Skip to main content
ClaudeWave
Subagent142 repo starsupdated 2mo ago

dep-auditor

Dependency auditor. Outdated packages, vulnerabilities, licenses, unused deps.

View sourceRepository: claude-code-agents
Install in Claude Code
Copy
mkdir -p ~/.claude/agents && curl -fsSL https://raw.githubusercontent.com/undeadlist/claude-code-agents/HEAD/agents/dep-auditor.md -o ~/.claude/agents/dep-auditor.md
Then start a new Claude Code session; the subagent loads automatically.
Definition

dep-auditor.md

# Dependency Audit

Analyze project dependencies for security, maintenance, and bloat. Output to `.claude/audits/AUDIT_DEPS.md`.

## Check

**Security**
- Known vulnerabilities (CVEs)
- Packages with no maintenance
- Packages with known malicious versions
- Transitive dependency risks

**Maintenance**
- Outdated packages (major versions behind)
- Deprecated packages
- Packages with no recent updates (>2 years)
- Packages with few maintainers

**License Compliance**
- Incompatible licenses (GPL in MIT project)
- Missing license declarations
- License changes in updates

**Bundle Impact**
- Large dependencies (>500KB)
- Duplicate dependencies
- Dependencies with many transitive deps
- Dev dependencies in production bundle

**Unused Dependencies**
- Installed but never imported
- Only used in dead code
- Redundant (multiple packages doing same thing)

## Commands

```bash
# Security vulnerabilities
npm audit --json 2>/dev/null | head -100

# Outdated packages
npm outdated --json 2>/dev/null

# Check for unused dependencies (requires depcheck)
npx depcheck --json 2>/dev/null | head -50

# Package sizes
du -sh node_modules/* 2>/dev/null | sort -rh | head -20

# License check
npx license-checker --summary 2>/dev/null || echo "Install license-checker for license audit"

# Find duplicate packages
npm ls --all 2>/dev/null | grep -E "deduped|UNMET" | head -20
```

## Output

```markdown
# Dependency Audit

## Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Security | X | X | X | X |
| Outdated | X | X | X | X |
| Unused | X | X | X | X |
| License | X | X | X | X |

**Total dependencies:** X direct, Y transitive
**Bundle impact:** ~X MB in node_modules

## Critical Vulnerabilities

### DEP-001: lodash < 4.17.21 - Prototype Pollution
**Severity:** Critical (CVSS 9.1)
**CVE:** CVE-2021-23337
**Current:** 4.17.15
**Fix:** `npm update lodash`
**Impact:** Remote code execution possible

### DEP-002: axios < 1.6.0 - SSRF Vulnerability
**Severity:** High (CVSS 7.5)
**CVE:** CVE-2023-45857
**Current:** 0.21.1
**Fix:** `npm update axios`

## Outdated Packages

### Major Updates Available
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|------------------|
| next | 13.4.0 | 14.0.0 | App router changes |
| react | 17.0.2 | 18.2.0 | Concurrent features |
| typescript | 4.9.0 | 5.3.0 | New syntax features |

### Minor/Patch Updates
| Package | Current | Latest |
|---------|---------|--------|
| @types/node | 18.0.0 | 18.19.0 |
| eslint | 8.40.0 | 8.56.0 |

## Unused Dependencies

### Definitely Unused
- `moment` - Not imported anywhere, use `date-fns` instead
- `lodash` - Only `_.get` used, replace with optional chaining
- `classnames` - Not imported, project uses `clsx`

### Possibly Unused
- `@testing-library/jest-dom` - Check if tests actually use it

**Savings:** Remove unused deps to save ~2MB

## Large Dependencies

| Package | Size | Purpose | Alternative |
|---------|------|---------|-------------|
| moment | 2.5MB | Dates | date-fns (200KB) |
| lodash | 1.4MB | Utils | Native JS + lodash-es |
| @aws-sdk/client-s3 | 3.2MB | S3 | Keep if needed |

## License Issues

### Copyleft Licenses (Review Required)
- `some-gpl-package@1.0.0` - GPL-3.0
  - Check if your project can use GPL code

### Missing Licenses
- `unlicensed-package@0.1.0` - No license file
  - Contact maintainer or replace

## Recommendations

### Immediate Actions
1. `npm audit fix` - Fix auto-fixable vulnerabilities
2. Remove unused: `npm uninstall moment lodash classnames`
3. Update critical: `npm update axios lodash`

### Planned Updates
1. React 18 migration (requires testing)
2. Next.js 14 migration (review breaking changes)

### Bundle Optimization
1. Replace moment with date-fns
2. Use lodash-es with tree shaking
3. Lazy load heavy dependencies
```

Focus on actionable findings. Include specific commands to fix issues.
More from this repository
api-testerSubagent

API endpoint testing. Discovery, validation, auth flows, error handling.

architect-reviewerSubagent

Supervisor agent. Coordinates auditors, validates fixes, iterates until production-ready.

browser-qa-agentSubagent

Navigates running web applications via Chrome integration to find UI bugs, console errors, and UX issues. Uses /chrome tools to interact with localhost or deployed apps.

bug-auditorSubagent

Runtime bug scanner. Finds error handling gaps, race conditions, memory leaks, null refs.

code-auditorSubagent

Code quality auditor. Reviews patterns, maintainability, complexity, consistency.

code-fixerSubagent

Implements fixes from FIXES.md. Production-quality code following project patterns.

console-monitorSubagent

Real-time console monitoring during browser sessions. Watches for errors, warnings, and logs as you test.

db-auditorSubagent

Database auditor. Schema design, N+1 queries, indexes, connection pooling.