dependency-vuln-triager


Dependency Vulnerability Triager

When to invoke

  • "Triage today's npm audit output."
  • "I have 87 CVEs from pip-audit — what should I actually fix this week?"
  • "Group these advisories by package and tell me the upgrade path."

Inputs needed

  1. Scanner JSON from one of:
    • npm audit --json
    • pip-audit --format json
    • OSV-Scanner JSON
    • A generic list (the tool auto-detects)
  2. (optional) Reachability hints — a text file listing import paths your app actually uses (one per line). Findings whose package isn't reachable get demoted.
  3. (optional) Production-only flag — drop dev-dependency findings.
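
How inputs 1 and 2 can combine for `npm audit --json` output, as an added example that is not the skill's own code: each finding is grouped by package with its upgrade path, and packages the hints file does not reach are demoted. The function names, the sort order used as the demotion rule, the `#` comment syntax in the hints file, the walk over `effects` for transitive packages, and all sample package names are assumptions.

```javascript
// Added example, not the skill's code. All package names and data are constructed.
const RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
// "lodash/merge" -> "lodash"; "@scope/pkg/lib/x" -> "@scope/pkg"
function packageOf(importPath) {
  const parts = importPath.split("/");
  return parts[0].startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// One import path per line; blank lines and "#" comments are skipped (assumption).
function parseHints(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  return new Set(lines.filter((l) => l && !l.startsWith("#")).map(packageOf));
}

// A transitive package is never imported directly, so follow `effects`
// (its affected dependents) until an imported package is found.
function isReachable(vulns, name, hints, seen = new Set()) {
  if (hints.has(name)) return true;
  if (seen.has(name)) return false;
  seen.add(name);
  return (vulns[name]?.effects || []).some((e) => isReachable(vulns, e, hints, seen));
}

// report: parsed `npm audit --json` (auditReportVersion 2); hints: Set or null.
function triage(report, hints = null) {
  const vulns = report.vulnerabilities || {};
  const rows = Object.entries(vulns).map(([name, v]) => {
    const fix = v.fixAvailable;
    return {
      package: name,
      severity: v.severity,
      // No hints file means reachability is unknown, so nothing is demoted.
      reachable: hints === null || isReachable(vulns, name, hints),
      upgrade: fix && typeof fix === "object"
        ? `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (major)" : ""}`
        : fix ? "npm audit fix" : "no fix available",
    };
  });
  // Assumed demotion rule: reachable first, then severity, then package name.
  return rows.sort((a, b) => (b.reachable - a.reachable)
    || (RANK[b.severity] ?? 0) - (RANK[a.severity] ?? 0) || a.package.localeCompare(b.package));
}
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  "example-core": { severity: "critical", effects: ["example-cli"], fixAvailable: true },
  "example-cli": { severity: "critical", effects: [], fixAvailable: true },
  "@example/parser": { severity: "moderate", effects: [],
    fixAvailable: { name: "@example/parser", version: "2.0.0", isSemVerMajor: true } },
  "example-unused": { severity: "high", effects: [], fixAvailable: false } } };
const sampleHints = "# app imports\nexample-cli/bin\n@example/parser/lib/decode\n";
```

With the sample hints, `example-core` stays at the top even though the app never imports it, because its dependent `example-cli` is imported; the high-severity `example-unused` drops below the moderate finding.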

Installs: 14
First Seen: May 7, 2026
dependency-vuln-triager — sisodiabhumca/agent-skills