Skip to main content

Bundles/dependency-supply-chain

Dependency & Supply Chain Audit

dependency-supply-chain · v1.1.0 · paid

Third-party dependency assessment covering security vulnerabilities, maintenance health, and license compliance.

Security Vulnerabilities

security-vulns · weight 0.35

No known critical CVEs in production dependencies
ab-000949
critical
No known high-severity CVEs in production dependencies
ab-000950
high
Lock file is committed and current
ab-000951
high
Postinstall scripts are reviewed and safe
ab-000952
high
No packages removed from the npm registry (unpublished)
ab-000953
critical
No obvious typosquatting packages
ab-000954
medium

Maintenance & Health

maintenance · weight 0.25

No dependencies with no maintainer activity in 2+ years
ab-000955
medium
No deprecated packages in dependencies
ab-000956
high
No packages with fewer than 50 weekly downloads
ab-000957
medium
No wildcard or excessively loose version ranges
ab-000958
medium
Direct dependencies are on current major versions
ab-000959
low

License Compliance

license · weight 0.2

No copyleft licenses in proprietary project production dependencies
ab-000960
critical
No packages with unknown or missing licenses
ab-000961
high
No conflicting license combinations in production dependencies
ab-000962
medium
License inventory is documented
ab-000963
low

Optimization

optimization · weight 0.2

Total dependency count is reasonable for project size
ab-000964
medium
No unnecessarily large packages where lighter alternatives exist
ab-000965
low
No duplicate packages at conflicting versions
ab-000966
low
Dependencies are imported efficiently
ab-000967
low
No dev dependencies serving production runtime roles
ab-000968
high
Unused dependencies are identified
ab-000969
info
Bundle impact of significant new dependencies is evaluated
ab-000970
info