Dependency Check
Analyze dependencies for the project at $ARGUMENTS.
Analysis Scope
1. Outdated Packages
Identify packages with available updates:
- •Major version updates (breaking changes likely)
- •Minor version updates (new features)
- •Patch updates (bug fixes)
2. Security Vulnerabilities
Check for known vulnerabilities:
- •CVE references
- •Severity ratings
- •Affected versions
3. License Compliance
Review dependency licenses:
- •Identify restrictive licenses (GPL, AGPL)
- •Flag license incompatibilities
- •Note unknown licenses
Dynamic Context
- •Package files: !
find . -maxdepth 3 -name "package.json" -o -name "requirements.txt" -o -name "Pipfile" -o -name "go.mod" -o -name "Cargo.toml" 2>/dev/null | head -5 - •Lock files: !
find . -maxdepth 3 -name "package-lock.json" -o -name "yarn.lock" -o -name "Pipfile.lock" -o -name "poetry.lock" 2>/dev/null | head -5
Instructions
For Node.js Projects
- •
Check outdated packages:
bashnpm outdated --json 2>/dev/null || echo "{}" - •
Run security audit:
bashnpm audit --json 2>/dev/null || echo "{}"
For Python Projects
- •
Check outdated packages:
bashpip list --outdated --format=json 2>/dev/null || echo "[]"
- •
Run security audit (if pip-audit installed):
bashpip-audit --format=json 2>/dev/null || echo "pip-audit not installed"
General Checks
- •Read the dependency manifest files
- •Identify direct vs transitive dependencies
- •Check for duplicate dependencies
- •Note any pinned versions that may be outdated
Output Format
Return a JSON dependency report:
json
{
"project_type": "nodejs",
"manifest_files": ["package.json"],
"summary": {
"total_dependencies": 45,
"direct": 12,
"dev": 8,
"outdated": 5,
"vulnerable": 2
},
"outdated": [
{
"package": "lodash",
"current": "4.17.15",
"wanted": "4.17.21",
"latest": "4.17.21",
"type": "patch",
"breaking_changes": false
},
{
"package": "react",
"current": "17.0.2",
"wanted": "17.0.2",
"latest": "18.2.0",
"type": "major",
"breaking_changes": true
}
],
"vulnerabilities": [
{
"package": "minimist",
"severity": "high",
"cve": "CVE-2021-44906",
"description": "Prototype pollution",
"fixed_in": "1.2.6",
"recommendation": "Update to ^1.2.6"
}
],
"license_issues": [
{
"package": "gpl-library",
"license": "GPL-3.0",
"concern": "Copyleft license may require open-sourcing your code"
}
],
"recommendations": [
"Update lodash to patch security vulnerability",
"Consider upgrading to React 18 (breaking changes)",
"Review GPL-licensed dependency compatibility"
]
}
Priority Actions
- •Critical: Security vulnerabilities with available fixes
- •High: Major version updates for security fixes
- •Medium: Outdated packages with minor updates
- •Low: Patch updates, license reviews
Notes
- •Always test thoroughly after updating dependencies
- •Consider using lockfiles for reproducible builds
- •Set up automated dependency scanning in CI/CD