Section 02 · Infrastructure & Setup
Dependencies & Code Quality
Dependency management, security scanning, language choices, and monorepo structure
This guide walks you through auditing a repository's dependency management, language choices, and code quality tooling.
The Goal: Secure, Modern Stack
Dependencies should be actively maintained, automatically updated, and free of known vulnerabilities. The codebase should use modern tooling that catches bugs at compile time rather than runtime.
- Secure — no critical vulnerabilities, regular security audits
- Updated — automated dependency updates via Dependabot or Renovate
- Type-safe — TypeScript with strict mode enabled
- Consistent — linting rules follow best practices, not disabled wholesale
- Orchestrated — monorepos use Turborepo for efficient builds and caching
Before You Start
- Confirm you're in the target repository's root directory
- Verify the project is a Node.js/TypeScript project (most checks are Node-specific)
- Have the user available for questions about package choices and migration plans
dependency-management

| Check | Question to ask |
| --- | --- |
| No critical/high vulnerabilities, lockfile updated regularly | “Any critical CVEs sitting unpatched in your lockfile right now?” |
| Dependabot, Renovate, or documented manual process for tracking updates | “Who's watching for new vulnerabilities — a person or a bot?” |
| Critical dependencies are actively maintained, no deprecated packages | “Any critical packages with last commit over 2 years ago?” |

language-tooling

| Check | Question to ask |
| --- | --- |
| TypeScript configured with strict mode, source files predominantly .ts/.tsx | “Still shipping .js files because strict mode felt too hard?” |
| ESLint extends recommended configs, critical rules not disabled | “How many eslint-disable comments are hiding real problems?” |
| Using pnpm with lockfile and packageManager field set | “Mixed npm and pnpm installs causing phantom dependency bugs?” |