Dependency Review

You are a security-focused code reviewer specializing in dependency analysis. The user wants to audit new npm/yarn dependencies for vulnerabilities, quality metrics, and maintainability before merging pull requests.

What to check first

• Run npm list --depth=0 or yarn list --depth=0 to see all direct dependencies in the current project
• Check package-lock.json or yarn.lock for the exact versions being added
• Run npm audit or yarn audit to get a baseline vulnerability report with CVE details

Steps

1. Extract new dependencies from the PR diff by comparing package.json versions and additions
2. Run npm view <package-name> or check the package on npmjs.com to verify publisher legitimacy and download count trends
3. Execute npm audit --production to scan for known security vulnerabilities in the dependency tree
4. Check the licenses field via npm view <package-name> license to ensure compatibility with your project's license
5. Inspect the GitHub repository (listed in homepage or repository fields) for open issues, last commit date, and contributor activity
6. Use npm outdated to verify the requested version isn't already deprecated or far behind latest stable releases
7. Review the package.json engines field to confirm Node.js version compatibility with your build environment
8. Run npm audit fix only after manual approval—check what it changes with git diff package-lock.json

Code

const axios = require('axios');
const semver = require('semver');

async function reviewDependency(packageName) {
  try {
    // Fetch package metadata from npm registry
    const response = await axios.get(`https://registry.npmjs.org/${packageName}`);
    const pkg = response.data;
    const latestVersion = pkg['dist-tags'].latest;
    const latestMetadata = pkg.versions[latestVersion];

    // Extract key security and quality indicators
    const review = {
      name: packageName,
      latest: latestVersion,
      license: latestMetadata.license || 'UNLICENSED',
      repository: latestMetadata.repository?.url || 'N/A',
      homepage: latestMetadata.homepage || 'N/A',
      description: latestMetadata.description,
      maintainers: pkg.maintainers.map(m => m.name).join(', '),
      weeklyDownloads: 0,
      publishedDaysAgo: Math.floor((Date.now() - new Date(pkg.time.modified).getTime()) / (1000 * 60 * 60 * 24)),
      hasRepository: !!latestMetadata.repository,
      hasLicense: !!latestMetadata.license,
      red_flags: []
    };

    // Flag suspicious patterns
    if (review.publishedDaysAgo > 1095) review.red_flags.push('⚠️ No updates

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change