/packages

Comprehensively manage project dependencies with automated dashboards, security audits, safe updates, and vulnerability management across all major package managers.

Quick Start

Copy/agileflow:packages ACTION=dashboard

Purpose

This command provides complete dependency management by:

• Detecting project dependencies across npm, pip, cargo, and other package managers
• Generating comprehensive dependency dashboards with status and vulnerability info
• Running security audits and identifying CVEs
• Planning and applying safe dependency updates
• Creating stories for security issues
• Tracking and reporting on maintenance health

Parameters

Examples

View Dependency Dashboard

Copy/agileflow:packages

Shows comprehensive dashboard of all dependencies with status, vulnerabilities, and recommendations.

Export Dashboard as HTML

Copy/agileflow:packages ACTION=dashboard OUTPUT=html

Generates interactive HTML dashboard with sortable tables and graphs.

Security Audit Only

Copy/agileflow:packages ACTION=audit

Runs security checks and reports vulnerabilities without making changes.

Update Security Vulnerabilities

Copy/agileflow:packages ACTION=update SCOPE=security

Safely updates packages with known security issues and asks for confirmation.

Update Minor Versions

Copy/agileflow:packages ACTION=update SCOPE=minor

Updates minor versions (new features, backwards compatible).

Auto-Create PR for Updates

Copy/agileflow:packages ACTION=update SCOPE=all AUTO_PR=yes

Updates all packages and creates a pull request automatically.

Actions

ACTION=dashboard (Default)

Generates comprehensive dependency report showing:

• Total count - Production and development dependencies
• Vulnerability status - Critical, high, medium, low
• Update availability - Major, minor, patch versions
• License info - For compliance tracking
• Health score - Overall dependency maintenance health

Output Example:

Copy# Dependencies Dashboard
 
Project: my-app
Generated: 2025-12-24 10:00:00 UTC
Total Dependencies: 145 (prod: 98, dev: 47)
 
## Summary
 
| Category | Count | Action Needed |
|----------|-------|---------------|
| Critical Vulnerabilities | 2 | Update immediately |
| Major Updates | 12 | Review breaking changes |
| Minor Updates | 28 | Safe to update |
| Up-to-date | 85 | No action |
| Deprecated | 3 | Find alternatives |
 
## Critical Vulnerabilities
 
### express@4.16.0
Current: 4.16.0 → Latest: 4.18.2 (+2 major)
Severity: HIGH (CVSS 7.5)
CVE: CVE-2022-24999
Description: ReDoS vulnerability in Express.js routing
Fix: npm install express@4.18.2
 
[Additional vulnerability details...]
 
## Maintenance Score: 78/100
 
Breakdown:
- Security: 60/100 (2 critical vulnerabilities)
- Freshness: 80/100 (most deps recent)
- License compliance: 95/100 (2 GPL warnings)
- Bundle size: 75/100 (some optimization possible)

ACTION=update

Plans and applies dependency updates with safety checks:

1. Detects outdated packages using appropriate package manager
2. Categorizes by type - security, major, minor, patch
3. Shows update plan with breaking change warnings
4. Asks for confirmation before applying
5. Runs tests after updates (if available)
6. Creates PR if requested
7. Generates report with all changes

Supported Package Managers:

• Node.js: npm, yarn, pnpm
• Python: pip, pip-tools, poetry
• Ruby: bundler (Gemfile)
• Go: go mod
• Rust: cargo
• Java: Maven, Gradle
• .NET: NuGet

Security Updates are always prioritized and recommended immediately.

Major Updates create individual stories for review (may require code changes).

Minor/Patch Updates can be batched safely.

ACTION=audit

Runs security audit only without updating:

Shows all known vulnerabilities with:

• Severity levels (critical, high, moderate, low)
• CVE identifiers and descriptions
• Affected package versions
• Recommended fixes

Example:

Copy# Security Audit Report
 
Generated: 2025-12-24 10:00:00 UTC
Package Manager: npm
 
## Critical (2)
- express@4.16.0: CVE-2022-24999 (CVSS 7.5)
- lodash@4.17.19: CVE-2021-23337 (CVSS 7.4)
 
## High (0)
None
 
## Moderate (3)
[Details...]
 
Recommendation: Run /agileflow:packages ACTION=update SCOPE=security

Package Manager Detection

The command automatically detects and supports:

Output Formats

Markdown (Default)

Human-readable report with tables, suitable for documentation:

Copy/agileflow:packages ACTION=dashboard OUTPUT=markdown

HTML

Interactive dashboard with filtering, sorting, and visualization:

Copy/agileflow:packages ACTION=dashboard OUTPUT=html

JSON

Structured data for tooling and integration:

Copy/agileflow:packages ACTION=dashboard OUTPUT=json

CSV

Spreadsheet-compatible format:

Copy/agileflow:packages ACTION=dashboard OUTPUT=csv

Workflow Examples

Weekly Dependency Audit

Copy# Run every Monday
/agileflow:packages ACTION=audit

Review all vulnerabilities and plan updates.

Monthly Maintenance

Copy# Update minor and patch versions
/agileflow:packages ACTION=update SCOPE=minor

Stay current with non-breaking changes.

Quarterly Major Updates

Copy# Review major version upgrades
/agileflow:packages ACTION=update SCOPE=major

Plan and test breaking changes carefully.

Emergency Security Patch

Copy# Immediately update critical vulnerabilities
/agileflow:packages ACTION=update SCOPE=security

Create PR and deploy quickly if tests pass.

CI Integration

Automated Audit in CI

Add to GitHub Actions:

Copy- name: Dependency audit
  run: npm audit --audit-level=high
 
- name: Check outdated
  run: npm outdated || true  # Don't fail, just report

Dependabot Configuration

Create .github/dependabot.yml:

Copyversion: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
 
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

Dependabot will automatically create PRs for updates.

Weekly Dependency Check

Add scheduled workflow:

Copyname: Dependencies
on:
  schedule:
    - cron: '0 9 * * 1'  # Monday 9am
 
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: /agileflow:packages ACTION=dashboard

Creating Stories for Vulnerabilities

When security issues are found, create stories:

Format:

CopyUS-XXXX: Fix security vulnerability in [PACKAGE]
 
Severity: [CRITICAL|HIGH|MEDIUM]
CVE: [CVE-XXXX-XXXXX]
Current: [version]
Fix: [recommended version]
 
Steps to Fix:
1. Update package: npm install package@latest
2. Run tests: npm test
3. Review changelog for breaking changes

Best Practices

1. Prioritize Security - Always update critical vulnerabilities immediately

2. Batch Minor Updates - Group non-breaking updates for efficiency

3. Test After Updates - Always run full test suite after updates

4. Review Major Changes - Test major versions in staging before production

5. Monitor Deprecations - Act on deprecated packages early

6. License Compliance - Check licenses for corporate requirements

7. Bundle Size - Monitor bundle size impact of dependencies

8. Automated Audits - Run audits weekly, not just during releases

Rules

• Never auto-update critical packages without approval
• Always preview changes before applying (diff-first, YES/NO)
• Group minor/patch updates when possible
• Warn prominently about breaking changes
• Link to changelogs and migration guides
• Create stories for major upgrades
• Never skip tests after updating
• Always commit lock files (package-lock.json, Cargo.lock, etc.)

Related Commands

• /setup-tests - Configure automated testing
• /ci-setup - Set up CI checks
• /setup-deployment - Configure deployment