
Dependency Audit

Checks every project dependency's licence — flags GPL contamination, commercially-incompatible licences and missing attribution.

Entry verified April 21, 2026

The short answer

The dependency sweep most projects never do. Surfaces licences that force the whole project to go GPL, require attribution you haven't provided, or ban commercial use outright. One run before a major release, plus a quarterly repeat on active projects.

When to use it

Before every major release. When adding new dependencies, especially transitive ones you didn't install directly. Quarterly on projects that keep shipping.

Setup

  1. Save the file as ~/.claude/skills/dep-audit.md.

  2. Enumerate dependencies with the native tooling — npm ls for Node, pip show for Python, cargo tree for Rust.

  3. Cross-reference each licence against a compatibility matrix so incompatible combinations surface automatically.

  4. Treat the output as a starting list — read the LICENSE file directly for anything novel or suspect.
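The cross-reference in step 3, as an added example (not the skill's own code): given dependencies already enumerated into (name, SPDX expression) pairs, it reduces dual-licence expressions, classes each result, and separates what merely needs attribution from what should block a release. The rule table, severity order and sample list are constructed for illustration.

```python
# Added example, not the skill's own code; RULES, SEVERITY and SAMPLE_DEPS are constructed.

# Higher is worse for a project distributed commercially without its source.
SEVERITY = {"ok": 0, "attribution": 1, "weak-copyleft": 2, "non-commercial": 3, "strong-copyleft": 4, "unknown": 5}
# Prefix rules checked in order, so "CC-BY-NC" must precede "CC-BY".
RULES = [
    (("AGPL", "GPL"), "strong-copyleft"),       # distributing forces the whole project under GPL
    (("LGPL", "MPL", "EPL"), "weak-copyleft"),  # ok as a separate module; changes to it must be shared
    (("CC-BY-NC",), "non-commercial"),          # bans commercial use outright
    (("CC-BY", "MIT", "BSD", "APACHE", "ISC"), "attribution"),  # usable, but ship the notice/credit
    (("CC0", "0BSD", "UNLICENSE"), "ok"),
]

def classify(spdx_id: str) -> str:
    """Map one SPDX id to a risk class; anything unrecognised is 'unknown' (read its LICENSE)."""
    lid = spdx_id.strip().rstrip("+").upper()
    return next((cls for prefixes, cls in RULES if lid.startswith(prefixes)), "unknown")

def split_top(expr: str, op: str) -> list:
    """Split on ' OP ' only where it sits outside parentheses."""
    token, parts, depth, start, i = f" {op} ", [], 0, 0, 0
    while i < len(expr):
        depth += {"(": 1, ")": -1}.get(expr[i], 0)
        if depth == 0 and expr.startswith(token, i):
            parts.append(expr[start:i]); i += len(token); start = i
        else:
            i += 1
    return parts + [expr[start:]]

def evaluate(expr: str) -> str:
    """Reduce an SPDX expression: OR lets you take the better option, AND binds you to both."""
    expr = expr.strip()
    if len(alts := split_top(expr, "OR")) > 1:
        return min(map(evaluate, alts), key=SEVERITY.get)
    if len(both := split_top(expr, "AND")) > 1:
        return max(map(evaluate, both), key=SEVERITY.get)
    if expr.startswith("(") and expr.endswith(")"):
        return evaluate(expr[1:-1])
    return classify(expr)

def audit(deps, fail_at="non-commercial"):
    """Return (findings, blocking): every dep needing action, and those that should stop a release."""
    findings = [(name, expr, cls) for name, expr in deps if (cls := evaluate(expr)) != "ok"]
    blocking = [f for f in findings if SEVERITY[f[2]] >= SEVERITY[fail_at]]
    return findings, blocking

SAMPLE_DEPS = [("react-awesome-reveal", "MIT"), ("lodash", "MIT"),  # constructed sample
               ("icon-pack", "CC-BY-NC-SA-4.0"), ("readline-ish", "GPL-3.0-or-later"),
               ("dual-licensed", "(MIT OR GPL-2.0-only)"), ("bundle", "Apache-2.0 AND LGPL-2.1-only"),
               ("mystery", "SEE LICENSE IN LICENSE.txt")]
```

Unrecognised expressions rank as the most severe class on purpose, so they block until someone has read the LICENSE file, which is exactly step 4.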

Example

You: /dep-audit
Claude: 247 deps. 2 flagged: react-awesome-reveal (MIT ✓), lodash (MIT ✓)... one CC BY-NC-SA (usable but triggers attribution requirement — add to credits).

Source & attribution

Author: Bryan Collins
Licence: MIT
Type: Original

Original pattern published under MIT — attribution preserved by convention, not licence requirement.

Caveats

Licence detection is heuristic — read the LICENSE file for anything novel or suspect.
