The average Node.js project has 1,500+ transitive dependencies. You audit your code. You don't audit the 1,500 packages you've never heard of that your code pulls in at runtime. Dependency-Auditor closes that gap — mapping your entire dependency graph, scoring risk, and alerting on known exploits.
10-Second Pitch
- Full Graph Analysis: Maps direct AND transitive dependencies — because the vulnerability is rarely in the package you chose.
- CVSS Risk Scoring: Prioritizes findings by actual exploitability, not just severity scores that can mislead.
- License Compliance: Flags GPL/AGPL dependencies that could create legal exposure for your product.
- Lockfile Integrity: Detects modifications to package-lock.json or yarn.lock that weren't part of your last install.
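As an added illustration of the graph-analysis and lockfile checks above (example code, not Dependency-Auditor's own), this Node.js snippet walks a lockfileVersion 3 package-lock.json, separates direct from transitive entries, and flags entries that lack an integrity hash or resolve outside the expected registry. The lockfile contents, the mirror hostname and the hash values are constructed; only the root entry's "dependencies" are treated as direct.

```javascript
// Added example (not Dependency-Auditor's code): walk a lockfileVersion 2/3
// package-lock.json "packages" map, separate direct from transitive entries,
// and flag entries lacking an integrity hash or resolved outside the expected
// registry. The lockfile, hostnames and hashes below are constructed.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.18.0", "left-pad": "^1.3.0" } },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-CONSTRUCTEDHASH==",
      dependencies: { "body-parser": "1.20.1" },
    },
    "node_modules/body-parser": {
      version: "1.20.1",
      resolved: "https://registry.npmjs.org/body-parser/-/body-parser-1.20.1.tgz",
      integrity: "sha512-CONSTRUCTEDHASH==",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      // constructed: unexpected host, and no integrity field at all
      resolved: "https://mirror.invalid/left-pad-1.3.0.tgz",
    },
  },
};

const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock, expectedRegistry = EXPECTED_REGISTRY) {
  const direct = new Set(Object.keys(lock.packages[""].dependencies || {}));
  const findings = [];
  let transitive = 0;
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself
    // Nested installs look like node_modules/a/node_modules/b; the package
    // name (scoped or not) is whatever follows the last "node_modules/".
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    if (!direct.has(name)) transitive += 1;
    if (!entry.integrity) findings.push({ name, issue: "missing integrity hash" });
    if (entry.resolved && !entry.resolved.startsWith(expectedRegistry)) {
      findings.push({ name, issue: `resolved outside ${expectedRegistry}` });
    }
  }
  return { direct: direct.size, transitive, findings };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run against a real project's package-lock.json by replacing SAMPLE_LOCK with the parsed file; any finding is a candidate for a dependency-confusion or tampering review before the next install.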
Setup Directions
- Install:
  npm install -g dependency-auditor
- Run a full scan:
  dep-audit --full-graph --report json
- Review the generated dependency-report.html for prioritized findings.
- Set up continuous scanning:
  dep-audit --watch --集成 ci
- Subscribe to alerts for new CVEs affecting your graph.
Pros/Cons
| Pros | Cons |
|---|---|
| Comprehensive transitive dependency visibility | Large graphs can produce noisy reports initially |
| Catches typosquatting and dependency confusion attacks | Requires ongoing maintenance of exception lists |
| CI-friendly with clear pass/fail thresholds | Some features require paid tier for real-time CVE alerts |
Verdict: Essential for any team shipping to production. Supply chain attacks are only getting more sophisticated — auditing only your direct dependencies is a false sense of security. Run this in CI from day one.