Skip to content

Make the dependency audit skill scalable, resilient, and remediation-aware #50

Description

@Cesar-M-Diaz

Problem

Large dependency audits sent full getPackageVersions responses into the agent workflow. A 100-package batch could return approximately 473 KB, mostly unused quality and metadata fields.
This caused output overflow, high token usage, slow audits, and awkward file-based workarounds.

Additionally:

  • Failed batches left many packages unchecked with limited recovery.
  • The audit could not recommend a verified fixed version and risked falling back to @latest.

Solution

  • Parse lockfiles and query NCM through one synchronous helper.
  • Return only compact findings for affected packages.
  • Add progress, retries, backoff, batch splitting, and omitted-response recovery.
  • Keep failed packages explicitly unchecked.
  • Preserve advisory ranges, quality, risk, and license data.
  • Verify upgrade candidates through NCM.
  • Emit only concrete verified versions—never @latest.
  • Require agents to poll the original execution session.

Acceptance Criteria

  • Raw and clean-package NCM data stay outside AI context.
  • Concurrency never exceeds two.
  • Transient and omitted responses receive bounded recovery.
  • Failed packages remain unchecked.
  • Verified remediation targets contain no active NCM advisories.
  • Existing sorting and the 50-finding limit remain unchanged.
  • Unit tests, lint, skill validation, and synchronization checks pass.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions