getdoorman 1.0.0

package/src/rules/dependencies/index.js

@@ -0,0 +1,1684 @@
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import { join } from 'path';
+
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].some(e => f.endsWith(e)); }
+function isCIFile(f) { return f.match(/\.github\/workflows\/.*\.ya?ml$|\.gitlab-ci\.ya?ml$|Jenkinsfile$|\.circleci\/config\.ya?ml$|\.travis\.yml$/) !== null; }
+
+const rules = [
+  // DEPS-001: Known vulnerabilities
+  {
+    id: 'DEPS-001',
+    category: 'dependencies',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dependencies with Known Vulnerabilities',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      if (!files.has('package.json')) return findings;
+
+      try {
+        const result = execSync('npm audit --json 2>/dev/null', {
+          cwd: process.cwd(),
+          timeout: 30000,
+          encoding: 'utf-8',
+        });
+        const audit = JSON.parse(result);
+        const vulns = audit.vulnerabilities || {};
+
+        let criticalCount = 0;
+        let highCount = 0;
+
+        for (const [name, info] of Object.entries(vulns)) {
+          if (info.severity === 'critical') criticalCount++;
+          if (info.severity === 'high') highCount++;
+        }
+
+        if (criticalCount > 0) {
+          findings.push({
+            ruleId: 'DEPS-001', category: 'dependencies', severity: 'critical',
+            title: `${criticalCount} critical vulnerabilit${criticalCount === 1 ? 'y' : 'ies'} in dependencies`,
+            description: 'Run `npm audit fix` or update the affected packages.',
+            fix: null,
+          });
+        }
+        if (highCount > 0) {
+          findings.push({
+            ruleId: 'DEPS-001b', category: 'dependencies', severity: 'high',
+            title: `${highCount} high-severity vulnerabilit${highCount === 1 ? 'y' : 'ies'} in dependencies`,
+            description: 'Run `npm audit fix` or update the affected packages.',
+            fix: null,
+          });
+        }
+      } catch (e) {
+        // npm audit can fail for many reasons (no package-lock, network, etc.)
+        // Log at debug level so users can diagnose if needed
+        if (typeof context !== 'undefined' && context.debug) console.warn(`[DEPS-001] npm audit failed: ${e.message}`);
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-002: No lock file
+  {
+    id: 'DEPS-002',
+    category: 'dependencies',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Package Lock File',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      if (!files.has('package.json')) return findings;
+
+      const hasLock = files.has('package-lock.json') ||
+                      [...files.keys()].some(f => f === 'yarn.lock' || f === 'pnpm-lock.yaml' || f === 'bun.lockb');
+
+      if (!hasLock) {
+        findings.push({
+          ruleId: 'DEPS-002', category: 'dependencies', severity: 'medium',
+          title: 'No lock file committed — builds may be non-deterministic',
+          description: 'Commit your lock file (package-lock.json, yarn.lock, etc.) for reproducible builds.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-003: Using deprecated packages
+  {
+    id: 'DEPS-003',
+    category: 'dependencies',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Deprecated Dependencies',
+    check({ stack }) {
+      const findings = [];
+      const deprecated = {
+        'request': 'Use `node-fetch`, `axios`, or built-in `fetch` instead',
+        'moment': 'Use `date-fns`, `dayjs`, or `luxon` instead',
+        'uuid': null, // not deprecated but check version
+        'csurf': 'Deprecated due to issues. Use csrf-csrf or custom implementation',
+        'express-validator': null,
+        'body-parser': 'Built into Express 4.16+, remove it',
+        'querystring': 'Use URLSearchParams (built-in) instead',
+      };
+
+      for (const [dep, message] of Object.entries(deprecated)) {
+        if (dep in (stack.dependencies || {})) {
+          findings.push({
+            ruleId: 'DEPS-003', category: 'dependencies', severity: 'medium',
+            title: `Deprecated package: ${dep}`,
+            description: message || `${dep} is deprecated. Find a maintained alternative.`,
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-004: No .gitignore for node_modules
+  {
+    id: 'DEPS-004',
+    category: 'dependencies',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'node_modules Not in .gitignore',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      const gitignore = files.get('.gitignore') || '';
+      if (!gitignore.includes('node_modules')) {
+        findings.push({
+          ruleId: 'DEPS-004', category: 'dependencies', severity: 'high',
+          title: 'node_modules not in .gitignore — may be committed to git',
+          description: 'Add node_modules to .gitignore. It should never be in version control.',
+          fix: {
+            type: 'insert',
+            position: 0,
+            content: 'node_modules/',
+            targetFile: '.gitignore',
+          },
+        });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-005: Wildcard version on security-critical package
+  { id: 'DEPS-005', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'Wildcard Version on Security-Critical Package',
+    check({ stack }) {
+      const findings = [];
+      const securityPkgs = ['express', 'jsonwebtoken', 'bcrypt', 'bcryptjs', 'helmet', 'passport', 'crypto-js', 'node-forge', 'axios'];
+      for (const [pkg, version] of Object.entries(stack.dependencies || {})) {
+        if (securityPkgs.includes(pkg) && (version === '*' || version === 'latest' || version === 'x')) {
+          findings.push({ ruleId: 'DEPS-005', category: 'dependencies', severity: 'high',
+            title: `Security-critical package "${pkg}" uses wildcard version "${version}"`,
+            description: 'Pin security-critical packages to exact versions. Wildcards can silently pull in compromised versions.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-006: No automated dependency updates
+  { id: 'DEPS-006', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No Automated Dependency Updates',
+    check({ files }) {
+      const hasDependabot = [...files.keys()].some(f => f.includes('dependabot.yml') || f.includes('.dependabot'));
+      const hasRenovate = [...files.keys()].some(f => f.includes('renovate.json') || f.includes('.renovaterc'));
+      if (!hasDependabot && !hasRenovate) {
+        return [{ ruleId: 'DEPS-006', category: 'dependencies', severity: 'medium',
+          title: 'No automated dependency update tool (Dependabot/Renovate) configured',
+          description: 'Add Dependabot or Renovate to automatically receive security patches. Without automation, outdated deps accumulate.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // DEPS-007: GPL license in commercial project
+  { id: 'DEPS-007', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'GPL-Licensed Dependency',
+    check({ stack }) {
+      const findings = [];
+      const gplPackages = ['gpl-', 'gnu-', 'ffmpeg', 'gstreamer'];
+      for (const pkg of Object.keys(stack.dependencies || {})) {
+        if (gplPackages.some(g => pkg.toLowerCase().startsWith(g))) {
+          findings.push({ ruleId: 'DEPS-007', category: 'dependencies', severity: 'high',
+            title: `Potentially GPL-licensed package: ${pkg}`,
+            description: 'GPL requires your entire application to be open-sourced under GPL. Verify the license and consult legal if building commercial software.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-008: Dependency installed from git URL
+  { id: 'DEPS-008', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'Dependency from Git URL',
+    check({ stack }) {
+      const findings = [];
+      for (const [pkg, version] of Object.entries({ ...stack.dependencies, ...stack.devDependencies })) {
+        if (typeof version === 'string' && (version.startsWith('github:') || version.startsWith('git+') ||
+            version.startsWith('git://') || version.startsWith('bitbucket:'))) {
+          findings.push({ ruleId: 'DEPS-008', category: 'dependencies', severity: 'high',
+            title: `Package "${pkg}" installed from git URL — no integrity verification`,
+            description: 'Git URL dependencies bypass npm integrity checks and can change silently. Use published npm versions.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-009: Full lodash imported
+  { id: 'DEPS-009', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Full Lodash Imported',
+    check({ stack }) {
+      const findings = [];
+      if ('lodash' in (stack.dependencies || {})) {
+        findings.push({ ruleId: 'DEPS-009', category: 'dependencies', severity: 'medium',
+          title: 'Full lodash in production dependencies adds ~70KB to bundle',
+          description: "Import individual functions (import debounce from 'lodash/debounce') or use lodash-es with tree shaking.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-010: moment.js in dependencies
+  { id: 'DEPS-010', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'moment.js — Heavy Deprecated Library',
+    check({ stack }) {
+      const findings = [];
+      if ('moment' in (stack.dependencies || {})) {
+        findings.push({ ruleId: 'DEPS-010', category: 'dependencies', severity: 'medium',
+          title: 'moment.js adds 67KB+ and is in maintenance-only mode',
+          description: "Replace with date-fns (tree-shakeable) or dayjs (2KB). moment.js is no longer actively developed.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-011: request package (deprecated)
+  { id: 'DEPS-011', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Deprecated request Package',
+    check({ stack }) {
+      if ('request' in (stack.dependencies || {})) {
+        return [{ ruleId: 'DEPS-011', category: 'dependencies', severity: 'medium',
+          title: 'request package is deprecated and unmaintained',
+          description: "Replace with built-in fetch, axios, or got. The request package has been deprecated since 2020.", fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // DEPS-012: devDependency accidentally in dependencies
+  { id: 'DEPS-012', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Testing Library in Production Dependencies',
+    check({ stack }) {
+      const findings = [];
+      const testOnlyPkgs = ['jest', 'mocha', 'chai', 'sinon', 'jasmine', 'vitest', 'cypress', 'playwright',
+        'supertest', 'nock', 'faker', '@faker-js/faker', 'ts-jest', 'babel-jest'];
+      for (const pkg of Object.keys(stack.dependencies || {})) {
+        if (testOnlyPkgs.includes(pkg) || testOnlyPkgs.some(t => pkg.startsWith(`@${t}/`) || pkg.startsWith(`${t}-`))) {
+          findings.push({ ruleId: 'DEPS-012', category: 'dependencies', severity: 'medium',
+            title: `Test-only package "${pkg}" in production dependencies`,
+            description: 'Move test frameworks to devDependencies. They bloat production installs and may expose test infrastructure.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-013: No bundle size budget
+  { id: 'DEPS-013', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'No Bundle Size Budget',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasBudget = 'bundlesize' in allDeps || 'size-limit' in allDeps || '@size-limit/preset-app' in allDeps ||
+        [...files.keys()].some(f => f.includes('.bundlesize') || f.includes('size-limit'));
+      if (!hasBudget && [...files.keys()].some(f => f.match(/\.(jsx|tsx)$/))) {
+        findings.push({ ruleId: 'DEPS-013', category: 'dependencies', severity: 'low',
+          title: 'No bundle size budget configured',
+          description: 'Add size-limit to fail CI when bundle size exceeds budget. Unmonitored bundles grow silently.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-014: Multiple HTTP client libraries
+  { id: 'DEPS-014', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Multiple HTTP Client Libraries',
+    check({ stack }) {
+      const findings = [];
+      const httpClients = ['axios', 'got', 'node-fetch', 'superagent', 'ky', 'wretch'];
+      const used = httpClients.filter(c => c in (stack.dependencies || {}) || c in (stack.devDependencies || {}));
+      if (used.length >= 2) {
+        findings.push({ ruleId: 'DEPS-014', category: 'dependencies', severity: 'low',
+          title: `Multiple HTTP client libraries: ${used.join(', ')}`,
+          description: 'Standardize on one HTTP client. Multiple clients bloat the bundle and confuse contributors.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-015: No SRI for CDN scripts
+  { id: 'DEPS-015', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'CDN Scripts Without Subresource Integrity',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html)$/) && !fp.match(/_document\.(jsx|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<script[^>]+src=["']https?:\/\//i) && !lines[i].match(/integrity=/i)) {
+            findings.push({ ruleId: 'DEPS-015', category: 'dependencies', severity: 'high',
+              title: 'CDN script without Subresource Integrity (SRI) hash',
+              description: 'Add integrity="sha384-..." to CDN <script> tags. Without SRI, a compromised CDN can serve malicious code.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-016: Package with known typosquatting name
+  { id: 'DEPS-016', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'Suspected Typosquatting Package',
+    check({ stack }) {
+      const findings = [];
+      const typosquats = { 'crossenv': 'cross-env', 'lodash-express': 'lodash', 'expres': 'express', 'requets': 'request', 'coloers': 'colors', 'mongoos': 'mongoose', 'exress': 'express', 'node-uuid': 'uuid', 'nodemon-alternative': 'nodemon', 'react-devtools-core2': 'react-devtools-core' };
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const [dep, intended] of Object.entries(typosquats)) {
+        if (dep in allDeps) {
+          findings.push({ ruleId: 'DEPS-016', category: 'dependencies', severity: 'critical', title: `Suspected typosquatting: '${dep}' (intended: '${intended}')`, description: `Remove '${dep}' and install '${intended}'. Typosquatted packages can contain malware. Run npm audit and verify package before use.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-017: Using deprecated crypto package
+  { id: 'DEPS-017', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'Deprecated Cryptography Package',
+    check({ stack }) {
+      const findings = [];
+      const deprecated = { 'node-forge': 'Use Node.js built-in crypto or @noble/* libraries', 'crypto-js': 'Use Web Crypto API or Node.js built-in crypto', 'sjcl': 'Use Web Crypto API', 'jsencrypt': 'Use node:crypto or @noble/rsa', 'bcryptjs': 'Consider bcrypt (native) or argon2 for better security' };
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const [dep, msg] of Object.entries(deprecated)) {
+        if (dep in allDeps) {
+          findings.push({ ruleId: 'DEPS-017', category: 'dependencies', severity: 'high', title: `Deprecated crypto package: ${dep}`, description: msg, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-018: No package-lock.json integrity in CI
+  { id: 'DEPS-018', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'CI Uses npm install Instead of npm ci',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.ya?ml$|Makefile|Dockerfile/i)) continue;
+        if (c.match(/npm\s+install(?!\s+-g|\s+--global)/) && !c.match(/npm\s+ci\b/)) {
+          findings.push({ ruleId: 'DEPS-018', category: 'dependencies', severity: 'high', title: 'CI uses npm install instead of npm ci — lockfile not enforced', description: 'Use npm ci in CI. It installs exact versions from package-lock.json and fails if lockfile is out of sync.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-019: Duplicate packages with different major versions
+  { id: 'DEPS-019', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Peer Dependency Conflicts',
+    check({ stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const reactVersion = allDeps['react'];
+      const reactDomVersion = allDeps['react-dom'];
+      if (reactVersion && reactDomVersion && reactVersion !== reactDomVersion) {
+        findings.push({ ruleId: 'DEPS-019', category: 'dependencies', severity: 'low', title: `react@${reactVersion} and react-dom@${reactDomVersion} version mismatch`, description: 'react and react-dom must be the same version. Mismatches cause cryptic runtime errors.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-020: Test libraries in production dependencies
+  { id: 'DEPS-020', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Testing Library in Production Dependencies',
+    check({ stack }) {
+      const findings = [];
+      const testLibs = ['jest', 'mocha', 'chai', 'sinon', 'supertest', 'nock', 'vitest', '@testing-library/react', 'cypress', 'playwright', 'ava', 'tape'];
+      for (const lib of testLibs) {
+        if (lib in (stack.dependencies || {})) {
+          findings.push({ ruleId: 'DEPS-020', category: 'dependencies', severity: 'medium', title: `Test library '${lib}' in production dependencies`, description: `Move '${lib}' to devDependencies. Test libraries in production bloat the bundle and increase attack surface.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-021: No license check in CI
+  { id: 'DEPS-021', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No Automated License Compliance Check',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasLicenseCheck = [...files.values()].some(c => c.match(/license-checker|licensee|fossa|snyk.*license|license.*audit/i));
+      if (Object.keys(allDeps).length > 20 && !hasLicenseCheck) {
+        findings.push({ ruleId: 'DEPS-021', category: 'dependencies', severity: 'medium', title: 'No license compliance scanning — GPL/AGPL dependencies may create legal obligations', description: 'Add license-checker to CI: npx license-checker --failOn GPL. GPL/AGPL in production code requires open-sourcing your application.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-022: node_modules committed to git
+  { id: 'DEPS-022', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'node_modules May Be Committed to Git',
+    check({ files }) {
+      const findings = [];
+      const hasNodeModules = [...files.keys()].some(f => f.includes('node_modules/'));
+      const hasGitignore = [...files.keys()].some(f => f.endsWith('.gitignore'));
+      if (hasNodeModules) {
+        findings.push({ ruleId: 'DEPS-022', category: 'dependencies', severity: 'high', title: 'node_modules directory committed to git repository', description: 'Add node_modules to .gitignore immediately. Committed node_modules bloat repo size and prevent automatic updates via Dependabot.', fix: null });
+      } else if (!hasGitignore) {
+        findings.push({ ruleId: 'DEPS-022', category: 'dependencies', severity: 'medium', title: 'No .gitignore file — node_modules may be accidentally committed', description: 'Add .gitignore with node_modules/ entry. Without it, npm install output could be committed.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-023: Requiring entire package instead of submodule
+  { id: 'DEPS-023', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Importing Entire Library Instead of Submodule',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const heavyImports = [
+          { pattern: /require\(['"]lodash['"]\)|import\s+\w+\s+from\s+['"]lodash['"]/, fix: "import get from 'lodash/get'" },
+          { pattern: /require\(['"]rxjs['"]\)|import\s+\*\s+from\s+['"]rxjs['"]/, fix: "import { map } from 'rxjs/operators'" },
+          { pattern: /require\(['"]date-fns['"]\)|import\s+\*\s+from\s+['"]date-fns['"]/, fix: "import { format } from 'date-fns'" },
+        ];
+        for (const { pattern, fix } of heavyImports) {
+          if (c.match(pattern)) {
+            findings.push({ ruleId: 'DEPS-023', category: 'dependencies', severity: 'medium', title: 'Full library imported instead of specific function', description: `Import only what you need: ${fix}. Full imports include unused code, increasing bundle size.`, file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-024: No automated vulnerability scanning in CI
+  { id: 'DEPS-024', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'No Vulnerability Scanning in CI Pipeline',
+    check({ files }) {
+      const findings = [];
+      const hasScan = [...files.values()].some(c => c.match(/npm\s+audit|snyk\s+test|yarn\s+audit|trivy\s+fs|grype/i));
+      if (!hasScan) {
+        findings.push({ ruleId: 'DEPS-024', category: 'dependencies', severity: 'high', title: 'No dependency vulnerability scan in CI', description: 'Add npm audit --audit-level=high or snyk test to CI pipeline. Unscanned dependencies may have known CVEs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-025: Using node: protocol missing for built-in modules
+  { id: 'DEPS-025', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Node Built-ins Without node: Protocol',
+    check({ files }) {
+      const findings = [];
+      const builtins = ['fs', 'path', 'crypto', 'http', 'https', 'os', 'util', 'stream', 'buffer', 'child_process', 'events', 'net', 'readline'];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        for (const mod of builtins) {
+          if (c.match(new RegExp(`require\\(['"]${mod}['"]\\)|from\\s+['"]${mod}['"]`)) && !c.match(new RegExp(`require\\(['"]node:${mod}['"]\\)|from\\s+['"]node:${mod}['"]`))) {
+            findings.push({ ruleId: 'DEPS-025', category: 'dependencies', severity: 'low', title: `Importing '${mod}' without node: protocol prefix`, description: `Use 'node:${mod}' to unambiguously identify built-in modules. Prevents shadowing by npm packages with the same name.`, file: fp, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-026: AGPL licensed package in commercial code
+  { id: 'DEPS-026', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'AGPL Package in Commercial Project',
+    check({ stack }) {
+      const findings = [];
+      const agplPackages = { 'uplot': 'LGPL/GPL', 'ghostscript': 'AGPL', 'mongodb': 'SSPL', 'elasticsearch': 'SSPL/Elastic License' };
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const [dep, license] of Object.entries(agplPackages)) {
+        if (dep in allDeps) {
+          findings.push({ ruleId: 'DEPS-026', category: 'dependencies', severity: 'high', title: `${dep} uses ${license} — may require open-sourcing your application`, description: `Review ${dep} license terms. AGPL/SSPL may require publishing your source code if you offer the software as a service.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-027: engines field missing in package.json
+  { id: 'DEPS-027', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'No Node.js Engine Version Specified',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          if (!pkg.engines || !pkg.engines.node) {
+            findings.push({ ruleId: 'DEPS-027', category: 'dependencies', severity: 'low', title: 'package.json missing "engines" field — Node.js version not specified', description: 'Add "engines": { "node": ">=20.0.0" } to package.json. This prevents accidental deployment to incompatible Node versions.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-028: Peer dependency not installed
+  { id: 'DEPS-028', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Missing Peer Dependencies',
+    check({ stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const peerMap = { '@testing-library/react': 'react', '@apollo/client': 'graphql', 'react-redux': 'redux', 'formik': 'react', 'react-hook-form': 'react', 'styled-components': 'react' };
+      for (const [lib, peer] of Object.entries(peerMap)) {
+        if (lib in allDeps && !(peer in allDeps)) {
+          findings.push({ ruleId: 'DEPS-028', category: 'dependencies', severity: 'medium', title: `${lib} installed but peer dependency '${peer}' is missing`, description: `Install '${peer}': it is a required peer dependency for ${lib}.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-029: package.json with no description or author
+  { id: 'DEPS-029', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'package.json Missing Metadata',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          if (!pkg.description || !pkg.author) {
+            findings.push({ ruleId: 'DEPS-029', category: 'dependencies', severity: 'low', title: 'package.json missing description or author fields', description: 'Add description and author. These are required for npm publishing and help developers understand the package purpose.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-030: No .nvmrc or .node-version file
+  { id: 'DEPS-030', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'No Node.js Version File (.nvmrc)',
+    check({ files }) {
+      const findings = [];
+      const hasNvmrc = [...files.keys()].some(f => f.endsWith('.nvmrc') || f.endsWith('.node-version'));
+      if (!hasNvmrc) {
+        findings.push({ ruleId: 'DEPS-030', category: 'dependencies', severity: 'low', title: 'No .nvmrc or .node-version file — Node.js version not pinned for local development', description: 'Add .nvmrc with exact Node.js version (e.g., 20.11.0). Ensures all developers and CI use the same Node version.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-031: Inconsistent package manager lockfiles
+  { id: 'DEPS-031', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Multiple Package Manager Lockfiles',
+    check({ files }) {
+      const findings = [];
+      const lockfiles = [...files.keys()].filter(f => f.match(/package-lock\.json|yarn\.lock|pnpm-lock\.yaml/));
+      if (lockfiles.length > 1) {
+        findings.push({ ruleId: 'DEPS-031', category: 'dependencies', severity: 'medium', title: `Multiple lockfiles found: ${lockfiles.join(', ')} — use only one package manager`, description: 'Commit to one package manager. Multiple lockfiles cause inconsistent installs. Add .npmrc with engine-strict=true to enforce.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-032: Using require() in ES module context
+  { id: 'DEPS-032', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Mixed CommonJS and ES Modules',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.mjs$|\.cjs$/) && !fp.includes('.')) continue;
+        if (fp.endsWith('.mjs') && c.match(/require\(/)) {
+          findings.push({ ruleId: 'DEPS-032', category: 'dependencies', severity: 'medium', title: 'require() used in .mjs ES module file', description: 'Use import/export in .mjs files. require() is not available in ES modules — this causes a ReferenceError at runtime.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-033: package.json with no main/exports field
+  { id: 'DEPS-033', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Package Missing "exports" Field',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          if (pkg.name && !pkg.private && !pkg.exports && !pkg.main) {
+            findings.push({ ruleId: 'DEPS-033', category: 'dependencies', severity: 'low', title: 'Published package missing "exports" field — consumers access internals', description: 'Add "exports" to package.json to define public API. Without it, consumers can import internal modules you may refactor.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-034: Nested node_modules risk (phantom dependencies)
+  { id: 'DEPS-034', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Using Phantom (Implicit) Dependency',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const matches = c.matchAll(/require\(['"]([a-z@][^'"./]+)['"]\)|from\s+['"]([a-z@][^'"./]+)['"]/g);
+        for (const m of matches) {
+          const pkg = m[1] || m[2];
+          if (pkg && !pkg.startsWith('node:') && !(pkg in allDeps)) {
+            const isBuiltin = ['fs', 'path', 'http', 'https', 'crypto', 'os', 'util', 'stream', 'buffer', 'events', 'net', 'url', 'child_process', 'readline'].includes(pkg);
+            if (!isBuiltin) {
+              findings.push({ ruleId: 'DEPS-034', category: 'dependencies', severity: 'medium', title: `'${pkg}' imported but not in package.json — phantom dependency`, description: `Add '${pkg}' to dependencies. Phantom dependencies work accidentally via hoisting but break on clean installs or in monorepos.`, file: fp, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-035: Security package pinned to exact version (no patches)
+  { id: 'DEPS-035', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Security Package Pinned to Exact Version',
+    check({ stack }) {
+      const findings = [];
+      const securityPackages = ['helmet', 'express-rate-limit', 'bcrypt', 'argon2', 'jsonwebtoken', 'passport', 'csrf'];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const pkg of securityPackages) {
+        if (pkg in allDeps && /^\d/.test(allDeps[pkg])) {
+          findings.push({ ruleId: 'DEPS-035', category: 'dependencies', severity: 'medium', title: `Security package '${pkg}' pinned to exact version — won't receive patches`, description: `Use '~${allDeps[pkg]}' to allow patch updates. Security packages should receive patch updates automatically via Dependabot.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-036: Development dependency used in production code
+  { id: 'DEPS-036', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Development Dependency Used in Production Code',
+    check({ files, stack }) {
+      const findings = [];
+      const devOnlyPkgs = Object.keys(stack.devDependencies || {}).filter(d => !['typescript', '@types', 'ts-node'].some(p => d.startsWith(p)));
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        for (const pkg of devOnlyPkgs) {
+          if (pkg.length > 3 && c.match(new RegExp(`require\\(['"]${pkg.replace(/[-@/]/g, '.')}['"]\\)|from\\s+['"]${pkg.replace(/[-@/]/g, '.')}['"]`))) {
+            findings.push({ ruleId: 'DEPS-036', category: 'dependencies', severity: 'medium', title: `devDependency '${pkg}' imported in production file`, description: `Move '${pkg}' to dependencies if used in production. devDependencies are not installed in production (npm install --production).`, file: fp, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-037: Missing peerDependencies in published package
+  { id: 'DEPS-037', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Published Package Missing peerDependencies',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          if (!pkg.private && pkg.dependencies) {
+            const peers = ['react', 'vue', 'angular', 'svelte'];
+            for (const peer of peers) {
+              if (peer in pkg.dependencies && !pkg.peerDependencies?.[peer]) {
+                findings.push({ ruleId: 'DEPS-037', category: 'dependencies', severity: 'low', title: `Published package includes '${peer}' in dependencies instead of peerDependencies`, description: `Move '${peer}' to peerDependencies. Bundling framework dependencies causes duplicate instances and version conflicts.`, file: fp, fix: null });
+              }
+            }
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-038: Source maps published to npm
+  { id: 'DEPS-038', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Source Maps Published to npm',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          const files_list = pkg.files || [];
+          if (files_list.some(f => f.match(/\.map$|maps\//))) {
+            findings.push({ ruleId: 'DEPS-038', category: 'dependencies', severity: 'medium', title: 'Source maps included in npm publish — exposes original source code', description: 'Remove .map files from package.json "files" array. Published source maps expose your original TypeScript/minified source to anyone.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-039: Using forked/patched package without audit
+  { id: 'DEPS-039', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Forked Package Without Security Note',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('package.json') || fp.includes('node_modules')) continue;
+        try {
+          const pkg = JSON.parse(c);
+          const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+          for (const [dep, version] of Object.entries(allDeps)) {
+            if (typeof version === 'string' && version.match(/github:|bitbucket:|gitlab:/)) {
+              findings.push({ ruleId: 'DEPS-039', category: 'dependencies', severity: 'medium', title: `Package '${dep}' installed from git source — no integrity guarantee`, description: `Pin to a specific commit hash: "${dep}": "github:owner/repo#abc1234". Floating git refs can change without notice.`, file: fp, fix: null });
+            }
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-040: High severity npm audit findings
+  { id: 'DEPS-040', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'Known High Severity CVE in Dependency',
+    check({ stack }) {
+      const findings = [];
+      const knownVulnerable = {
+        'node-serialize': { versions: '*', cve: 'CVE-2017-5941', desc: 'Remote code execution via serialized object' },
+        'serialize-javascript': { versions: '<3.1.0', cve: 'CVE-2020-7660', desc: 'XSS via serialized regex' },
+        'lodash': { versions: '<4.17.21', cve: 'CVE-2021-23337', desc: 'Command injection and prototype pollution' },
+        'axios': { versions: '<0.21.1', cve: 'CVE-2020-28168', desc: 'SSRF via redirects' },
+        'jsonwebtoken': { versions: '<9.0.0', cve: 'CVE-2022-23529', desc: 'Arbitrary file write via crafted JWT' },
+        'qs': { versions: '<6.7.3', cve: 'CVE-2022-24999', desc: 'Prototype pollution' },
+        'semver': { versions: '<7.5.2', cve: 'CVE-2022-25883', desc: 'Regular expression denial of service' },
+      };
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const [pkg, info] of Object.entries(knownVulnerable)) {
+        if (pkg in allDeps) {
+          findings.push({ ruleId: 'DEPS-040', category: 'dependencies', severity: 'critical', title: `${pkg} has known CVE: ${info.cve} — ${info.desc}`, description: `Update ${pkg} immediately. Run: npm audit fix. This vulnerability is actively exploited.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-041: Using old Node crypto instead of webcrypto
+  { id: 'DEPS-041', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Using Legacy Node.js crypto API',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/require\(['"]crypto['"]\)|from\s+['"]crypto['"]/) && c.match(/createCipher\b|createDecipher\b/)) {
+          findings.push({ ruleId: 'DEPS-041', category: 'dependencies', severity: 'low', title: 'Using deprecated crypto.createCipher/createDecipher', description: 'Use crypto.createCipheriv/createDecipheriv with explicit IV. createCipher is deprecated and uses a weak key derivation. Migrate to the WebCrypto API or crypto.subtle.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-042: Production app without lockfile
+  { id: 'DEPS-042', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'No Lockfile in Repository',
+    check({ files }) {
+      const findings = [];
+      const hasPackageJson = [...files.keys()].some(f => f.endsWith('package.json') && !f.includes('node_modules'));
+      const hasLockfile = [...files.keys()].some(f => f.match(/package-lock\.json|yarn\.lock|pnpm-lock\.yaml/));
+      if (hasPackageJson && !hasLockfile) {
+        findings.push({ ruleId: 'DEPS-042', category: 'dependencies', severity: 'critical', title: 'No lockfile committed to repository — non-deterministic installs', description: 'Commit package-lock.json (or yarn.lock/pnpm-lock.yaml). Without a lockfile, npm install can install different versions on different machines and in CI.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-043: Using http instead of https for package registry
+  { id: 'DEPS-043', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'Package Registry Using HTTP (Not HTTPS)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.npmrc') && !fp.endsWith('.yarnrc') && !fp.endsWith('.yarnrc.yml')) continue;
+        if (c.match(/registry=http:\/\/(?!localhost)/i)) {
+          findings.push({ ruleId: 'DEPS-043', category: 'dependencies', severity: 'high', title: 'Package registry configured with HTTP — packages served without TLS', description: 'Change registry URL to HTTPS. HTTP registries allow MITM attacks to serve malicious packages. Use https://registry.npmjs.org.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-044: Using deprecated xmlhttprequest in modern code
+  { id: 'DEPS-044', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Using XMLHttpRequest Instead of Fetch',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/new XMLHttpRequest\(\)|\.XMLHttpRequest/)) {
+          findings.push({ ruleId: 'DEPS-044', category: 'dependencies', severity: 'low', title: 'Using XMLHttpRequest — migrate to fetch() or axios', description: 'Replace XHR with fetch() or axios. XMLHttpRequest has a verbose API and lacks async/await support. fetch is available in all modern browsers and Node 18+.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-045: Deprecated Node.js version in Dockerfile
+  { id: 'DEPS-045', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'End-of-Life Node.js Version in Docker Image',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\./)) continue;
+        const match = c.match(/FROM\s+node:(\d+)/i);
+        if (match) {
+          const version = parseInt(match[1]);
+          const eol = [10, 12, 14, 16, 17, 19, 21];
+          if (eol.includes(version)) {
+            findings.push({ ruleId: 'DEPS-045', category: 'dependencies', severity: 'high', title: `Node.js ${version} is end-of-life — no longer receives security patches`, description: `Upgrade to Node.js 20 LTS (latest LTS) or Node.js 22. EOL versions have known unpatched CVEs.`, file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // DEPS-046: Package score too low (maintenance risk)
+  { id: 'DEPS-046', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Abandoned Package Dependency',
+    check({ stack }) {
+      const findings = [];
+      const abandonedPackages = ['request', 'request-promise', 'node-uuid', 'jade', 'grunt', 'bower', 'left-pad', 'coffee-script', 'gulp-cli'];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      for (const pkg of abandonedPackages) {
+        if (pkg in allDeps) {
+          findings.push({ ruleId: 'DEPS-046', category: 'dependencies', severity: 'medium', title: `Abandoned package '${pkg}' — no longer maintained`, description: `Replace '${pkg}' with a maintained alternative. Unmaintained packages never receive security patches.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-047: Multiple similar packages for same purpose
+  { id: 'DEPS-047', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Duplicate Functionality Packages',
+    check({ stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const httpClients = ['axios', 'got', 'node-fetch', 'superagent', 'request', 'undici', 'ky'].filter(d => d in allDeps);
+      const dateLibs = ['moment', 'dayjs', 'date-fns', 'luxon'].filter(d => d in allDeps);
+      const testRunners = ['jest', 'mocha', 'vitest', 'jasmine', 'ava', 'tape'].filter(d => d in allDeps);
+      if (httpClients.length > 1) findings.push({ ruleId: 'DEPS-047', category: 'dependencies', severity: 'low', title: `Multiple HTTP client libraries: ${httpClients.join(', ')} — choose one`, description: 'Standardize on one HTTP client library. Multiple clients with overlapping functionality increase bundle size and maintenance burden.', fix: null });
+      if (dateLibs.length > 1) findings.push({ ruleId: 'DEPS-047', category: 'dependencies', severity: 'low', title: `Multiple date libraries: ${dateLibs.join(', ')} — choose one`, description: 'Standardize on one date library. Date-fns is preferred for tree-shaking. Moment.js adds 230KB and is in maintenance mode.', fix: null });
+      if (testRunners.length > 1) findings.push({ ruleId: 'DEPS-047', category: 'dependencies', severity: 'low', title: `Multiple test runners: ${testRunners.join(', ')} — choose one`, description: 'Use a single test runner to avoid configuration complexity and incompatible mocking systems.', fix: null });
+      return findings;
+    },
+  },
+  // DEPS-048: No audit of new dependencies
+  { id: 'DEPS-048', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No Automated Dependency Audit in CI',
+    check({ files }) {
+      const findings = [];
+      const hasAudit = [...files.values()].some(c => c.match(/npm\s+audit|yarn\s+audit|pnpm\s+audit|snyk\s+test/i));
+      if (!hasAudit) {
+        findings.push({ ruleId: 'DEPS-048', category: 'dependencies', severity: 'medium', title: 'No automated dependency audit in CI pipeline', description: 'Add npm audit --audit-level=high to CI. Catches known vulnerabilities in dependencies before deployment.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPS-049: Webpack without externals for large packages
+  { id: 'DEPS-049', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Webpack Bundle Includes Large Peer Dependencies',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasWebpack = 'webpack' in allDeps;
+      const largeDeps = ['lodash', 'moment', 'rxjs', 'jquery'].filter(d => d in allDeps);
+      if (hasWebpack && largeDeps.length > 0) {
+        for (const [fp, c] of files) {
+          if (fp.match(/webpack\.config\./)) {
+            if (!c.match(/externals:/i)) {
+              findings.push({ ruleId: 'DEPS-049', category: 'dependencies', severity: 'low', title: `Large packages bundled: ${largeDeps.join(', ')} — consider externals`, description: 'Mark large packages as webpack externals if served via CDN. Reduces bundle size for library authors by not duplicating large deps.', file: fp, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-050: workspace package version drift
+  { id: 'DEPS-050', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Monorepo Package Version Inconsistencies',
+    check({ files }) {
+      const findings = [];
+      const packageFiles = [...files.entries()].filter(([fp]) => fp.endsWith('package.json') && !fp.includes('node_modules'));
+      if (packageFiles.length < 2) return findings;
+      const versions = new Map();
+      for (const [fp, c] of packageFiles) {
+        try {
+          const pkg = JSON.parse(c);
+          for (const [dep, ver] of Object.entries({ ...pkg.dependencies, ...pkg.devDependencies })) {
+            if (!versions.has(dep)) versions.set(dep, []);
+            versions.get(dep).push({ file: fp, version: ver });
+          }
+        } catch {}
+      }
+      for (const [dep, entries] of versions) {
+        const uniqueVersions = new Set(entries.map(e => e.version));
+        if (uniqueVersions.size > 1 && ['react', 'typescript', 'webpack', '@nestjs/core'].includes(dep)) {
+          findings.push({ ruleId: 'DEPS-050', category: 'dependencies', severity: 'medium', title: `Monorepo: '${dep}' has ${uniqueVersions.size} different versions`, description: `Align ${dep} version across all packages. Version drift causes subtle compatibility bugs and duplicated bundle code.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-051: Using require() for ES module packages
+  { id: 'DEPS-051', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'require() Used to Import ESM-Only Package',
+    check({ files, stack }) {
+      const findings = [];
+      const esmOnlyPackages = ['chalk', 'ora', 'p-limit', 'execa', 'node-fetch', 'got', 'sindresorhus'];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          for (const pkg of esmOnlyPackages) {
+            if (lines[i].match(new RegExp(`require\\s*\\(['"\`]${pkg}['"\`]\\)`))) {
+              if (pkg in (stack.dependencies || {}) || pkg in (stack.devDependencies || {})) {
+                findings.push({ ruleId: 'DEPS-051', category: 'dependencies', severity: 'medium', title: `require('${pkg}') — this package is ESM-only from v5+`, description: `Use dynamic import() instead of require() for ${pkg}. ESM-only packages cannot be loaded via CommonJS require().`, file: fp, line: i + 1, fix: null });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-052: No .npmrc with security settings
+  { id: 'DEPS-052', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No .npmrc With Security Hardening',
+    check({ files }) {
+      const findings = [];
+      const npmrc = [...files.entries()].find(([f]) => f.match(/\.npmrc$/));
+      if (!npmrc) {
+        findings.push({ ruleId: 'DEPS-052', category: 'dependencies', severity: 'medium', title: 'No .npmrc file — missing npm security hardening', description: 'Create .npmrc with: ignore-scripts=false, audit=true, fund=false, save-exact=true. These settings prevent malicious postinstall scripts and enforce exact version pinning.', fix: null });
+      } else {
+        const content = npmrc[1];
+        if (!content.match(/save-exact\s*=\s*true/)) {
+          findings.push({ ruleId: 'DEPS-052', category: 'dependencies', severity: 'medium', title: '.npmrc without save-exact=true — installed versions may differ across environments', description: 'Add save-exact=true to .npmrc to pin all newly installed packages to exact versions. This prevents accidental minor version upgrades that introduce breaking changes.', file: npmrc[0], fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-053: Installing packages with --unsafe-perm
+  { id: 'DEPS-053', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'npm Install with --unsafe-perm Flag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/Dockerfile[^/]*$/) && !isCIFile(fp) && !fp.match(/Makefile|\.sh$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/npm.*install.*--unsafe-perm|--unsafe-perm.*npm.*install/i)) {
+            findings.push({ ruleId: 'DEPS-053', category: 'dependencies', severity: 'high', title: 'npm install with --unsafe-perm — allows scripts to run as root', description: 'Remove --unsafe-perm. This flag allows npm lifecycle scripts to run with root privileges, enabling malicious packages to take full system control.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-054: Dependency with known malicious version
+  { id: 'DEPS-054', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'Known Malicious Package Version in Dependencies',
+    check({ stack }) {
+      const findings = [];
+      const malicious = { 'event-stream': '3.3.6', 'bootstrap-sass': '3.4.1', 'eslint-scope': '3.7.2', 'getcookies': '1.0.0', 'crossenv': '*' };
+      for (const [pkg, ver] of Object.entries(malicious)) {
+        const installedVer = stack.dependencies?.[pkg] || stack.devDependencies?.[pkg];
+        if (installedVer) {
+          findings.push({ ruleId: 'DEPS-054', category: 'dependencies', severity: 'critical', title: `'${pkg}' was involved in a supply chain attack`, description: `${pkg} (${installedVer}) has a version history involving supply chain compromise. Audit your dependency tree and consider using a different package.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-055: No package integrity verification
+  { id: 'DEPS-055', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Missing Package Integrity Verification (No Lockfile or Integrity Checks)',
+    check({ files }) {
+      const findings = [];
+      const hasLockfile = [...files.keys()].some(f => f.match(/package-lock\.json|yarn\.lock|pnpm-lock\.yaml$/));
+      const hasPackageJson = [...files.keys()].some(f => f.match(/^package\.json$/));
+      if (hasPackageJson && !hasLockfile) {
+        findings.push({ ruleId: 'DEPS-055', category: 'dependencies', severity: 'medium', title: 'No lockfile committed — package integrity cannot be verified', description: 'Commit your lockfile (package-lock.json or yarn.lock). Without a lockfile, npm install resolves different versions each time, breaking reproducibility and making supply chain attacks easier.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPS-056: Package with install hooks and no verification
+  { id: 'DEPS-056', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'Package with postinstall Script Not Audited',
+    check({ files, stack }) {
+      const findings = [];
+      const riskyPkgsWithHooks = ['node-gyp', 'fsevents', 'canvas', 'sharp', 'bcrypt', 'puppeteer', 'cypress', 'electron'];
+      for (const pkg of riskyPkgsWithHooks) {
+        if (pkg in (stack.dependencies || {})) {
+          const npmrcHasIgnoreScripts = [...files.values()].some(c => c.match(/ignore-scripts\s*=\s*true/));
+          if (!npmrcHasIgnoreScripts) {
+            findings.push({ ruleId: 'DEPS-056', category: 'dependencies', severity: 'high', title: `'${pkg}' runs install scripts — review postinstall hooks`, description: `${pkg} runs native build scripts during installation. Ensure you trust this package's integrity. Consider adding ignore-scripts=true and only enabling per-package overrides.`, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-057: No Software Bill of Materials (SBOM) generation
+  { id: 'DEPS-057', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'No SBOM Generation in Build Process',
+    check({ files }) {
+      const findings = [];
+      const hasSBOM = [...files.values()].some(c => c.match(/cyclonedx|sbom|syft|spdx|software.*bill.*materials/i));
+      const hasCICD = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci/));
+      if (hasCICD && !hasSBOM) {
+        findings.push({ ruleId: 'DEPS-057', category: 'dependencies', severity: 'low', title: 'No Software Bill of Materials (SBOM) generated in CI', description: 'Generate an SBOM using @cyclonedx/cyclonedx-npm or syft. Executive Order 14028 and many enterprise customers require an SBOM for security transparency.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // DEPS-058: Direct import of sub-path without checking exports map
+  { id: 'DEPS-058', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Deep Package Imports Without Checking Exports Map',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/from\s+['"`]lodash\/|require\s*\(\s*['"`]lodash\//)) {
+            findings.push({ ruleId: 'DEPS-058', category: 'dependencies', severity: 'low', title: 'Deep import from lodash — consider lodash-es or per-method packages', description: 'Use lodash-es for tree-shaking or import specific methods (import cloneDeep from "lodash/cloneDeep"). Importing all of lodash bundles ~70KB unnecessarily.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // DEPS-059: Missing resolutions for vulnerable transitive dependency
+  { id: 'DEPS-059', category: 'dependencies', severity: 'medium', confidence: 'definite', title: 'No resolutions/overrides for Known Vulnerable Transitive Dependency',
+    check({ files, stack }) {
+      const findings = [];
+      const packageJsonFile = [...files.entries()].find(([f]) => f.match(/^package\.json$/));
+      if (!packageJsonFile) return findings;
+      try {
+        const pkg = JSON.parse(packageJsonFile[1]);
+        if (!pkg.resolutions && !pkg.overrides) {
+          const vulnerableTransitive = ['minimist', 'glob-parent', 'nth-check', 'loader-utils'];
+          for (const dep of vulnerableTransitive) {
+            if (dep in (stack.devDependencies || {})) {
+              findings.push({ ruleId: 'DEPS-059', category: 'dependencies', severity: 'medium', title: `No overrides/resolutions for '${dep}' — vulnerable transitive versions may be installed`, description: 'Use "overrides" (npm) or "resolutions" (yarn) to force a patched version of vulnerable transitive dependencies when direct update is not possible.', fix: null });
+              break;
+            }
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+  // DEPS-060: Using pre-release versions in production
+  { id: 'DEPS-060', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Pre-Release Package Versions in Production Dependencies',
+    check({ stack }) {
+      const findings = [];
+      for (const [pkg, ver] of Object.entries(stack.dependencies || {})) {
+        if (ver.match(/alpha|beta|rc\.|canary|next|preview|-0\.\d/) && !pkg.match(/^@types\//)) {
+          findings.push({ ruleId: 'DEPS-060', category: 'dependencies', severity: 'medium', title: `Production dependency '${pkg}' is a pre-release version (${ver})`, description: `Replace ${pkg}@${ver} with a stable release. Pre-release packages may have breaking changes, incomplete documentation, and are not supported by package maintainers.`, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// DEPS-061: Using deprecated moment.js
+rules.push({
+  id: 'DEPS-061', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'moment.js dependency — deprecated, use date-fns or dayjs',
+  check({ stack }) {
+    const findings = [];
+    if (stack.dependencies?.moment || stack.devDependencies?.moment) {
+      findings.push({ ruleId: 'DEPS-061', category: 'dependencies', severity: 'medium', title: 'moment.js is deprecated and should be replaced with date-fns or dayjs', description: 'moment.js is in maintenance mode and marked as a legacy project. Replace with date-fns (tree-shakeable) or dayjs (2kB, same API) for new code.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-062: Using deprecated request package
+rules.push({
+  id: 'DEPS-062', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'request package deprecated — use node-fetch, got, or axios',
+  check({ stack }) {
+    const findings = [];
+    if (stack.dependencies?.request || stack.devDependencies?.request) {
+      findings.push({ ruleId: 'DEPS-062', category: 'dependencies', severity: 'medium', title: '"request" package is deprecated and unmaintained', description: 'The "request" package was deprecated in 2020. Replace with got (Node.js), node-fetch, or axios which are actively maintained and support modern features.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-063: Using vulnerable version pattern of lodash
+rules.push({
+  id: 'DEPS-063', category: 'dependencies', severity: 'medium', confidence: 'definite', title: 'lodash < 4.17.21 — prototype pollution vulnerability',
+  check({ stack }) {
+    const findings = [];
+    const lodashVer = stack.dependencies?.lodash || stack.devDependencies?.lodash;
+    if (lodashVer) {
+      const match = lodashVer.match(/^[\^~]?(\d+)\.(\d+)\.(\d+)/);
+      if (match) {
+        const [, major, minor, patch] = match.map(Number);
+        if (major < 4 || (major === 4 && minor < 17) || (major === 4 && minor === 17 && patch < 21)) {
+          findings.push({ ruleId: 'DEPS-063', category: 'dependencies', severity: 'medium', title: `lodash@${lodashVer} has known prototype pollution vulnerabilities`, description: 'Upgrade lodash to >= 4.17.21. Older versions are vulnerable to prototype pollution (CVE-2020-8203, CVE-2019-10744).', fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-064: Using log4j or vulnerable log libraries
+rules.push({
+  id: 'DEPS-064', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'Vulnerable logging library version detected',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    // Check for log4j (Java via node build tools is unusual, but check)
+    if (allDeps['log4js']) {
+      const ver = allDeps['log4js'];
+      const m = ver.match(/^[\^~]?(\d+)/);
+      if (m && parseInt(m[1]) < 6) {
+        findings.push({ ruleId: 'DEPS-064', category: 'dependencies', severity: 'high', title: `log4js@${ver} — upgrade to >= 6.4.1 for security fixes`, description: 'Older versions of log4js have known vulnerabilities. Upgrade to the latest stable version.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-065: Too many dependencies (bundle bloat)
+rules.push({
+  id: 'DEPS-065', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Very large number of direct production dependencies',
+  check({ stack }) {
+    const findings = [];
+    const depCount = Object.keys(stack.dependencies || {}).length;
+    if (depCount > 100) {
+      findings.push({ ruleId: 'DEPS-065', category: 'dependencies', severity: 'low', title: `${depCount} direct production dependencies — consider consolidation`, description: 'A large number of direct dependencies increases supply chain risk, bundle size, and maintenance burden. Audit with npm ls --depth=0 and remove unused packages.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-066: Missing package-lock.json or yarn.lock
+rules.push({
+  id: 'DEPS-066', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'No lockfile found — non-deterministic installs',
+  check({ files, stack }) {
+    const findings = [];
+    const hasPackageJson = [...files.keys()].some(f => f.match(/^package\.json$|\/package\.json$/));
+    const hasLockfile = [...files.keys()].some(f => f.match(/package-lock\.json$|yarn\.lock$|pnpm-lock\.yaml$/));
+    if (hasPackageJson && !hasLockfile) {
+      findings.push({ ruleId: 'DEPS-066', category: 'dependencies', severity: 'high', title: 'No lockfile (package-lock.json/yarn.lock) — installs are non-deterministic', description: 'Without a lockfile, npm install may resolve different package versions across environments. Commit your lockfile to ensure reproducible builds.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-067: Using node_modules in Dockerfile COPY
+rules.push({
+  id: 'DEPS-067', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'node_modules copied into Docker image — not rebuilt from lockfile',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*#/.test(lines[i])) continue;
+        if (/^COPY\s+node_modules/.test(lines[i])) {
+          findings.push({ ruleId: 'DEPS-067', category: 'dependencies', severity: 'medium', title: 'Dockerfile copies node_modules from host — use npm ci instead', description: 'COPY node_modules copies your local dev dependencies into the image. Use COPY package*.json ./ && RUN npm ci --only=production for clean production installs.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-068: Using npm install instead of npm ci in CI
+rules.push({
+  id: 'DEPS-068', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'CI pipeline uses npm install instead of npm ci',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.ya?ml$|Makefile|Jenkinsfile/)) continue;
+      if (!fp.match(/\.github|\.gitlab|circleci|jenkins|travis|ci\//i) && !fp.match(/Makefile|Jenkinsfile/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*#/.test(lines[i])) continue;
+        if (/\bnpm\s+install\b/.test(lines[i]) && !/npm\s+install\s+\w+/.test(lines[i])) {
+          findings.push({ ruleId: 'DEPS-068', category: 'dependencies', severity: 'medium', title: 'CI uses "npm install" — use "npm ci" for reproducible installs', description: 'npm ci installs exact versions from package-lock.json and is faster in CI. npm install may upgrade packages and modify the lockfile.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-069: Peer dependency version mismatch risk
+rules.push({
+  id: 'DEPS-069', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'peerDependencies not pinned — silent version mismatch risk',
+  check({ stack }) {
+    const findings = [];
+    const peers = stack.peerDependencies || {};
+    for (const [pkg, ver] of Object.entries(peers)) {
+      if (/^\*$|^>=\d|^>/.test(ver)) {
+        findings.push({ ruleId: 'DEPS-069', category: 'dependencies', severity: 'low', title: `peerDependency "${pkg}": "${ver}" — overly permissive range`, description: 'Overly permissive peer dependency ranges may result in incompatible versions being installed silently. Specify a precise range like "^18.0.0" instead of ">=14".', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-070: Using rimraf < 4 (security update)
+rules.push({
+  id: 'DEPS-070', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Using outdated build tool with known issues',
+  check({ stack }) {
+    const findings = [];
+    const outdatedTools = {
+      'node-uuid': 'Use the "uuid" package instead — node-uuid is deprecated',
+      'jade': 'jade was renamed to pug — replace with pug package',
+      'grunt': 'Consider migrating from grunt to npm scripts or a modern bundler',
+    };
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    for (const [pkg, msg] of Object.entries(outdatedTools)) {
+      if (allDeps[pkg]) {
+        findings.push({ ruleId: 'DEPS-070', category: 'dependencies', severity: 'low', title: `Deprecated package "${pkg}" found`, description: msg, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-071: Using known-vulnerable serialize-javascript version
+rules.push({
+  id: 'DEPS-071', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'serialize-javascript < 3.1.0 — XSS vulnerability (CVE-2020-7660)',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const ver = allDeps['serialize-javascript'];
+    if (ver) {
+      const m = ver.match(/^[\^~]?(\d+)\.(\d+)/);
+      if (m && (parseInt(m[1]) < 3 || (parseInt(m[1]) === 3 && parseInt(m[2]) < 1))) {
+        findings.push({ ruleId: 'DEPS-071', category: 'dependencies', severity: 'high', title: `serialize-javascript@${ver} has XSS vulnerability (CVE-2020-7660)`, description: 'Upgrade serialize-javascript to >= 3.1.0 to fix a vulnerability where malicious HTML characters were not escaped.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-072: No dependency vulnerability scanning in CI
+rules.push({
+  id: 'DEPS-072', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'No dependency vulnerability scan in CI pipeline',
+  check({ files }) {
+    const findings = [];
+    const hasCIFile = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci|\.circleci|Jenkinsfile/i));
+    const hasAudit = [...files.values()].some(c => /npm\s+audit|yarn\s+audit|snyk\s+test|grype|trivy|ossindex/i.test(c));
+    if (hasCIFile && !hasAudit) {
+      findings.push({ ruleId: 'DEPS-072', category: 'dependencies', severity: 'high', title: 'CI pipeline without dependency vulnerability scanning', description: 'Add npm audit, Snyk, or Trivy to your CI pipeline to automatically detect known vulnerabilities in dependencies before deployment.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-073 through DEPS-100: Additional dependency rules
+
+// DEPS-073: Using deprecated crypto module APIs
+rules.push({
+  id: 'DEPS-073', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Dependency using deprecated Node.js crypto APIs',
+  check({ stack }) {
+    const findings = [];
+    const deprecatedPackages = ['node-uuid', 'csprng', 'secure-random'];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    for (const pkg of deprecatedPackages) {
+      if (allDeps[pkg]) {
+        findings.push({ ruleId: 'DEPS-073', category: 'dependencies', severity: 'medium', title: `Package "${pkg}" is deprecated`, description: `${pkg} is deprecated. Use crypto.randomBytes() or crypto.randomUUID() from Node.js built-in crypto module instead.`, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-074: Transitive dependency on insecure crypto
+rules.push({
+  id: 'DEPS-074', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Package known to depend on deprecated or weak crypto',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const weakCryptoDeps = ['md5', 'sha1', 'sha.js', 'des', 'rc4'];
+    for (const pkg of weakCryptoDeps) {
+      if (allDeps[pkg]) {
+        findings.push({ ruleId: 'DEPS-074', category: 'dependencies', severity: 'medium', title: `Direct dependency on weak crypto package "${pkg}"`, description: `${pkg} implements a cryptographically broken algorithm. Remove this dependency and use Node.js built-in crypto module with AES-256-GCM or SHA-256+.`, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-075: Using eval-based templating engines
+rules.push({
+  id: 'DEPS-075', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Template engine that uses eval() — code injection risk',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const evalEngines = ['jade', 'doT', 'underscore.template'];
+    for (const pkg of evalEngines) {
+      if (allDeps[pkg]) {
+        findings.push({ ruleId: 'DEPS-075', category: 'dependencies', severity: 'medium', title: `Template engine "${pkg}" uses eval() — template injection risk`, description: `${pkg} uses eval() which can execute arbitrary code if template strings contain user input. Consider safer alternatives or ensure templates are never constructed from user input.`, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-076: Using known-vulnerable version of minimist
+rules.push({
+  id: 'DEPS-076', category: 'dependencies', severity: 'medium', confidence: 'definite', title: 'minimist < 1.2.6 — prototype pollution vulnerability',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const ver = allDeps['minimist'];
+    if (ver) {
+      const m = ver.match(/^[\^~]?(\d+)\.(\d+)\.(\d+)/);
+      if (m) {
+        const [, major, minor, patch] = m.map(Number);
+        if (major < 1 || (major === 1 && minor < 2) || (major === 1 && minor === 2 && patch < 6)) {
+          findings.push({ ruleId: 'DEPS-076', category: 'dependencies', severity: 'medium', title: `minimist@${ver} has prototype pollution vulnerability`, description: 'Upgrade minimist to >= 1.2.6 to fix CVE-2021-44906 (prototype pollution).', fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-077: Package.json engines field missing
+rules.push({
+  id: 'DEPS-077', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'No engines field in package.json — any Node version may be used',
+  check({ files, stack }) {
+    const findings = [];
+    if (!stack.engines?.node) {
+      const hasPackageJson = [...files.keys()].some(f => f.match(/^package\.json$|\/package\.json$/));
+      if (hasPackageJson) {
+        findings.push({ ruleId: 'DEPS-077', category: 'dependencies', severity: 'low', title: 'package.json without engines.node — no Node.js version constraint', description: 'Specify the required Node.js version in package.json "engines": { "node": ">=18.0.0" } to prevent running on incompatible versions.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-078: Using sync-only library in async context
+rules.push({
+  id: 'DEPS-078', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Synchronous-only library used in async/server context',
+  check({ stack, files }) {
+    const findings = [];
+    const syncLibs = ['sync-request', 'xmlhttprequest'];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const hasServer = [...files.values()].some(c => /express|fastify|koa|hapi/i.test(c));
+    for (const pkg of syncLibs) {
+      if (allDeps[pkg] && hasServer) {
+        findings.push({ ruleId: 'DEPS-078', category: 'dependencies', severity: 'medium', title: `"${pkg}" makes synchronous HTTP requests — blocks Node.js event loop`, description: `${pkg} performs synchronous I/O which blocks the event loop. Use an async HTTP client (fetch, axios, got) instead.`, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-079: Using test framework in production dependencies
+rules.push({
+  id: 'DEPS-079', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Test framework installed as production dependency',
+  check({ stack }) {
+    const findings = [];
+    const testLibs = ['jest', 'mocha', 'jasmine', 'chai', 'sinon', 'supertest', 'nock', 'enzyme'];
+    for (const pkg of testLibs) {
+      if (stack.dependencies?.[pkg]) {
+        findings.push({ ruleId: 'DEPS-079', category: 'dependencies', severity: 'medium', title: `Test framework "${pkg}" in production dependencies`, description: `Move ${pkg} to devDependencies. Test frameworks should not be included in production builds as they increase bundle size and attack surface.`, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-080: Using multiple HTTP client libraries
+rules.push({
+  id: 'DEPS-080', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Multiple HTTP client libraries installed — unnecessary duplication',
+  check({ stack }) {
+    const findings = [];
+    const httpClients = ['axios', 'node-fetch', 'got', 'superagent', 'request', 'ky', 'undici'];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const usedClients = httpClients.filter(c => allDeps[c]);
+    if (usedClients.length > 2) {
+      findings.push({ ruleId: 'DEPS-080', category: 'dependencies', severity: 'low', title: `${usedClients.length} HTTP clients installed: ${usedClients.join(', ')} — standardize on one`, description: 'Multiple HTTP client libraries increase bundle size and maintenance overhead. Choose one (axios or node-fetch) and remove the rest.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-081: Using deprecated helmet middleware version
+rules.push({
+  id: 'DEPS-081', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'helmet.js < 4.0.0 — legacy version with different defaults',
+  check({ stack }) {
+    const findings = [];
+    const ver = stack.dependencies?.helmet || stack.devDependencies?.helmet;
+    if (ver) {
+      const m = ver.match(/^[\^~]?(\d+)/);
+      if (m && parseInt(m[1]) < 4) {
+        findings.push({ ruleId: 'DEPS-081', category: 'dependencies', severity: 'medium', title: `helmet@${ver} is a legacy version — upgrade to helmet@7+`, description: 'helmet 4+ has much stricter security defaults including Content-Security-Policy. Upgrade and review the new defaults for your application.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-082: Using body-parser instead of express built-in
+rules.push({
+  id: 'DEPS-082', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'body-parser installed — use express.json() built-in instead',
+  check({ stack }) {
+    const findings = [];
+    if (stack.dependencies?.['body-parser'] && stack.dependencies?.express) {
+      const expressVer = stack.dependencies.express;
+      const m = expressVer.match(/^[\^~]?(\d+)/);
+      if (m && parseInt(m[1]) >= 4) {
+        findings.push({ ruleId: 'DEPS-082', category: 'dependencies', severity: 'low', title: 'body-parser is a separate dependency — express.json() is built in since Express 4.16+', description: 'Remove the body-parser package and use app.use(express.json()) and app.use(express.urlencoded()) directly. body-parser is now built into Express.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-083 through DEPS-100
+
+// DEPS-083: Using unsafe-regex in code
+rules.push({
+  id: 'DEPS-083', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No safe-regex or validator for user-provided patterns',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const hasUserRegex = Object.keys(allDeps).some(d => d.match(/validator|express-validator|joi|zod/));
+    const hasSafeRegex = Object.keys(allDeps).some(d => d.match(/safe-regex|re2|regexp-tree/));
+    // Only flag if there's a web framework (meaning user input) without safe regex tools
+    const hasWebFramework = Object.keys(allDeps).some(d => d.match(/^express$|^fastify$|^koa$/));
+    if (hasWebFramework && !hasSafeRegex) {
+      findings.push({ ruleId: 'DEPS-083', category: 'dependencies', severity: 'medium', title: 'No safe-regex or RE2 library — ReDoS attacks possible with user-provided patterns', description: 'If users can provide regex patterns, use the "safe-regex" package to check patterns or "re2" for linear-time regex evaluation.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-084: Using nodemon in production
+rules.push({
+  id: 'DEPS-084', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'nodemon installed as production dependency',
+  check({ stack }) {
+    const findings = [];
+    if (stack.dependencies?.nodemon) {
+      findings.push({ ruleId: 'DEPS-084', category: 'dependencies', severity: 'high', title: 'nodemon in production dependencies — restarts server on any file change', description: 'nodemon is a development tool. Move it to devDependencies and use pm2, forever, or systemd for production process management.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-085: Using outdated major version of Express
+rules.push({
+  id: 'DEPS-085', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Express.js version 3.x — end of life',
+  check({ stack }) {
+    const findings = [];
+    const ver = stack.dependencies?.express;
+    if (ver) {
+      const m = ver.match(/^[\^~]?(\d+)/);
+      if (m && parseInt(m[1]) < 4) {
+        findings.push({ ruleId: 'DEPS-085', category: 'dependencies', severity: 'medium', title: `express@${ver} is end-of-life — upgrade to Express 4.x or 5.x`, description: 'Express 3.x is end-of-life and receives no security patches. Upgrade to Express 4.x (stable) or 5.x (latest).', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-086: Using passport.js without session store
+rules.push({
+  id: 'DEPS-086', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'passport.js without explicit session store — using insecure MemoryStore',
+  check({ stack, files }) {
+    const findings = [];
+    if ((stack.dependencies?.passport || stack.dependencies?.['passport-local']) &&
+        !Object.keys({ ...stack.dependencies, ...stack.devDependencies }).some(d => d.match(/connect-redis|connect-mongo|express-session.*store|session-store/i))) {
+      const hasMemoryStoreWarning = [...files.values()].some(c => /MemoryStore|connect-redis|connect-mongo|session.*store/i.test(c));
+      if (!hasMemoryStoreWarning) {
+        findings.push({ ruleId: 'DEPS-086', category: 'dependencies', severity: 'medium', title: 'passport.js without persistent session store — MemoryStore leaks on restart', description: 'The default MemoryStore is not suitable for production — it leaks memory and sessions are lost on restart. Use connect-redis or connect-mongo.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-087: Multiple versions of same package type
+rules.push({
+  id: 'DEPS-087', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'Duplicate utility libraries of same category',
+  check({ stack }) {
+    const findings = [];
+    const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+    const loggers = ['winston', 'pino', 'bunyan', 'morgan', 'log4js'].filter(d => allDeps[d]);
+    if (loggers.length > 2) {
+      findings.push({ ruleId: 'DEPS-087', category: 'dependencies', severity: 'low', title: `Multiple logging libraries: ${loggers.join(', ')} — standardize on one`, description: 'Using multiple logging libraries creates inconsistent log formatting and increases bundle size. Standardize on one: pino (fastest) or winston (most features).', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-088: Missing integrity subresource check
+rules.push({
+  id: 'DEPS-088', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'External CDN script without Subresource Integrity (SRI) hash',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.html$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*<!--/.test(lines[i])) continue;
+        if (/<script[^>]+src\s*=\s*["']https?:\/\//.test(lines[i]) && !/integrity\s*=/.test(lines[i])) {
+          findings.push({ ruleId: 'DEPS-088', category: 'dependencies', severity: 'medium', title: 'CDN script without integrity attribute — supply chain attack possible', description: 'Add integrity and crossorigin attributes to CDN scripts: <script integrity="sha384-..." crossorigin="anonymous">. This prevents execution of tampered files.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-089: Using dev dependencies in Docker build
+rules.push({
+  id: 'DEPS-089', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Dockerfile installs all dependencies including devDependencies',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      if (c.match(/npm\s+(?:ci|install)\b/) && !c.match(/npm\s+ci.*--omit=dev|npm\s+ci.*--production|npm\s+install.*--production/)) {
+        findings.push({ ruleId: 'DEPS-089', category: 'dependencies', severity: 'medium', title: 'Dockerfile installs devDependencies — increases image size and attack surface', description: 'Use npm ci --omit=dev (or NODE_ENV=production npm ci) in your production Dockerfile to exclude development dependencies.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-090: Missing license compliance check
+rules.push({
+  id: 'DEPS-090', category: 'dependencies', severity: 'low', confidence: 'likely', title: 'No license compliance check in CI/CD',
+  check({ files }) {
+    const findings = [];
+    const hasCIFile = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci|\.circleci/i));
+    const hasLicenseCheck = [...files.values()].some(c => /license-checker|licensee|fossa|snyk.*license|license.*audit/i.test(c));
+    if (hasCIFile && !hasLicenseCheck) {
+      findings.push({ ruleId: 'DEPS-090', category: 'dependencies', severity: 'low', title: 'No license compliance check — copyleft licenses may affect IP', description: 'Add license-checker to CI to detect dependencies with restrictive licenses (GPL, AGPL) that could affect your IP or distribution rights.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-091: Using npm shrinkwrap instead of package-lock.json
+rules.push({
+  id: 'DEPS-091', category: 'dependencies', severity: 'low', confidence: 'suggestion', title: 'npm-shrinkwrap.json used instead of package-lock.json',
+  check({ files }) {
+    const findings = [];
+    const hasShrinkwrap = [...files.keys()].some(f => f.endsWith('npm-shrinkwrap.json'));
+    if (hasShrinkwrap) findings.push({ ruleId: 'DEPS-091', category: 'dependencies', severity: 'low', title: 'npm-shrinkwrap.json is obsolete — use package-lock.json instead', description: 'package-lock.json is the modern standard for lock files. npm-shrinkwrap.json is only needed for published packages.', file: 'npm-shrinkwrap.json', fix: null });
+    return findings;
+  },
+});
+
+// DEPS-092: Sharp/canvas without pre-built binaries
+rules.push({
+  id: 'DEPS-092', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'sharp or canvas dependency without native binary considerations',
+  check({ files, stack }) {
+    const findings = [];
+    if (stack.dependencies?.['sharp'] || stack.dependencies?.['canvas']) {
+      const hasBuildStep = [...files.keys()].some(f => f.endsWith('Dockerfile') || f.endsWith('.dockerfile'));
+      if (hasBuildStep) {
+        const pkg = stack.dependencies?.['sharp'] ? 'sharp' : 'canvas';
+        const dockerFile = [...files.keys()].find(f => f.endsWith('Dockerfile'));
+        if (dockerFile) {
+          const dc = files.get(dockerFile) || '';
+          if (!/build-essential|python3|node-gyp/.test(dc)) findings.push({ ruleId: 'DEPS-092', category: 'dependencies', severity: 'medium', title: `${pkg} requires native build tools in Docker image`, description: `Add build-essential, python3, and node-gyp to your Dockerfile when building ${pkg} from source.`, file: dockerFile, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-093: express-validator not used with express
+rules.push({
+  id: 'DEPS-093', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'Express used without input validation library',
+  check({ files, stack }) {
+    const findings = [];
+    if (!stack.dependencies?.['express']) return findings;
+    const hasValidator = stack.dependencies?.['express-validator'] || stack.dependencies?.['joi'] || stack.dependencies?.['zod'] || stack.dependencies?.['yup'];
+    if (!hasValidator) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPS-093', category: 'dependencies', severity: 'medium', title: 'Express application without a validation library', description: 'Add express-validator, joi, or zod to validate and sanitize request data.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-094: Vulnerable version of axios
+rules.push({
+  id: 'DEPS-094', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'axios version below 0.28.0 — SSRF vulnerability (CVE-2023-45857)',
+  check({ files, stack }) {
+    const findings = [];
+    const ver = stack.dependencies?.['axios'];
+    if (ver) {
+      const match = ver.match(/^[~^]?(\d+)\.(\d+)\.(\d+)/);
+      if (match) {
+        const [, major, minor] = match.map(Number);
+        if (major === 0 && minor < 28) {
+          const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+          if (pkgJson) findings.push({ ruleId: 'DEPS-094', category: 'dependencies', severity: 'high', title: 'axios < 0.28.0 has SSRF vulnerability (CVE-2023-45857)', description: 'Upgrade axios to 0.28.0 or 1.x to fix CSRF header exposure vulnerability.', file: pkgJson, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-095: vm2 package (abandoned, RCE vulnerabilities)
+rules.push({
+  id: 'DEPS-095', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'vm2 package is abandoned and has multiple RCE vulnerabilities',
+  check({ files, stack }) {
+    const findings = [];
+    if (stack.dependencies?.['vm2']) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPS-095', category: 'dependencies', severity: 'critical', title: 'vm2 is abandoned (CVE-2023-29017, CVE-2023-37466) — multiple sandbox escape RCEs', description: 'Replace vm2 with isolated-vm or a separate process for sandboxing. vm2 is no longer maintained.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-096: jsonwebtoken < 9.0.0
+rules.push({
+  id: 'DEPS-096', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'jsonwebtoken < 9.0.0 — CVE-2022-23529 vulnerability',
+  check({ files, stack }) {
+    const findings = [];
+    const ver = stack.dependencies?.['jsonwebtoken'];
+    if (ver) {
+      const match = ver.match(/^[~^]?(\d+)/);
+      if (match && parseInt(match[1]) < 9) {
+        const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+        if (pkgJson) findings.push({ ruleId: 'DEPS-096', category: 'dependencies', severity: 'critical', title: 'jsonwebtoken < 9.0.0 has critical vulnerability (CVE-2022-23529)', description: 'Upgrade jsonwebtoken to >= 9.0.0 to fix the vulnerability.', file: pkgJson, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-097: @actions/core before 1.10.0 (log injection)
+rules.push({
+  id: 'DEPS-097', category: 'dependencies', severity: 'high', confidence: 'definite', title: '@actions/core < 1.10.0 — GitHub Actions log injection vulnerability',
+  check({ files, stack }) {
+    const findings = [];
+    const ver = stack.dependencies?.['@actions/core'] || stack.devDependencies?.['@actions/core'];
+    if (ver) {
+      const match = ver.match(/^[~^]?(\d+)\.(\d+)/);
+      if (match) {
+        const [, major, minor] = match.map(Number);
+        if (major === 1 && minor < 10) {
+          const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+          if (pkgJson) findings.push({ ruleId: 'DEPS-097', category: 'dependencies', severity: 'high', title: '@actions/core < 1.10.0 — log injection vulnerability', description: 'Upgrade @actions/core to >= 1.10.0 to fix log injection vulnerability.', file: pkgJson, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// DEPS-098: Using deprecated xmldom package
+rules.push({
+  id: 'DEPS-098', category: 'dependencies', severity: 'high', confidence: 'likely', title: 'xmldom package has multiple XXE vulnerabilities',
+  check({ files, stack }) {
+    const findings = [];
+    if (stack.dependencies?.['xmldom']) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPS-098', category: 'dependencies', severity: 'high', title: 'xmldom has known XXE vulnerabilities — use @xmldom/xmldom instead', description: 'Replace xmldom with @xmldom/xmldom which has security fixes applied.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-099: No .npmrc with package integrity settings
+rules.push({
+  id: 'DEPS-099', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'No .npmrc with audit settings configured',
+  check({ files }) {
+    const findings = [];
+    const hasNpmrc = [...files.keys()].some(f => f.endsWith('.npmrc'));
+    if (!hasNpmrc) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'DEPS-099', category: 'dependencies', severity: 'medium', title: 'No .npmrc file — audit-level and save-exact not configured', description: 'Create .npmrc with: audit-level=moderate and save-exact=true to enforce security standards.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// DEPS-100: Cookie library without secure defaults
+rules.push({
+  id: 'DEPS-100', category: 'dependencies', severity: 'medium', confidence: 'likely', title: 'cookie package used without Secure/HttpOnly defaults',
+  check({ files, stack }) {
+    const findings = [];
+    if (!stack.dependencies?.['cookie'] && !stack.dependencies?.['cookies']) return findings;
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/cookie\.serialize\s*\(|cookies\.set\s*\(/.test(c) && !/secure\s*:\s*true|httpOnly\s*:\s*true/.test(c)) {
+        findings.push({ ruleId: 'DEPS-100', category: 'dependencies', severity: 'medium', title: 'Cookie set without secure/httpOnly options', description: 'Always set secure: true and httpOnly: true when setting cookies to prevent MITM and XSS theft.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});