Install: claude install-skill mayankmankhand/llm-peer-review
# Dependency Review
Be thorough but concise.
**Use this when:** Auditing project dependencies for security vulnerabilities, outdated packages, supply chain risks, or license compliance.
**Don't use this when:** Reviewing code logic (/review-code), testing a running app (/review-browser), or doing a pre-release check (/review-full).
## Critical Rules
<rules>
1. **REPORT ONLY** - Do NOT make any changes or edits to files
2. **Wait for approval** - Only fix things after I say "fix it"
3. **Explain simply** - Use plain English, avoid jargon
</rules>
## How to Review
<procedure>
1. **Run `npm audit --json`** and categorize findings by severity (critical, high, moderate, low). If the project has no lockfile, note that as a finding, since `npm audit` requires one.
2. **Run `npm outdated --json`** and flag packages where the installed version is more than one major version behind, or where the latest version includes security fixes.
3. **Check maintainer activity** for any dependency with high or critical vulnerabilities. Use `gh api` to check:
- Last commit date (stale if no commits in 12+ months)
- Number of contributors (single-maintainer risk if fewer than 3)
- Star count (low adoption signal if under 100 stars)
- Open issues vs. closed issues ratio
4. **Review license types** in package.json dependencies. Flag:
- Copyleft licenses (GPL, AGPL) in a project that expects permissive licensing
- Missing license fields
- `UNLICENSED` packages
5. **Compile findin
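The classification that steps 1, 2 and 4 describe, as an added example (not part of this skill or its repository): it parses the JSON that `npm audit --json` and `npm outdated --json` emit and applies the thresholds above. The two sample documents are constructed, and the example assumes the audit output follows the npm v7+ report shape (`vulnerabilities` keyed by package name, each with a `severity`).

```javascript
// Constructed sample of `npm audit --json` (npm v7+ report shape), not a real project.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-a": { name: "example-a", severity: "high", isDirect: true, fixAvailable: true },
    "example-b": { name: "example-b", severity: "moderate", isDirect: false, fixAvailable: false },
    "example-c": { name: "example-c", severity: "critical", isDirect: false, fixAvailable: true },
  },
};

// Constructed sample of `npm outdated --json`.
const SAMPLE_OUTDATED = {
  "example-a": { current: "1.4.2", wanted: "1.4.9", latest: "3.0.1", dependent: "my-app" },
  "example-d": { current: "4.0.0", wanted: "4.1.0", latest: "5.0.0", dependent: "my-app" },
};

const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

// Step 1: bucket vulnerable packages by severity; unknown severities get their own bucket.
function categorizeAudit(report) {
  const buckets = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, []]));
  for (const [name, v] of Object.entries(report.vulnerabilities ?? {})) {
    (buckets[v.severity] ??= []).push(name);
  }
  return buckets;
}

// Leading integer of a semver string; NaN if it cannot be parsed.
function major(version) {
  const m = /^(\d+)/.exec(version ?? "");
  return m ? Number(m[1]) : NaN;
}

// Step 2: flag packages whose latest release is more than one major version ahead.
// (Whether the newer release carries security fixes must be cross-checked against the
// audit report; `npm outdated` alone does not say.)
function flagOutdated(outdated) {
  return Object.entries(outdated)
    .filter(([, v]) => major(v.latest) - major(v.current) > 1)
    .map(([name, v]) => ({ name, current: v.current, latest: v.latest }));
}

// Step 4: classify a package.json `license` value (string, or legacy {type, url} object).
function classifyLicense(license) {
  const id = typeof license === "object" && license !== null ? license.type : license;
  if (id === undefined || id === null || id === "") return "missing";
  if (id === "UNLICENSED") return "unlicensed";
  if (/\bA?GPL\b/i.test(id)) return "copyleft"; // GPL and AGPL families
  return "permissive-or-other";
}
```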