TopRank Skills

Official OpenClaw rules 54%

dependency-audit

Smart dependency health check — security audit, outdated detection, unused deps, and prioritized update plan

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

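Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

Please first check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the dependency-audit skill. If it is already installed, install the dependency-audit skill directly.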

Overview

Skill Key: fratua/dependency-audit
Author: Sovereign Skills
Source Repo: openclaw/skills
Version: 1.0.0
Source Path: skills/fratua/dependency-audit
Latest Commit SHA: 5447ab45018bea8661b255bd51b1d698631fbdb8

Extracted Content

SKILL.md excerpt

# dependency-audit — Smart Dependency Health Check

Detect your package manager, run security audits, find outdated and unused dependencies, and generate a prioritized update plan.

## Steps

### 1. Detect Package Manager

Check for these files in the project root:

| File | Ecosystem | Audit Command |
|------|-----------|--------------|
| `package.json` | Node.js (npm/yarn/pnpm) | `npm audit` |
| `requirements.txt` / `pyproject.toml` / `Pipfile` | Python | `pip-audit` |
| `Cargo.toml` | Rust | `cargo audit` |
| `go.mod` | Go | `govulncheck ./...` |
| `Gemfile` | Ruby | `bundle audit check` |

If multiple are found, audit all of them. If none found, stop and inform the user.

### 2. Run Security Audit

**Node.js:**
```bash
npm audit --json 2>/dev/null
# Parse: advisories, severity (critical/high/moderate/low), affected package, fix available
```

**Python:**
```bash
pip-audit --format=json 2>/dev/null || pip-audit 2>/dev/null
# pip-audit is a standalone tool, not a pip subcommand. If not installed: pip install pip-audit
```

**Rust:**
```bash
cargo audit --json 2>/dev/null
# If not installed: cargo install cargo-audit
```
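
The parse step named in the Node.js comment above (severity, affected package, fix available), as an added example that is not part of the skill's own code. It assumes the npm 7+ report layout (`auditReportVersion` 2) and runs on a constructed sample with placeholder package names; the ordering (severity, then direct dependencies first) is this example's choice.

```python
import json

# Constructed sample in the npm 7+ report shape (auditReportVersion 2); package
# names, titles and versions are placeholders, not real advisories.
SAMPLE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"title": "Constructed advisory A", "severity": "high"}],
            "range": "<2.1.0", "fixAvailable": True},
        "example-framework": {
            "name": "example-framework", "severity": "critical", "isDirect": True,
            "via": ["example-codec"], "range": "<=4.9.9",
            "fixAvailable": {"name": "example-framework", "version": "5.0.0",
                             "isSemVerMajor": True}},
        "example-codec": {
            "name": "example-codec", "severity": "critical", "isDirect": False,
            "via": [{"title": "Constructed advisory B", "severity": "critical"}],
            "range": "<1.4.2", "fixAvailable": False},
    },
})

# Assumption of this example: rank by severity, then direct dependencies first.
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

def summarize(report_json):
    """Return one finding per affected package, most urgent first."""
    report = json.loads(report_json)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        # fixAvailable is a boolean, or an object describing the version with the fix
        if isinstance(fix, dict):
            action = "breaking-upgrade" if fix.get("isSemVerMajor") else "upgrade"
        else:
            action = "upgrade" if fix else "no-fix"
        # "via" mixes advisory objects with plain names of vulnerable dependencies
        titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({"package": name, "severity": vuln.get("severity", "info"),
                         "direct": bool(vuln.get("isDirect")), "action": action,
                         "advisories": titles})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 5),
                                 not f["direct"], f["package"]))
    return findings

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        print(f"{f['severity']:9} {f['package']:18} {f['action']:17} {f['advisories']}")
```

A package whose `via` holds only names, like the framework in the sample, is affected through a dependency, so its advisory titles are listed under that dependency's entry.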

### 3. Check for Outdated Packages

**Node.js:**
```bash
npm outdated --json 2>/dev/null
# Shows: current, wanted (semver-compatible), latest
```

**Python:**
```bash
pip list --outdated --format=json 2>/dev/null
```

**Rust:**
```bash
cargo outdated -R 2>/dev/null
# If not installed: cargo install cargo-outdated
```

### 4. Identify Unused Dependencies

**Node.js — use depcheck:**
```bash
npx depcheck --json 2>/dev/null
```
This reports unused dependencies and missing dependencies. If `npx` fails, scan source files manually:
```bash
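# List deps from package.json, then flag any name not found in a .js/.ts/.jsx/.tsx file
node -p "Object.keys(require('./package.json').dependencies || {}).join('\n')" | while read -r dep; do
  grep -rqF --exclude-dir=node_modules --include='*.js' --include='*.ts' --include='*.jsx' --include='*.tsx' -- "$dep" . || echo "possibly unused: $dep"
done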
```

**Python:** Scan imports vs installed packages:
```bash
# Extract imports from .py files
grep -rh "^import \|^from " --include="*.py" . | sort -u
# Compare against requirements.txt entries
```

### 5. Generate Prioritized Update Plan

Organize fi...
