Skip to content

fix: Make the dependency audit skill scalable, make all calls through the cjs script#51

Open
Cesar-M-Diaz wants to merge 4 commits into
mainfrom
cesar/dependency-updates
Open

fix: Make the dependency audit skill scalable, make all calls through the cjs script#51
Cesar-M-Diaz wants to merge 4 commits into
mainfrom
cesar/dependency-updates

Conversation

@Cesar-M-Diaz

@Cesar-M-Diaz Cesar-M-Diaz commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary by CodeRabbit

  • New Features
    • Reworked dependency auditing to run a bundled helper with batched NCM lookups, capped concurrency, and remediation verification.
    • Generates deterministic Markdown reports (with summary, remediation plan, breaking-change notes, rollback guidance, and coverage gaps) and offers saving the report; JSON output remains supported.
  • Bug Fixes
    • Preserves helper output as authoritative; prevents rebuilding reports from incomplete or integrity-error output.
    • Adds stronger guardrails for integrity checks and remediation/version handling (including “latest-fallback”).
  • Documentation
    • Updated skill behavior and markdown vs JSON output rules.
  • Tests
    • Expanded coverage for batching/retries/recovery, renderer integrity/totals, and output truncation limits.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4292d7cc-0d4c-4ca3-a47d-a8afe4cc48a9

📥 Commits

Reviewing files that changed from the base of the PR and between d85e005 and 6df6534.

📒 Files selected for processing (2)
  • packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
  • skills/ns-audit-dependencies/render-audit-report.cjs
🚧 Files skipped from review as they are similar to previous changes (1)
  • skills/ns-audit-dependencies/render-audit-report.cjs

Walkthrough

Adds a bundled NCM dependency audit CLI with dependency collection, batched GraphQL queries, retries, recovery, vulnerability extraction, remediation verification, validated Markdown rendering, updated skill instructions, and extensive unit coverage.

Changes

Dependency audit

Layer / File(s) Summary
Dependency collection and CLI export
skills/ns-audit-dependencies/collect-dependencies.cjs
Exports collectDependencies, adjusts pnpm parsing state, and changes CLI failures to thrown errors with exit codes.
NCM client and audit primitives
skills/ns-audit-dependencies/audit-dependencies.cjs, packages/core/test/unit/skills/audit-dependencies-script.test.ts
Adds GraphQL batching, timeout and retry handling, failure classification, semantic-version utilities, content compaction, and CLI helper validation.
Audit orchestration and remediation
skills/ns-audit-dependencies/audit-dependencies.cjs, packages/core/test/unit/skills/audit-dependencies-script.test.ts
Implements concurrent auditing, recovery, vulnerability findings, remediation verification, progress reporting, and bounded output.
Report validation and rendering
skills/ns-audit-dependencies/render-audit-report.cjs, packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
Adds integrity validation, Markdown-safe rendering, complete finding output, coverage gaps, remediation details, and renderer tests.
Skill workflow and behavior validation
skills/ns-audit-dependencies/SKILL.md, skills/ns-audit-dependencies/audit-dependencies.cjs
Updates helper execution, injected-result handling, incomplete-audit rules, report handling, remediation guardrails, and CLI output behavior.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Skill
  participant audit-dependencies.cjs
  participant collectDependencies
  participant NCM
  participant renderAuditReport
  Skill->>audit-dependencies.cjs: run audit command
  audit-dependencies.cjs->>collectDependencies: collect dependency tree
  audit-dependencies.cjs->>NCM: fetch dependency and remediation scores
  NCM-->>audit-dependencies.cjs: scores, failures, or omitted responses
  audit-dependencies.cjs->>renderAuditReport: render validated summary
  renderAuditReport-->>Skill: authoritative Markdown report
Loading

Possibly related issues

  • nodesource/nsolid-plugin#50 — Covers the scalable, resilient, remediation-aware dependency audit behavior implemented here.

Suggested reviewers: dobleuber, mafesernaarboleda, ehortua

Poem

I hopped through batches, swift and bright,
Found risky leaves and versions right.
Retries bounced; bad gaps grew small,
Concrete fixes answered the call.
Reports stayed whole from first to last—
A bunny cheers the audit’s cast.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the shift to the CJS audit script and the scalability-focused refactor.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cesar/dependency-updates

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install timed out. The project may have too many dependencies for the sandbox.


Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/ns-audit-dependencies/audit-dependencies.cjs`:
- Around line 719-723: Update the score handling in activeVulnerabilities so
non-array or missing pkg.scores is treated as an invalid-response and the
package remains unchecked, rather than defaulting to an empty clean result.
Preserve filtering and compactVulnerability mapping only for valid score arrays.
- Around line 200-206: Bound all nested NCM-provided finding content, not just
the package count controlled by MAX_FINDINGS. Extend compactStringList and the
finding-processing paths to cap collection sizes and individual string lengths
for vulnerabilities, assessments, ranges, and related fields, while tracking and
reporting how many items or characters were truncated. Apply the same limits
consistently across the other finding aggregation and output paths.

In `@skills/ns-audit-dependencies/SKILL.md`:
- Line 13: Update the fenced command block in SKILL.md to specify the Bash
language by changing its opening fence to ```bash, while preserving the block’s
existing contents and closing fence.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 32b3bbbc-59a9-4908-a6d2-b3f6d40420a5

📥 Commits

Reviewing files that changed from the base of the PR and between ace2ec3 and f3de91b.

📒 Files selected for processing (4)
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • skills/ns-audit-dependencies/collect-dependencies.cjs

Comment on lines +200 to +206
function compactStringList (value) {
const values = Array.isArray(value) ? value : typeof value === 'string' ? [value] : []
return Array.from(new Set(values
.filter(item => typeof item === 'string')
.map(item => item.trim())
.filter(Boolean)))
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 Performance & Scalability | 🟠 Major | ⚡ Quick win

Bound each finding’s nested content.

MAX_FINDINGS limits package count only; NCM-provided vulnerabilities, assessments, ranges, and strings remain unbounded. A verbose response can still generate arbitrarily large stdout and agent context. Cap collection sizes/string lengths and report truncation counts.

Also applies to: 274-309, 724-739

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/ns-audit-dependencies/audit-dependencies.cjs` around lines 200 - 206,
Bound all nested NCM-provided finding content, not just the package count
controlled by MAX_FINDINGS. Extend compactStringList and the finding-processing
paths to cap collection sizes and individual string lengths for vulnerabilities,
assessments, ranges, and related fields, while tracking and reporting how many
items or characters were truncated. Apply the same limits consistently across
the other finding aggregation and output paths.

Comment thread skills/ns-audit-dependencies/audit-dependencies.cjs Outdated
Comment thread skills/ns-audit-dependencies/SKILL.md Outdated
  - remove the 50-package findings limit
  - bound oversized NCM strings with truncation accounting
  - treat malformed score responses as unchecked
  - match resolved versions returned for latest requests
  - support SemVer build metadata in remediation checks
  - update audit instructions and regression coverage

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/ns-audit-dependencies/render-audit-report.cjs`:
- Around line 30-67: Extend validateAuditSummary to validate every nested object
and collection required by validation and rendering—including vulnerabilities,
packages, batchFailures, and each finding.moduleRisks—before any property
dereference or iteration. For every missing or malformed structure, throw
integrityError so malformed summaries consistently preserve the
AUDIT_REPORT_INTEGRITY_ERROR contract; keep valid-summary counting behavior
unchanged.
- Around line 51-67: Update the summary validation in render-audit-report.cjs to
validate batchFailures and remediation.failures counters as non-negative values
and assert each total matches the sum represented by its byReason breakdown,
preventing contradictory rendered totals. Extend the existing integrity-error
regression tests with cases covering both mismatch types, while preserving the
current validation behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e348be1c-f3fc-4eb7-95d0-6a57c0e0d4c4

📥 Commits

Reviewing files that changed from the base of the PR and between e729559 and d85e005.

📒 Files selected for processing (5)
  • packages/core/test/unit/skills/audit-dependencies-renderer.test.ts
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts
  • skills/ns-audit-dependencies/SKILL.md
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • skills/ns-audit-dependencies/render-audit-report.cjs
🚧 Files skipped from review as they are similar to previous changes (2)
  • skills/ns-audit-dependencies/audit-dependencies.cjs
  • packages/core/test/unit/skills/audit-dependencies-script.test.ts

Comment thread skills/ns-audit-dependencies/render-audit-report.cjs Outdated
Comment on lines +51 to +67
assertEqual(summary.findings.length, summary.vulnerabilities.affectedPackages, 'affected package versions')
assertEqual(vulnerabilityTotal, summary.vulnerabilities.total, 'vulnerability records')
assertCounts(vulnerabilityCounts, summary.vulnerabilities.bySeverity, 'severity')
assertCounts(remediationCounts, {
verified: summary.remediation.verified,
unresolved: summary.remediation.unresolved,
verificationFailed: summary.remediation.verificationFailed,
notRequired: summary.remediation.notRequired
}, 'remediation')

const uncheckedCounts = {}
for (const pkg of summary.uncheckedPackages) {
uncheckedCounts[pkg.reason] = (uncheckedCounts[pkg.reason] || 0) + 1
}
assertEqual(summary.packages.checked + summary.packages.unchecked, summary.packages.total, 'package coverage')
assertEqual(summary.uncheckedPackages.length, summary.packages.unchecked, 'unchecked package versions')
assertCounts(stableCounts(uncheckedCounts), summary.packages.uncheckedByReason, 'unchecked reason')

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Reconcile the failure totals that the report prints.

batchFailures.total and remediation.failures.total are rendered on Lines 171–172 but never validated against byReason. A summary such as { total: 1, byReason: {} } passes validation and reports “1 (none),” creating a contradictory audit result. Validate non-negative counters and assert each total equals its reason breakdown.

Proposed direction
+function sumCounts (counts, label) {
+  return Object.entries(counts || {}).reduce((total, [, count]) => {
+    if (!Number.isSafeInteger(count) || count < 0) {
+      throw integrityError(`${label} contains an invalid count`)
+    }
+    return total + count
+  }, 0)
+}
+
 function validateAuditSummary (summary) {
   // existing checks
+  assertEqual(
+    summary.batchFailures.total,
+    sumCounts(summary.batchFailures.byReason, 'batch failure reasons'),
+    'terminal batch failures'
+  )
+  assertEqual(
+    summary.remediation.failures.total,
+    sumCounts(summary.remediation.failures.byReason, 'remediation failure reasons'),
+    'remediation candidate failures'
+  )

Add regression cases alongside the existing integrity-error test for both mismatches.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
assertEqual(summary.findings.length, summary.vulnerabilities.affectedPackages, 'affected package versions')
assertEqual(vulnerabilityTotal, summary.vulnerabilities.total, 'vulnerability records')
assertCounts(vulnerabilityCounts, summary.vulnerabilities.bySeverity, 'severity')
assertCounts(remediationCounts, {
verified: summary.remediation.verified,
unresolved: summary.remediation.unresolved,
verificationFailed: summary.remediation.verificationFailed,
notRequired: summary.remediation.notRequired
}, 'remediation')
const uncheckedCounts = {}
for (const pkg of summary.uncheckedPackages) {
uncheckedCounts[pkg.reason] = (uncheckedCounts[pkg.reason] || 0) + 1
}
assertEqual(summary.packages.checked + summary.packages.unchecked, summary.packages.total, 'package coverage')
assertEqual(summary.uncheckedPackages.length, summary.packages.unchecked, 'unchecked package versions')
assertCounts(stableCounts(uncheckedCounts), summary.packages.uncheckedByReason, 'unchecked reason')
function sumCounts (counts, label) {
return Object.entries(counts || {}).reduce((total, [, count]) => {
if (!Number.isSafeInteger(count) || count < 0) {
throw integrityError(`${label} contains an invalid count`)
}
return total + count
}, 0)
}
assertEqual(summary.findings.length, summary.vulnerabilities.affectedPackages, 'affected package versions')
assertEqual(vulnerabilityTotal, summary.vulnerabilities.total, 'vulnerability records')
assertCounts(vulnerabilityCounts, summary.vulnerabilities.bySeverity, 'severity')
assertCounts(remediationCounts, {
verified: summary.remediation.verified,
unresolved: summary.remediation.unresolved,
verificationFailed: summary.remediation.verificationFailed,
notRequired: summary.remediation.notRequired
}, 'remediation')
assertEqual(
summary.batchFailures.total,
sumCounts(summary.batchFailures.byReason, 'batch failure reasons'),
'terminal batch failures'
)
assertEqual(
summary.remediation.failures.total,
sumCounts(summary.remediation.failures.byReason, 'remediation failure reasons'),
'remediation candidate failures'
)
const uncheckedCounts = {}
for (const pkg of summary.uncheckedPackages) {
uncheckedCounts[pkg.reason] = (uncheckedCounts[pkg.reason] || 0) + 1
}
assertEqual(summary.packages.checked + summary.packages.unchecked, summary.packages.total, 'package coverage')
assertEqual(summary.uncheckedPackages.length, summary.packages.unchecked, 'unchecked package versions')
assertCounts(stableCounts(uncheckedCounts), summary.packages.uncheckedByReason, 'unchecked reason')
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/ns-audit-dependencies/render-audit-report.cjs` around lines 51 - 67,
Update the summary validation in render-audit-report.cjs to validate
batchFailures and remediation.failures counters as non-negative values and
assert each total matches the sum represented by its byReason breakdown,
preventing contradictory rendered totals. Extend the existing integrity-error
regression tests with cases covering both mismatch types, while preserving the
current validation behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant