Assesses third-party dependency risk across CVEs, maintenance health, license exposure, and supply-chain hygiene. Use when onboarding new packages or reviewing a lockfile before a release.
---
name: Dependency Risk Audit
description: Audits third-party dependencies for CVEs, abandoned packages, license risk, and supply-chain hygiene indicators. Load when adding new packages, reviewing a lockfile, or preparing for a security review.
---
# Dependency Risk Audit
Third-party packages are the most common source of supply-chain compromise and known-vulnerability exploitation. Treat dependency selection as a security decision, not just a convenience one.
## CVE and Known Vulnerability Triage
Run the ecosystem's native audit tool first (npm audit, pip-audit, bundle audit, govulncheck). For each finding:
- Confirm exploitability in context — a CVE in a CLI-only code path of a server-side lib may not be reachable.
- Check whether a fixed version exists and whether upgrading is a semver-compatible bump.
- Flag any CVSS 7.0+ finding with no available fix as a blocking risk requiring a compensating control or replacement.
Do not dismiss findings without a written reason.
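The triage rules above as runnable code (an added example, not part of this skill): findings are mapped into a tool-neutral `Finding` record, and `triage()` enforces the semver-compatible-fix check, the CVSS 7.0+ no-fix blocking rule, and the written-reason requirement for dismissals. The record shape, package names, advisory ids and scores are constructed placeholders.

```python
# Added example, not part of the skill: the CVE triage checklist applied to
# normalized findings; map your audit tool's JSON into Finding records first.
from dataclasses import dataclass, field

@dataclass
class Finding:
    package: str
    installed: str          # installed version (numeric dotted form only)
    vuln_id: str            # advisory id as reported by the audit tool
    cvss: float             # base score; look it up if the tool omits it
    fix_versions: list = field(default_factory=list)
    reachable: bool = True  # False only after confirming the code path is unused

def _parts(version):
    return tuple(int(p) for p in version.split("."))

def compatible_fix(installed, fix_versions):
    """Lowest fix newer than `installed` within the same major (a semver-compatible
    bump); None if every available fix requires a major upgrade."""
    cur = _parts(installed)
    for fix in sorted(_parts(v) for v in fix_versions):
        if fix > cur and fix[0] == cur[0]:
            return ".".join(map(str, fix))
    return None

def triage(finding, dismissal_reason=None):
    """Return (decision, detail) for one finding, enforcing the checklist:
    dismissals need a written reason; CVSS 7.0+ with no fix is blocking."""
    if not finding.reachable:
        if not dismissal_reason:
            raise ValueError(f"{finding.vuln_id}: dismissal requires a written reason")
        return ("DISMISSED", dismissal_reason)
    fix = compatible_fix(finding.installed, finding.fix_versions)
    if fix:
        return ("UPGRADE", fix)
    newer = [v for v in finding.fix_versions if _parts(v) > _parts(finding.installed)]
    if newer:  # only a major-version bump fixes it: needs a compatibility review
        return ("UPGRADE_MAJOR", max(newer, key=_parts))
    if finding.cvss >= 7.0:
        return ("BLOCKING", "no fix: compensating control or replacement required")
    return ("TRACK", "no fix; below the blocking threshold")

# Constructed sample findings; ids and versions are placeholders, not real advisories.
SAMPLE = [
    Finding("pkg-a", "1.26.5", "EXAMPLE-0001", 7.5, ["1.26.18", "2.0.7"]),
    Finding("pkg-b", "3.10.1", "EXAMPLE-0002", 9.8, ["4.17.21"]),
    Finding("pkg-c", "0.9.0", "EXAMPLE-0003", 8.1),
    Finding("pkg-d", "1.0.0", "EXAMPLE-0004", 4.3),
]
```

Run `triage()` over each record and keep the returned `(decision, detail)` pair with the finding; the detail string is the written reason the checklist requires.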
## Maintenance Health Signals
A dependency with no CVEs today can become a liability tomorrow. For any new or high-traffic dependency, check:
- Last release date and commit activity (no release in 24+ months on an active ecosystem is a yellow flag).
- Number of open security issues versus closed.
- Whether the package has a documented security policy or contact.
- Single-maintainer packages without a succession plan carry concentration risk — flag them.