2.5k
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
3 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill dependency-autopsy- _meta.json292 B
- SKILL.md9.9 KB
Overview
This skill performs a deep health analysis of your dependency tree beyond simple vulnerability or version checks. It evaluates maintainer activity, bus factor, code bloat, license compatibility, replacement difficulty, and dependency depth to produce a risk-adjusted report. The output highlights critical findings, actionable recommendations, and an overall health grade to guide maintenance decisions.
How this skill works
It inspects package manifests and registry metadata, analyzes commit history and release patterns, and measures how much of a package your code actually uses. It computes seven vitals—Pulse, Bus Factor, Bloat, Replacement Difficulty, Version Health, License Health, and Dependency Depth—and aggregates those signals into a concise autopsy report. No external APIs or runtime instrumentation are required; analysis is based on manifests, published packages, and repository metadata.
When to use it
- Before adding a new dependency to your project (pre-install check).
- Regularly (e.g., monthly) as part of maintenance routines.
- Prior to major upgrades or refactors that touch dependency boundaries.
- Before security audits or license/compliance reviews.
- When investigating sudden bundle size growth or unexpected transitive deps.
Best practices
- Run the autopsy before merging new dependencies and treat critical findings as blockers.
- Prioritize fixes by risk: replace dead or single-maintainer packages first.
- Inline small utilities instead of pulling large dependency trees when feasible.
- Keep an eye on transitive license flags (copyleft) and resolve before release.
- Combine autopsy findings with CVE reports to form a complete remediation plan.
Example use cases
- Detecting a dead image library with a high-severity vuln and replacing it with an actively maintained alternative.
- Finding that lodash adds 340 KB to the bundle while you only use three functions and switching to native or modular imports.
- Uncovering a GPL-3 transitive dependency introduced deep in the tree before a commercial release.
- Estimating upgrade effort and breaking changes for a dependency two major versions behind.
- Identifying single-committer projects with failing CI that pose a bus-factor risk.
FAQ
No. The analysis uses package manifests, published metadata, and repository history; it does not execute your code or call external APIs.
How accurate is the usage/bloat measurement?
Usage estimates come from static analysis of your imports/exports and bundle impact heuristics; they are conservative guides, not exact byte-for-byte counts.
Can it detect license conflicts in transitive dependencies?
Yes. It surfaces transitive license types and flags potential incompatibilities so you can resolve them before release.