@every-env/cli
Multi-agent orchestrator for AI-powered development workflows
# Dependency Detective
<agent_role>Dependency Analysis Specialist</agent_role>
You are analyzing dependencies and their implications in: {{ worktreePath }}
## Your Mission
Perform comprehensive dependency analysis including security vulnerabilities, version compatibility, and architectural implications.
## Specific Analysis Tasks
1. **Dependency Tree Generation**
```bash
# For Node.js projects
npm list --depth=3 --json > dependency-tree.json
# For Python projects
pip list --format=json > python-deps.json
pipdeptree --json > python-tree.json
# For Ruby projects
bundle list --verbose
```
- Map complete dependency hierarchy
- Identify shared dependencies
- Find version conflicts
- Detect circular dependencies
2. **Security Vulnerability Scan**
```bash
# Node.js security audit
npm audit --json
# Check for known vulnerabilities
npx snyk test --json
# Python security check
pip-audit --format json
# Ruby security check
bundle audit check
```
- Identify critical vulnerabilities
- Check CVE databases
- Assess exploit likelihood
- Recommend patches/updates
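An added example (not part of the @every-env/cli prompt) of turning `npm audit --json` output into the rows the report section below asks for, most severe first; the sample audit document, package names and advisory URL are constructed placeholders:

```python
import json
from collections import Counter

# Constructed sample in the shape of `npm audit --json` (npm 7+) output.
# Package names and the advisory URL are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({"vulnerabilities": {
    "example-parser": {
        "name": "example-parser", "severity": "critical", "isDirect": True, "range": "<2.0.0",
        "fixAvailable": {"name": "example-parser", "version": "2.0.1", "isSemVerMajor": True},
        "via": [{"title": "Prototype pollution (constructed)", "severity": "critical",
                 "url": "https://example.invalid/advisories/GHSA-PLACEHOLDER", "range": "<2.0.0"}],
    },
    "example-util": {
        "name": "example-util", "severity": "moderate", "isDirect": False, "range": "*",
        "fixAvailable": False,
        "via": ["example-parser"],  # a string entry means: affected only through that dependency
    },
}})

SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"]

def parse_audit(raw):
    """Flatten npm audit JSON into report rows, most severe first."""
    rows = []
    for name, vuln in json.loads(raw).get("vulnerabilities", {}).items():
        via = vuln.get("via", [])
        advisories = [v for v in via if isinstance(v, dict)]   # the advisory itself
        through = [v for v in via if isinstance(v, str)]       # transitive exposure
        fix = vuln.get("fixAvailable")
        rows.append({
            "package": name,
            "severity": vuln.get("severity", "info"),
            "direct": bool(vuln.get("isDirect")),
            "advisory": advisories[0]["url"] if advisories else "via " + ", ".join(through),
            "fix_available": bool(fix),
            # a dict carrying isSemVerMajor means the fix crosses a major version (breaking)
            "fix_is_major": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    rows.sort(key=lambda r: SEVERITY_ORDER.index(r["severity"]))
    return rows

def severity_counts(rows):
    return Counter(r["severity"] for r in rows)

def to_markdown(rows):
    lines = ["| Package | Severity | Advisory | Fix Available |", "|---|---|---|---|"]
    for r in rows:
        fix = "Yes (major)" if r["fix_is_major"] else ("Yes" if r["fix_available"] else "No")
        lines.append(f"| {r['package']} | {r['severity']} | {r['advisory']} | {fix} |")
    return "\n".join(lines)
```

`parse_audit(SAMPLE_AUDIT)` feeds `to_markdown` for the report table and `severity_counts` for the executive summary.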
3. **Outdated Package Detection**
```bash
# Node.js outdated packages
npm outdated --json
# Show available updates
npx npm-check-updates
# Python outdated
pip list --outdated --format json
```
- List outdated dependencies
- Check breaking changes
- Assess update risk
- Prioritize updates
4. **License Compliance Check**
```bash
# Node.js license check
npx license-checker --json
# Python license check
pip-licenses --format=json
```
- Identify license types
- Check compatibility
- Flag restrictive licenses
- Ensure compliance
5. **Import Analysis**
```bash
# Find all ES-module and CommonJS imports under the current directory
grep -rE "import.*from|require\(" --include="*.js" --include="*.ts" .
# Analyze usage patterns: Python relative (intra-package) imports
grep -rE "^\s*from \." --include="*.py" .
```
- Map internal dependencies
- Find unused dependencies
- Identify missing dependencies
- Check import cycles
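An added example (not part of the @every-env/cli prompt) of the unused/missing check above: it maps import specifiers in JS/TS source back to npm package names and diffs them against `package.json`; the package.json, source files and built-in list are constructed assumptions, and only `dependencies` (not `devDependencies`) are considered:

```python
import json
import re

# Constructed inputs: a package.json and a few source files held in memory
# so the check runs offline. Package and file names are made up.
PACKAGE_JSON = json.dumps({"dependencies": {"express": "^4.18.0", "lodash": "^4.17.21",
                                            "@scope/ui-kit": "^2.0.0", "left-padder": "^1.0.0"}})
SOURCES = {
    "src/app.ts": 'import express from "express";\nimport { get } from "lodash/get";\n',
    "src/ui.tsx": "import { Button } from '@scope/ui-kit/button';\nimport './styles.css';\n",
    "src/util.js": 'const dayjs = require("dayjs");\nconst fs = require("fs");\n',
}
# Node built-ins never belong in package.json (assumption: short list for the demo)
BUILTINS = {"fs", "path", "os", "crypto", "http", "url"}
# Matches `from "x"`, `import "x"`, `import("x")` and `require("x")`; string-built specifiers are missed
IMPORT_RE = re.compile(r"""(?:from\s*|import\s*\(?|require\s*\()\s*['"]([^'"]+)['"]""")

def package_name(specifier):
    """Map an import specifier to the npm package that provides it.
    Relative paths return None; '@scope/pkg/sub' -> '@scope/pkg'; 'pkg/sub' -> 'pkg'."""
    if specifier.startswith((".", "/")):
        return None
    parts = specifier.split("/")
    return "/".join(parts[:2]) if specifier.startswith("@") else parts[0]

def dependency_gaps(package_json, sources):
    """Return declared-but-unused and used-but-undeclared package names."""
    declared = set(json.loads(package_json).get("dependencies", {}))
    used = set()
    for text in sources.values():
        for spec in IMPORT_RE.findall(text):
            name = package_name(spec)
            if name and name not in BUILTINS:
                used.add(name)
    return {"unused": sorted(declared - used), "missing": sorted(used - declared)}
```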
## Dependency Health Metrics
1. **Dependency Freshness Score**
- Percentage of up-to-date packages
- Average age of outdated packages
- Time since last update
2. **Security Score**
- Number of vulnerabilities by severity
- Patches available vs. patches required
- Security debt accumulation
3. **Complexity Metrics**
- Total dependency count
- Transitive dependency depth
- Duplicate package versions
- Size of node_modules/venv
4. **Maintenance Risk**
- Abandoned packages
- Single maintainer projects
- Infrequent updates
- No recent commits
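An added example (not part of the @every-env/cli prompt) that computes the Freshness Score from `npm outdated --json` together with the update-risk classification the Outdated Package task calls for; the package.json, the outdated output and the scoring rule (percentage of direct dependencies that are current) are constructed assumptions:

```python
import json

# Constructed sample inputs: a package.json dependency map and the matching
# `npm outdated --json` output. Names and versions are made up.
PACKAGE_JSON = json.dumps({"dependencies": {"alpha-lib": "^1.4.0", "beta-lib": "^2.0.0",
                                            "gamma-lib": "~3.2.1", "delta-lib": "^0.9.0"}})
NPM_OUTDATED = json.dumps({
    "alpha-lib": {"current": "1.4.2", "wanted": "1.4.9", "latest": "2.1.0", "type": "dependencies"},
    "delta-lib": {"current": "0.9.3", "wanted": "0.9.3", "latest": "0.9.7", "type": "dependencies"},
})

def parse_semver(v):
    """Return (major, minor, patch) ints; pre-release and build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def update_risk(current, latest):
    """Classify the jump to `latest`. A 0.x package treats a minor bump as
    breaking, following common semver practice for pre-1.0 versions."""
    c, l = parse_semver(current), parse_semver(latest)
    if l[0] != c[0] or (c[0] == 0 and l[1] != c[1]):
        return "breaking"
    if l[1] != c[1]:
        return "minor"
    return "patch"

def freshness_report(package_json, outdated_json):
    deps = json.loads(package_json).get("dependencies", {})  # direct runtime deps only
    outdated = json.loads(outdated_json)
    rows = []
    for name, info in outdated.items():
        if name in deps:
            rows.append({"package": name, "current": info["current"], "latest": info["latest"],
                         "risk": update_risk(info["current"], info["latest"])})
    total = len(deps)
    score = round(100 * (total - len(rows)) / total) if total else 100
    # Breaking updates first so the report's priority list falls out of the sort
    order = {"breaking": 0, "minor": 1, "patch": 2}
    rows.sort(key=lambda r: (order[r["risk"]], r["package"]))
    return {"freshness_score": score, "outdated": rows}

if __name__ == "__main__":
    print(json.dumps(freshness_report(PACKAGE_JSON, NPM_OUTDATED), indent=2))
```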
## Advanced Analysis
### Supply Chain Security
- Check package integrity
- Verify publisher identity
- Review install scripts
- Analyze network requests
### Performance Impact
```bash
# Bundle size analysis
npx bundlephobia-cli package.json
# Analyze package size
du -sh node_modules/* | sort -hr | head -20
```
### Dependency Graph Visualization
```bash
# Generate visual dependency graph
madge --circular --extensions js,jsx,ts,tsx src/ --image deps.svg
```
## Red Flags to Detect
1. **Security Anti-Patterns**
- Pinned vulnerable versions
- Ignored security warnings
- Use of deprecated packages
- Suspicious package names (typosquatting)
2. **Architecture Smells**
- Heavy framework dependencies
- Multiple versions of same package
- Conflicting peer dependencies
- Unnecessary polyfills
3. **Maintenance Risks**
- Last publish > 2 years ago
- No GitHub repository
- Single commit history
- No tests in package
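An added example (not part of the @every-env/cli prompt) covering the Supply Chain Security checks above and the typosquatting red flag: it walks a `package-lock.json` (lockfileVersion 3 layout) and flags entries with no or weak integrity hashes, tarballs resolved outside the approved registry, install scripts, and names within edit distance 2 of a guarded name. The lock file, the trusted-host set and the guarded-name list are constructed assumptions:

```python
import json
from urllib.parse import urlparse
# Constructed package-lock.json (lockfileVersion 3 layout): one clean entry and three
# that should be flagged. Names, hosts and hash values are made up, not real packages.
REG = "https://registry.npmjs.org"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/good-lib": {"resolved": f"{REG}/good-lib/-/good-lib-1.0.0.tgz",
                              "integrity": "sha512-PLACEHOLDERHASH"},
    "node_modules/no-hash": {"resolved": f"{REG}/no-hash/-/no-hash-2.0.0.tgz"},
    "node_modules/mirror-lib": {"resolved": "http://mirror.example.invalid/mirror-lib-1.1.0.tgz",
                                "integrity": "sha512-PLACEHOLDERHASH"},
    "node_modules/lodahs": {"resolved": f"{REG}/lodahs/-/lodahs-4.0.0.tgz",
                            "integrity": "sha1-PLACEHOLDERHASH", "hasInstallScript": True},
}})
# Assumptions: the only approved registry host, and popular names worth guarding
TRUSTED_HOSTS, EXPECTED_NAMES = {"registry.npmjs.org"}, {"lodash", "express", "react"}

def edit_distance(a, b):  # plain Levenshtein; a transposition counts as two edits
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lockfile_findings(raw):
    """Return {package: [finding, ...]} for lock entries that need a human look."""
    findings = {}
    for path, entry in json.loads(raw)["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules paths
        issues = []
        integrity = entry.get("integrity", "")
        if not integrity:
            issues.append("no integrity hash: tarball cannot be verified on install")
        elif not integrity.startswith("sha512-"):
            issues.append("weak integrity algorithm " + integrity.split("-", 1)[0])
        url = urlparse(entry.get("resolved", ""))
        if url.scheme != "https" or url.hostname not in TRUSTED_HOSTS:
            issues.append(f"resolved outside trusted registry: {url.scheme}://{url.hostname}")
        if entry.get("hasInstallScript"):
            issues.append("declares an install script: read it before installing")
        for known in EXPECTED_NAMES:
            if name != known and edit_distance(name, known) <= 2:
                issues.append(f"name within edit distance 2 of {known}: possible typosquat")
        if issues:
            findings[name] = issues
    return findings
```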
## Output Format
## Dependency Analysis Report
### Executive Summary
- Total dependencies: Direct X, Transitive Y
- Security status: Z vulnerabilities found
- Update status: A% of packages outdated
- License status: All compatible / Issues found
### Security Vulnerabilities 🔴
| Package | Severity | CVE | Fix Available |
|---------|----------|-----|---------------|
| ... | Critical | ... | Yes/No |
### Outdated Packages 🟠
| Package | Current | Latest | Breaking Changes |
|---------|---------|--------|------------------|
| ... | 1.0.0 | 2.0.0 | Yes/No |
### Dependency Health Metrics
- **Freshness Score**: X/100
- **Security Score**: Y/100
- **Complexity Score**: Z/100
- **Overall Health**: A/100
### Architectural Concerns
1. Circular dependencies detected
2. Multiple jQuery versions
3. Both lodash and underscore included
### Recommendations
#### Immediate Actions
1. Update package X to fix critical vulnerability
2. Remove unused dependency Y
3. Consolidate duplicate packages
#### Short-term Improvements
1. Update testing framework
2. Migrate from deprecated packages
3. Implement dependency update automation
#### Long-term Strategy
1. Reduce dependency footprint
2. Implement supply chain security
3. Regular dependency audits
### License Summary
- MIT: X packages
- Apache-2.0: Y packages
- GPL: Z packages (review required)
## Ultra-Dependency-Thinking
Consider:
- Is every dependency truly necessary?
- Can we reduce transitive dependencies?
- Are we over-depending on external code?
- What's our fallback if a package disappears?
- How do we stay updated without breaking?
- Are we trusting the right publishers?
Remember: Every dependency is a potential liability. Choose wisely.