ln-625-dependencies-auditor

Dependencies & Reuse Auditor (L3 Worker)

Specialized worker auditing dependency management, code reuse, and security vulnerabilities.

Purpose & Scope

  • Worker in ln-620 coordinator pipeline (full audit mode)
  • Worker in ln-760 security-setup pipeline (vulnerabilities_only mode)
  • Audit dependencies and reuse (Categories 7+8: Medium Priority)
  • Check outdated packages, unused deps, wheel reinvention, CVE vulnerabilities
  • Calculate compliance score (X/10)

Parameters

| Param | Values | Default | Description |
|---|---|---|---|
| mode | full / vulnerabilities_only | full | full = all 5 checks, vulnerabilities_only = only the CVE scan |

Inputs (from Coordinator)

Receives contextStore with the tech stack, package manifest paths, and codebase root.
  • From ln-620 (codebase-auditor): mode=full (default)
  • From ln-760 (security-setup): mode=vulnerabilities_only

Workflow

  1. Parse context + mode parameter
  2. Run dependency checks (based on mode)
  3. Collect findings
  4. Calculate score
  5. Return JSON

Audit Rules (5 Checks)

1. Outdated Packages

Mode: full only
Detection:
  • Run npm outdated --json (Node.js)
  • Run pip list --outdated --format=json (Python)
  • Run cargo outdated --format=json (Rust)
Severity:
  • HIGH: Major version behind (old major lines stop receiving security patches)
  • MEDIUM: Minor version behind
  • LOW: Patch version behind
Recommendation: Update to latest version, test for breaking changes
Effort: S-M (update version, run tests)
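
The classification step of this check, as an added example (not the auditor's own code): the Python below turns a constructed `npm outdated --json` report into findings using the severities above. The `type` field in the sample is an assumption about your npm version and is read with a default; the pre-1.0 rule (a 0.y minor bump counts as major) is an addition to the page's table, since semver declares those bumps breaking.

```python
"""Classify `npm outdated --json` output by semver distance (added example)."""
import json
import re

# Constructed sample in the shape npm prints: name -> {current, wanted, latest, type}.
# Not real output from any project; "type" is an assumption about npm 7+.
SAMPLE_NPM_OUTDATED = json.dumps({
    "express":    {"current": "4.17.0",  "wanted": "4.19.2",  "latest": "4.19.2",  "type": "dependencies"},
    "react":      {"current": "17.0.2",  "wanted": "17.0.2",  "latest": "18.3.1",  "type": "dependencies"},
    "lodash":     {"current": "4.17.20", "wanted": "4.17.21", "latest": "4.17.21", "type": "dependencies"},
    "typescript": {"current": "4.9.5",   "wanted": "4.9.5",   "latest": "5.4.5",   "type": "devDependencies"},
    "left-pad":   {"current": "MISSING", "wanted": "1.3.0",   "latest": "1.3.0",   "type": "dependencies"},
})

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_LEVELS = ("major", "minor", "patch")
SEVERITY_BY_BUMP = {"major": "HIGH", "minor": "MEDIUM", "patch": "LOW"}


def parse_semver(version):
    """(major, minor, patch) or None for MISSING, git URLs, 'linked' and similar."""
    m = _SEMVER.match(version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def bump_type(installed, latest):
    """Distance from installed to latest as (level, count).

    None when either side is not plain semver; ("none", 0) when nothing newer exists.
    A 0.y minor bump is reported as "major" (semver's pre-1.0 rule; added here).
    """
    a, b = parse_semver(installed), parse_semver(latest)
    if a is None or b is None:
        return None
    if b <= a:
        return ("none", 0)
    for level, x, y in zip(_LEVELS, a, b):
        if x != y:
            if level == "minor" and a[0] == 0:
                return ("major", y - x)
            return (level, y - x)
    return ("none", 0)


def audit_outdated(report_json):
    """Turn an `npm outdated --json` report into auditor findings."""
    findings = []
    for name, info in json.loads(report_json).items():
        bump = bump_type(info.get("current"), info.get("latest"))
        if bump is None or bump[0] == "none":
            continue  # not installed, non-registry dependency, or already current
        level, count = bump
        # wanted == latest: the manifest range already admits the newest version,
        # so `npm update` is enough; otherwise the range in package.json must change.
        in_range = info.get("wanted") == info.get("latest")
        findings.append({
            "severity": SEVERITY_BY_BUMP[level],
            "location": "package.json",
            "package_type": info.get("type", "dependencies"),
            "issue": f"{name}@{info['current']} is {count} {level} version(s) behind latest {info['latest']}",
            "principle": "Dependency Management / Security Updates",
            "recommendation": (f"npm update {name}" if in_range
                               else f"bump range in package.json to {info['latest']} and run tests"),
            "effort": "S" if level == "patch" else "M",
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_outdated(SAMPLE_NPM_OUTDATED), indent=2))
```

Two things to keep in mind when wiring this to a real run: `npm outdated` exits non-zero whenever anything is outdated, so a subprocess wrapper must not treat exit code 1 as a failure, and the pip report names its columns `version` and `latest_version` rather than `current` and `latest`, so each ecosystem needs its own small field mapping before the same classification applies.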

2. Unused Dependencies

Mode: full only
Detection:
  • Parse package.json/requirements.txt
  • Grep codebase for import/require statements
  • Find dependencies never imported
Severity:
  • MEDIUM: Unused production dependency (bloats bundle)
  • LOW: Unused dev dependency
Recommendation: Remove from package manifest
Effort: S (delete line, test)
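
The three detection steps above as one runnable procedure, added here as an example rather than taken from the auditor: it scans a constructed Node project written to a temp dir, maps import specifiers to package names (scoped packages and subpath imports included), and applies the MEDIUM/LOW split. Two additions beyond the page's text are labelled in the code: packages invoked from `package.json` scripts count as used, and imported-but-undeclared packages are reported separately.

```python
"""Unused-dependency check for a Node project (added example, not the auditor's code)."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample project: manifest plus three source files (not a real codebase).
SAMPLE_PACKAGE_JSON = {
    "dependencies": {"express": "^4.19.2", "@aws-sdk/client-s3": "^3.500.0",
                     "lodash": "^4.17.21", "moment": "^2.30.1"},
    "devDependencies": {"jest": "^29.7.0", "eslint": "^8.57.0", "@types/node": "^20.11.0"},
    "scripts": {"test": "jest --coverage"},
}
SAMPLE_SOURCES = {
    "src/server.js": "const express = require('express');\n"
                     "const { S3Client } = require('@aws-sdk/client-s3');\n"
                     "const fs = require('node:fs');\n",
    "src/util.ts": "import debounce from 'lodash/debounce';\n"
                   "import './polyfills';\n"
                   "export const lazy = () => import('./lazy');\n",
    "test/app.test.js": "const request = require('supertest');\n",
}
SOURCE_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"}
NODE_BUILTINS = {"fs", "path", "os", "crypto", "http", "https", "url", "util", "events",
                 "stream", "child_process", "buffer", "net", "zlib"}  # partial list

# from 'x', require('x'), import('x'), and bare side-effect `import 'x'`
_IMPORT_RE = re.compile(
    r"""(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(\s*|^\s*import\s+)['"]([^'"]+)['"]""",
    re.MULTILINE,
)


def package_name(specifier):
    """'lodash/debounce' -> 'lodash'; '@aws-sdk/client-s3/x' -> '@aws-sdk/client-s3';
    relative paths, absolute paths and node: builtins -> None."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    return "/".join(parts[:2]) if specifier.startswith("@") else parts[0]


def imported_packages(root):
    """Package names imported or required anywhere under root (node_modules skipped)."""
    found = set()
    for path in Path(root).rglob("*"):
        if path.suffix not in SOURCE_SUFFIXES or "node_modules" in path.parts:
            continue
        for spec in _IMPORT_RE.findall(path.read_text(encoding="utf-8", errors="ignore")):
            name = package_name(spec)
            if name:
                found.add(name)
    return found


def used_in_scripts(name, manifest):
    """Addition to the page's check: a package run as a CLI from scripts (jest, eslint, tsc) is used."""
    pat = re.compile(r"(?<![\w@/.-])" + re.escape(name) + r"(?![\w/.-])")
    return any(pat.search(cmd) for cmd in manifest.get("scripts", {}).values())


def audit_unused(manifest, root):
    """Return (findings, unverified, undeclared).

    findings: declared but never imported; MEDIUM for dependencies, LOW for devDependencies.
    unverified: @types/* packages, consumed by the compiler rather than by imports.
    undeclared: imported but declared nowhere (addition: these resolve only by hoisting
    and can change or vanish on the next install).
    """
    used = imported_packages(root)
    declared = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    findings, unverified = [], []
    for section, severity, why in (
        ("dependencies", "MEDIUM", "unused production dependency (bloats bundle and attack surface)"),
        ("devDependencies", "LOW", "unused dev dependency"),
    ):
        for name in manifest.get(section, {}):
            if name in used or used_in_scripts(name, manifest):
                continue
            if name.startswith("@types/"):
                unverified.append(name)
                continue
            findings.append({
                "severity": severity,
                "location": f"package.json ({section})",
                "issue": f"{name}: {why}",
                "principle": "Dependency Management / Minimal Surface",
                "recommendation": f"remove {name} from {section} and run the test suite",
                "effort": "S",
            })
    return findings, unverified, sorted(used - declared - NODE_BUILTINS)


def build_sample_project():
    """Write the constructed sample to a temp dir so the scan runs over real files."""
    root = Path(tempfile.mkdtemp(prefix="dep-audit-"))
    for rel, text in SAMPLE_SOURCES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    (root / "package.json").write_text(json.dumps(SAMPLE_PACKAGE_JSON), encoding="utf-8")
    return root


if __name__ == "__main__":
    project = build_sample_project()
    print(json.dumps(audit_unused(SAMPLE_PACKAGE_JSON, project), indent=2))
```

The sample shows why unused dev dependencies are only LOW: eslint is flagged because nothing imports it and no script runs it, yet it may well be run from an editor. For Python the same scan needs one more mapping step, because distribution names and import names differ (Pillow is imported as PIL, beautifulsoup4 as bs4); `importlib.metadata.packages_distributions()` (Python 3.10+) gives that mapping from the installed environment.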

3. Available Features Not Used

Mode: full only
Detection:
  • Check for axios when native fetch available (Node 18+)
  • Check for lodash when Array methods sufficient
  • Check for moment when Date.toLocaleString sufficient
Severity:
  • MEDIUM: Unnecessary dependency (increases bundle size)
Recommendation: Use native alternative
Effort: M (refactor code to use native API)

4. Custom Implementations

Mode: full only
Detection:
  • Grep for custom sorting algorithms
  • Check for hand-rolled validation (vs validator.js)
  • Find custom date parsing (vs date-fns/dayjs)
Severity:
  • HIGH: Custom crypto (security risk)
  • MEDIUM: Custom utilities with well-tested alternatives
Recommendation: Replace with established library
Effort: M (integrate library, replace calls)
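
Checks 3 and 4 are pattern heuristics, so one rule-driven scanner serves both. The Python below is an added example, not the auditor's code; the rules, the sample manifest and the sample sources are all constructed for illustration. The axios rule is gated on `engines.node` so fetch is only suggested where it actually exists, and the `Math.random()` rule (the HIGH custom-crypto case) only fires near a secret-like identifier, so a jitter or shuffle use is not reported as crypto misuse.

```python
"""Rule-based detection for checks 3 (available natives) and 4 (custom implementations).
Added example, not the auditor's code; rules are illustrative heuristics, not a complete set."""
import re

# Constructed sample project (manifest + sources), not taken from any real codebase.
SAMPLE_MANIFEST = {"engines": {"node": ">=18.0.0"},
                   "dependencies": {"axios": "^1.6.0", "moment": "^2.30.1"}}
SAMPLE_FILES = {
    "src/api.js": "const axios = require('axios');\n"
                  "export const get = (u) => axios.get(u);\n",
    "src/auth.js": "function makeToken(n) {\n"
                   "  let t = '';\n"
                   "  for (let i = 0; i < n; i++) t += Math.random().toString(36)[2];\n"
                   "  return t;\n"
                   "}\n"
                   "function xorEncrypt(buf, key) {\n"
                   "  return buf.map((b, i) => b ^ key[i % key.length]);\n"
                   "}\n"
                   "const jitter = () => Math.random() * 100;\n",
    "src/users.js": "const moment = require('moment');\n"
                    "function isEmail(s) { return /^[^@]+@[^@]+\\.[^@]+$/.test(s); }\n"
                    "function parseDate(s) { const [d, m, y] = s.split('/'); return new Date(y, m - 1, d); }\n",
}

# (id, severity, line pattern, context pattern or None, issue, recommendation)
RULES = [
    ("native_fetch", "MEDIUM",
     r"""require\(\s*['"]axios['"]\s*\)|from\s*['"]axios['"]""", None,
     "axios used although global fetch is available on Node 18+", "use fetch"),
    ("native_date", "MEDIUM",
     r"""require\(\s*['"]moment['"]\s*\)|from\s*['"]moment['"]""", None,
     "moment used although Date.toLocaleString / Intl may suffice",
     "use Date/Intl, or date-fns/dayjs if parsing is needed"),
    ("custom_crypto_prng", "HIGH",
     r"Math\.random\(\)", r"token|secret|nonce|password|salt|session|otp|csrf",
     "Math.random() is not a CSPRNG but is used near a secret-like name",
     "use crypto.randomBytes / crypto.randomUUID"),
    ("custom_crypto_cipher", "HIGH",
     r"\bfunction\s+\w*(?:xor|encrypt|decrypt|hash|cipher)\w*\s*\(", None,
     "hand-rolled cipher/hash function", "use the platform crypto module or a vetted library"),
    ("custom_validation", "MEDIUM",
     r"\bfunction\s+is(?:Email|Url|Phone|Ip)\w*\s*\(", None,
     "hand-rolled validator", "use validator.js"),
    ("custom_date_parse", "MEDIUM",
     r"""\.split\(\s*['"][/.\-]['"]\s*\)[^\n]*new Date\(""", None,
     "custom date parsing", "use date-fns/dayjs with an explicit format"),
]
COMPILED = [(rid, sev, re.compile(p, re.I), re.compile(c, re.I) if c else None, issue, rec)
            for rid, sev, p, c, issue, rec in RULES]


def engine_major(manifest):
    """Lowest Node major named in engines.node ('>=18.0.0' -> 18); None when unset."""
    m = re.search(r"\d+", manifest.get("engines", {}).get("node", ""))
    return int(m.group()) if m else None


def scan_reuse(manifest, files, window=5):
    """Run the rules over {path: source} and return auditor-style findings."""
    node_major = engine_major(manifest)
    findings = []
    for path, text in files.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            for rid, severity, pat, ctx, issue, rec in COMPILED:
                if rid == "native_fetch" and (node_major is None or node_major < 18):
                    continue  # fetch is only a native alternative from Node 18 on
                if not pat.search(line):
                    continue
                # Context-gated rules look a few lines back for a secret-like name.
                if ctx and not ctx.search("\n".join(lines[max(0, i - window):i + 1])):
                    continue
                findings.append({"severity": severity, "check": rid,
                                 "location": f"{path}:{i + 1}", "issue": issue,
                                 "recommendation": rec, "effort": "M"})
    return findings


if __name__ == "__main__":
    for f in scan_reuse(SAMPLE_MANIFEST, SAMPLE_FILES):
        print(f["severity"], f["location"], f["issue"])
```

Name-based rules such as the cipher one will also catch `parseHashtag`, so HIGH hits from this check should be confirmed by reading the function before they reach the score; the page's M effort estimate assumes a real replacement, not a rename.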

5. Vulnerability Scan (CVE/CVSS)

Mode: full AND vulnerabilities_only
Detection:
  • Detect ecosystems: npm, NuGet, pip, Go, Bundler, Cargo, Composer
  • Run audit commands per references/vulnerability_commands.md
  • Parse results with CVSS mapping per shared/references/cvss_severity_mapping.md
Severity:
  • CRITICAL: CVSS 9.0-10.0 (immediate fix required)
  • HIGH: CVSS 7.0-8.9 (fix within 48h)
  • MEDIUM: CVSS 4.0-6.9 (fix within 1 week)
  • LOW: CVSS 0.1-3.9 (fix when convenient)
Fix Classification:
  • Patch update (x.x.Y) → safe auto-fix
  • Minor update (x.Y.0) → usually safe
  • Major update (Y.0.0) → manual review required
  • No fix available → document and monitor
Recommendation: Update to fixed version, verify lock file integrity
Effort: S-L (depends on breaking changes)

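
The parse-and-classify half of this check, plus Workflow steps 3 and 5 (collect findings, return JSON), as an added example that is not the auditor's own code. It reads a constructed `npm audit --json` excerpt, applies the CVSS bands and fix classification above, and emits the page's output shape minus the score (which follows shared/references/audit_scoring.md). The report field names (`via`, `cvss.score`, `fixAvailable`, `isDirect`) are an assumption about npm 7+ report format, and the installed versions are a constructed stand-in for a lockfile; only the lodash advisory is real, the `example-*` packages are hypothetical.

```python
"""CVE/CVSS scan parsing for the Vulnerability Scan check (added example, not the auditor's code)."""
import json

# Constructed `npm audit --json` excerpt (auditReportVersion 2 shape; field names assumed).
# lodash/CVE-2021-23337 is a real advisory; every example-* package is hypothetical.
SAMPLE_NPM_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": True, "range": "<4.17.21",
                   "via": [{"title": "Command Injection in lodash", "cvss": {"score": 7.2},
                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", "range": "<4.17.21"}],
                   "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
        "example-template": {"name": "example-template", "severity": "critical", "isDirect": True,
                             "range": "<3.0.0",
                             "via": [{"title": "Sandbox escape (hypothetical)", "cvss": {"score": 9.8}}],
                             "fixAvailable": {"name": "example-template", "version": "3.0.0", "isSemVerMajor": True}},
        "example-yaml": {"name": "example-yaml", "severity": "moderate", "isDirect": False, "range": "<=1.9.0",
                         "via": [{"title": "Prototype pollution (hypothetical)", "cvss": {"score": 5.3}}],
                         "fixAvailable": False},
        # Affected only through example-yaml: npm lists the dependency name as the `via` entry.
        "example-config": {"name": "example-config", "severity": "moderate", "isDirect": True,
                           "range": ">=2.0.0", "via": ["example-yaml"], "fixAvailable": False},
        "example-logger": {"name": "example-logger", "severity": "low", "isDirect": True, "range": "<1.4.0",
                           "via": [{"title": "Log injection (hypothetical)"}],  # advisory without CVSS
                           "fixAvailable": {"name": "example-logger", "version": "1.4.0", "isSemVerMajor": False}},
    },
})
# Installed versions as a lockfile would report them (constructed).
SAMPLE_INSTALLED = {"lodash": "4.17.15", "example-template": "2.4.1", "example-yaml": "1.9.0",
                    "example-config": "2.1.0", "example-logger": "1.2.9"}

SLA = {"CRITICAL": "immediately", "HIGH": "within 48h", "MEDIUM": "within 1 week", "LOW": "when convenient"}
NPM_WORD = {"critical": "CRITICAL", "high": "HIGH", "moderate": "MEDIUM", "low": "LOW", "info": "LOW"}
FIX_ACTION = {"patch": "safe auto-fix", "minor": "usually safe", "major": "manual review required",
              "none": "document and monitor", "unspecified": "check `npm audit fix --dry-run`"}
EFFORT = {"patch": "S", "minor": "S", "major": "L"}


def cvss_severity(score):
    """The page's CVSS bands; a 0.0 score has no band on the page and lands in LOW here."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def _semver(v):
    try:
        parts = tuple(int(x) for x in str(v).lstrip("v").split("."))
        return parts if len(parts) == 3 else None
    except ValueError:
        return None  # None, pre-release tags, git refs


def fix_type(installed, fix_available):
    """patch / minor / major / none, or unspecified when the report names no fix version."""
    if not fix_available:
        return "none"
    if not isinstance(fix_available, dict):
        return "unspecified"  # `true`: fixable, but the target version is not in the report
    if fix_available.get("isSemVerMajor"):
        return "major"
    a, b = _semver(installed), _semver(fix_available.get("version"))
    if a is None or b is None:
        return "unspecified"
    return next((lvl for lvl, x, y in zip(("major", "minor", "patch"), a, b) if x != y), "unspecified")


def audit_vulnerabilities(report_json, installed):
    """One finding per package that carries an advisory; downstream effects are not duplicated."""
    findings = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        if not advisories:
            continue  # reached only through another listed package, which carries the advisory
        scores = [a["cvss"]["score"] for a in advisories if (a.get("cvss") or {}).get("score") is not None]
        severity = cvss_severity(max(scores)) if scores else NPM_WORD.get(vuln.get("severity"), "LOW")
        fa = vuln.get("fixAvailable")
        ft = fix_type(installed.get(name), fa)
        fix_version = fa.get("version") if isinstance(fa, dict) else None
        titles = "; ".join(a.get("title", "advisory") + (f" (CVSS {a['cvss']['score']})" if a.get("cvss") else "")
                           for a in advisories)
        target = (f"update to {name}@{fix_version}" if fix_version
                  else "no fixed version published" if ft == "none" else "fix version not in report")
        findings.append({
            "severity": severity,
            "location": "package.json" if vuln.get("isDirect") else "package-lock.json",
            "issue": f"{name}@{installed.get(name, '?')}: {titles}",
            "principle": "Security / Vulnerability Management",
            "recommendation": f"{target}; {FIX_ACTION[ft]}; fix {SLA[severity]}",
            "effort": EFFORT.get(ft, "M"),
            "fix_type": ft,
        })
    return findings


def summarize(findings, mode="vulnerabilities_only"):
    """Counts plus the vulnerability_scan check entry in the page's output shape (score omitted)."""
    counts = {s: sum(1 for f in findings if f["severity"] == s) for s in SLA}
    status = "failed" if counts["CRITICAL"] or counts["HIGH"] else ("warning" if findings else "passed")
    return {"category": "Dependencies & Reuse", "mode": mode, "total_issues": len(findings),
            "critical": counts["CRITICAL"], "high": counts["HIGH"],
            "medium": counts["MEDIUM"], "low": counts["LOW"],
            "checks": [{"id": "vulnerability_scan", "name": "Vulnerability Scan (CVE)", "status": status,
                        "details": f"{counts['CRITICAL']} critical, {counts['HIGH']} high vulnerabilities"}],
            "findings": sorted(findings, key=lambda f: list(SLA).index(f["severity"]))}


if __name__ == "__main__":
    print(json.dumps(summarize(audit_vulnerabilities(SAMPLE_NPM_AUDIT, SAMPLE_INSTALLED)), indent=2))
```

The severity comes from the highest CVSS score across the package's advisories, falling back to npm's own severity word when an advisory carries no score; the fix classification is driven by the installed version from the lockfile, which is why the lock file must be read alongside the audit report and verified after the update rather than regenerated blindly.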

Scoring Algorithm

See shared/references/audit_scoring.md for the unified formula and score interpretation.
Note: when mode=vulnerabilities_only, the score is based only on vulnerability findings.

Output Format

```json
{
  "category": "Dependencies & Reuse",
  "mode": "full",
  "score": 7,
  "total_issues": 12,
  "critical": 1,
  "high": 3,
  "medium": 5,
  "low": 3,
  "checks": [
    {"id": "outdated_packages", "name": "Outdated Packages", "status": "failed", "details": "2 packages behind major versions"},
    {"id": "unused_deps", "name": "Unused Dependencies", "status": "warning", "details": "4 unused dev dependencies"},
    {"id": "available_natives", "name": "Available Natives", "status": "passed", "details": "No unnecessary polyfills"},
    {"id": "custom_implementations", "name": "Custom Implementations", "status": "warning", "details": "2 custom utilities found"},
    {"id": "vulnerability_scan", "name": "Vulnerability Scan (CVE)", "status": "failed", "details": "1 critical, 2 high vulnerabilities"}
  ],
  "findings": [
    {
      "severity": "HIGH",
      "location": "package.json",
      "issue": "lodash@4.17.15 has CVE-2021-23337 (CVSS 7.2)",
      "principle": "Security / Vulnerability Management",
      "recommendation": "Update to lodash@4.17.21",
      "effort": "S",
      "fix_type": "patch"
    },
    {
      "severity": "MEDIUM",
      "location": "package.json:15",
      "issue": "express@4.17.0 (latest: 4.19.2, 2 minor versions behind)",
      "principle": "Dependency Management / Security Updates",
      "recommendation": "Update to 4.19.2 for security fixes",
      "effort": "M"
    }
  ]
}
```

Reference Files

| File | Purpose |
|---|---|
| references/vulnerability_commands.md | Ecosystem-specific audit commands |
| references/ci_integration_guide.md | CI/CD integration guidance |
| shared/references/cvss_severity_mapping.md | CVSS to severity level mapping |
| shared/references/audit_scoring.md | Audit scoring formula |
| shared/references/audit_output_schema.md | Audit output schema |

Version: 4.0.0 Last Updated: 2026-02-05