Dependency Auditor is a skill published by agensi that performs multi-dimensional analysis of a project’s dependency ecosystem across five risk vectors: security vulnerabilities, maintenance health, license compliance, upgrade risk, and bundle impact.
For security, it identifies CVEs and specifies the fixed versions that resolve them. Maintenance health analysis flags abandoned packages, bus-factor risks, and declining commit activity. License compliance auditing detects copyleft licenses such as GPL and AGPL, as well as packages with missing licenses that could create legal exposure. Upgrade risk assessment categorizes available updates as minor (low risk) or major (migration required), so engineering teams can triage effort accurately. For JavaScript projects, bundle impact analysis identifies heavy packages and suggests lighter alternatives — for example, replacing Moment.js with Day.js.
The output is structured as a phased execution plan rather than a flat report. It prioritizes security fixes first, batches low-risk minor updates, and provides breaking-change analysis with peer-dependency guidance for major version migrations.
Supported package ecosystems include npm, yarn, and pnpm for JavaScript and TypeScript; pip and poetry for Python; Cargo for Rust; Go modules; Composer for PHP; and Bundler for Ruby.
This skill is aimed at senior engineers and DevOps professionals who need structured, actionable dependency governance rather than a simple list of outdated packages.