DEP-001 critical dependency-management

Dependencies secure and maintained

No critical/high vulnerabilities, lockfile updated regularly

Question to ask

"Any critical CVEs sitting unpatched in your lockfile right now?"

Verification guide

Severity: Critical

Check automatically:

  1. Run vulnerability scan. Audit tools exit non-zero when they find vulnerabilities,
     so chaining them with || runs the second tool after the first one reports findings;
     pick the tool from the lockfile that is present and keep stderr visible so a
     missing lockfile is not mistaken for a clean result:

    # Node.js projects: choose the package manager by lockfile
    if [ -f pnpm-lock.yaml ]; then pnpm audit --audit-level high
    elif [ -f package-lock.json ]; then npm audit --audit-level=high
    elif [ -f yarn.lock ]; then yarn audit --level high
    fi
    
    # Python projects: pip-audit where available (add -r requirements.txt to audit the pinned file instead of the active environment)
    if command -v pip-audit >/dev/null 2>&1; then pip-audit; else safety check; fi
    
  2. Check lockfile freshness (most recent commit touching any lockfile):

    git log -1 --format="%ci %s" -- pnpm-lock.yaml package-lock.json yarn.lock poetry.lock uv.lock requirements.txt
    
  3. Count outdated packages (informational; these commands also exit non-zero when anything is outdated):

    if [ -f pnpm-lock.yaml ]; then pnpm outdated; else npm outdated; fi
    

Pass criteria:

  • No critical or high vulnerabilities in audit output (a high finding with a documented, mitigated exception does not by itself fail the check; see below)
  • Lockfile updated within last 30 days

Fail criteria:

  • Any critical vulnerabilities
  • High vulnerabilities without documented exception
  • Lockfile not touched in 90+ days (a lockfile 31-89 days old is neither an automatic pass nor a fail; record its date and decide in review)

If vulnerabilities found, ask user: "Found [X] critical and [Y] high vulnerabilities. Are any of these documented exceptions with mitigations in place?"

Evidence to capture:

  • Vulnerability count by severity (critical/high/moderate/low)
  • Last lockfile update date and commit message
  • List of critical/high vulnerabilities with affected packages
  • Tool and command used (audit output is only as current as that tool's advisory database on the day of the check)
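The pass/fail logic above, applied to real audit output, as an added Python example that is not part of the original checklist tooling: it reads an `npm audit --json` report (either the npm 7+ shape keyed by package name, or the older advisories shape that npm 6 and `pnpm audit --json` emit), counts findings by severity, takes the lockfile's last-commit date as printed by the git log command in step 2, and returns the status together with the evidence fields listed above. The package names, the exception list and both sample reports are constructed; criticals are treated as failing regardless of exceptions, following the first fail criterion; and reporting a lockfile between 31 and 89 days old as "REVIEW" is an assumption, since the checklist only defines the 30-day pass and 90-day fail bounds.

```python
"""DEP-001 evaluator (added example, not the checklist's own tooling).
Applies the pass/fail criteria to `npm audit --json` output plus the lockfile's
last-commit date. Package names, exception list and sample reports are constructed;
the 31-89 day "REVIEW" band is an assumption the checklist does not define."""
import json
from datetime import datetime, timezone

# Fixed "now" so the example is deterministic; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the npm 7+ shape (auditReportVersion 2, keyed by package name).
SAMPLE_REPORT_V2 = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-template-engine": {"name": "example-template-engine", "severity": "high",
                                    "isDirect": True, "range": "<2.0.0", "fixAvailable": True},
        "example-date-lib": {"name": "example-date-lib", "severity": "moderate",
                             "isDirect": False, "range": "<1.4.2", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0, "total": 2}},
}

# Constructed sample in the older advisories shape that npm 6 and `pnpm audit --json` emit.
SAMPLE_REPORT_V1 = {
    "advisories": {
        "1001": {"id": 1001, "module_name": "example-yaml-loader", "severity": "critical",
                 "title": "constructed advisory", "vulnerable_versions": "<3.0.0"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 1}},
}

SEVERITIES = ("critical", "high", "moderate", "low", "info")


def findings_from_report(report: dict) -> list:
    """Normalise either report shape to (package, severity, detail) tuples."""
    if report.get("auditReportVersion") == 2:
        return [(name, v.get("severity", "info"), v.get("range", ""))
                for name, v in report.get("vulnerabilities", {}).items()]
    return [(a.get("module_name", "?"), a.get("severity", "info"), a.get("vulnerable_versions", ""))
            for a in report.get("advisories", {}).values()]


def count_by_severity(findings) -> dict:
    counts = dict.fromkeys(SEVERITIES, 0)
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def lockfile_age_days(git_ci: str, now: datetime = NOW) -> int:
    """git_ci is the %ci field printed by `git log -1 --format=%ci -- <lockfile>`."""
    committed = datetime.strptime(git_ci.strip(), "%Y-%m-%d %H:%M:%S %z")
    return (now - committed).days


def evaluate(report: dict, git_ci: str, now: datetime = NOW, exceptions=frozenset()) -> dict:
    """Apply the DEP-001 criteria. `exceptions` names packages whose high finding
    has a documented exception; criticals fail regardless (first fail criterion)."""
    findings = findings_from_report(report)
    counts = count_by_severity(findings)
    age = lockfile_age_days(git_ci, now)
    reasons = []
    if counts["critical"]:
        reasons.append(f"{counts['critical']} critical vulnerabilities")
    unexcepted_high = [f for f in findings if f[1] == "high" and f[0] not in exceptions]
    if unexcepted_high:
        reasons.append(f"{len(unexcepted_high)} high vulnerabilities without documented exception")
    if age >= 90:
        reasons.append(f"lockfile not touched in {age} days")
    if reasons:
        status = "FAIL"
    elif age > 30:
        status = "REVIEW"  # assumption: the checklist is silent on 31-89 days
    else:
        status = "PASS"
    return {
        "status": status,
        "reasons": reasons,
        "counts": counts,                            # evidence: count by severity
        "lockfile_age_days": age,                    # evidence: lockfile freshness
        "blocking": [f for f in findings if f[1] in ("critical", "high")],  # evidence: affected packages
    }


if __name__ == "__main__":
    # In practice: report = json.load(sys.stdin) fed from `npm audit --json`.
    print(json.dumps(evaluate(SAMPLE_REPORT_V2, "2024-05-20 10:00:00 +0000",
                              exceptions={"example-template-engine"}), indent=2))
    print(json.dumps(evaluate(SAMPLE_REPORT_V1, "2024-01-01 00:00:00 +0000"), indent=2))
```

Feed it the JSON from `npm audit --json` (or `pnpm audit --json`) and the first field of the git log line from step 2; the returned dictionary is the evidence record, and the `reasons` list is what to quote back in the follow-up question about documented exceptions.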

Section

02. Dependencies & Code Quality

Infrastructure & Setup