Dependency Auditor
Commands
- /deps scan — Full audit of all dependencies
- /deps scan --security — Security-only scan (known CVEs/advisories)
- /deps scan --outdated — List outdated packages
- /deps scan --licenses — License compatibility check
- /deps update-plan — Generate prioritized update plan
Procedure
Phase 1: Discovery
Detect package managers and dependency files:
- requirements.txt, pyproject.toml — Python (pip/uv)
- package.json, package-lock.json — Node.js (npm)
- pnpm-lock.yaml — Node.js (pnpm)
- go.mod, go.sum — Go
- Cargo.toml, Cargo.lock — Rust
Where a lockfile exists, audit the versions it resolves rather than the ranges in the manifest: the lockfile records what actually ships and names the transitive dependencies the manifest never mentions.
Phase 2: Security Audit
For each dependency, direct and transitive:
- Check against vulnerability databases (NVD, GitHub Advisory Database, OSV)
- Run the ecosystem audit tool (pip-audit, npm audit, govulncheck, cargo audit)
- Flag transitive dependencies with known vulnerabilities, not only the ones the project declares
- Assess severity: CRITICAL / HIGH / MEDIUM / LOW, starting from the advisory's CVSS rating and noting whether the vulnerable code is reachable at all (govulncheck, for example, reports only vulnerabilities in functions the program actually calls)
Phase 3: Staleness Check
- Compare the installed (locked) version against the latest stable release
- Flag packages 1+ major versions behind
- Check whether the package is still maintained (date of last commit, archived status)
- Identify deprecated packages and their recommended replacements
Phase 4: License Audit
- Extract the declared license of every dependency, direct and transitive
- Flag licenses incompatible with the project's own (an AGPL dependency in a proprietary codebase = FAIL, a GPL dependency pulled into a library = WARN)
- Flag packages with no license declared; treat "unknown" as a finding, not as permissive
Phase 5: Update Plan
Produce a plan grouped by priority (CRITICAL / HIGH / MEDIUM / LOW). Each entry lists the package name, current version, target version, reason, and the risk of applying the update (Low = patch bump, Medium = minor bump, High = major bump, Critical = deprecated or unmaintained, which means a replacement rather than an upgrade).
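The five phases above as one offline worked example. This is added illustration, not the auditor's own implementation: the package names, versions, advisory IDs (DEMO-…) and registry metadata are all constructed, and the LATEST and ADVISORIES tables stand in for the PyPI/npm metadata and OSV/GHSA/NVD lookups a real run would perform. It parses a pinned requirements.txt and an npm lockfile (v2/v3 "packages" map), matches pinned versions against advisories, derives update risk from the semver distance to the latest release, applies the AGPL/GPL/no-license policy stated above, and emits the prioritized plan.

```python
import json
import re
from collections import namedtuple

# Constructed inputs: fictional packages and fictional advisory IDs, no real project.
REQUIREMENTS_TXT = """\
acme-http==2.25.1
yamlish==5.3.1  # pinned for the legacy exporter
fastcli>=1.0
"""
PACKAGE_LOCK_JSON = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "license": "UNLICENSED"},
    "node_modules/pad-left": {"version": "1.3.0", "license": "MIT",
                              "deprecated": "use String.prototype.padStart"},
    "node_modules/gpltool": {"version": "4.17.20", "license": "GPL-3.0-only"},
}})
# Stand-ins for registry metadata (latest version, declared license) and an OSV-style feed.
LATEST = {"PyPI": {"acme-http": ("2.32.3", "Apache-2.0"), "yamlish": ("6.0.1", "MIT"),
                   "fastcli": ("1.4.0", "AGPL-3.0-only")},
          "npm": {"pad-left": ("1.3.0", "MIT"), "gpltool": ("4.17.21", "GPL-3.0-only")}}
ADVISORIES = [  # constructed: every version below "fixed" is affected
    {"id": "DEMO-2024-0001", "eco": "PyPI", "pkg": "yamlish", "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "DEMO-2024-0002", "eco": "PyPI", "pkg": "acme-http", "fixed": "2.31.0", "severity": "MEDIUM"},
]
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

Dep = namedtuple("Dep", "eco name version license deprecated", defaults=(None, False))

def parse_requirements(text):
    """Phase 1 (pip): only '==' pins give an auditable version; names are PEP 503-normalized."""
    deps = []
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line:
            m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([^\s;]+))?", line)
            deps.append(Dep("PyPI", re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)))
    return deps

def parse_package_lock(text):
    """Phase 1 (npm): lockfile v2/v3 'packages' lists every installed dep, transitive included."""
    return [Dep("npm", path.rsplit("node_modules/", 1)[1], meta.get("version"),
                meta.get("license"), "deprecated" in meta)
            for path, meta in json.loads(text)["packages"].items()
            if "node_modules/" in path]    # the "" key is the root project itself

def vtuple(v):
    """Numeric prefix of a version string, e.g. '1.2.3-beta' -> (1, 2, 3)."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def bump_kind(cur, target):
    """Phase 3/5: which semver component the upgrade moves."""
    a, b = vtuple(cur) + (0, 0), vtuple(target) + (0, 0)
    return "major" if b[0] > a[0] else "minor" if b[1] > a[1] else "patch"

def security_findings(dep):
    """Phase 2: an advisory applies when the pinned version is below its fix."""
    return [a for a in ADVISORIES if dep.version and a["eco"] == dep.eco
            and a["pkg"] == dep.name and vtuple(dep.version) < vtuple(a["fixed"])]

def license_verdict(lic, proprietary_project=True):
    """Phase 4 policy as stated on the page: AGPL = FAIL, GPL = WARN, undeclared = WARN."""
    if not lic:
        return "WARN"                     # unknown is not the same as permissive
    if lic.upper().startswith("AGPL") and proprietary_project:
        return "FAIL"
    return "WARN" if lic.upper().startswith("GPL") else "OK"

def update_plan(deps):
    """Phase 5: one entry per dependency that needs action, worst priority first."""
    plan = []
    for d in deps:
        latest, reg_lic = LATEST[d.eco].get(d.name, (None, None))
        lic, verdict = d.license or reg_lic, license_verdict(d.license or reg_lic)
        findings = security_findings(d)
        lagging = bool(d.version and latest and vtuple(latest)[0] > vtuple(d.version)[0])
        reasons = [f"{a['id']} ({a['severity']})" for a in findings]
        reasons += ["unpinned; exact version not auditable"] * (d.version is None)
        reasons += ["1+ major versions behind"] * lagging
        reasons += ["deprecated upstream"] * d.deprecated
        reasons += [f"license {lic or 'missing'}: {verdict}"] * (verdict != "OK")
        if not reasons:
            continue
        if findings:                      # priority follows the worst advisory severity
            prio = min((a["severity"] for a in findings), key=SEVERITY_RANK.__getitem__)
        else:
            prio = ("HIGH" if d.deprecated or verdict == "FAIL"
                    else "MEDIUM" if lagging or not d.version else "LOW")
        if d.deprecated:                  # page: deprecated/unmaintained = Critical (replace, don't bump)
            risk = "Critical"
        elif not d.version or not latest:
            risk = "High"                 # upgrade scope unknown: treat like a major bump
        else:
            risk = {"patch": "Low", "minor": "Medium", "major": "High"}[bump_kind(d.version, latest)]
        plan.append({"priority": prio, "package": d.name, "current": d.version or "unpinned",
                     "target": latest, "reason": "; ".join(reasons), "risk": risk})
    return sorted(plan, key=lambda e: (SEVERITY_RANK[e["priority"]], e["package"]))

def run_audit():
    return update_plan(parse_requirements(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK_JSON))
```

`run_audit()` returns the plan as a list of dicts ordered CRITICAL first. Two choices worth noting: a requirements.txt range such as `fastcli>=1.0` is reported as "unpinned" rather than silently skipped, because no specific version can be checked against an advisory, and an undeclared license is a WARN finding rather than a pass, which is the page's rule for packages with no license specified.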
MCMAP-Specific Notes
- Python scripts in scripts/ use pip — check requirements.txt
- MCP servers reference npm/PyPI packages — audit those too
- PAC CLI is a .NET tool installed as a dotnet tool, so none of the manifests above cover it — check its version separately (dotnet tool list, or dotnet tool list -g for a global install)