Checks outdated packages, unused deps, reinvented wheels, vulnerability scan (CVE/CVSS). Supports mode: full | vulnerabilities_only.
apm install @levnikolaevich/ln-625-dependencies-auditor
[](https://apm-p1ls2dz87-atlamors-projects.vercel.app/packages/@levnikolaevich/ln-625-dependencies-auditor)---
name: ln-625-dependencies-auditor
description: "Checks outdated packages, unused deps, reinvented wheels, vulnerability scan (CVE/CVSS). Supports mode: full | vulnerabilities_only."
allowed-tools: Read, Grep, Glob, Bash
license: MIT
---
> **Paths:** File paths (`shared/`, `references/`, `../ln-*`) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
# Dependencies & Reuse Auditor (L3 Worker)
Specialized worker auditing dependency management, code reuse, and security vulnerabilities.
## Purpose & Scope
- **Worker in ln-620 coordinator pipeline** (full audit mode)
- **Worker in ln-760 security-setup pipeline** (vulnerabilities_only mode)
- Audit **dependencies and reuse** (Categories 7+8: Medium Priority)
- Check outdated packages, unused deps, wheel reinvention, **CVE vulnerabilities**
- Calculate compliance score (X/10)
## Parameters
| Param | Values | Default | Description |
|-------|--------|---------|-------------|
| mode | `full` / `vulnerabilities_only` | `full` | `full` = all 5 checks, `vulnerabilities_only` = only CVE scan |
## Inputs (from Coordinator)
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
Receives `contextStore` with tech stack, package manifest paths, codebase root, output_dir.
**From ln-620 (codebase-auditor):** mode=full (default)
**From ln-760 (security-setup):** mode=vulnerabilities_only
## Workflow
**MANDATORY READ:** Load `shared/references/two_layer_detection.md` for detection methodology.
1) Parse context + mode parameter + output_dir
2) Run dependency checks (Layer 1: audit tools, based on mode)
3) Analyze context per candidate (Layer 2):
- Available Features: read usage — is lodash used for 1 function (easy replace) or deeply integrated (hard)?
- Custom Implementations: read code — truly reimplementing a library, or domain-specific logic?
- Vulnerability: read code — is the vulnerable API actually called in this project?
4) Collect findings
5) Calculate score
6) **Write Report:** Build full markdown report in memory per `shared/templates/audit_worker_report_template.md`, write to `{output_dir}/625-dependencies.md` in single Write call
7) **Return Summary:** Return minimal summary to coordinator
---
## Audit Rules (5 Checks)
### 1. Outdated Packages
**Mode:** full only
**Detection:**
- Run `npm outdated --json` (Node.js)
- Run `pip list --outdated --format=json` (Python)
- Run `cargo outdated --format=json` (Rust)
**Severity:**
- **HIGH:** Major version behind (security risk)
- **MEDIUM:** Minor version behind
- **LOW:** Patch version behind
**Recommendation:** Update to latest version, test for breaking changes
**Effort:** S-M (update version, run tests)
### 2. Unused Dependencies
**Mode:** full only
**Detection:**
- Parse package.json/requirements.txt
- Grep codebase for `import`/`require` statements
- Find dependencies never imported
**Severity:**
- **MEDIUM:** Unused production dependency (bloats bundle)
- **LOW:** Unused dev dependency
**Recommendation:** Remove from package manifest
**Effort:** S (delete line, test)
### 3. Available Features Not Used
**Mode:** full only
**Detection:**
- Check for axios when native fetch available (Node 18+)
- Check for lodash when Array methods sufficient
- Check for moment when Date.toLocaleString sufficient
**Severity:**
- **MEDIUM:** Unnecessary dependency (increases bundle size)
**Recommendation:** Use native alternative
**Effort:** M (refactor code to use native API)
### 4. Custom Implementations
**Mode:** full only
**Detection:**
- Grep for custom sorting algorithms
- Check for hand-rolled validation (vs validator.js)
- Find custom date parsing (vs date-fns/dayjs)
**Severity:**
- **HIGH:** Custom crypto (security risk)
- **MEDIUM:** Custom utilities with well-tested alternatives
**Recommendation:** Replace with established library
**Effort:** M (integrate library, replace calls)
### 5. Vulnerability Scan (CVE/CVSS)
**Mode:** full AND vulnerabilities_only
**Detection:**
- Detect ecosystems: npm, NuGet, pip, Go, Bundler, Cargo, Composer
- Run audit commands per `references/vulnerability_commands.md`
- Parse results with CVSS mapping per `shared/references/cvss_severity_mapping.md`
**Severity:**
- **CRITICAL:** CVSS 9.0-10.0 (immediate fix required)
- **HIGH:** CVSS 7.0-8.9 (fix within 48h)
- **MEDIUM:** CVSS 4.0-6.9 (fix within 1 week)
- **LOW:** CVSS 0.1-3.9 (fix when convenient)
**Fix Classification:**
- Patch update (x.x.Y) → safe auto-fix
- Minor update (x.Y.0) → usually safe
- Major update (Y.0.0) → manual review required
- No fix available → document and monitor
**Recommendation:** Update to fixed version, verify lock file integrity
**Effort:** S-L (depends on breaking changes)
---
## Scoring Algorithm
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/references/audit_scoring.md`.
**Note:** When mode=vulnerabilities_only, score based only on vulnerability findings.
## Output Format
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md` and `shared/templates/audit_worker_report_template.md`.
Write report to `{output_dir}/625-dependencies.md` with `category: "Dependencies & Reuse"` and checks: outdated_packages, unused_deps, available_natives, custom_implementations, vulnerability_scan.
Return summary to coordinator:
```
Report written: docs/project/.audit/ln-620/{YYYY-MM-DD}/625-dependencies.md
Score: X.X/10 | Issues: N (C:N H:N M:N L:N)
```
## Reference Files
| File | Purpose |
|------|---------|
| `references/vulnerability_commands.md` | Ecosystem-specific audit commands |
| `references/ci_integration_guide.md` | CI/CD integration guidance |
| `shared/references/cvss_severity_mapping.md` | CVSS to severity level mapping |
| `shared/references/audit_output_schema.md` | Audit output schema |
## Critical Rules
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
- **Do not auto-fix:** Report only, never modify package manifests or lock files
- **Mode-aware execution:** In `vulnerabilities_only` mode, skip checks 1-4 entirely
- **Effort realism:** S = <1h, M = 1-4h, L = >4h
- **CVSS-based severity:** Map vulnerability severity strictly via `shared/references/cvss_severity_mapping.md`
- **Exclusions:** Skip devDependencies for vulnerability severity escalation, skip vendored/bundled deps
## Definition of Done
**MANDATORY READ:** Load `shared/references/audit_worker_core_contract.md`.
- contextStore parsed (including mode parameter and output_dir)
- All applicable checks completed (5 for full, 1 for vulnerabilities_only)
- Findings collected with severity, location, effort, fix_type, recommendation
- Score calculated per `shared/references/audit_scoring.md`
- Report written to `{output_dir}/625-dependencies.md` (atomic single Write call)
- Summary returned to coordinator
---
**Version:** 4.0.0
**Last Updated:** 2026-02-05