Dependency Audit

Audit project manifests against source code to find unused, missing, and misplaced dependencies across major languages.

Install
cmdop skills install agensi-dependency-audit

Dependency Audit is a skill that cross-references project manifest files against actual import and require statements in source code to surface dependency problems developers commonly miss. It works across four ecosystems: Node.js and TypeScript projects using npm, yarn, or pnpm (including scoped packages and test-file detection); Python projects using pip with requirements.txt or pyproject.toml; Go projects via go.mod analysis; and Rust projects via Cargo.toml with dev-dependency separation.

The skill categorizes findings into three distinct buckets. Unused packages are declared in the manifest but never imported in source, contributing to build bloat and an unnecessary attack surface. Misplaced dependencies are dev-only packages that have leaked into production dependency declarations, or vice versa. Phantom dependencies are packages actively imported in source code but not explicitly declared in the manifest — a category that can cause production crashes when transitive dependency trees change.

Unlike basic linters that check manifest syntax alone, this skill maps the full dependency graph while respecting the boundary between production source and test suites. The output is a DEPENDENCY_AUDIT.md report that lists every issue found and includes actionable CLI commands to resolve each one. An agent using this skill can trigger an audit as part of a CI workflow, pre-release check, or routine codebase maintenance to keep manifests accurate and minimal.

Use cases

  • Identify packages declared in package.json that are never imported in the project's source files
  • Detect dev-dependencies that have been mistakenly used in production code in a Node.js or TypeScript project
  • Find phantom Go module dependencies imported in .go files but absent from go.mod
  • Audit a Python project's requirements.txt or pyproject.toml for stale or undeclared packages before a release
  • Generate a DEPENDENCY_AUDIT.md report with ready-to-run CLI fix commands for a Rust Cargo.toml
  • Run a dependency hygiene check as part of an automated pre-merge or CI pipeline step

When to use it

  • When preparing a release and needing to verify that all runtime dependencies are explicitly declared
  • When reducing a project's attack surface by removing packages that are no longer used
  • When a production crash is suspected to stem from a missing or transitive-only dependency
  • When onboarding to an unfamiliar codebase and needing a clear picture of actual vs. declared dependencies
  • When the project uses Node.js, TypeScript, Python, Go, or Rust and has a standard manifest file

When not to use it

  • For languages or ecosystems outside Node.js/TypeScript, Python, Go, and Rust — other ecosystems are not supported
  • When the project does not use a standard manifest file such as package.json, requirements.txt, pyproject.toml, go.mod, or Cargo.toml
  • As a replacement for security vulnerability scanning — this skill detects structural dependency issues, not CVEs
  • When dynamic or runtime-constructed import paths are the primary import mechanism, as those may not be detected by static analysis