
Dependency And Supply-Chain Risk Review

Reviews added or updated dependencies for security, licensing, maintenance, and bloat risks before merge.

Role-Based

Prompt

ROLE: You are a reviewer assessing the risk of adding or upgrading third-party dependencies.

CONTEXT: The change below adds/updates dependencies in [ECOSYSTEM, e.g. npm/pip/cargo/maven]. The project's constraints: [LICENSE_POLICY], [SECURITY_POLICY], target [RUNTIME/SIZE_BUDGET].

DEPENDENCY CHANGES:
[PASTE_MANIFEST_DIFF_OR_LIST]

TASK:
1. For each added/updated package, assess: purpose and whether it is justified versus the standard library or existing deps; maintenance health (recency, maintainers, open critical issues); known vulnerabilities; and license compatibility.
2. Evaluate transitive dependency footprint and bundle/size impact, flagging heavy or duplicated trees.
3. Identify supply-chain red flags: typosquatting risk, recently transferred ownership, install scripts, and pinning/lockfile hygiene.
4. Recommend whether to approve, pin to a specific version, replace with a lighter alternative, or vendor/remove.
5. Note what the lockfile and CI should enforce going forward (audit, allowlist, SBOM).

OUTPUT FORMAT:
- 'Per-dependency verdict' (package | purpose | risk | recommendation).
- 'Supply-chain flags' (list).
- 'Footprint impact' (size/transitive notes).
- 'Overall recommendation' (APPROVE / APPROVE WITH PINS / REJECT).

CONSTRAINTS: Prefer fewer, well-maintained dependencies; question any package that duplicates existing capability. Do not approve unpinned floating versions for security-sensitive packages. Flag any incompatible or copyleft license against the stated policy.
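Tasks 3 and 5 and the constraints above describe mechanical checks that a reviewer (or CI) can run before the judgement calls. The following is an added example, not part of the prompt or any tool it names: it diffs two npm-style dependency maps, then flags floating version specifiers, lifecycle install scripts and package names within a small edit distance of a well-known package, and rolls the per-dependency verdicts up into the APPROVE / APPROVE WITH PINS / REJECT outcome the output format asks for. The manifests, the registry metadata and the lookalike name `lodahs` are constructed inputs; in practice the metadata would come from the registry (for npm, `npm view <pkg> scripts`), and the well-known and security-sensitive lists from the project's own allowlist policy.

```python
"""Manifest hygiene pass for dependency review (added example, constructed inputs)."""
import re

# An exact semver, optionally with a pre-release/build suffix. Anything else
# (^ and ~ ranges, '*', 'latest', dist-tags, git/http URLs) is treated as floating.
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
LOOKALIKE_MAX_DISTANCE = 2  # heuristic threshold for typosquat candidates


def is_pinned(spec: str) -> bool:
    """True only for an exact version; ranges, tags and URLs are not reproducible."""
    return EXACT_SEMVER.fullmatch(spec.strip()) is not None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a cheap lookalike-name heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def diff_dependencies(before: dict, after: dict) -> dict:
    """Return {name: (old_spec, new_spec)} for packages added or changed in `after`."""
    return {name: (before.get(name), spec)
            for name, spec in after.items() if before.get(name) != spec}


def review_changes(before, after, registry_meta, well_known, security_sensitive):
    """Per-dependency verdicts plus an overall APPROVE / APPROVE WITH PINS / REJECT."""
    rank = {"APPROVE": 0, "APPROVE WITH PINS": 1, "REJECT": 2}
    overall = "APPROVE"
    verdicts = {}
    for name, (old, new) in diff_dependencies(before, after).items():
        flags = []
        if not is_pinned(new):
            flags.append("floating-version")
            if name in security_sensitive:
                flags.append("security-sensitive-floating")
        # registry_meta stands in for registry data; a lifecycle hook runs code at install time
        scripts = registry_meta.get(name, {}).get("scripts", {})
        if any(hook in scripts for hook in INSTALL_HOOKS):
            flags.append("install-script")
        for known in sorted(well_known):
            if name != known and edit_distance(name, known) <= LOOKALIKE_MAX_DISTANCE:
                flags.append(f"lookalike-name:{known}")

        # Conservative defaults: lookalikes and install scripts block until a human confirms.
        if any(f.startswith("lookalike-name") for f in flags):
            rec, level = "REJECT: confirm intended package name", "REJECT"
        elif "install-script" in flags:
            rec, level = "REJECT: inspect install script before merge", "REJECT"
        elif "security-sensitive-floating" in flags:
            rec, level = "REJECT: pin exact version", "REJECT"
        elif "floating-version" in flags:
            rec, level = "PIN: replace range with exact version", "APPROVE WITH PINS"
        else:
            rec, level = "APPROVE", "APPROVE"
        verdicts[name] = {"old": old, "new": new, "flags": flags, "recommendation": rec}
        if rank[level] > rank[overall]:
            overall = level
    return {"verdicts": verdicts, "overall": overall}


# Constructed sample inputs: a manifest before and after a change.
BEFORE = {"express": "4.18.2", "lodash": "4.17.21"}
AFTER = {
    "express": "^4.19.0",       # upgraded, but now a range
    "lodash": "4.17.21",        # unchanged
    "lodahs": "1.0.0",          # constructed lookalike of lodash
    "jsonwebtoken": "*",        # security-sensitive and unpinned
    "left-pad": "1.3.0",        # pinned, no hooks
}
REGISTRY_META = {"lodahs": {"scripts": {"postinstall": "node setup.js"}}}  # constructed
WELL_KNOWN = {"lodash", "express", "react"}
SECURITY_SENSITIVE = {"jsonwebtoken"}

if __name__ == "__main__":
    report = review_changes(BEFORE, AFTER, REGISTRY_META, WELL_KNOWN, SECURITY_SENSITIVE)
    for pkg, v in report["verdicts"].items():
        print(f"{pkg} | {v['old']} -> {v['new']} | {v['flags']} | {v['recommendation']}")
    print("Overall:", report["overall"])
```

The checks are deliberately the cheap, deterministic ones; maintenance health, license compatibility and known-vulnerability lookups still need registry or advisory data and the reviewer's judgement, which is what the prompt's tasks 1 and 4 cover.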

Recommended models

claude, gpt-4o, gemini
