dependency-audit

Dependency Audit Module — Skill

Purpose

Review dependency health beyond just security alerts. Summarize the dependency graph, audit the Dependabot PR backlog, identify outdated dependencies, and recommend batch-merge strategies for low-risk bumps.

Applicability and Tier Behavior

  • Tier 4 (Public, Releases): Full assessment with full ceremony. Batch-merge candidates are presented for individual review before merging; each merge triggers CI and is visible to repo watchers. Major version bumps require extra scrutiny — they can break external users.
  • Tier 3 (Public, No Releases): Same as Tier 4. Public visibility applies to all merges.
  • Tier 2 (Private, Code): Full assessment. Batch approval acceptable for patch/minor Dependabot PRs with CI passing.
  • Tier 1 (Private, Docs): Skip dependency audit — docs repos typically don't have meaningful dependency graphs.
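
As an added illustration of the tier rules above (example code written for this page, not part of the dependency-audit skill itself): it classifies Dependabot PR titles by semver bump type and maps each PR in a backlog to the tier's handling. The title and version shapes are assumptions about Dependabot's usual format, and the sample backlog is constructed.

```python
import re
from collections import defaultdict
# Dependabot title shape assumed here: "[prefix: ]Bump <pkg> from <old> to <new>".
TITLE_RE = re.compile(
    r"^(?:\w+(?:\([\w-]+\))?: )?bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)",
    re.IGNORECASE)
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def parse_version(v):
    """(major, minor, patch); missing parts default to 0, so action pins like '4' work."""
    m = VERSION_RE.match(v)
    return None if not m else tuple(int(x or 0) for x in m.groups())

def bump_type(old, new):
    a, b = parse_version(old), parse_version(new)
    if a is None or b is None:
        return "unknown"
    for level, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if a[i] != b[i]:
            return level
    return "none"

def classify_pr(title):
    m = TITLE_RE.match(title)
    if not m:  # grouped updates ("Bump a and b") or non-Dependabot titles
        return {"pkg": None, "bump": "unknown"}
    return {"pkg": m["pkg"], "bump": bump_type(m["old"], m["new"])}

def recommend(tier, title, ci_passing):
    """Tier 1 skips; Tier 2 batch-approves patch/minor with CI green; Tiers 3/4
    review patch/minor individually and give major bumps extra scrutiny."""
    if tier == 1:
        return "skip"
    bump = classify_pr(title)["bump"]
    if not ci_passing or bump in ("unknown", "none"):
        return "manual-review"
    if bump == "major":
        return "major-extra-scrutiny" if tier >= 3 else "manual-review"
    return "batch-approve" if tier == 2 else "individual-review"

def plan_backlog(tier, prs):
    plan = defaultdict(list)  # recommendation -> list of PR titles
    for title, ci_passing in prs:
        plan[recommend(tier, title, ci_passing)].append(title)
    return dict(plan)
# Constructed sample backlog of (title, CI passing); not real PRs.
SAMPLE = [("Bump lodash from 4.17.20 to 4.17.21", True),
          ("chore(deps): bump actions/checkout from 3 to 4", True),
          ("Bump webpack from 4.46.0 to 5.88.0", True),
          ("Bump minimist from 1.2.5 to 1.2.6", False)]
```

Running `plan_backlog(2, SAMPLE)` puts only the lodash patch bump in the batch-approve bucket; at Tier 4 the same PR is routed to individual review and both major bumps are flagged for extra scrutiny.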

Execution Order

Runs as module #6 during full assessments (after Issue Triage). Defers Dependabot security alerts to the Security module — this module focuses on the broader dependency picture.

Helper Commands

Installs: 1 | GitHub Stars: 5 | First Seen: Mar 18, 2026