Dependency Audit is a skill that cross-references project manifest files against actual import and require statements in source code to surface dependency problems developers commonly miss. It works across four ecosystems: Node.js and TypeScript projects using npm, yarn, or pnpm (including scoped packages and test-file detection); Python projects using pip with requirements.txt or pyproject.toml; Go projects via go.mod analysis; and Rust projects via Cargo.toml with dev-dependency separation.
The skill categorizes findings into three distinct buckets. Unused packages are declared in the manifest but never imported in source, contributing to build bloat and an unnecessary attack surface. Misplaced dependencies are dev-only packages that have leaked into production dependency declarations, or vice versa. Phantom dependencies are packages actively imported in source code but not explicitly declared in the manifest — a category that can cause production crashes when transitive dependency trees change.
Unlike basic linters that check manifest syntax alone, this skill maps the full dependency graph while respecting the boundary between production source and test suites. The output is a DEPENDENCY_AUDIT.md report that lists every issue found and includes actionable CLI commands to resolve each one. An agent using this skill can trigger an audit as part of a CI workflow, pre-release check, or routine codebase maintenance to keep manifests accurate and minimal.