ReddRadar
Agent skill
dependency-doctor
Audits project dependencies for outdated packages, duplicates, heavy/problematic libraries, security vulnerabilities, and risky version combinations. Generates prioritized reports with security, performance, and maintainability insights, upgrade paths, and safe pinning recommendations. Use when users request dependency audits, package updates, security checks, or dependency optimization.
Install this agent skill to your Project
npx add-skill https://github.com/patricio0312rev/skills/tree/main/foundation/dependency-doctor
SKILL.md
Dependency Doctor
Comprehensive dependency health analysis and upgrade planning.
Core Workflow
- Scan manifests: Analyze package.json, requirements.txt, Cargo.toml, go.mod, etc.
- Check versions: Identify outdated packages against latest stable versions
- Detect issues: Find duplicates, security vulnerabilities, deprecated packages, heavy bundles
- Assess risk: Evaluate breaking changes and version compatibility
- Prioritize: Rank issues by severity (security > performance > maintenance)
- Generate upgrade path: Create safe, incremental update plan
- Recommend pins: Suggest version constraints to avoid future issues
Analysis Categories
Security Issues (Critical)
- Known CVEs in dependencies
- Unmaintained packages (no updates >2 years)
- Packages with security advisories
- Transitive dependency vulnerabilities
Outdated Packages (High)
- Major versions behind (breaking changes)
- Minor versions behind (new features)
- Patch versions behind (bug fixes)
Duplicate Dependencies (Medium)
- Multiple versions of same package
- Overlapping functionality (lodash + underscore)
- Can be deduplicated
Heavy Dependencies (Medium)
- Large bundle sizes (>500KB)
- Unnecessary peer dependencies
- Better alternatives available
Risky Combinations (Medium)
- Known incompatible version pairs
- Conflicting peer dependencies
- Framework version mismatches
Report Structure
# Dependency Audit Report
## 🔴 Critical Security Issues (2)
- axios@0.21.0 → CVE-2021-3749 → Upgrade to 1.6.0+
- lodash@4.17.15 → Prototype pollution → Upgrade to 4.17.21+
## 🟡 High Priority Updates (5)
- react@17.0.2 → 18.2.0 (major, breaking changes)
- next@12.0.0 → 14.1.0 (major, new features)
## 🟢 Maintenance Updates (8)
- typescript@4.9.0 → 5.3.3 (patch improvements)
## 📦 Duplicates Found (3)
- moment: 2.29.1, 2.30.0 → Deduplicate to 2.30.0
- @types/node: 18.0.0, 20.0.0 → Align to 20.0.0
## 🏋️ Heavy Dependencies (2)
- moment (232KB) → Consider date-fns (12KB)
- lodash (full) → Consider lodash-es or specific imports
## Upgrade Path
### Phase 1: Security (Do First)
```bash
npm update axios lodash
npm audit fix
```
Phase 2: Major Frameworks (Test Thoroughly)
npm install react@18 react-dom@18
npm install next@14
# Run full test suite
Phase 3: Minor Updates (Low Risk)
npm update
Safe Pin Recommendations
{
"axios": "^1.6.0",
"react": "^18.2.0",
"typescript": "~5.3.0"
}
## Package Manager Commands
### npm
- Audit: `npm audit`
- Outdated: `npm outdated`
- Dedupe: `npm dedupe`
- Update: `npm update [package]`
### yarn
- Audit: `yarn audit`
- Outdated: `yarn outdated`
- Dedupe: `yarn dedupe`
- Upgrade: `yarn upgrade [package]`
### pnpm
- Audit: `pnpm audit`
- Outdated: `pnpm outdated`
- Dedupe: `pnpm dedupe`
- Update: `pnpm update [package]`
### pip
- Outdated: `pip list --outdated`
- Update: `pip install --upgrade [package]`
- Security: `pip-audit` or `safety check`
## Upgrade Best Practices
1. **Backup first**: Commit current state or create branch
2. **Read changelogs**: Check for breaking changes
3. **Update incrementally**: One major version at a time
4. **Test thoroughly**: Run full test suite after each update
5. **Check peer deps**: Ensure compatibility
6. **Lock files**: Commit updated lock files
7. **Monitor**: Watch for runtime issues after deployment
## Version Pinning Strategy
- **Exact**: `1.2.3` - Only for problematic packages
- **Patch**: `~1.2.3` - Safe updates (1.2.x)
- **Minor**: `^1.2.3` - Most common (1.x.x)
- **Range**: `>=1.2.3 <2.0.0` - Explicit bounds
## References
See `references/common-issues.md` for known problematic package combinations and migration guides.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
patricio0312rev/skills
rate-limiting-abuse-protection
Implements rate limiting and abuse prevention with per-route policies, IP/user-based limits, sliding windows, safe error responses, and observability. Use when adding "rate limiting", "API protection", "abuse prevention", or "DDoS protection".
patricio0312rev/skills
rbac-permissions-builder
Implements role-based access control with permission matrix, route guards, policy functions, and UI permission hints. Provides middleware/guards, helper utilities, test suggestions, and permission checking patterns. Use when building "RBAC", "permissions", "access control", or "authorization".
patricio0312rev/skills
websocket-realtime-builder
Implements real-time features using WebSockets with Socket.io, rooms, authentication, and reconnection handling. Use when users request "real-time updates", "WebSocket", "Socket.io", "live chat", or "push notifications".
patricio0312rev/skills
webhook-receiver-hardener
Secures webhook receivers with signature verification, retry handling, deduplication, idempotency keys, and error responses. Provides verification code, dedupe storage strategy, runbook for incidents. Use when implementing "webhooks", "webhook security", "event receivers", or "third-party integrations".
patricio0312rev/skills
auth-module-builder
Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".
patricio0312rev/skills
rest-to-graphql-migrator
Migrates REST APIs to GraphQL incrementally with schema stitching, REST datasources, and gradual endpoint migration. Use when users request "migrate to GraphQL", "REST to GraphQL", "GraphQL wrapper", or "API modernization".
Didn't find tool you were looking for?