Problem
Large dependency audits sent full getPackageVersions responses into the agent workflow. A 100-package batch could return approximately 473 KB, mostly unused quality and metadata fields.
This caused output overflow, high token usage, slow audits, and awkward file-based workarounds.
Additionally:
- Failed batches left many packages unchecked with limited recovery.
- The audit could not recommend a verified fixed version and risked falling back to @latest.
Solution
- Parse lockfiles and query NCM through one synchronous helper.
- Return only compact findings for affected packages.
- Add progress, retries, backoff, batch splitting, and omitted-response recovery.
- Keep failed packages explicitly unchecked.
- Preserve advisory ranges, quality, risk, and license data.
- Verify upgrade candidates through NCM.
- Emit only concrete verified versions—never @latest.
- Require agents to poll the original execution session.
Acceptance Criteria
- Raw and clean-package NCM data stay outside AI context.
- Concurrency never exceeds two.
- Transient and omitted responses receive bounded recovery.
- Failed packages remain unchecked.
- Verified remediation targets contain no active NCM advisories.
- Existing sorting and the 50-finding limit remain unchanged.
- Unit tests, lint, skill validation, and synchronization checks pass.
Problem
Large dependency audits sent full getPackageVersions responses into the agent workflow. A 100-package batch could return approximately 473 KB, mostly unused quality and metadata fields.
This caused output overflow, high token usage, slow audits, and awkward file-based workarounds.
Additionally:
Solution
Acceptance Criteria