Dependency Audit
Audits project dependencies for known security vulnerabilities across multiple package ecosystems.
Purpose & Scope
- Detect vulnerable dependencies using ecosystem-specific tools
- Support multiple ecosystems: npm, NuGet, pip, Go modules, Bundler, Cargo
- Classify vulnerabilities by severity (Critical/High/Medium/Low)
- Provide fix recommendations with safe auto-fix guidance
- Return normalized report to parent orchestrator (ln-760)
When to Use
- During project bootstrap (via ln-760-security-setup)
- CI/CD pipeline security checks
- Pre-release security validation
- Regular scheduled audits
Workflow
Phase 1: Ecosystem Detection
Step 1: Detect Package Managers
- Check for `package.json`/`package-lock.json` (npm)
- Check for `*.csproj`/`packages.config` (.NET)
- Check for `requirements.txt`/`Pipfile`/`pyproject.toml` (Python)
- Check for `go.mod` (Go)
- Check for `Gemfile` (Ruby), `Cargo.toml` (Rust), `composer.json` (PHP)
Step 2: Check Tool Availability
- For each detected ecosystem, verify the audit tool is available
- If the tool is missing: log a warning and skip the ecosystem (do not fail)
Phase 2: Audit Execution
Step 1: Run Ecosystem Audits
- Execute the audit command for each detected ecosystem
- Prefer JSON output for parsing (see `references/audit_commands.md`)
- Run audits in parallel where possible
Step 2: Parse Results
- Normalize findings to a common format: package, version, vulnerability ID, severity
- Extract the CVSS score if available
Phase 3: Report Generation
Step 1: Severity Classification
- Map CVSS scores to severity per `references/severity_mapping.md`
- Critical: CVSS 9.0-10.0
- High: CVSS 7.0-8.9
- Medium: CVSS 4.0-6.9
- Low: CVSS 0.1-3.9
Step 2: Group and Sort
- Group by ecosystem
- Sort by severity (Critical first)
- Include a vulnerability count summary
Step 3: Build Report
- Include package name, current version, fixed version
- Include vulnerability ID (CVE/GHSA/OSV)
- Do NOT include exploit details
Phase 4: Fix Recommendations
Step 1: Classify Fix Type
- Patch update (safe auto-fix)
- Minor update (usually safe)
- Major update (manual review required)
- No fix available (document and monitor)
Step 2: Generate Recommendations
- For each vulnerability: suggest a fix command
- Flag breaking changes if the fix is a major version bump
- Note if the fix requires code changes
Step 3: Return Results
- Return the structured report to the orchestrator
- Include a summary: packages audited, vulnerabilities found, counts by severity
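An added example (not part of this skill or its reference files) of the normalization, CVSS-to-severity mapping, fix-type classification and group-and-sort steps from Phases 2 through 4; it assumes plain MAJOR.MINOR.PATCH version strings and uses constructed findings with placeholder advisory IDs:

```python
from collections import Counter, defaultdict
# Lower bound of each CVSS band, per the skill's severity mapping.
SEVERITY_BANDS = [("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)]
SEVERITY_RANK = {name: rank for rank, (name, _) in enumerate(SEVERITY_BANDS)}

def severity_from_cvss(score):
    """Map a CVSS base score to Critical/High/Medium/Low; 0.0 falls in no band."""
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"

def parse_version(version):
    """Assumes plain MAJOR.MINOR.PATCH; missing trailing parts count as 0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify_fix(current, fixed):
    """patch = safe auto-fix, minor = usually safe, major = manual review."""
    if fixed is None:
        return "no fix available"
    cur, new = parse_version(current), parse_version(fixed)
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"

def build_report(findings):
    """Group normalized findings by ecosystem, sort Critical first, summarize."""
    grouped = defaultdict(list)
    for f in findings:
        row = {**f, "severity": severity_from_cvss(f["cvss"]),
               "fix_type": classify_fix(f["version"], f.get("fixed"))}
        grouped[f["ecosystem"]].append(row)
    for rows in grouped.values():
        rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)))
    summary = Counter(r["severity"] for rows in grouped.values() for r in rows)
    return {"ecosystems": dict(grouped), "summary": dict(summary),
            "total": sum(summary.values())}

# Constructed findings with placeholder IDs, not real advisories.
SAMPLE_FINDINGS = [
    {"ecosystem": "npm", "package": "examplelib", "version": "1.2.3",
     "id": "GHSA-placeholder-1", "cvss": 7.5, "fixed": "1.2.4"},
    {"ecosystem": "npm", "package": "otherpkg", "version": "4.0.1",
     "id": "CVE-0000-PLACEHOLDER", "cvss": 9.8, "fixed": "5.0.0"},
    {"ecosystem": "pip", "package": "somemodule", "version": "2.1.0",
     "id": "OSV-placeholder-2", "cvss": 5.3, "fixed": None},
]
```

Real audit tools emit their own JSON shapes, so a per-ecosystem adapter must first map each tool's output into the field names used here.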
Critical Rules
- Never auto-fix major versions - they may introduce breaking changes
- Verify lock file integrity - regenerate if corrupted
- Respect severity thresholds per environment (see `references/severity_mapping.md`)
- Document unfixable vulns - add them to known issues with a review date
- No exploit code - report IDs only, not exploitation details
Definition of Done
- All detected ecosystems audited
- Findings classified by severity with CVSS mapping
- Fix recommendations provided (safe vs manual)
- Report returned in normalized format
- Critical vulnerabilities prominently flagged
- Lock file integrity verified
Reference Files
| File | Purpose |
|---|---|
| `references/audit_commands.md` | Ecosystem-specific audit commands |
| `references/severity_mapping.md` | CVSS to severity level mapping |
| `references/ci_integration_guide.md` | CI/CD integration guidance |
Version: 2.0.0 Last Updated: 2026-01-10