Dependency Audit Skill
Produce a complete dependency audit report for a project — covering security vulnerabilities (with CVE references), license compliance against policy, outdated packages prioritised by risk, transitive dependency risk analysis, and a concrete remediation plan with timeline. A good dependency audit gives the team a clear, prioritised action list — not a raw dump of audit output that no one acts on.
Required Inputs
Ask for these if not already provided:
- Project language and ecosystem — npm, pip/PyPI, Maven/Gradle, Go modules, Cargo, RubyGems, NuGet, or mixed
- Dependency list or package manifest — paste the contents of package.json, requirements.txt, go.mod, pom.xml, etc., or provide the audit tool output
- License policy — which licenses are allowed, which are restricted (e.g. "GPL is prohibited", "MIT/Apache/BSD only", or "no policy yet — recommend one")
- Current security tooling — Dependabot, Snyk, OWASP Dependency-Check, npm audit, pip-audit, or none
Output Format
Dependency Audit Report: [Project Name]
Ecosystem: [npm / pip / Maven / Go / etc.]
Audit date: [Date]
Auditor: [Name]
Total direct dependencies: [N]
Total transitive dependencies: [N]
Audit tool(s) used: [npm audit / pip-audit / Snyk / OWASP Dependency-Check / etc.]
Executive Summary
| Category | Finding | Risk level |
|---|---|---|
| Critical vulnerabilities | [N] CVEs requiring immediate action | [Critical / High / Low] |
| High vulnerabilities | [N] CVEs — fix within 7 days | [High / Medium] |
| License violations | [N] packages with non-compliant licenses | [High / Low] |
| Severely outdated packages | [N] packages > 2 major versions behind | [Medium] |
| Packages with no active maintenance | [N] packages — no commits in 12+ months | [Medium] |
| Overall dependency health score | [Score]/100 | [Red / Amber / Green] |
Scoring methodology: Critical CVEs: −20 each. High CVEs: −10 each. License violations: −15 each. Abandoned packages: −5 each. Maximum deduction: 100. Score ≥80 = Green, 60–79 = Amber, <60 = Red.
Immediate actions required:
- [Most critical action — e.g. "Upgrade lodash from 4.17.11 to 4.17.21 to fix CVE-2021-23337 (Critical — prototype pollution)"]
- [Second action]
- [Third action]
1. Security Vulnerability Findings
Critical and High Severity (Act within 24–72 hours)
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description | Exploitability |
|---|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Critical | [9.x] | [e.g. Prototype pollution via merge function — remote code execution possible] | [Known exploit / PoC available / No known exploit] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Path traversal in file serving utility] | [PoC available] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | High | [7.x] | [e.g. Regular expression denial of service (ReDoS)] | [No known exploit] |
Medium Severity (Fix within 30 days)
| Package | Installed version | Fix version | CVE | Severity | CVSS score | Description |
|---|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [5.x] | [Description] |
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Medium | [4.x] | [Description] |
Low Severity (Fix within 90 days or accept risk)
| Package | Installed version | Fix version | CVE | Severity | Description |
|---|---|---|---|---|---|
| [package-name] | [X.Y.Z] | [A.B.C] | [CVE-YYYY-NNNNN] | Low | [Description] |
Vulnerabilities With No Fix Available
| Package | CVE | Severity | Recommended mitigation |
|---|---|---|---|
| [package-name] | [CVE-YYYY-NNNNN] | [High] | [e.g. "Remove this package — alternative: [replacement]"] |
| [package-name] | [CVE-YYYY-NNNNN] | [Medium] | [e.g. "Vendor has a fix in progress — track issue [URL]. Mitigate by [X]"] |
2. License Compliance Matrix
License Policy Reference
| License | Category | Policy | Notes |
|---|---|---|---|
| MIT | Permissive | Allowed | Attribution required in distributed products |
| Apache 2.0 | Permissive | Allowed | Attribution + NOTICE file required |
| BSD 2-Clause / 3-Clause | Permissive | Allowed | Attribution required |
| ISC | Permissive | Allowed | |
| MPL 2.0 | Weak copyleft | Allowed with review | Source disclosure required for modified MPL files only |
| LGPL v2 / v3 | Weak copyleft | Allowed with review | Dynamic linking permitted; static linking may require disclosure |
| GPL v2 / v3 | Strong copyleft | Restricted | May require open-sourcing the entire codebase — legal review required |
| AGPL v3 | Strong copyleft | Restricted | Network use triggers copyleft — especially risky for SaaS |
| SSPL | Source available | Prohibited | Not OSI-approved — treat as proprietary |
| Proprietary / Commercial | Commercial | Requires contract | Verify license covers current use case and scale |
| Unknown / Unlicensed | — | Prohibited | No license = all rights reserved — cannot use legally |
Findings: Packages With Compliance Issues
| Package | License | Issue | Recommendation | Risk if unaddressed |
|---|---|---|---|---|
| [package-name] | GPL v3 | Copyleft — may require open-sourcing this project | Replace with [alternative] or get legal sign-off | Legal / IP risk |
| [package-name] | AGPL v3 | Network copyleft — SaaS use triggers disclosure | Replace with [alternative] | Legal / IP risk |
| [package-name] | Proprietary | License may not cover current usage tier | Verify license scope with vendor | Contract breach |
| [package-name] | Unknown | No license declared in package metadata | Contact maintainer or replace | Cannot use legally |
All Licenses in Use (Full Inventory)
| License | Package count | Compliance status |
|---|---|---|
| MIT | [N] | Compliant |
| Apache 2.0 | [N] | Compliant |
| BSD-3-Clause | [N] | Compliant |
| ISC | [N] | Compliant |
| MPL 2.0 | [N] | Review required |
| GPL v3 | [N] | Non-compliant |
| Unknown | [N] | Non-compliant |
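The policy check behind the two tables above, as an added example (not part of the original skill): it maps each package's SPDX license expression to the policy categories in the License Policy Reference, treating missing metadata as Unknown, resolving `OR` to the most permissive branch and `AND` to the strictest, and producing the findings list and per-status inventory. The SPDX identifiers chosen for each policy row and the sample packages are assumptions.

```python
import re

# Policy mirrored from the License Policy Reference table above; the SPDX ids
# chosen for each row are an assumption. Lower rank = more permissive.
POLICY = {"MIT": "Allowed", "Apache-2.0": "Allowed", "BSD-2-Clause": "Allowed",
          "BSD-3-Clause": "Allowed", "ISC": "Allowed",
          "MPL-2.0": "Allowed with review", "LGPL-2.1": "Allowed with review",
          "LGPL-3.0": "Allowed with review", "GPL-2.0": "Restricted",
          "GPL-3.0": "Restricted", "AGPL-3.0": "Restricted",
          "SSPL-1.0": "Prohibited", "UNLICENSED": "Prohibited"}
RANK = {"Allowed": 0, "Allowed with review": 1, "Restricted": 2, "Prohibited": 3}

def policy_for(license_id):
    """One SPDX id: drop '-only'/'-or-later'; ids not in the table are Unknown -> Prohibited."""
    base = re.sub(r"-(only|or-later)$", "", license_id.strip())
    return POLICY.get(base, "Prohibited")

def classify(expr):
    """Flat SPDX expression -> policy status.
    OR: the consumer picks any branch, so take the most permissive.
    AND: every branch applies, so take the strictest.
    Empty/missing metadata is Unknown -> Prohibited. Nested parentheses are not
    handled here; use a real SPDX parser for those."""
    if not expr or not expr.strip():
        return "Prohibited"
    expr = expr.strip().strip("()")
    if " AND " in expr:
        return max((classify(p) for p in expr.split(" AND ")), key=RANK.get)
    if " OR " in expr:
        return min((classify(p) for p in expr.split(" OR ")), key=RANK.get)
    return policy_for(expr)

def audit_licenses(packages):
    """{name: expression or None} -> (findings needing action, count per status)."""
    findings, inventory = [], {}
    for name, expr in sorted(packages.items()):
        status = classify(expr)
        inventory[status] = inventory.get(status, 0) + 1
        if status != "Allowed":
            findings.append((name, expr or "Unknown", status))
    return findings, inventory

# Constructed sample in the shape of license-checker / pip-licenses output;
# package names are made up.
SAMPLE = {"left-pad-ish": "MIT", "dual-licensed-lib": "(MIT OR GPL-3.0-only)",
          "network-db-client": "AGPL-3.0-or-later", "shared-ui-kit": "MPL-2.0",
          "mystery-util": None, "combo-lib": "Apache-2.0 AND LGPL-3.0-only"}
```

`audit_licenses(SAMPLE)[0]` yields the rows for the "Packages With Compliance Issues" table and `[1]` the counts for the "All Licenses in Use" inventory.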
3. Outdated Package Analysis
Severely Outdated (2+ major versions behind — high upgrade effort)
| Package | Installed | Latest stable | Versions behind | Last updated | Breaking changes summary |
|---|---|---|---|---|---|
| [package-name] | [1.x.x] | [3.x.x] | 2 major | [Date] | [e.g. "API redesign in v2; async support added in v3"] |
| [package-name] | [0.x.x] | [2.x.x] | 2 major | [Date] | [Summary] |
Moderately Outdated (1 major version behind)
| Package | Installed | Latest stable | Versions behind | Security fix in newer version? |
|---|---|---|---|---|
| [package-name] | [2.x.x] | [3.x.x] | 1 major | [Yes — CVE-YYYY-NNNNN / No] |
| [package-name] | [4.x.x] | [5.x.x] | 1 major | [No] |
Minor/Patch Updates Available (Low risk to update)
| Package | Installed | Latest | Contains security fix? |
|---|---|---|---|
| [package-name] | [2.3.1] | [2.3.9] | [Yes / No] |
| [package-name] | [1.0.0] | [1.2.1] | [No] |
4. Dependency Graph Risk Analysis
Transitive Dependency Risk
Transitive (indirect) dependencies carry risk because the team never chose, pinned, or reviewed them directly: they arrive with a direct dependency and change whenever it does. These are the highest-risk transitive dependencies in this project:
| Vulnerable transitive dep | Pulled in by | Installed version | Fix available | Action |
|---|---|---|---|---|
| [transitive-package] | [direct-parent] | [X.Y.Z] | [Yes — upgrade [parent] to [version]] | Upgrade direct dependency [parent] |
| [transitive-package] | [direct-parent] | [X.Y.Z] | [No] | Remove [parent] or use [alternative] |
Dependency Concentration Risk
These packages are depended on by many other packages in the project — a vulnerability or deprecation would have cascading effects:
| Package | Depended on by (N packages) | Actively maintained? | Risk level |
|---|---|---|---|
| [package-name] | [N] | [Yes / No — last commit: date] | [High / Medi |
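An added example (not part of the original skill) that fills both tables in this section from an npm lockfile: `pulled_in_by` walks a package-lock.json v3 dependency graph to find which direct dependency drags in a vulnerable transitive package (the "Pulled in by" column and the upgrade lever), and `dependents_count` counts how many packages depend on each package (the concentration-risk column). The lockfile fragment, package names and versions are constructed, and the code assumes a flat deduplicated tree.

```python
import json
from collections import deque

# Constructed lockfileVersion 3 fragment (names/versions made up). Assumes a flat,
# deduplicated tree: every package at node_modules/<name>; nested paths not resolved.
LOCK = json.loads("""{
 "lockfileVersion": 3,
 "packages": {
  "": {"dependencies": {"web-framework": "^4.0.0", "cli-colors": "^2.1.0"}},
  "node_modules/web-framework": {"version": "4.2.0",
      "dependencies": {"body-reader": "^1.0.0", "path-utils": "^0.9.0"}},
  "node_modules/body-reader": {"version": "1.3.0", "dependencies": {"path-utils": "^0.9.0"}},
  "node_modules/path-utils": {"version": "0.9.1"},
  "node_modules/cli-colors": {"version": "2.1.0", "dependencies": {"path-utils": "^0.9.0"}}
 }
}""")

def build_graph(lock):
    """Return (direct, edges): the root's direct deps and a parent -> children map."""
    pkgs = lock["packages"]
    direct = set(pkgs[""].get("dependencies", {}))
    edges = {p.split("/", 1)[1]: set(m.get("dependencies", {}))
             for p, m in pkgs.items() if p.startswith("node_modules/")}
    return direct, edges

def pulled_in_by(lock, target):
    """Shortest chain direct-dep -> ... -> target for every direct dep that reaches it.
    The first element of each chain is the 'Pulled in by' entry and the upgrade lever."""
    direct, edges = build_graph(lock)
    chains = []
    for root in sorted(direct):
        queue, seen = deque([[root]]), {root}
        while queue:  # breadth-first search, so the first hit is the shortest chain
            chain = queue.popleft()
            if chain[-1] == target:
                chains.append(chain)
                break
            for child in sorted(edges.get(chain[-1], ())):
                if child not in seen:
                    seen.add(child)
                    queue.append(chain + [child])
    return chains

def dependents_count(lock):
    """Distinct packages depending on each package (root edges excluded): the 'Depended on by' column."""
    counts = {}
    for children in build_graph(lock)[1].values():
        for child in children:
            counts[child] = counts.get(child, 0) + 1
    return counts
```

In the sample, `path-utils` is reached through both direct dependencies and has three dependents, so a vulnerability in it needs two upgrades and would cascade widely.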