
dependency-auditor (listed)

Multi-language dependency vulnerability scanning and license compliance auditing. TRIGGER when: user asks to audit dependencies, check for vulnerabilities, review licenses, detect outdated or bloated packages, or assess supply chain risk. DO NOT TRIGGER when: user is adding a specific dependency they have already chosen, or debugging a build failure unrelated to dependency versions.
DROOdotFOO/agent-skills · ★ 1 · AI & Automation · score 75
Install: claude install-skill DROOdotFOO/agent-skills
# Dependency Auditor

## What You Get

- Vulnerability report with CVE IDs, CVSS scores, and fix recommendations
- License compliance audit (copyleft flags, conflicts, missing licenses)
- Prioritized upgrade plan with breaking change risk assessment

## Philosophy

Dependencies are attack surface. Every transitive dependency is code you did not write, did not review, and may not maintain. Audit proactively, not after an incident.

## Workflow: 5 Phases

### Phase 1: Scan Dependencies

Detect the project's ecosystem(s) from lockfiles and manifests. A single project may use multiple ecosystems (e.g., Node frontend + Python backend). Identify:

- Direct dependencies and their versions
- Transitive dependency tree depth
- Pinned vs floating version specifiers

### Phase 2: Vulnerability Check

Run ecosystem-specific audit commands. See [vulnerability-scanning.md](vulnerability-scanning.md) for per-language tools. For each vulnerability:

- CVE identifier and CVSS score
- Affected version range
- Whether a patched version exists
- Whether the vulnerable code path is reachable in this project

### Phase 3: License Audit

Classify every dependency's license. See [license-compliance.md](license-compliance.md) for the taxonomy. Flag:

- Copyleft licenses in proprietary projects
- License conflicts between dependencies
- Dependencies with no declared license
- Dual-licensed packages where the commercial license applies

### Phase 4: Detect Bloat

Identify dependencies that are:

- Unused (
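As an added example, not part of the skill's own files: the Phase 1 inventory (direct vs transitive, tree depth, pinned vs floating specifiers) and the Phase 3 license flags, run over a constructed npm-style manifest and resolved graph. Package names are illustrative, `gpl-helper` is hypothetical, and the license taxonomy is a coarse SPDX-prefix stand-in for the one in license-compliance.md.

```python
import re
from collections import deque
# Constructed sample (not a real project): npm-style manifest (name -> specifier) and the lockfile-pinned graph with SPDX licenses.
MANIFEST = {"express": "4.18.2", "chalk": "*", "readline-sync": "~1.4.10"}
RESOLVED = {
    "express":       {"deps": ["body-parser", "debug"], "license": "MIT"},
    "body-parser":   {"deps": ["debug", "iconv-lite"],  "license": "MIT"},
    "debug":         {"deps": [],                        "license": "MIT"},
    "iconv-lite":    {"deps": [],                        "license": None},
    "chalk":         {"deps": [],                        "license": "MIT"},
    "readline-sync": {"deps": ["gpl-helper"],            "license": "MIT"},
    "gpl-helper":    {"deps": [],                        "license": "GPL-3.0-only"},  # hypothetical name
}
# Specifiers that let the resolver pick a release newer than the one last reviewed.
FLOATING = re.compile(r"^[\^~*<>]|^latest$|\.x(\.|$)|\|\|")
STRONG_COPYLEFT = ("GPL-", "AGPL-")
WEAK_COPYLEFT = ("LGPL-", "MPL-", "EPL-")

def classify_license(spdx):
    if not spdx:
        return "missing"
    if spdx.startswith(WEAK_COPYLEFT):  # LGPL before GPL so the prefix test is unambiguous
        return "weak-copyleft"
    if spdx.startswith(STRONG_COPYLEFT):
        return "strong-copyleft"
    return "permissive-or-other"

def walk(manifest, resolved):
    """Breadth-first walk from the direct dependencies; returns each package's shallowest depth."""
    depth, queue = {}, deque((name, 1) for name in manifest)
    while queue:
        name, d = queue.popleft()
        if name in depth:  # diamond dependency already recorded at a shallower depth
            continue
        depth[name] = d
        queue.extend((child, d + 1) for child in resolved.get(name, {}).get("deps", []))
    return depth

def audit(manifest, resolved, proprietary=True):
    depth = walk(manifest, resolved)
    lic = {p: classify_license(resolved[p]["license"]) for p in depth}
    return {
        "direct": sorted(manifest),
        "transitive": sorted(p for p, d in depth.items() if d > 1),
        "max_depth": max(depth.values(), default=0),
        "floating": sorted(p for p, spec in manifest.items() if FLOATING.search(spec)),
        "missing_license": sorted(p for p, c in lic.items() if c == "missing"),
        "copyleft": sorted(p for p, c in lic.items() if proprietary and c.endswith("copyleft")),
    }
```

A missing license is reported as a finding rather than assumed permissive, and the copyleft flag is only raised when the consuming project is marked proprietary.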