DEBT-007 recommended metrics

Dependency age/health

Dependency updates are automated, security vulnerabilities are tracked, and major dependencies are kept reasonably current.

Question to ask

"Any dependencies more than two major versions behind?"

Pass criteria

  • Dependency update tool configured
  • No critical/high CVEs unaddressed
  • Major deps not more than 1-2 major versions behind
  • Dependency PRs reviewed regularly

Fail criteria

  • No automated updates
  • Dependencies years out of date
  • Known CVEs ignored
  • Dependency PRs pile up unreviewed

Related items

section: 2, items: Dependency management

Verification guide

Severity: Recommended

Outdated dependencies are a form of compounding technical debt with security implications: every release you skip widens the gap to the next fix, so the upgrade that eventually carries a security patch becomes larger and riskier to apply. Tracking dependency health is essential.

Check automatically:

# Check for dependency update tooling (Dependabot v2 config, Renovate, legacy Dependabot v1)
ls -la .github/dependabot.yml .github/dependabot.yaml 2>/dev/null
find . -maxdepth 3 \( -name "renovate.json*" -o -name ".renovaterc*" -o -path "*/.dependabot/config.yml" \) 2>/dev/null

# Check for outdated deps. Pick the tool from the lockfile instead of chaining with ||:
# after a pipe, || tests head's exit status, so the npm fallback would never run, and
# both commands exit non-zero whenever anything is outdated anyway.
if [ -f pnpm-lock.yaml ]; then pnpm outdated 2>/dev/null | head -20; else npm outdated 2>/dev/null | head -20; fi

# Check for security vulnerabilities (same exit-status caveat: non-zero when findings exist)
if [ -f pnpm-lock.yaml ]; then pnpm audit 2>/dev/null | head -30; else npm audit 2>/dev/null | head -30; fi

# Look for dependency health docs
grep -riE "dependency|outdated|upgrade|renovate|dependabot" docs/ --include="*.md" 2>/dev/null

Ask user:

  • "Is there automated dependency update tooling?" (Dependabot, Renovate)
  • "How far behind are dependencies typically?" (weeks, months, years)
  • "Are security vulnerabilities tracked and addressed?"
  • "Is there a policy for major version upgrades?"

Pass criteria:

  • Dependency update tool configured (Dependabot/Renovate)
  • No critical/high CVEs unaddressed
  • Major dependencies not more than 1-2 major versions behind
  • Team reviews and merges dependency PRs regularly

Fail criteria:

  • No automated updates
  • Dependencies years out of date
  • Known CVEs ignored
  • Dependency PRs pile up unreviewed

Cross-reference with:

  • Section 2 (Dependencies & Code Quality)

Evidence to capture:

  • Update tooling in use
  • Count of outdated dependencies
  • CVE status (critical/high count)
  • Age of oldest dependency PR
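The commands under "Check automatically" print raw tool output; the evidence above (outdated count, major-version lag, critical/high count) still has to be read off by hand. The script below is an added example for this item, not part of the checklist or of npm/pnpm: it parses the JSON forms of the same two commands and applies the pass criteria. It assumes the npm 7+ audit report (auditReportVersion 2) and the `npm outdated --json` shape `{name: {"current", "wanted", "latest", ...}}`; `pnpm outdated --format json` uses the same three keys. The sample inputs at the bottom are constructed, not real audit data.

```python
#!/usr/bin/env python3
"""Turn `npm outdated --json` and `npm audit --json` into DEBT-007 evidence.

Added example for this checklist item; not part of any project or tool.
Assumes the npm 7+ audit report (auditReportVersion 2) and the
`npm outdated --json` shape {name: {"current", "wanted", "latest", ...}}.
"""
import json
import sys

MAX_MAJOR_LAG = 2                 # "more than two major versions behind" fails
BLOCKING = {"critical", "high"}   # severities the pass criteria require to be addressed


def major(version: str) -> int:
    """Major component of a semver string; tolerates a leading 'v'."""
    return int(version.lstrip("v").split(".")[0])


def major_lag(outdated: dict) -> dict:
    """Package -> number of major versions between installed and latest (only when > 0)."""
    lag = {}
    for name, info in outdated.items():
        current, latest = info.get("current"), info.get("latest")
        if not current or not latest:
            continue              # 'current' is absent when the package is declared but not installed
        try:
            delta = major(latest) - major(current)
        except ValueError:
            continue              # git URLs, dist-tags and other non-semver values
        if delta > 0:
            lag[name] = delta
    return lag


def blocking_vulns(audit: dict) -> dict:
    """Package -> severity for critical/high advisories.

    fixAvailable is deliberately not consulted: the criterion is "unaddressed",
    and a finding with no upstream fix still needs a recorded decision.
    """
    return {
        name: v.get("severity")
        for name, v in audit.get("vulnerabilities", {}).items()
        if v.get("severity") in BLOCKING
    }


def evaluate(outdated: dict, audit: dict, max_major_lag: int = MAX_MAJOR_LAG) -> dict:
    """Apply the DEBT-007 pass criteria and return the evidence alongside the verdict."""
    lag = major_lag(outdated)
    beyond = {n: d for n, d in lag.items() if d > max_major_lag}
    vulns = blocking_vulns(audit)
    return {
        "outdated_count": len(outdated),
        "major_lag": lag,
        "beyond_policy": beyond,
        "critical_high": vulns,
        "pass": not beyond and not vulns,
    }


# Constructed sample inputs in the shape of the two npm commands (not real data).
SAMPLE_OUTDATED = {
    "express":  {"current": "4.18.2", "wanted": "4.19.2", "latest": "4.19.2"},  # minor drift only
    "webpack":  {"current": "4.46.0", "wanted": "4.47.0", "latest": "5.91.0"},  # one major behind
    "eslint":   {"current": "6.8.0",  "wanted": "6.8.0",  "latest": "9.0.0"},   # three majors behind
    "left-pad": {"wanted": "1.3.0", "latest": "1.3.0"},                         # declared, not installed
}
SAMPLE_AUDIT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "minimist": {"name": "minimist", "severity": "critical", "isDirect": False, "fixAvailable": True},
        "semver":   {"name": "semver",   "severity": "moderate", "isDirect": False, "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 1, "total": 2}},
}


def main(argv: list) -> int:
    """usage: depcheck.py outdated.json audit.json   (no args: run on the samples)"""
    if len(argv) == 3:
        with open(argv[1]) as f:
            outdated = json.load(f)
        with open(argv[2]) as f:
            audit = json.load(f)
    else:
        outdated, audit = SAMPLE_OUTDATED, SAMPLE_AUDIT
    result = evaluate(outdated, audit)
    print(json.dumps(result, indent=2))
    return 0 if result["pass"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To run it against a real repository, capture the JSON first (`npm outdated --json > outdated.json || true; npm audit --json > audit.json || true`; the `|| true` is needed because both commands exit non-zero when they find something) and pass the two files as arguments. On the samples the verdict is fail: eslint is three majors behind and minimist carries a critical advisory, while webpack (one major) and express (minor only) are within policy. The "age of oldest dependency PR" evidence item comes from the hosting platform's PR list and is not something these two commands can supply.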

Section

40. Technical Debt Tracking

Team & Development