
audit: Dependency vulnerabilities and supply chain #45

@Snider


Security Audit: Dependencies & Supply Chain

Audit all dependencies for vulnerabilities and supply chain risks.

Dependency Analysis

  1. Direct Dependencies

    • List all with versions
    • Check for known CVEs
    • Identify outdated packages
    • License compliance
  2. Transitive Dependencies

    • Full dependency tree
    • Hidden vulnerabilities
    • Unmaintained packages
  3. Lock Files

    • Are lock files committed?
    • Integrity hashes present?
    • Consistent across environments?

Supply Chain Risks

  1. Package Sources

    • Official registries only?
    • Typosquatting risks
    • Compromised maintainers
  2. Build Process

    • Reproducible builds?
    • CI/CD security
    • Artifact signing
  3. Update Policy

    • Automated updates?
    • Security patch SLA
    • Breaking change handling

Tools to Use

  • npm audit / yarn audit
  • composer audit
  • go mod verify
  • safety (Python)
  • Snyk / Dependabot reports

Output

Save to AUDIT-DEPENDENCIES.md

Include CVE list with severity and remediation priority.
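The lock-file, package-source and report items above can be exercised end to end on one lock file. The script below is an added example, not the project's tooling and not part of the issue: it audits an npm package-lock.json for missing integrity hashes, non-registry sources and names one edit away from a well-known package, merges the hits with an advisory table, sorts by severity, and renders the kind of table the issue asks for in AUDIT-DEPENDENCIES.md. The lock excerpt (SAMPLE_LOCK), the advisory table (ADVISORIES, with DEMO-ADV-* identifiers rather than real CVEs), the WELL_KNOWN list and the function names are all constructed for the demo; a real run would feed the repository's own lock file and the output of npm audit or Snyk into the same shape.

```python
"""Audit a package-lock.json for lock-file hygiene and supply-chain risks.

Added example, not the project's own tooling. The lock file, the advisory
table and the list of well-known package names are constructed for the
demo; the advisory IDs are placeholders, not real CVE identifiers.
"""
import json
from urllib.parse import urlparse

# Constructed lockfileVersion 3 excerpt; each entry exercises one check.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {            # clean entry: registry source + hash
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
            "integrity": "sha512-constructedhash1",
        },
        "node_modules/expres": {             # one letter short of "express"
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/expres/-/expres-1.0.0.tgz",
            "integrity": "sha512-constructedhash2",
        },
        "node_modules/left-pad": {           # no integrity field: tarball unverified
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/internal-util": {      # git source on a branch, no hash
            "version": "0.1.0",
            "resolved": "git+ssh://git@git.example.com/internal/util.git#main",
        },
    },
})

# Constructed advisory table keyed by (name, version); hypothetical IDs only.
ADVISORIES = {
    ("left-pad", "1.3.0"): ("DEMO-ADV-001", "high"),
    ("express", "4.18.2"): ("DEMO-ADV-002", "low"),
}
OFFICIAL_HOSTS = {"registry.npmjs.org"}
WELL_KNOWN = ("express", "lodash", "react", "axios")   # constructed allow-list
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def edit_distance(a, b):
    """Levenshtein distance; flags names one typo away from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lock(lock_text):
    """Return (severity, package, version, finding_id, detail) tuples, highest first."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":                       # root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "?")
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host not in OFFICIAL_HOSTS:
            findings.append(("high", name, version, "SOURCE",
                             f"resolved from non-registry source {resolved!r}"))
        if "integrity" not in meta:
            findings.append(("medium", name, version, "INTEGRITY",
                             "no integrity hash; tarball contents are unverified"))
        for known in WELL_KNOWN:
            if name != known and edit_distance(name, known) == 1:
                findings.append(("high", name, version, "TYPOSQUAT",
                                 f"name is one edit away from {known!r}"))
        if (name, version) in ADVISORIES:
            adv_id, sev = ADVISORIES[(name, version)]
            findings.append((sev, name, version, adv_id,
                             "known advisory; upgrade per advisory guidance"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


def render_markdown(findings):
    """Render findings as the prioritised table the audit report should contain."""
    lines = ["# Dependency audit", "",
             "| Priority | Severity | Package | Version | ID | Detail |",
             "|---|---|---|---|---|---|"]
    for i, (sev, name, ver, fid, detail) in enumerate(findings, 1):
        lines.append(f"| {i} | {sev} | {name} | {ver} | {fid} | {detail} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(audit_lock(SAMPLE_LOCK)))
```

The git-sourced entry is reported twice on purpose: a branch reference is an unpinned source, and npm records no integrity hash for it, so both the "official registries only" and "integrity hashes present" checks fail independently. Sorting on severity first and name second keeps the remediation order stable between runs, which matters when the report is diffed in CI.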

Metadata

Assignees

No one assigned

Labels

jules (For Jules AI to work on)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests