Skip to content

Commit 8fdf029

Browse files
authored
feat(skills): add quality, launch, and post-launch skills
Add 8 new skills covering quality assurance, launch preparation, and post-launch operations including test strategy, performance benchmarking, launch checklist, monitoring setup, incident response, and retrospective facilitation.
1 parent f8af379 commit 8fdf029

8 files changed

Lines changed: 1714 additions & 0 deletions

File tree

Lines changed: 211 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,211 @@
1+
---
2+
name: analyze-dependencies
3+
description: Audit project dependencies for risk when the user asks to check dependencies, audit packages, review dependency health, check for vulnerabilities, or assess supply chain risk
4+
owner: chalk
5+
version: "1.0.0"
6+
metadata-version: "1"
7+
allowed-tools: Read, Glob, Grep, Bash
8+
argument-hint: "[package manager file or specific dependency to analyze]"
9+
---
10+
11+
# Analyze Dependencies
12+
13+
## Overview
14+
15+
Audit the project's dependency tree across five risk dimensions: freshness, vulnerabilities, bundle impact, license compliance, and maintenance status. Produce a risk-scored report with actionable recommendations for each dependency.
16+
17+
## Workflow
18+
19+
1. **Read project context** — Check `.chalk/docs/engineering/` for:
20+
- Architecture docs (to understand which dependencies are critical path)
21+
- Previous dependency audits
22+
- Any documented dependency policies or license requirements
23+
24+
2. **Locate dependency manifests** — Scan the project for:
25+
- `package.json` / `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` (Node.js)
26+
- `pyproject.toml` / `requirements.txt` / `Pipfile` / `poetry.lock` (Python)
27+
- `pubspec.yaml` / `pubspec.lock` (Dart/Flutter)
28+
- `Cargo.toml` / `Cargo.lock` (Rust)
29+
- `go.mod` / `go.sum` (Go)
30+
- `Gemfile` / `Gemfile.lock` (Ruby)
31+
- `pom.xml` / `build.gradle` (Java/Kotlin)
32+
- If `$ARGUMENTS` specifies a file, focus on that manifest
33+
34+
3. **Inventory dependencies** — For each manifest, list:
35+
- Direct dependencies (production)
36+
- Direct dev dependencies
37+
- Note the declared version constraints (exact, range, caret, tilde)
38+
39+
4. **Assess freshness** — For each dependency:
40+
- Current installed version vs. latest available version
41+
- Run the appropriate command: `npm outdated`, `pip list --outdated`, `pub outdated`, etc.
42+
- Classify the gap:
43+
- **Current**: on latest or within one minor version
44+
- **Stale**: one or more minor versions behind
45+
- **Outdated**: one or more major versions behind
46+
- **Abandoned**: no release in 2+ years
47+
48+
5. **Check for vulnerabilities** — Run the appropriate audit command:
49+
- `npm audit` / `yarn audit` / `pnpm audit`
50+
- `pip audit` or `safety check`
51+
- `cargo audit`
52+
- `bundle audit`
53+
- Record: CVE ID, severity (critical/high/medium/low), affected version range, fix available (yes/no)
54+
- Check transitive dependencies, not just direct ones
55+
56+
6. **Evaluate bundle impact** — Where applicable:
57+
- For Node.js: check package size, number of transitive dependencies, tree-shakeability
58+
- For frontend projects: note if a large library is used for a small feature (e.g., lodash for one function)
59+
- Flag dependencies that pull in disproportionately large sub-dependency trees
60+
61+
7. **Check license compliance** — For each dependency:
62+
- Identify the license (MIT, Apache-2.0, GPL, LGPL, AGPL, BSD, ISC, etc.)
63+
- Flag copyleft licenses (GPL, AGPL, LGPL) that may have viral implications
64+
- Flag unlicensed or custom-licensed packages
65+
- Flag license changes between the installed version and latest version
66+
- Note: MIT, Apache-2.0, BSD, ISC are generally permissive and low risk
67+
68+
8. **Assess maintenance status** — For each dependency, check:
69+
- Last publish date
70+
- Open issues and PRs (especially security-related)
71+
- Number of maintainers (bus factor)
72+
- Whether the project is archived or deprecated
73+
- Classify: **Active** (regular releases, responsive maintainers), **Maintained** (occasional releases, issues addressed), **Minimal** (rare updates, issues pile up), **Unmaintained** (no activity in 12+ months)
74+
75+
9. **Score each dependency** — Assign a risk score based on all dimensions:
76+
- **Low**: Current, no vulnerabilities, permissive license, actively maintained
77+
- **Medium**: Stale or one minor concern (e.g., slightly outdated, minimal maintenance)
78+
- **High**: Outdated or multiple concerns (known vulnerability with fix available, copyleft license, large bundle impact)
79+
- **Critical**: Known exploitable vulnerability, abandoned with no alternative, or license violation
80+
81+
10. **Generate recommendations** — For each dependency with medium or higher risk:
82+
- **Update**: Newer version fixes the issue. Note any breaking changes.
83+
- **Replace**: Better-maintained alternative exists. Name the alternative.
84+
- **Remove**: Dependency is unused or its functionality can be inlined.
85+
- **Monitor**: Risk is acceptable for now but should be tracked.
86+
- **Immediate Action**: Critical vulnerability or license violation requiring urgent attention.
87+
88+
11. **Determine the next file number** — List files in `.chalk/docs/engineering/` matching `*_dependency_audit*`. Find the highest number and increment by 1.
89+
90+
12. **Write the report** — Save to `.chalk/docs/engineering/<n>_dependency_audit.md`.
91+
92+
13. **Confirm** — Summarize: total dependencies analyzed, risk distribution, critical items requiring immediate attention.
93+
94+
## Filename Convention
95+
96+
```
97+
<number>_dependency_audit.md
98+
```
99+
100+
Examples:
101+
- `5_dependency_audit.md`
102+
- `9_dependency_audit.md`
103+
104+
## Dependency Audit Format
105+
106+
```markdown
107+
# Dependency Audit
108+
109+
Last updated: <YYYY-MM-DD>
110+
Package manager: <npm / pip / pub / cargo / etc.>
111+
Manifest: <path to manifest file>
112+
113+
## Summary
114+
115+
| Risk Level | Count | Action Required |
116+
|------------|-------|-----------------|
117+
| Critical | <n> | Immediate action |
118+
| High | <n> | Plan remediation this sprint |
119+
| Medium | <n> | Schedule for next maintenance window |
120+
| Low | <n> | No action needed |
121+
| **Total** | **<n>** | |
122+
123+
## Vulnerability Summary
124+
125+
| CVE | Severity | Package | Installed | Fixed In | Transitive? |
126+
|-----|----------|---------|-----------|----------|-------------|
127+
| CVE-XXXX-XXXXX | Critical | <name> | <version> | <version> | No |
128+
129+
## Critical & High Risk Dependencies
130+
131+
### <package-name> — CRITICAL
132+
133+
| Dimension | Status | Detail |
134+
|-----------|--------|--------|
135+
| Freshness | Outdated | Installed: 2.1.0, Latest: 4.0.0 |
136+
| Vulnerabilities | CVE-XXXX-XXXXX (High) | RCE via crafted input |
137+
| Bundle Impact | 450KB | Pulls in 23 transitive deps |
138+
| License | MIT | No issues |
139+
| Maintenance | Unmaintained | Last release: 2022-01-15 |
140+
141+
**Risk**: <Why this is critical>
142+
**Recommendation**: Replace with `<alternative>`. Migration guide: <link or steps>.
143+
144+
### <package-name> — HIGH
145+
146+
| Dimension | Status | Detail |
147+
|-----------|--------|--------|
148+
| ... | ... | ... |
149+
150+
**Risk**: <explanation>
151+
**Recommendation**: <action>
152+
153+
## Medium Risk Dependencies
154+
155+
| Package | Version | Risk Factors | Recommendation |
156+
|---------|---------|-------------|----------------|
157+
| <name> | <ver> | Stale (3 minor behind), minimal maintenance | Update to <ver> |
158+
159+
## Low Risk Dependencies
160+
161+
| Package | Version | License | Last Updated |
162+
|---------|---------|---------|-------------|
163+
| <name> | <ver> | MIT | 2024-11-01 |
164+
165+
## License Compliance
166+
167+
| License | Count | Packages | Risk |
168+
|---------|-------|----------|------|
169+
| MIT | <n> | <list> | None |
170+
| Apache-2.0 | <n> | <list> | None |
171+
| GPL-3.0 | <n> | <list> | Copyleft — review required |
172+
| Unlicensed | <n> | <list> | Unknown — investigate |
173+
174+
## Recommendations Summary
175+
176+
### Immediate Action
177+
1. <package>: <action and reason>
178+
179+
### This Sprint
180+
1. <package>: <action and reason>
181+
182+
### Next Maintenance Window
183+
1. <package>: <action and reason>
184+
185+
### Monitor
186+
1. <package>: <what to watch for>
187+
```
188+
189+
## Risk Scoring Matrix
190+
191+
| Dimension | Low | Medium | High | Critical |
192+
|-----------|-----|--------|------|----------|
193+
| Freshness | Current or 1 minor behind | 2+ minor behind | 1+ major behind | Abandoned (2+ years) |
194+
| Vulnerabilities | None known | Low severity | High severity, fix available | Critical severity or no fix |
195+
| Bundle Impact | < 50KB, few transitive | 50-200KB | 200KB-1MB | > 1MB or 50+ transitive deps |
196+
| License | MIT, BSD, ISC, Apache-2.0 | LGPL | GPL | AGPL or unlicensed |
197+
| Maintenance | Active (monthly releases) | Maintained (quarterly) | Minimal (yearly) | Unmaintained or archived |
198+
199+
The overall risk score for a dependency is the highest score across all dimensions.
200+
201+
> **Note:** These risk levels assume distributed, proprietary software. Adjust based on your project's distribution model — for internal-only tools, even copyleft licenses may be low risk. For dynamically linked libraries, LGPL is often low risk.
202+
203+
## Anti-patterns
204+
205+
- **Only checking for vulnerabilities, ignoring staleness** — A dependency with no CVEs but abandoned for 3 years is a ticking time bomb. When a vulnerability is discovered, there will be no one to patch it. Staleness is a leading indicator of future risk.
206+
- **Not checking transitive dependencies** — Your project may have 20 direct dependencies but 200 transitive ones. A critical vulnerability in a transitive dependency is just as exploitable. Always audit the full tree.
207+
- **Ignoring license issues** — Using a GPL library in a proprietary product can create legal exposure. License compliance is not optional, and "we will deal with it later" becomes expensive when a customer or investor asks.
208+
- **Only auditing production dependencies** — Dev dependencies run in your CI/CD pipeline and developer machines. A compromised dev dependency can inject malicious code into your build artifacts. Audit everything.
209+
- **Treating the audit as a one-time activity** — Dependencies change constantly. New vulnerabilities are disclosed daily. Schedule regular audits (at least monthly) and integrate `npm audit` / `pip audit` into CI.
210+
- **Recommending updates without checking breaking changes** — "Just update to latest" is not actionable advice. Check the changelog for breaking changes, especially across major versions, and note migration effort in the recommendation.
211+
- **Ignoring bundle impact in frontend projects** — A 2MB dependency for a single utility function destroys load time. Always consider whether the functionality can be achieved with a smaller package or inlined code.

0 commit comments

Comments
 (0)