dependency-audit

Dependency Audit Skill

Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline. A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.

Required Inputs

Ask for these if not already provided:

• Project language and ecosystem — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
• Dependency list or package manifest — paste the contents of package.json, requirements.txt, go.mod, pom.xml, etc., or provide the audit tool output
• License policy — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
• Current security tooling — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none

Output Format

---

Dependency Audit Report: [Project Name]

Ecosystem: [npm / pip / Maven / Go / etc.] Audit date: [Date] Auditor: [Name] Total direct dependencies: [N] Total transitive dependencies: [N] Audit tool(s) used: [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]

---

Executive Summary

Category	Finding	Risk level
Critical vulnerabilities	[N] CVEs requiring immediate action	[Critical / High / Low]
High vulnerabilities	[N] CVEs — fix within 7 days	[High / Medium]
License violations	[N] packages with non-compliant licenses	[High / Low]
Severely outdated packages	[N] packages > 2 major versions behind	[Medium]
Packages with no active maintenance	[N] packages — no commits in 12+ months	[Medium]
Overall dependency health score	[Score]/100	[Red / Amber / Green]

Scoring methodology: Critical CVEs: −20 each. High CVEs: −10 each. License violations: −15 each. Abandoned packages: −5 each. Maximum deduction: 100. Score ≥80 = Green, 60–79 = Amber, <60 = Red.

Immediate actions required:

1. [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
2. [Second action]
3. [Third action]

---

1. Security Vulnerability Findings

Critical and High Severity (Act within 24–72 hours)

Package	Installed version	Fix version	CVE	Severity	CVSS score	Description	Exploitability
[package-name]	[X.Y.Z]	[A.B.C]	[CVE-YYYY-NNNNN]	Critical	[9.x]	[e.g. Prototype pollution via merge function — remote code execution possible]	[Known exploit / PoC available / No known exploit]
[package-name]	[X.Y.Z]	[A.B.C]	[CVE-YYYY-NNNNN]	High	[7.x]	[e.g. Path traversal in file serving utility]	[PoC available]
[package-name]	[X.Y.Z]	[A.B.C]	[CVE-YYYY-NNNNN]	High	[7.x]	[e.g. Regular expression denial of service (ReDoS)]	[No known exploit]

Medium Severity (Fix within 30 days)

Package	Installed version	Fix version	CVE	Severity	CVSS score	Description
[package-name]	[X.Y.Z]	[A.B.C]	[CVE-YYYY-NNNNN]	Medium	[5.x]	[Description]
[package-name]	[X.Y.Z]	[A.B.C]	[CVE-YYYY-NNNNN]	Medium	[4.x]	[Description]

Low Severity (Fix within 90 days or accept risk)

Package	Installed version	Fix version	CVE	Severity	Description
[package-name]	[X.Y.Z]	[A.B.C]	Low	[Description]

Vulnerabilities With No Fix Available

Package	CVE	Severity	Recommended mitigation
[package-name]	[CVE-YYYY-NNNNN]	[High]	[e.g. "Remove this package — alternative: [replacement]"]
[package-name]	[CVE-YYYY-NNNNN]	[Medium]	[e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"]

---

2. License Compliance Matrix

License Policy Reference

License	Category	Policy	Notes
MIT	Permissive	Allowed	Attribution required in distributed products
Apache 2.0	Permissive	Allowed	Attribution + NOTICE file required
BSD 2-Clause / 3-Clause	Permissive	Allowed	Attribution required
ISC	Permissive	Allowed
MPL 2.0	Weak copyleft	Allowed with review	Source disclosure required for modified MPL files only
LGPL v2 / v3	Weak copyleft	Allowed with review	Dynamic linking permitted; static linking may require disclosure
GPL v2 / v3	Strong copyleft	Restricted	May require open-sourcing the entire codebase — legal review required
AGPL v3	Strong copyleft	Restricted	Network use triggers copyleft — especially risky for SaaS
SSPL	Source available	Prohibited	Not OSI-approved — treat as proprietary
Proprietary / Commercial	Commercial	Requires contract	Verify license covers current use case and scale
Unknown / Unlicensed	—	Prohibited	No license = all rights reserved — cannot use legally

Findings: Packages With Compliance Issues

Package	License	Issue	Recommendation	Risk if unaddressed
[package-name]	GPL v3	Copyleft — may require open-sourcing this project	Replace with [alternative] or get legal sign-off	Legal / IP risk
[package-name]	AGPL v3	Network copyleft — SaaS use triggers disclosure	Replace with [alternative]	Legal / IP risk
[package-name]	Proprietary	License may not cover current usage tier	Verify license scope with vendor	Contract breach
[package-name]	Unknown	No license declared in package metadata	Contact maintainer or replace	Cannot use legally

All Licenses in Use (Full Inventory)

License	Package count	Compliance status
MIT	[N]	Compliant
Apache 2.0	[N]	Compliant
BSD-3-Clause	[N]	Compliant
ISC	[N]	Compliant
MPL 2.0	[N]	Review required
GPL v3	[N]	Non-compliant
Unknown	[N]	Non-compliant

---

3. Outdated Package Analysis

Severely Outdated (2+ major versions behind — high upgrade effort)

Package	Installed	Latest stable	Versions behind	Last updated	Breaking changes summary
[package-name]	[1.x.x]	[3.x.x]	2 major	[Date]	[e.g. "API redesign in v2; async support added in v3"]
[package-name]	[0.x.x]	[2.x.x]	2 major	[Date]	[Summary]

Moderately Outdated (1 major version behind)

Package	Installed	Latest stable	Versions behind	Security fix in newer version?
[package-name]	[2.x.x]	[3.x.x]	1 major	[Yes — CVE-YYYY-NNNNN / No]
[package-name]	[4.x.x]	[5.x.x]	1 major	[No]

Minor/Patch Updates Available (Low risk to update)

Package	Installed	Latest	Contains security fix?
[package-name]	[2.3.1]	[2.3.9]	[Yes / No]
[package-name]	[1.0.0]	[1.2.1]	[No]

---

4. Dependency Graph Risk Analysis

Transitive Dependency Risk

Transitive (indirect) dependencies carry risk because they are not explicitly managed. These are the highest-risk transitive dependencies in this project:

Vulnerable transitive dep	Pulled in by	Installed version	Fix available	Action
[transitive-package]	[direct-parent]	[X.Y.Z]	[Yes — upgrade [parent] to [version]]	Upgrade direct dependency [parent]
[transitive-package]	[direct-parent]	[X.Y.Z]	[No]	Remove [parent] or use [alternative]

Dependency Concentration Risk

These packages are depended on by many other packages in the project — a vulnerability or deprecation would have cascading effects:

Package	Depended on by (N packages)	Actively maintained?	Risk level
[package-name]	[N]	[Yes / No — last commit: date]	[High / Medium]
[package-name]	[N]	[Yes]	[Medium]

Abandoned / Unmaintained Packages

Package	Last release	Last commit	Weekly downloads	Recommended alternative
[package-name]	[Date]	[Date]	[N]	[alternative-package]
[package-name]	[Date]	[Date]	[N]	[Maintained fork: URL]

---

5. Remediation Plan

30-Day Plan

Week 1 — Critical vulnerabilities (Days 1–7)

Action	Owner	Package	Effort	Notes
Upgrade [package] [old] → [new]	[Name]	[package-name]	[30 min]	[No API changes / check breaking changes guide: URL]
Replace [package] with [alternative]	[Name]	[package-name]	[2 hours]	[No fix available — must replace]
Patch override for [transitive-dep]	[Name]	[transitive-dep]	[15 min]	[Add resolutions/overrides entry in manifest]

# Commands for Week 1 upgrades:

# npm
npm install [package]@[target-version]
npm audit fix --force  # use with caution — may introduce breaking changes

# pip
pip install --upgrade [package]==[target-version]
pip-audit --fix  # if using pip-audit

# Go
go get [module]@[version]
go mod tidy

# Maven
# Update pom.xml version property, then:
mvn versions:use-latest-releases -DallowMajorUpdates=false
mvn dependency:resolve

Week 2 — High vulnerabilities and license violations (Days 8–14)

Action	Owner	Package	Effort	Notes
Upgrade [package]	[Name]	[package-name]	[1 hour]
Replace GPL-licensed [package]	[Name]	[package-name]	[4 hours]	[Alternative: [package]]
Legal review for [package] license	Legal team	[package-name]	[Legal team SLA]	[Submit via [process]]

Week 3 — Medium vulnerabilities and abandoned packages (Days 15–21)

Action	Owner	Package	Effort	Notes
Upgrade [package]	[Name]	[package-name]	[30 min]
Replace abandoned [package]	[Name]	[package-name]	[2 hours]	[Maintained fork or alternative: [URL]]

Week 4 — Process improvements (Days 22–30)

Action	Owner	Effort	Notes
Enable Dependabot / Renovate for automated PRs	[Name]	[2 hours]	[Config in Section 6]
Add npm audit / pip-audit to CI — fail on Critical/High	[Name]	[1 hour]	[Config in Section 6]
Document license policy in CONTRIBUTING.md	[Name]	[1 hour]	[Based on policy in Section 2]
Schedule next quarterly audit	[Name]	[15 min]	[Add to team calendar]

---

6. Policy Recommendations

Automated Vulnerability Scanning in CI

Add the following to your CI pipeline to catch vulnerabilities before they merge:

# GitHub Actions — adapt for your CI platform
dependency-audit:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3

    # npm
    - name: npm audit
      run: npm audit --audit-level=high
      # Fails build on High or Critical vulnerabilities

    # pip
    - name: pip-audit
      run: |
        pip install pip-audit
        pip-audit --requirement requirements.txt --severity high

    # Go
    - name: govulncheck
      run: |
        go install golang.org/x/vuln/cmd/govulncheck@latest
        govulncheck ./...

Dependabot / Renovate Configuration

# .github/dependabot.yml — automated dependency update PRs
version: 2
updates:
  - package-ecosystem: "[npm / pip / gomod / maven]"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "automated"
    ignore:
      # Ignore major version bumps — review these manually
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

License Scanning

# npm — license checker
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC' \
  --failOn 'GPL;AGPL;LGPL'

# Python — pip-licenses
pip install pip-licenses
pip-licenses --allow-only="MIT;Apache Software License;BSD License;ISC License" \
  --fail-on="GNU General Public License"

# Go — go-licenses
go install github.com/google/go-licenses@latest
go-licenses check ./... --allowed_licenses=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause

---

7. Dependency Health Score Detail

Category	Max points	Score	Notes
No critical vulnerabilities	30	[N]/30	−20 per critical CVE
No high vulnerabilities	20	[N]/20	−10 per high CVE
License compliance	20	[N]/20	−15 per violation
No abandoned packages	15	[N]/15	−5 per abandoned package
Up-to-date major versions	10	[N]/10	−2 per major version behind
Automated scanning enabled	5	[N]/5	All-or-nothing
Total	100	[Score]/100	[Red / Amber / Green]

---

Quality Checks

• Every Critical and High CVE has a named owner and a resolution date in the 30-day plan
• License findings have been reviewed by legal or a named engineer with authority to accept the risk
• Transitive dependency vulnerabilities are included — not just direct dependencies
• Abandoned packages have a concrete replacement recommendation, not just "consider replacing"
• CI pipeline change is included — the audit findings should be the last time these are caught manually
• The dependency health score is calculated from actual findings, not estimated
• Remediation plan actions are specific commands or steps, not "upgrade package X" without version targets