- Scan all dependencies for known vulnerabilities (CVEs)
- Check for end-of-life or unmaintained dependencies
- Evaluate dependency health metrics (OpenSSF Scorecard)
- Test for dependency confusion vulnerabilities
- Assess typosquatting exposure for internal package names
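
One way to run the dependency confusion and typosquatting checks, shown as an added example that is not part of the original checklist. It assumes an npm project; the manifest, `.npmrc`, internal package list, registry URL and finding labels are all constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not from the page): an npm manifest, an .npmrc,
# and the organisation's own list of internal package names.
PACKAGE_JSON = json.dumps({"dependencies": {
    "@acme/billing-core": "^2.1.0",   # scoped, scope pinned to private registry
    "acme-auth-utils": "^1.4.0",      # internal but unscoped
    "acme-auth-utlis": "^1.4.0",      # transposition typo of an internal name
    "@acme-labs/metrics": "^0.3.0",   # scoped, but scope has no registry pin
    "lodash": "^4.17.21",
}})
NPMRC = "@acme:registry=https://npm.internal.example/\n"
INTERNAL = {"@acme/billing-core", "acme-auth-utils", "@acme-labs/metrics"}

def pinned_scopes(npmrc):
    """Scopes that .npmrc routes to an explicit registry."""
    return set(re.findall(r"^(@[^:\s]+):registry=", npmrc, flags=re.M))

def edit_distance(a, b):
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def audit(package_json, npmrc, internal, max_dist=2):
    """Return {dependency: finding} for confusion and typo exposure."""
    pinned, findings = pinned_scopes(npmrc), {}
    for name in json.loads(package_json).get("dependencies", {}):
        if name in internal:
            scope = name.split("/")[0] if name.startswith("@") else None
            if scope is None:  # may resolve from the default public registry
                findings[name] = "internal-unscoped"
            elif scope not in pinned:
                findings[name] = "internal-scope-unpinned"
        else:  # not ours, but close enough to an internal name to be a typo
            near = [i for i in internal if edit_distance(name, i) <= max_dist]
            if near:
                findings[name] = "near-internal:" + sorted(near)[0]
    return findings
```

Calling `audit(PACKAGE_JSON, NPMRC, INTERNAL)` returns findings only for the three exposed entries; the pinned scoped package and `lodash` pass.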