Install: `claude install-skill anthril/official-claude-plugins`
# npm Package Audit
ultrathink
<!-- anthril-output-directive -->
> **Output path directive (canonical — overrides in-body references).**
> All file outputs from this skill MUST be written under `.anthril/audits/`.
> Run `mkdir -p .anthril/audits` before the first `Write` call.
> Primary artefact: `.anthril/audits/npm-package-audit.md`.
> Do NOT write to the project root or to bare filenames at cwd.
> Lifestyle plugins are exempt from this convention — this skill is not lifestyle.
## Dependencies
External tools required at runtime:
- **`node`** (>= 18) — runs `package.json` introspection one-liners
- **`npm`** — executes `npm run build`, `npm pack --dry-run`, audit commands
- **`jq`** — parses JSON in scripts under `scripts/`
- **`git`** (optional) — used for repository metadata checks
Scripts under `scripts/` assume a POSIX shell (`bash`). All run from the package root.
## Before You Start
1. **Locate the package.** Find `package.json` in the target directory. If a path was not provided, look in the current working directory. If no `package.json` is found, ask the user for the package path.
2. **Run the build.** Execute `npm run build` (or the project's build command) so `dist/` artefacts are available for inspection. If the build fails, report it as a Phase 4 critical finding but continue with remaining phases.
3. **Map the project structure.** Run a directory listing excluding `node_modules/`, `.git/`, and `dist/` to understand the codebase layout.
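The three steps above and the dependency check, as an added example that is not part of the skill's own `scripts/`. The function names and the `build.log` filename are assumptions made for illustration; the excluded directories, the Node version floor and the output directory come from this page.

```shell
#!/usr/bin/env bash
# Added example: pre-flight for the three steps above. Function names and
# build.log are assumptions for illustration, not part of the skill.

# Step 1: print the package root if DIR holds a package.json, else fail.
locate_package() {
  [ -f "${1:-.}/package.json" ] || return 1
  (cd "${1:-.}" && pwd)
}

# Dependencies: print each required tool that is missing (node must be >= 18).
missing_tools() {
  local t
  for t in node npm jq; do
    command -v "$t" >/dev/null 2>&1 || echo "$t"
  done
  if command -v node >/dev/null 2>&1; then
    [ "$(node -p 'process.versions.node.split(".")[0]')" -ge 18 ] || echo "node>=18"
  fi
}

# Step 2: build, but keep going on failure so later phases still run.
# `npm run build` executes scripts defined by the package under audit.
run_build() {
  mkdir -p "$1/.anthril/audits"
  if (cd "$1" && npm run build) >"$1/.anthril/audits/build.log" 2>&1; then
    echo "build: ok"
  else
    echo "build: FAILED, report as Phase 4 critical finding"
  fi
}

# Step 3: list files, pruning node_modules/, .git/ and dist/ at any depth.
map_structure() {
  (cd "$1" && find . \( -name node_modules -o -name .git -o -name dist \) \
    -prune -o -type f -print | LC_ALL=C sort)
}

preflight() {
  local root missing
  root="$(locate_package "${1:-.}")" || { echo "no package.json; ask for the package path" >&2; return 1; }
  missing="$(missing_tools)"
  [ -z "$missing" ] || { echo "missing tools: $missing" >&2; return 1; }
  run_build "$root"
  map_structure "$root"
}

# Run only when asked, e.g.: bash preflight.sh --run ./my-package
if [ "${1:-}" = "--run" ]; then preflight "${2:-.}"; fi
```

Because the build step runs scripts that the audited package defines, run the pre-flight in a throwaway container or VM when the package is not already trusted.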
## User Context