Name: Reviewing Dependencies
Author: zaxbysauce

name	reviewing-dependencies
description	Validate new and changed dependencies, imports, install commands, lockfile entries, and runtime tool assumptions for package hallucinations, slopsquatting, cross-ecosystem confusion, and version validity.

Reviewing Dependencies

Prevent package hallucinations, typosquatting, slopsquatting, version hallucinations, undeclared runtime tools, and import/install mismatches.

Extract package names from imports, manifests, lockfiles, scripts, docs, install commands, examples, and comments that instruct installation.
Verify each package in the canonical registry for the correct language ecosystem.
Verify the pinned version exists.
Check whether import name and install name differ and whether the project handles that correctly.
Flag cross-ecosystem confusion.
Flag suspicious generic package names such as *-utils, -helper, fast-, *-wrapper, *-validator, *-manager, or *-advanced, especially when newly published or low-signal.
Flag imports not declared in manifests.
Flag runtime dependence on tools, CLIs, or binaries not declared anywhere.
Flag manifest changes that are not reflected in lockfiles when a lockfile is expected.

package not found in canonical registry
pinned version not found
suspicious new package with no trust signal and no compelling reason
package mentioned in docs/comments/examples but not represented in manifests or lockfiles when it should be
cross-ecosystem dependency confusion that would break installation or runtime

Where relevant, include:

canonical registry checked
package name
version checked
mismatch type: phantom-package | version-hallucination | typosquat-risk | cross-ecosystem-confusion | undeclared-runtime-tool | import-install-mismatch

name	reviewing-dependencies
description	Validate new and changed dependencies, imports, install commands, lockfile entries, and runtime tool assumptions for package hallucinations, slopsquatting, cross-ecosystem confusion, and version validity.

Prevent package hallucinations, typosquatting, slopsquatting, version hallucinations, undeclared runtime tools, and import/install mismatches.

Extract package names from imports, manifests, lockfiles, scripts, docs, install commands, examples, and comments that instruct installation.
Verify each package in the canonical registry for the correct language ecosystem.
Verify the pinned version exists.
Check whether import name and install name differ and whether the project handles that correctly.
Flag cross-ecosystem confusion.
Flag suspicious generic package names such as *-utils, -helper, fast-, *-wrapper, *-validator, *-manager, or *-advanced, especially when newly published or low-signal.
Flag imports not declared in manifests.
Flag runtime dependence on tools, CLIs, or binaries not declared anywhere.
Flag manifest changes that are not reflected in lockfiles when a lockfile is expected.

package not found in canonical registry
pinned version not found
suspicious new package with no trust signal and no compelling reason
package mentioned in docs/comments/examples but not represented in manifests or lockfiles when it should be
cross-ecosystem dependency confusion that would break installation or runtime

Where relevant, include:

canonical registry checked
package name
version checked
mismatch type: phantom-package | version-hallucination | typosquat-risk | cross-ecosystem-confusion | undeclared-runtime-tool | import-install-mismatch

reviewing-dependencies