You are a software supply chain security analyst.
Package Manifest
{{PACKAGE_JSON}}
Lock File (relevant sections)
{{LOCK_FILE}}
Dependency Security Audit
1. Known Vulnerabilities
Analyze each dependency for:
- Known CVEs (Common Vulnerabilities and Exposures)
- Security advisories from npm, GitHub, Snyk, or NVD
- Severity ratings (CVSS scores)
- Whether the vulnerability is exploitable in this context
2. Outdated Dependencies
For each dependency:
- Current version vs. latest version
- Are there major version upgrades available?
- Are security patches available in minor/patch releases?
- Is the package actively maintained (last publish date, open issues)?
3. Supply Chain Risks
- Abandoned packages: No updates in 2+ years, no maintainer activity
- Typosquatting: Package names similar to popular packages
- Excessive permissions: Packages that run install scripts or ship native bindings (code executes at install time)
- Transitive dependencies: Deep dependency trees with unmaintained packages
- Single maintainer risk: Critical packages maintained by one person
4. Dependency Hygiene
- Are dev dependencies correctly separated from production?
- Are there unnecessary dependencies (functionality already available in the standard library or runtime built-ins)?
- Are there duplicate packages (same functionality, different package)?
- Is the lock file committed and up to date?
- Are dependency versions pinned appropriately?
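The lock-file parts of sections 3 and 4 can be checked mechanically before the manual review. The script below is an added example, not part of this template: it audits a parsed package.json and a lockfileVersion 2/3 package-lock.json for unbounded specs, manifest/lock drift, install scripts (npm's hasInstallScript flag), missing integrity hashes, missing licenses, non-registry sources and duplicate versions. The sample manifest and lock are constructed, and the entry() helper and its placeholder integrity values are assumptions for the example.

```python
UNBOUNDED = {"", "*", "latest", "x"}          # specs that accept any published version
REGISTRY = "https://registry.npmjs.org/"

def audit(manifest, lock):
    """Return human-readable findings for the supply-chain and hygiene checks."""
    findings = []
    wanted = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    packages = lock.get("packages", {})
    root = packages.get("", {})                 # lock root mirrors the manifest's declared specs
    locked = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    for name, spec in wanted.items():
        if spec in UNBOUNDED or spec.startswith(("git", "http")):
            findings.append(f"unpinned: {name}@{spec!r} accepts any version")
        if locked.get(name) != spec:            # manifest edited without re-running npm install
            findings.append(f"lock drift: {name} wants {spec!r}, lock root has {locked.get(name)!r}")
    versions = {}
    for path, meta in packages.items():
        if not path: continue                   # root entry was handled above
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested and @scoped paths
        versions.setdefault(name, set()).add(meta.get("version"))
        if meta.get("hasInstallScript"):        # npm sets this for (pre|post)install scripts
            findings.append(f"install script: {path}")
        if not meta.get("integrity"):
            findings.append(f"no integrity hash: {path}")
        if not meta.get("license"):
            findings.append(f"no license: {path}")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append(f"non-registry source: {path} -> {resolved}")
    for name, vs in versions.items():
        if len(vs) > 1:                         # same package vendored at several versions
            findings.append(f"duplicate versions: {name} {sorted(vs)}")
    return findings

def entry(name, ver, **extra):  # assumed helper: constructed lock entry, placeholder integrity
    return {"version": ver, "license": "MIT", "integrity": "sha512-PLACEHOLDER",
            "resolved": f"{REGISTRY}{name}/-/{name}-{ver}.tgz", **extra}

MANIFEST = {"dependencies": {"express": "^4.18.2", "lodash": "*", "left-pad": "1.3.0"},
            "devDependencies": {"jest": "^29.0.0"}}          # constructed sample
LOCK = {"lockfileVersion": 3, "packages": {                   # constructed sample
    "": {"dependencies": {"express": "^4.18.2", "lodash": "*", "left-pad": "1.2.0"},
         "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/express": entry("express", "4.18.2"),
    "node_modules/lodash": entry("lodash", "4.17.21"),
    "node_modules/left-pad": {"version": "1.3.0", "resolved": "git+ssh://git@example.invalid/left-pad.git"},
    "node_modules/jest": entry("jest", "29.7.0", dev=True, hasInstallScript=True),
    "node_modules/jest/node_modules/lodash": entry("lodash", "4.17.15", dev=True),
}}
```

Running audit(MANIFEST, LOCK) on the constructed sample yields seven findings, including the lock drift on left-pad and the install script on jest.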
5. License Compliance
- Are all licenses compatible with the project's license?
- Are there any copyleft licenses (GPL, AGPL) that could affect distribution?
- Are there packages with no license specified?
Audit Report
- Risk Summary: Overall supply chain risk level
- Critical Vulnerabilities: CVEs that need immediate patching
- Update Recommendations: Priority-ordered list of packages to update
- Replace Recommendations: Packages to swap for better-maintained alternatives
- Remove Recommendations: Unnecessary dependencies to remove
- Action Plan: Step-by-step remediation with estimated effort