audit_dependencies
Audit a lockfile by checking the installed versions against OSV advisories, returning the lead finding and the direct-versus-transitive dependency split.
Instructions
Audit a single manifest/lockfile and return a VERIFIED finding.
Pass the raw lockfile text together with its filename (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, poetry.lock, Pipfile.lock, Gemfile.lock, composer.lock, Cargo.lock); the filename identifies the lockfile format. The tool returns the one finding that actually matters (the lead), the full split of direct versus transitive dependencies, and the basis of the verdict. Versions are the INSTALLED versions pinned in the lockfile (for requirements.txt, the pinned versions), not the declared floor in the manifest, so a `^1.2.0` constraint with `1.2.3` installed is judged on `1.2.3`. Advisories are confirmed against OSV before they are reported. Output is deterministic: the same lockfile yields the same lead and the same split.
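As an added example (not the tool's own code), the following Python sketch shows what such an audit does for one of the supported formats, package-lock.json: read the installed versions from the lockfile, split direct from transitive dependencies, match each installed version against advisory ranges in OSV record shape, and pick the lead. The lockfile, package names and advisory IDs are constructed fixtures; the real OSV lookup (https://api.osv.dev/v1/query) is replaced by an embedded list so the example runs offline. Note that `left-pad-ish` is declared as `^1.2.0` but installed at `1.2.3`, the advisory's fixed version, so it is correctly not reported.

```python
"""Offline audit of an npm package-lock.json against OSV-shaped advisories.

Added example, not the audit_dependencies implementation. The lockfile and
the advisory list below are constructed fixtures; a real audit would look up
each installed (name, version) via https://api.osv.dev/v1/query instead of
the embedded ADVISORIES list.
"""
import json

# Constructed lockfileVersion 3 fixture. Package names are made up.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad-ish": "^1.2.0"},
             "devDependencies": {"tool-x": "^4.0.0"}},
        "node_modules/left-pad-ish": {"version": "1.2.3"},
        "node_modules/tool-x": {"version": "4.1.0"},
        "node_modules/tool-x/node_modules/helper-y": {"version": "0.9.1"},
        "node_modules/helper-z": {"version": "2.0.0"},
    },
})

# Constructed advisories in OSV record shape (id, affected[].package, SEMVER
# ranges of introduced/fixed events). The IDs are placeholders, not real OSV IDs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "severity": "HIGH", "affected": [{
        "package": {"ecosystem": "npm", "name": "helper-y"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.0.0"}]}]}]},
    {"id": "EXAMPLE-0002", "severity": "CRITICAL", "affected": [{
        "package": {"ecosystem": "npm", "name": "left-pad-ish"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.2.0"}, {"fixed": "1.2.3"}]}]}]},
    {"id": "EXAMPLE-0003", "severity": "LOW", "affected": [{
        "package": {"ecosystem": "npm", "name": "tool-x"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "4.0.0"}, {"fixed": "4.2.0"}]}]}]},
]
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def semver_key(version):
    """Comparable tuple for x.y.z versions; pre-release/build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def in_range(version, events):
    """OSV SEMVER semantics: affected from 'introduced' up to, not including, 'fixed'."""
    key, affected = semver_key(version), False
    for ev in events:
        if "introduced" in ev and key >= semver_key(ev["introduced"]):
            affected = True
        elif "fixed" in ev and key >= semver_key(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and key > semver_key(ev["last_affected"]):
            affected = False
    return affected


def parse_package_lock(text):
    """Map each installed path to name, installed version, direct flag and parent."""
    lock = json.loads(text)
    root = lock["packages"][""]
    declared = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    installed = {}
    for path, entry in lock["packages"].items():
        if path == "" or "version" not in entry:
            continue
        # "node_modules/a/node_modules/b" -> name "b", nested under "a"
        segments = [s.rstrip("/") for s in path.split("node_modules/")[1:]]
        name, parent = segments[-1], (segments[-2] if len(segments) > 1 else None)
        installed[path] = {"name": name, "version": entry["version"],
                           "direct": parent is None and name in declared, "via": parent}
    return installed


def audit(lockfile_content, filename, advisories=ADVISORIES):
    """Return the lead finding, the direct/transitive split and the basis of the verdict."""
    if not filename.endswith("package-lock.json"):
        raise ValueError("this example parses only package-lock.json")
    installed = parse_package_lock(lockfile_content)
    findings = []
    for dep in installed.values():
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg.get("ecosystem") != "npm" or pkg.get("name") != dep["name"]:
                    continue
                if any(in_range(dep["version"], r["events"])
                       for r in aff["ranges"] if r["type"] == "SEMVER"):
                    findings.append({"id": adv["id"], "severity": adv["severity"], **dep})
    # Lead = highest severity; ties go to direct deps, then name, so output is deterministic.
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), not f["direct"], f["name"]))
    return {
        "lead": findings[0] if findings else None,
        "direct": sorted(d["name"] for d in installed.values() if d["direct"]),
        "transitive": sorted(d["name"] for d in installed.values() if not d["direct"]),
        "findings": findings,
        "basis": "installed versions from %s matched against %d advisory records"
                 % (filename, len(advisories)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(LOCKFILE, "package-lock.json"), indent=2))
```

Run as a script it prints the full result; the lead here is the HIGH advisory on the transitive `helper-y` (pulled in under `tool-x`), which outranks the LOW finding on the direct `tool-x`. The transitive/direct split is reported separately from the lead so a reader can see which findings are fixable by bumping their own manifest and which need an upstream release.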
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| lockfile_content | Yes | Raw text of the manifest/lockfile to audit | |
| filename | Yes | Filename of the lockfile (e.g. package-lock.json), used to identify its format | |