HIGH or CRITICAL severity.
3. For each flagged package, tell me: the CVE ID, what the vulnerability allows an attacker to do, the fixed version, and the exact upgrade command.
4. Identify any packages that have been recently transferred to a new maintainer, deprecated, or have had unusual version activity in the past 90 days — these are high-risk signals even without a CVE.
5. Generate a `npm audit --json` or `pip-audit` command I can run right now to verify your findings.
6. Produce a prioritized remediation checklist: fix CRITICAL first, then HIGH, then flag MEDIUM for review.
Here is my [package.json / requirements.txt / pyproject.toml]:
[PASTE FILE CONTENTS HERE]
Why It Works
This prompt works because it forces the AI out of "helpful suggester" mode and into structured auditor mode. Here's what each section accomplishes:
"Direct and transitive dependencies" — Most developers only think about packages they explicitly installed. The Axios attack used a transitive dependency (plain-crypto-js) you'd never see unless you looked two levels deep. Stating this explicitly closes the blind spot.
"CVE ID, what it allows, fixed version, exact command" — Vague security warnings are useless. Specifying this structure forces the AI to give you actionable output, not a lecture. You get `npm install axios@1.14.0`, not "consider upgrading".
"Recently transferred, deprecated, or unusual version activity" — This is the sleeper hit of the prompt. The Shai-Hulud campaign (which infected over 500 npm packages in September 2025, including chalk, debug, and strip-ansi with a combined 2.6 billion weekly downloads) exploited legitimate packages with no CVE at the time of attack. Maintainer account compromise leaves fingerprints in version history before it leaves fingerprints in CVE databases.
"Generate the audit command" — Forces the AI to stay honest. If it says a package is vulnerable and your npm audit disagrees, you now have a discrepancy to investigate rather than false confidence.
The Anti-Prompt
Here's what most vibe coders actually type:
// BAD PROMPT
Are my dependencies safe?
Why it fails:
- Too vague to be actionable. The AI will give you a reassuring paragraph about "keeping dependencies up to date" with zero specifics.
- No scope definition. It doesn't know if you mean direct deps, transitive deps, dev deps, or all of the above.
- No output structure. You'll get prose when you need a checklist.
- No verification step. There's no way to confirm the answer is accurate for your specific version tree.
The bad prompt is the equivalent of asking a doctor "am I healthy?" without showing them any test results. The good prompt is a full blood panel with specific markers to check.
Real-World Code Examples
Python — run pip-audit and feed results to your AI
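```bash
# Install pip-audit if you don't have it
pip install pip-audit
# Generate a JSON report (this audits the active environment;
# add -r requirements.txt to audit a requirements file instead)
pip-audit --format=json --output=audit-report.json
# Then paste the JSON into your AI with the prompt above
```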
Node.js — use npm audit output as context
```bash
# Generate structured audit output
npm audit --json > audit-report.json
# Check transitive deps explicitly
npm ls --all --json > dependency-tree.json
```
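The dependency tree written above can be searched directly for the versions this article names, which shows the chain that pulls each one in. This is an added example, not code from the original article; the sample tree is constructed and `example-http-wrapper` and `left-pad-example` are hypothetical package names.

```python
import json

# Versions the article names as compromised; extend from your advisory feed.
FLAGGED = {("axios", "1.14.1"), ("axios", "0.30.4"), ("plain-crypto-js", "4.2.1")}

# Constructed sample shaped like `npm ls --all --json` output.
# "example-http-wrapper" and "left-pad-example" are hypothetical packages.
SAMPLE_TREE = json.loads("""
{
  "name": "demo-app", "version": "1.0.0",
  "dependencies": {
    "left-pad-example": {"version": "1.0.0"},
    "example-http-wrapper": {
      "version": "2.3.0",
      "dependencies": {
        "axios": {
          "version": "1.14.1",
          "dependencies": {"plain-crypto-js": {"version": "4.2.1"}}
        }
      }
    }
  }
}
""")


def find_flagged(node, flagged=FLAGGED, chain=()):
    """Yield the full dependency chain to every flagged name@version."""
    for name, child in (node.get("dependencies") or {}).items():
        version = child.get("version", "")  # unmet deps may carry no version
        here = chain + (f"{name}@{version}",)
        if (name, version) in flagged:
            yield here
        yield from find_flagged(child, flagged, here)


def report(tree):
    """Return one line per hit, shallowest first, marking direct vs transitive."""
    lines = []
    for chain in sorted(find_flagged(tree), key=len):
        kind = "direct" if len(chain) == 1 else f"transitive (depth {len(chain)})"
        lines.append(f"{chain[-1]} [{kind}] via {' > '.join(chain)}")
    return lines


if __name__ == "__main__":
    # Real use: tree = json.load(open("dependency-tree.json"))
    print("\n".join(report(SAMPLE_TREE)) or "no flagged versions found")
```
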
Python — quick inline check with safety
```bash
# Scan requirements.txt with the safety CLI
# (Safety 3.x deprecates `check` in favour of `safety scan`)
pip install safety
safety check -r requirements.txt --full-report
```
TypeScript — use audit-ci in CI pipelines
```bash
# Block merges if HIGH or CRITICAL vulns are found
npx audit-ci --high
```
Feed the output of any of these commands directly into your AI with the structured prompt above. The AI can cross-reference CVE details, explain impact in plain English, and write the upgrade PR description for you.
Variations
For Docker/container projects:
Analyze the base image and installed packages in this Dockerfile for known CVEs.
Flag anything with CVSS score ≥ 7.0 and suggest a patched base image tag.
For GitHub Actions / CI workflows:
Review this GitHub Actions workflow for pinned action versions.
Flag any actions referenced by a branch (such as @main) or a tag instead of a full commit SHA — these are supply chain attack vectors.
Suggest SHA-pinned equivalents for each.
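The same condition can be checked locally before asking the assistant, so its answer has something to be compared against. This is an added example, not code from the original article; the workflow text is constructed, and the `example-org` actions and the 40-character SHA in it are made up.

```python
import re

# Matches `uses:` step/job keys, with or without the leading list dash.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed workflow; the example-org actions and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@main
      - uses: example-org/deploy@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: ./.github/actions/lint
      - run: npm ci
"""


def classify(target):
    """Return 'ok' or the reason a `uses:` target is not immutable."""
    if target.startswith("./"):
        return "ok"  # local action, versioned together with the workflow
    if target.startswith("docker://"):
        return "ok" if "@sha256:" in target else "docker tag is mutable"
    _, _, ref = target.partition("@")
    if not ref:
        return "no ref given"
    if FULL_SHA.fullmatch(ref):
        return "ok"
    return f"mutable ref '{ref}' (branch or tag)"


def unpinned(workflow_text):
    """Return (line_no, target, reason) for every non-immutable reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES.match(line)
        if match and (reason := classify(match.group(1))) != "ok":
            findings.append((line_no, match.group(1), reason))
    return findings


if __name__ == "__main__":
    for line_no, target, reason in unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target}: {reason}")
```
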
For a quick pre-commit check:
Before I commit, scan my package-lock.json diff for any newly added or upgraded
packages. For each change, check if the new version has any CVEs filed in the
past 6 months and flag maintainer account changes.
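The list of added or upgraded packages that this prompt asks about can be computed exactly from the two lockfiles, along with whether each new entry runs an install script. This is an added example, not code from the original article; both lockfiles are constructed, `example-native-helper` is a hypothetical package, and the code assumes the `packages` map of lockfileVersion 2 or 3.

```python
import json

# Constructed lockfiles (lockfileVersion 3 shape). The axios versions are the
# ones the article mentions; "example-native-helper" is a hypothetical package.
OLD_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/axios": {"version": "1.14.0"},
  "node_modules/debug": {"version": "4.3.4"}
}}""")
NEW_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/axios": {"version": "1.14.1"},
  "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
  "node_modules/debug": {"version": "4.3.4"},
  "node_modules/example-native-helper": {"version": "0.1.0", "hasInstallScript": true}
}}""")


def lock_changes(old_lock, new_lock):
    """List packages added or re-versioned between two package-lock.json files.

    Removed packages are ignored: only new code entering the tree is reviewed.
    """
    old, new = old_lock.get("packages", {}), new_lock.get("packages", {})
    changes = []
    for path, meta in new.items():
        before, after = old.get(path, {}).get("version"), meta.get("version")
        if path == "" or before == after:  # "" is the root project itself
            continue
        changes.append({
            "name": path.rsplit("node_modules/", 1)[-1],
            "path": path,  # nesting shows which parent pulled the package in
            "change": "added" if before is None else f"{before} -> {after}",
            "install_script": bool(meta.get("hasInstallScript")),
        })
    # Packages that run code at install time go to the top of the review.
    return sorted(changes, key=lambda c: (not c["install_script"], c["name"]))


if __name__ == "__main__":
    # Real use: load the base-branch and working-tree package-lock.json files.
    for c in lock_changes(OLD_LOCK, NEW_LOCK):
        flag = " [runs install script]" if c["install_script"] else ""
        print(f"{c['name']}: {c['change']}{flag} ({c['path']})")
```
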
For teams adopting SBOM practices:
Generate a Software Bill of Materials (SBOM) in CycloneDX format for this project
and identify which components are end-of-life or have no active maintainer.
The 25-Year Lesson
I've been in this industry long enough to remember when the biggest dependency risk was a library that broke your API. Now we're dealing with self-replicating worms that spread through npm's pre-install hooks, bypassing static scanners and guaranteeing execution on every build server that pulls the package. In 2025, 20 malicious PyPI packages disguised as time utilities and cloud SDKs collectively racked up over 14,100 downloads, silently harvesting AWS, Alibaba, and Tencent cloud credentials.
Your AI assistant won't automatically protect you from this. But with the right prompt, it becomes a first-pass security engineer that catches what a rushed code review misses.
Audit before you merge. Every time.
Action Checklist
- Run `npm audit --json` or `pip-audit --format=json` on your active project today
- Feed the output + your dependency manifest into the prompt above
- Check for any packages with recent maintainer transfers or unusual publish activity
- Add `npx audit-ci --high` (Node) or `pip-audit` (Python) to your CI pipeline as a blocking step
- Pin your GitHub Actions to specific SHA hashes, not branch names or tags
- Schedule a monthly "dependency health" review for all active repos
- Generate an SBOM for any project that ships to production
Ask The Guild
Community prompt for this week:
Have you ever found a real vulnerability — or worse, been hit by one — through a third-party dependency? What was the package, what was the impact, and what did you change in your workflow afterward? Share your war story in the thread. The more specific the better — your lesson might save someone else's production environment.