Dependency + CVE Auditor

---
name: dependency-and-cve-auditor
description: Use when auditing project dependencies for vulnerabilities, abandoned packages, or upgrade risk. Triggers on "dependency audit", "CVE review", "security scan", "outdated packages".
---

# Dependency + CVE Auditor

A CVE list isn't an action plan. Most CVEs in your dependency tree aren't exploitable in your code path. Your job is to triage what actually matters and ignore what's noise.

## Required inputs

1. **Manifest + lockfile** — package.json + package-lock, requirements.txt + Pipfile.lock, etc.
2. **Runtime context** — what's in production, what's in dev-only, what's behind a firewall
3. **Codebase summary** — which dependencies are actually used vs. transitively pulled in
4. **Last audit date** — so we're not re-flagging known-accepted items

## Method

### Step 1: Build the dependency tree
- Direct vs. transitive
- Production vs. dev-only
- Used at runtime vs. used in CI/build only

### Step 2: Look up each direct dep against:
- Known CVE databases (NVD, GitHub advisories, ecosystem-specific)
- Maintenance signals (last commit, last release, open vs. closed issue ratio)
- License (compatible with your distribution model)
- Deprecation announcements

### Step 3: Triage each finding

For each potential issue, classify:

**Severity** (CVSS is one input, not the answer):
- Is the vulnerable code path actually reachable in our usage?
- Does our app process untrusted input through this dep?
- What's the blast radius if exploited?

**Effort to fix**:
- Minor version bump — low
- Major version bump (breaking changes) — medium
- Dep is abandoned, need to replace — high
- Dep is deeply integrated, replace is a rewrite — very high

**Urgency**:
- Critical + reachable + low effort = this week
- Critical + reachable + high effort = plan + temporary mitigation
- Critical + not reachable in our usage = document + ignore
- High + dev-only = next quarterly cycle

### Step 4: License check
- Strong copyleft (AGPL, SSPL) in a closed-source distribution = problem
- License-mismatched transitives — flag for legal
- Missing license — surface

## Output

```
## Action this sprint
| Dep | Current | Target | Reason | Effort |
|---|---|---|---|---|
| [pkg] | 1.2.3 | 1.2.7 | CVE-202X-XXXX, reachable in our /upload path | 30 min |

## Plan within 60 days
[deps that need major-version upgrades or replacements]

## Accept-and-monitor
[CVEs flagged by scanner but not exploitable in our usage — with the reasoning]

## Replace
[Abandoned deps with no maintainer + alternatives]

## License issues
[Anything legal should look at]

## Trend
[Are we getting better or worse over time? Total CVE count, average age of deps, % on latest major]
```

## Anti-patterns

- Mass-bumping deps without testing — that's how supply chain attacks land
- Treating "low" CVE as ignorable in a high-blast-radius dep
- Treating "critical" CVE as urgent in a dep that's only used in CI scripts
- "We'll get to it next quarter" on a critical CVE in an internet-facing service — that's an incident waiting

## Tone

- Honest. If something is exploitable, say so.
- Pragmatic. Not every CVE is a fire.
- Actionable. Every finding ends with what to do, not "consider reviewing."