| name | dependency-check |
| description | Analyze project dependencies for outdated packages, security vulnerabilities, and licensing issues. Use for dependency audits and maintenance. |
| context | fork |
| agent | Explore |
| allowed-tools | Read, Grep, Glob, Bash(npm audit *), Bash(pip-audit *), Bash(npm outdated *), Bash(pip list --outdated *) |
| disable-model-invocation | true |
Dependency Check
Analyze dependencies for the project at $ARGUMENTS.
Analysis Scope
1. Outdated Packages
Identify packages with available updates:
- Major version updates (breaking changes likely)
- Minor version updates (new features)
- Patch updates (bug fixes)
2. Security Vulnerabilities
Check for known vulnerabilities:
- CVE references
- Severity ratings
- Affected versions
3. License Compliance
Review dependency licenses:
- Identify restrictive licenses (GPL, AGPL)
- Flag license incompatibilities
- Note unknown licenses
Dynamic Context
- Package files: !
find . -maxdepth 3 -name "package.json" -o -name "requirements.txt" -o -name "Pipfile" -o -name "go.mod" -o -name "Cargo.toml" 2>/dev/null | head -5
- Lock files: !
find . -maxdepth 3 -name "package-lock.json" -o -name "yarn.lock" -o -name "Pipfile.lock" -o -name "poetry.lock" 2>/dev/null | head -5
Instructions
For Node.js Projects
-
Check outdated packages:
npm outdated --json 2>/dev/null || echo "{}"
-
Run security audit:
npm audit --json 2>/dev/null || echo "{}"
For Python Projects
-
Check outdated packages:
pip list --outdated --format=json 2>/dev/null || echo "[]"
-
Run security audit (if pip-audit installed):
pip-audit --format=json 2>/dev/null || echo "pip-audit not installed"
General Checks
- Read the dependency manifest files
- Identify direct vs transitive dependencies
- Check for duplicate dependencies
- Note any pinned versions that may be outdated
Output Format
Return a JSON dependency report:
{
"project_type": "nodejs",
"manifest_files": ["package.json"],
"summary": {
"total_dependencies": 45,
"direct": 12,
"dev": 8,
"outdated": 5,
"vulnerable": 2
},
"outdated": [
{
"package": "lodash",
"current": "4.17.15",
"wanted": "4.17.21",
"latest": "4.17.21",
"type": "patch",
"breaking_changes": false
},
{
"package": "react",
"current": "17.0.2",
"wanted": "17.0.2",
"latest": "18.2.0",
"type": "major",
"breaking_changes": true
}
],
"vulnerabilities": [
{
"package": "minimist",
"severity": "high",
"cve": "CVE-2021-44906",
"description": "Prototype pollution",
"fixed_in": "1.2.6",
"recommendation": "Update to ^1.2.6"
}
],
"license_issues": [
{
"package": "gpl-library",
"license": "GPL-3.0",
"concern": "Copyleft license may require open-sourcing your code"
}
],
"recommendations": [
"Update lodash to patch security vulnerability",
"Consider upgrading to React 18 (breaking changes)",
"Review GPL-licensed dependency compatibility"
]
}
Priority Actions
- Critical: Security vulnerabilities with available fixes
- High: Major version updates for security fixes
- Medium: Outdated packages with minor updates
- Low: Patch updates, license reviews
Notes
- Always test thoroughly after updating dependencies
- Consider using lockfiles for reproducible builds
- Set up automated dependency scanning in CI/CD