Dependency Risk Audit
Run a repeatable dependency-risk audit for Python projects and return a prioritized remediation plan.
Workflow
Step 1: Identify dependency source of truth
- Detect package manager and files in this order:
- Prefer lockfiles for resolved versions.
- Record Python runtime constraint from:
- ()
- CI config (if present)
Step 2: Build dependency inventory
Create an inventory with:
- package name
- installed/resolved version
- dependency type ( or )
- pin style (, , )
- marker constraints (Python version, platform markers)
If direct/transitive split is unavailable from project files, state that limitation explicitly.
Step 3: Run security advisory checks
Prefer
. If unavailable, fall back to lockfile/static analysis and mark advisories as partially evaluated.
Common commands:
bash
# requirements.txt projects
pip-audit -r requirements.txt -f json
# active environment
pip-audit -f json
For non-requirements workflows, export to requirements format first when possible, then audit that export.
For each finding, capture:
- advisory ID (for example , , )
- package + affected version
- fixed version range
- severity (if available)
- exploit or impact notes (if available)
Step 4: Detect stale pins
Classify each direct dependency:
- : no newer release in same major
- : behind within same major
- : newer major available
- : latest data unavailable
Flag stale pins as higher risk when:
- package is internet-facing, auth-related, crypto-related, or framework/core runtime
- current version is multiple majors behind
- package has a recent advisory history
Step 5: Evaluate upgrade-path safety
For each dependency requiring change, assess upgrade risk:
- : patch/minor upgrade, no known breaking changes
- : minor upgrade with behavior/config changes
- : major upgrade, Python-version jump, or resolver conflicts likely
Check these risk signals:
- major-version jump required to reach fixed secure version
- declared Python requirement of target version conflicts with project runtime
- conflicting upper bounds across dependencies
- framework-coupled libraries that typically require code migrations
When possible, propose a stepwise path:
- patch/minor upgrades first
- isolated major upgrades next
- framework/runtime upgrades last
Step 6: Produce the report
Return a markdown report using this structure:
markdown
## Dependency Risk Audit
Audit root: `<path>`
Dependency source: `<lockfile or manifest>`
Python runtime target: `<version/constraint>`
### Executive Summary
- Overall risk: [LOW|MEDIUM|HIGH|CRITICAL]
- Known advisories: X (Critical Y, High Z, ...)
- Stale direct dependencies: X (Major-stale Y)
- Unsafe upgrade paths: X
### Security Advisories
| ------- | ------- | -------- | -------- | -------- | ----- |
### Stale Pins
| ------- | ------- | ------ | ---------- | ---------- |
### Upgrade Path Risks
| ------- | ----------------- | ---- | --------- | ---------------- |
### Prioritized Remediation Plan
1. ...
2. ...
3. ...
### Not Evaluated
- Item + reason
Scoring Guidance (optional)
If the user asks for a numeric score, start at
and deduct:
- Critical advisory:
- High advisory:
- Medium advisory:
- Low advisory:
- Major-stale direct dependency:
- High-risk upgrade path:
Floor at
. Cap repeated deductions for the same package/advisory pair.
Remediation Loop
If the user asks for fixes:
- Address critical/high advisories first, prioritizing low-risk upgrades.
- Re-run audit steps 2-6.
- Report risk delta, unresolved blockers, and required code changes/tests.