Dependency Auditor

Audit dependencies for security, licenses, and health while generating a phased, low-risk upgrade and migration plan.

Install
cmdop skills install agensi-dependency-auditor

Dependency Auditor is a skill published by agensi that performs multi-dimensional analysis of a project’s dependency ecosystem across five risk vectors: security vulnerabilities, maintenance health, license compliance, upgrade risk, and bundle impact.

For security, it identifies CVEs and specifies the fixed versions that resolve them. Maintenance health analysis flags abandoned packages, bus-factor risks, and declining commit activity. License compliance auditing detects copyleft licenses such as GPL and AGPL, as well as packages with missing licenses that could create legal exposure. Upgrade risk assessment categorizes available updates as minor (low risk) or major (migration required), so engineering teams can triage effort accurately. For JavaScript projects, bundle impact analysis identifies heavy packages and suggests lighter alternatives — for example, replacing Moment.js with Day.js.

The output is structured as a phased execution plan rather than a flat report. It prioritizes security fixes first, batches low-risk minor updates, and provides breaking-change analysis with peer-dependency guidance for major version migrations.

Supported package ecosystems include npm, yarn, and pnpm for JavaScript and TypeScript; pip and poetry for Python; Cargo for Rust; Go modules; Composer for PHP; and Bundler for Ruby.

This skill is aimed at senior engineers and DevOps professionals who need structured, actionable dependency governance rather than a simple list of outdated packages.

Use cases

  • Identify CVEs in project dependencies and find the specific fixed versions to target
  • Flag abandoned or low-maintainer packages before they become a supply-chain liability
  • Audit all dependencies for GPL, AGPL, or missing licenses ahead of a compliance review
  • Generate a phased upgrade plan that sequences security fixes before breaking-change migrations
  • Assess bundle size impact of JavaScript dependencies and identify lighter substitutes
  • Analyze peer-dependency requirements and breaking changes before a major version upgrade

When to use it

  • When preparing a dependency audit report for a security or compliance review
  • When planning a large-scale dependency upgrade and needing a prioritized, phased approach
  • When evaluating whether a dependency is actively maintained before adopting it
  • When working in any of the supported ecosystems: npm, yarn, pnpm, pip, poetry, Cargo, Go modules, Composer, or Bundler

When not to use it

  • When the project uses a package manager not listed among the supported ecosystems
  • When real-time runtime vulnerability monitoring (rather than point-in-time audit) is required
  • When the need is automated dependency patching or pull-request generation rather than analysis and planning