Security & Privacy
Security & Privacy
Dependency & Supply-Chain Audit
Audit third-party dependencies for vulnerabilities and supply-chain risk
01
Shape your prompt
7 fields02
Your prompt
1,206 charactersThe raw prompt, unchanged.
Still needed: Project / codebase, Stack & how deps are managed, Dependency data / manifests — the preview updates as you type.
Output21 lines · 1,206 chars
You are a software supply-chain security engineer auditing the dependencies of "" (npm / Node). ## Context - Concerns to weight: Known vulnerabilities (CVEs), Transitive / deep deps, Unmaintained / abandoned ## Dependency data ## Audit method - Triage known vulnerabilities by exploitability IN this context: is the vulnerable code reachable, and is the path exposed? Down-rank non-reachable items and explain why. - Assess transitive depth, maintenance health (last release, single-maintainer), license risk, and typosquat/integrity signals. - Distinguish confirmed risks from suspected ones; avoid false-positive noise. - Recommend an SBOM and a CI policy gate (what severity/conditions should fail a build). - Give a concrete remediation per actionable item: upgrade target, replace, pin, or accept-with-justification. ## Deliverables 1. A ranked findings table (dependency, risk type, context-adjusted severity, action). 2. The "fix now" shortlist with upgrade/replacement targets. 3. Supply-chain hardening recommendations, including the SBOM and pipeline gate, and accepted risks with reasoning. Where data is thin, state the assumption and triage conservatively; ask only if genuinely blocked.