NPM Package Vulnerability Runbook
Automates vulnerability triage for Node.js projects using the npm Audit API and OSV.dev API. Generates step-by-step remediation runbooks with patching commands and dependency tree analysis.
npx skills add agentskillexchange/skills --skill npm-package-vulnerability-runbook
The NPM Package Vulnerability Runbook skill integrates the npm Audit API (POST /-/npm/v1/security/audits) with the OSV.dev vulnerability database API to provide comprehensive dependency security analysis. It submits the full dependency tree to npm audit and enriches the results with CVE details from the National Vulnerability Database API (services/rest/cve/2.0). Each vulnerability is classified by exploitability using CVSS v3.1 vector analysis. The skill generates ordered remediation runbooks that account for dependency tree depth: direct dependency upgrades via npm update when safe, targeted pins through the package.json overrides field for transitive vulnerabilities, and manual patching instructions when no fix is available. It queries the npm Registry API (GET /{package}) to verify fix availability in newer versions, and semver constraint analysis identifies the minimum version bump required for each fix. The runbook output includes exact npm commands, package.json diffs, and rollback procedures for each remediation step.
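The classification and remediation logic described above, reduced to one runnable Node.js sketch. This is an added example, not the skill's own code: it assumes an advisory in OSV shape (affected[].ranges[].events with introduced/fixed), a plain x.y.z installed version, and a constructed sample advisory in place of a real OSV or npm Registry response.

```javascript
// Added example, not the skill's own code. Buckets a CVSS v3.1 vector, picks the
// minimum fixed version from an OSV-shaped advisory and emits the remediation step
// (npm install for a direct dependency, an "overrides" entry for a transitive one).
function parseCvssVector(vector) {
  const parts = vector.split('/');
  if (parts[0] !== 'CVSS:3.1') throw new Error('expected a CVSS:3.1 vector');
  return Object.fromEntries(parts.slice(1).map(p => p.split(':')));
}

// Coarse exploitability bucket from the base metrics AV, PR and UI.
function exploitability(vector) {
  const m = parseCvssVector(vector);
  if (m.AV === 'N' && m.PR === 'N' && m.UI === 'N') return 'remote-unauthenticated';
  if (m.AV === 'N' || m.AV === 'A') return 'network-limited';
  return 'local';
}

// Numeric compare of plain x.y.z versions (prerelease tags are not handled).
function cmpSemver(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Smallest "fixed" event in the advisory's SEMVER ranges above the installed version.
function minimumFix(advisory, installed) {
  const fixes = advisory.affected.flatMap(a => a.ranges || [])
    .filter(r => r.type === 'SEMVER')
    .flatMap(r => r.events.map(e => e.fixed).filter(Boolean))
    .filter(v => cmpSemver(v, installed) > 0).sort(cmpSemver);
  return fixes.length ? fixes[0] : null;
}

// Direct dependency: upgrade it. Transitive: pin via "overrides". No fix: manual patch.
function remediationStep(pkg, installed, advisory, isDirect) {
  const fix = minimumFix(advisory, installed);
  if (!fix) return { action: 'manual-patch', command: null, overrides: null };
  if (isDirect) return { action: 'update', command: `npm install ${pkg}@${fix}`, overrides: null };
  return { action: 'override', command: 'npm install', overrides: { [pkg]: fix } };
}

// Constructed sample advisory in OSV shape (id, package name and versions are placeholders).
const SAMPLE_ADVISORY = {
  id: 'EXAMPLE-0001',
  affected: [{ package: { ecosystem: 'npm', name: 'example-lib' },
    ranges: [{ type: 'SEMVER', events: [{ introduced: '0' }, { fixed: '1.4.2' }] }] }],
  severity: [{ type: 'CVSS_V3', score: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }],
};
console.log(exploitability(SAMPLE_ADVISORY.severity[0].score),
  JSON.stringify(remediationStep('example-lib', '1.3.0', SAMPLE_ADVISORY, false)));
```

The overrides object is what the runbook would splice into package.json for a transitive dependency; a real run would take the advisory from OSV.dev and confirm the fixed version exists via the npm Registry before recommending it.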