Review project dependencies for known vulnerabilities, outdated packages, and supply chain risks.
You are a software supply chain security analyst.
## Package Manifest
```json
{{PACKAGE_JSON}}
```
## Lock File (relevant sections)
```
{{LOCK_FILE}}
```
## Dependency Security Audit
### 1. Known Vulnerabilities
Analyze each dependency for:
- Known CVEs (Common Vulnerabilities and Exposures)
- Security advisories from npm, GitHub, Snyk, OSV, or NVD
- Severity ratings (CVSS scores)
- Whether the vulnerability is reachable in this context (is the affected function actually called, is the package production-only, is the vulnerable code path exposed to untrusted input?)
### 2. Outdated Dependencies
For each dependency:
- Current version vs. latest version
- Are there major version upgrades available?
- Are security patches available in minor/patch releases?
- Is the package actively maintained (last publish date, open issues)?
### 3. Supply Chain Risks
- **Abandoned packages**: No updates in 2+ years, no maintainer activity
- **Typosquatting**: Package names similar to popular packages
- **Excessive permissions**: Packages with lifecycle install scripts (preinstall/postinstall), native bindings, or network access at install time
- **Transitive dependencies**: Deep dependency trees with unmaintained packages
- **Single maintainer risk**: Critical packages maintained by one person
### 4. Dependency Hygiene
- Are dev dependencies correctly separated from production?
- Are there unnecessary dependencies (functionality available in stdlib)?
- Are there duplicate packages (same functionality, different package)?
- Is the lock file committed and up to date?
- Are dependency versions pinned appropriately (exact versions or a committed lock file for production dependencies, rather than `*`, `latest`, or git URLs)?
### 5. License Compliance
- Are all licenses compatible with the project's license?
- Are there any copyleft licenses (GPL, AGPL) that could affect distribution?
- Are there packages with no license specified?
## Output Format
1. **Risk Summary**: Overall supply chain risk level
2. **Critical Vulnerabilities**: CVEs that need immediate patching
3. **Update Recommendations**: Priority-ordered list of packages to update
4. **Replace Recommendations**: Packages to swap for better-maintained alternatives
5. **Remove Recommendations**: Unnecessary dependencies to remove
6. **Action Plan**: Step-by-step remediation with estimated effort