|
| 1 | +--- |
| 2 | +name: analyze-dependencies |
| 3 | +description: Audit project dependencies for risk when the user asks to check dependencies, audit packages, review dependency health, check for vulnerabilities, or assess supply chain risk |
| 4 | +owner: chalk |
| 5 | +version: "1.0.0" |
| 6 | +metadata-version: "1" |
| 7 | +allowed-tools: Read, Glob, Grep, Bash |
| 8 | +argument-hint: "[package manager file or specific dependency to analyze]" |
| 9 | +--- |
| 10 | + |
| 11 | +# Analyze Dependencies |
| 12 | + |
| 13 | +## Overview |
| 14 | + |
| 15 | +Audit the project's dependency tree across five risk dimensions: freshness, vulnerabilities, bundle impact, license compliance, and maintenance status. Produce a risk-scored report with actionable recommendations for each dependency. |
| 16 | + |
| 17 | +## Workflow |
| 18 | + |
| 19 | +1. **Read project context** — Check `.chalk/docs/engineering/` for: |
| 20 | + - Architecture docs (to understand which dependencies are critical path) |
| 21 | + - Previous dependency audits |
| 22 | + - Any documented dependency policies or license requirements |
| 23 | + |
| 24 | +2. **Locate dependency manifests** — Scan the project for: |
| 25 | + - `package.json` / `package-lock.json` / `yarn.lock` / `pnpm-lock.yaml` (Node.js) |
| 26 | + - `pyproject.toml` / `requirements.txt` / `Pipfile` / `poetry.lock` (Python) |
| 27 | + - `pubspec.yaml` / `pubspec.lock` (Dart/Flutter) |
| 28 | + - `Cargo.toml` / `Cargo.lock` (Rust) |
| 29 | + - `go.mod` / `go.sum` (Go) |
| 30 | + - `Gemfile` / `Gemfile.lock` (Ruby) |
| 31 | + - `pom.xml` / `build.gradle` (Java/Kotlin) |
| 32 | + - If `$ARGUMENTS` specifies a file, focus on that manifest |
| 33 | + |
| 34 | +3. **Inventory dependencies** — For each manifest, list: |
| 35 | + - Direct dependencies (production) |
| 36 | + - Direct dev dependencies |
| 37 | + - Note the declared version constraints (exact, range, caret, tilde) |
| 38 | + |
| 39 | +4. **Assess freshness** — For each dependency: |
| 40 | + - Current installed version vs. latest available version |
| 41 | + - Run the appropriate command: `npm outdated`, `pip list --outdated`, `pub outdated`, etc. |
| 42 | + - Classify the gap: |
| 43 | + - **Current**: on latest or within one minor version |
| 44 | + - **Stale**: one or more minor versions behind |
| 45 | + - **Outdated**: one or more major versions behind |
| 46 | + - **Abandoned**: no release in 2+ years |
| 47 | + |
| 48 | +5. **Check for vulnerabilities** — Run the appropriate audit command: |
| 49 | + - `npm audit` / `yarn audit` / `pnpm audit` |
| 50 | + - `pip audit` or `safety check` |
| 51 | + - `cargo audit` |
| 52 | + - `bundle audit` |
| 53 | + - Record: CVE ID, severity (critical/high/medium/low), affected version range, fix available (yes/no) |
| 54 | + - Check transitive dependencies, not just direct ones |
| 55 | + |
| 56 | +6. **Evaluate bundle impact** — Where applicable: |
| 57 | + - For Node.js: check package size, number of transitive dependencies, tree-shakeability |
| 58 | + - For frontend projects: note if a large library is used for a small feature (e.g., lodash for one function) |
| 59 | + - Flag dependencies that pull in disproportionately large sub-dependency trees |
| 60 | + |
| 61 | +7. **Check license compliance** — For each dependency: |
| 62 | + - Identify the license (MIT, Apache-2.0, GPL, LGPL, AGPL, BSD, ISC, etc.) |
| 63 | + - Flag copyleft licenses (GPL, AGPL, LGPL) that may have viral implications |
| 64 | + - Flag unlicensed or custom-licensed packages |
| 65 | + - Flag license changes between the installed version and latest version |
| 66 | + - Note: MIT, Apache-2.0, BSD, ISC are generally permissive and low risk |
| 67 | + |
| 68 | +8. **Assess maintenance status** — For each dependency, check: |
| 69 | + - Last publish date |
| 70 | + - Open issues and PRs (especially security-related) |
| 71 | + - Number of maintainers (bus factor) |
| 72 | + - Whether the project is archived or deprecated |
| 73 | + - Classify: **Active** (regular releases, responsive maintainers), **Maintained** (occasional releases, issues addressed), **Minimal** (rare updates, issues pile up), **Unmaintained** (no activity in 12+ months) |
| 74 | + |
| 75 | +9. **Score each dependency** — Assign a risk score based on all dimensions: |
| 76 | + - **Low**: Current, no vulnerabilities, permissive license, actively maintained |
| 77 | + - **Medium**: Stale or one minor concern (e.g., slightly outdated, minimal maintenance) |
| 78 | + - **High**: Outdated or multiple concerns (known vulnerability with fix available, copyleft license, large bundle impact) |
| 79 | + - **Critical**: Known exploitable vulnerability, abandoned with no alternative, or license violation |
| 80 | + |
| 81 | +10. **Generate recommendations** — For each dependency with medium or higher risk: |
| 82 | + - **Update**: Newer version fixes the issue. Note any breaking changes. |
| 83 | + - **Replace**: Better-maintained alternative exists. Name the alternative. |
| 84 | + - **Remove**: Dependency is unused or its functionality can be inlined. |
| 85 | + - **Monitor**: Risk is acceptable for now but should be tracked. |
| 86 | + - **Immediate Action**: Critical vulnerability or license violation requiring urgent attention. |
| 87 | + |
| 88 | +11. **Determine the next file number** — List files in `.chalk/docs/engineering/` matching `*_dependency_audit*`. Find the highest number and increment by 1. |
| 89 | + |
| 90 | +12. **Write the report** — Save to `.chalk/docs/engineering/<n>_dependency_audit.md`. |
| 91 | + |
| 92 | +13. **Confirm** — Summarize: total dependencies analyzed, risk distribution, critical items requiring immediate attention. |
| 93 | + |
| 94 | +## Filename Convention |
| 95 | + |
| 96 | +``` |
| 97 | +<number>_dependency_audit.md |
| 98 | +``` |
| 99 | + |
| 100 | +Examples: |
| 101 | +- `5_dependency_audit.md` |
| 102 | +- `9_dependency_audit.md` |
| 103 | + |
| 104 | +## Dependency Audit Format |
| 105 | + |
| 106 | +```markdown |
| 107 | +# Dependency Audit |
| 108 | + |
| 109 | +Last updated: <YYYY-MM-DD> |
| 110 | +Package manager: <npm / pip / pub / cargo / etc.> |
| 111 | +Manifest: <path to manifest file> |
| 112 | + |
| 113 | +## Summary |
| 114 | + |
| 115 | +| Risk Level | Count | Action Required | |
| 116 | +|------------|-------|-----------------| |
| 117 | +| Critical | <n> | Immediate action | |
| 118 | +| High | <n> | Plan remediation this sprint | |
| 119 | +| Medium | <n> | Schedule for next maintenance window | |
| 120 | +| Low | <n> | No action needed | |
| 121 | +| **Total** | **<n>** | | |
| 122 | + |
| 123 | +## Vulnerability Summary |
| 124 | + |
| 125 | +| CVE | Severity | Package | Installed | Fixed In | Transitive? | |
| 126 | +|-----|----------|---------|-----------|----------|-------------| |
| 127 | +| CVE-XXXX-XXXXX | Critical | <name> | <version> | <version> | No | |
| 128 | + |
| 129 | +## Critical & High Risk Dependencies |
| 130 | + |
| 131 | +### <package-name> — CRITICAL |
| 132 | + |
| 133 | +| Dimension | Status | Detail | |
| 134 | +|-----------|--------|--------| |
| 135 | +| Freshness | Outdated | Installed: 2.1.0, Latest: 4.0.0 | |
| 136 | +| Vulnerabilities | CVE-XXXX-XXXXX (High) | RCE via crafted input | |
| 137 | +| Bundle Impact | 450KB | Pulls in 23 transitive deps | |
| 138 | +| License | MIT | No issues | |
| 139 | +| Maintenance | Unmaintained | Last release: 2022-01-15 | |
| 140 | + |
| 141 | +**Risk**: <Why this is critical> |
| 142 | +**Recommendation**: Replace with `<alternative>`. Migration guide: <link or steps>. |
| 143 | + |
| 144 | +### <package-name> — HIGH |
| 145 | + |
| 146 | +| Dimension | Status | Detail | |
| 147 | +|-----------|--------|--------| |
| 148 | +| ... | ... | ... | |
| 149 | + |
| 150 | +**Risk**: <explanation> |
| 151 | +**Recommendation**: <action> |
| 152 | + |
| 153 | +## Medium Risk Dependencies |
| 154 | + |
| 155 | +| Package | Version | Risk Factors | Recommendation | |
| 156 | +|---------|---------|-------------|----------------| |
| 157 | +| <name> | <ver> | Stale (3 minor behind), minimal maintenance | Update to <ver> | |
| 158 | + |
| 159 | +## Low Risk Dependencies |
| 160 | + |
| 161 | +| Package | Version | License | Last Updated | |
| 162 | +|---------|---------|---------|-------------| |
| 163 | +| <name> | <ver> | MIT | 2024-11-01 | |
| 164 | + |
| 165 | +## License Compliance |
| 166 | + |
| 167 | +| License | Count | Packages | Risk | |
| 168 | +|---------|-------|----------|------| |
| 169 | +| MIT | <n> | <list> | None | |
| 170 | +| Apache-2.0 | <n> | <list> | None | |
| 171 | +| GPL-3.0 | <n> | <list> | Copyleft — review required | |
| 172 | +| Unlicensed | <n> | <list> | Unknown — investigate | |
| 173 | + |
| 174 | +## Recommendations Summary |
| 175 | + |
| 176 | +### Immediate Action |
| 177 | +1. <package>: <action and reason> |
| 178 | + |
| 179 | +### This Sprint |
| 180 | +1. <package>: <action and reason> |
| 181 | + |
| 182 | +### Next Maintenance Window |
| 183 | +1. <package>: <action and reason> |
| 184 | + |
| 185 | +### Monitor |
| 186 | +1. <package>: <what to watch for> |
| 187 | +``` |
| 188 | + |
| 189 | +## Risk Scoring Matrix |
| 190 | + |
| 191 | +| Dimension | Low | Medium | High | Critical | |
| 192 | +|-----------|-----|--------|------|----------| |
| 193 | +| Freshness | Current or 1 minor behind | 2+ minor behind | 1+ major behind | Abandoned (2+ years) | |
| 194 | +| Vulnerabilities | None known | Low severity | High severity, fix available | Critical severity or no fix | |
| 195 | +| Bundle Impact | < 50KB, few transitive | 50-200KB | 200KB-1MB | > 1MB or 50+ transitive deps | |
| 196 | +| License | MIT, BSD, ISC, Apache-2.0 | LGPL | GPL | AGPL or unlicensed | |
| 197 | +| Maintenance | Active (monthly releases) | Maintained (quarterly) | Minimal (yearly) | Unmaintained or archived | |
| 198 | + |
| 199 | +The overall risk score for a dependency is the highest score across all dimensions. |
| 200 | + |
| 201 | +> **Note:** These risk levels assume distributed, proprietary software. Adjust based on your project's distribution model — for internal-only tools, even copyleft licenses may be low risk. For dynamically linked libraries, LGPL is often low risk. |
| 202 | +
|
| 203 | +## Anti-patterns |
| 204 | + |
| 205 | +- **Only checking for vulnerabilities, ignoring staleness** — A dependency with no CVEs but abandoned for 3 years is a ticking time bomb. When a vulnerability is discovered, there will be no one to patch it. Staleness is a leading indicator of future risk. |
| 206 | +- **Not checking transitive dependencies** — Your project may have 20 direct dependencies but 200 transitive ones. A critical vulnerability in a transitive dependency is just as exploitable. Always audit the full tree. |
| 207 | +- **Ignoring license issues** — Using a GPL library in a proprietary product can create legal exposure. License compliance is not optional, and "we will deal with it later" becomes expensive when a customer or investor asks. |
| 208 | +- **Only auditing production dependencies** — Dev dependencies run in your CI/CD pipeline and developer machines. A compromised dev dependency can inject malicious code into your build artifacts. Audit everything. |
| 209 | +- **Treating the audit as a one-time activity** — Dependencies change constantly. New vulnerabilities are disclosed daily. Schedule regular audits (at least monthly) and integrate `npm audit` / `pip audit` into CI. |
| 210 | +- **Recommending updates without checking breaking changes** — "Just update to latest" is not actionable advice. Check the changelog for breaking changes, especially across major versions, and note migration effort in the recommendation. |
| 211 | +- **Ignoring bundle impact in frontend projects** — A 2MB dependency for a single utility function destroys load time. Always consider whether the functionality can be achieved with a smaller package or inlined code. |
0 commit comments