ABC Corp is a fictional company. Every name, number and date is invented. This is a reference artifact generated with an LLM coding agent; the brief that produces it is at the bottom of this page.
| Package | Current → latest | Advisories | Licence | Blast radius |
|---|---|---|---|---|
| corelib-httpclient | 4.2.9 → 5.1.0 | ADV-2026-0042, ADV-2026-0057 | Permissive | HIGH · 14 modules |
| fastjson-parser | 2.8.1 → 3.0.4 | ADV-2026-0061 | Permissive | HIGH · 11 modules |
| yaml-config-lite | 1.4.0 → 1.6.2 | ADV-2026-0049 | Permissive | MED · 6 modules |
| pdfforge-lite | 0.9.4 → 1.2.0 | none | strong copyleft · legal review | LOW · 1 module |
| quartzite-scheduler | 3.3.7 → 4.0.1 | none | Permissive | HIGH · 9 modules |
| sqlbridge-pool | 5.0.2 → 5.4.0 | none | Permissive | MED · 7 modules |
| authtoken-kit | 2.1.3 → 2.3.0 | none | Permissive | MED · 5 modules |
| metrica-collector | 1.9.0 → 2.1.1 | none | Permissive | MED · 5 modules |
| retryflow | 0.7.2 → 0.8.0 | none | Permissive | LOW · 3 modules |
| tracelog-appender | 2.2.0 → 2.2.5 | none | Permissive | LOW · 3 modules |
| csvstream-io | 1.1.8 → 1.2.0 | none | Permissive | LOW · 2 modules |
| xmlbind-runtime | 3.0.1 → 3.0.6 | none | Permissive | LOW · 2 modules |

Severity is not a property of the package alone: it depends on reachability. CVSS is the inherent score, EPSS the 30-day exploitation probability, and the columns that decide priority are whether the vulnerable code is on a live request path and which business service it sits behind. The scores are fictional and only illustrate the shape of the judgement.

| Package · advisory | CVSS | EPSS | Exploitability | Runtime exposure | Business service impacted |
|---|---|---|---|---|---|
| corelib-httpclient ADV-2026-0042 · header parsing | 8.1 HIGH | 42% | PoC public | Yes · on the order-intake request path | Order intake API (customer-facing) |
| corelib-httpclient ADV-2026-0057 · connection reuse | 6.5 MED | 9% | Theoretical | Yes · same client, lower likelihood | Order intake API (customer-facing) |
| fastjson-parser ADV-2026-0061 · deep-nesting DoS | 7.5 HIGH | 18% | PoC public | Yes · parses external order payloads | Order payload ingestion (customer-facing) |
| yaml-config-lite ADV-2026-0049 · anchor expansion | 5.3 MED | 3% | Needs local config access | No · read once at startup only | Deploy / config (internal) |

Three dependencies in this service compile against the corelib-httpclient 4.x API. Until it moves to 5.x, their own latest versions cannot be adopted without throwaway shims.
From this dependency scan output [paste], produce a single-file HTML quarterly dependency review for order-gateway: a sortable table (package, current, latest, advisories, licence, blast radius), filters, licence flags, and a recommended upgrade order with reasoning and a small diagram of why the order matters. No external requests: it must open inside the secure zone.
Paste the brief into any capable LLM: GPT, Claude, Gemini, Grok, DeepSeek, or the assistant your company
provides. Iterate a few rounds on layout and content until it reads well. Save the final answer as a
.html file and open it in any browser. Expect similar output, not identical: every model has its
own taste, and that is fine.
This reference artifact was built with Claude Code, an LLM coding agent, over several iterations. Treat it as the bar to aim for, not as a guaranteed first answer. All data on this page is fictional.