dependency-auditlisted

You are performing a dependency update audit on the current project. The skill is **read-only by default**: it produces a decision report; it never modifies `package.json`, lockfiles, or any source. ## Step 0 — Stack detection + scope resolution Detect the project stack from the manifest file present at the project root: | Manifest | Stack | Inventory command | |---|---|---| | `package.json` | node-ts / node-js | `npm outdated --json` (or `pnpm outdated --format json` if `pnpm-lock.yaml` exists) | | `pyproject.toml` or `requirements.txt` | python | `pip list --outdated --format=json` (or `uv pip list --outdated --format json` if `uv.lock` exists) | | `Package.swift` | swift | `swift package show-dependencies --format json` + manual upstream check | | `Cargo.toml` | rust | `cargo outdated --format json` (requires `cargo-outdated`; fall back to `cargo update --dry-run` if absent) | | `go.mod` | go | `go list -u -m -json all` | | `Gemfile` | ruby | `bundle outdated --parseable` | | `pom.xml` or `build.gradle*` | java / kotlin | Maven `versions:display-dependency-updates` or Gradle `dependencyUpdates` | | `*.csproj` | dotnet | `dotnet list package --outdated --format json` | If the manifest is absent or unrecognized, STOP and report `not applicable: stack not detected`. If a sibling `PATTERNS.md` exists for the detected stack, load it for tier classification. Otherwise apply only the agnostic Tier rules in this body. Parse `$ARGUMENTS` for `tier:` and `pkg:` filters. | Fil