The latest articles on DEV Community by Piks (@piks). https://dev.to/piks https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3931291%2F5c716299-85f8-4071-afc0-9fccc7880083.jpeg https://dev.to/piks en Piks Thu, 14 May 2026 13:15:31 +0000 https://dev.to/piks/audit-mcp-cli-let-ai-audit-your-nodejs-dependencies-38eh https://dev.to/piks/audit-mcp-cli-let-ai-audit-your-nodejs-dependencies-38eh <blockquote> <p>A lightweight dependency vulnerability audit tool that works as both a CLI and an MCP Server — so your AI coding assistant can find and fix security issues for you.</p> </blockquote> <h2> The Problem </h2> <p>You run <code>npm audit</code>. You get a wall of text. Some vulnerabilities are direct, some are buried five levels deep in your dependency tree. The output tells you <em>what's</em> vulnerable, but figuring out <em>how it got there</em> and <em>what to do about it</em> takes manual effort.</p> <p>Now multiply that across every project you maintain.</p> <h2> What It Does </h2> <p><strong>audit-mcp-cli</strong> runs a full dependency vulnerability audit and produces a clean, structured report with <strong>complete dependency chains</strong> — showing you the exact path from your <code>package.json</code> to each vulnerable package.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx audit-mcp-cli </code></pre> </div> <p>That's it. It auto-detects your package manager (npm or pnpm), runs the audit, and generates a Markdown or HTML report.</p> <h2> But Here's the Interesting Part </h2> <p>It also runs as an <strong>MCP Server</strong>. That means AI coding assistants like Claude and Cursor can call it directly.</p> <p>Instead of you reading an audit report, your AI assistant can:</p> <ul> <li>Audit your project's dependencies in conversation</li> <li>Show you exactly which vulnerabilities exist, their severity, and CVSS scores</li> <li>Trace the full dependency chain for each issue</li> <li>Suggest specific fixes with upgrade commands</li> </ul> <h3> Set It Up in 30 Seconds </h3> <p>Add this to your Claude Desktop config (<code>claude_desktop_config.json</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"audit-mcp-cli"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"audit-mcp-cli"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--mcp"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Or for Cursor (<code>.cursor/mcp.json</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"audit-mcp-cli"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"audit-mcp-cli"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--mcp"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then just ask: <em>"Audit this project for vulnerabilities."</em></p> <h2> What You Get </h2> <h3> Full Dependency Chains </h3> <p>Not just "minimist has a vulnerability" — but:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>my-project → jest → @jest/core → jest-config → minimist </code></pre> </div> <p>So you know exactly <em>why</em> it's in your project and <em>how</em> to remove it.</p> <h3> Structured Reports </h3> <p>Reports are sorted by severity (critical → high → moderate → low) with:</p> <ul> <li> <strong>CVSS scores and vectors</strong> — how bad is it, really?</li> <li> <strong>CWE classifications</strong> — what type of vulnerability?</li> <li> <strong>Advisory links</strong> — full details from GitHub Advisory Database</li> <li> <strong>Fix suggestions</strong> — specific upgrade commands and target versions</li> <li> <strong>Transitive vulnerability attribution</strong> — when package A is vulnerable because it depends on vulnerable package B, you see both, clearly separated</li> </ul> <h3> Remote Repo Audit </h3> <p>Audit any public or private GitHub repo without cloning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>audit-mcp-cli <span class="nt">--remote</span> github:facebook/react <span class="nt">--ref</span> main audit-mcp-cli <span class="nt">--remote</span> github:facebook/react <span class="nt">--ref</span> v18.2.0 </code></pre> </div> <p>Works with branches, tags, and commit SHAs.</p> <h3> CI/CD Integration </h3> <p>Fail your pipeline when vulnerabilities exceed a threshold:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Security Audit</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx audit-mcp-cli --fail-on high</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generic CI</span> npx audit-mcp-cli <span class="nt">--fail-on</span> high <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"pass"</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"fail"</span> </code></pre> </div> <h3> Ignore Mechanism </h3> <p>Accept known risks and track them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">.audit-mcp-cli-ignore.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ignore"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"packageName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"minimist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"advisorySource"</span><span class="p">:</span><span class="w"> </span><span class="mi">1179</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Accepted risk, limited impact in our usage"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expiresAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-12-31T00:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Ignored vulnerabilities appear in a separate report section and don't trigger <code>--fail-on</code>.</p> <h2> Quick Reference </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Audit current directory</span> npx audit-mcp-cli <span class="c"># Specific project</span> npx audit-mcp-cli <span class="nt">--path</span> /path/to/project <span class="c"># Remote GitHub repo</span> npx audit-mcp-cli <span class="nt">--remote</span> github:owner/repo <span class="nt">--ref</span> main <span class="c"># HTML report</span> npx audit-mcp-cli <span class="nt">--format</span> html <span class="nt">--output</span> report.html <span class="c"># Only show high and critical</span> npx audit-mcp-cli <span class="nt">--severity</span> high <span class="c"># CI: fail on high+</span> npx audit-mcp-cli <span class="nt">--fail-on</span> high <span class="c"># MCP Server mode</span> npx audit-mcp-cli <span class="nt">--mcp</span> </code></pre> </div> <h2> Tech Details </h2> <ul> <li> <strong>npm + pnpm support</strong> — auto-detects package manager by lockfile</li> <li> <strong>Node.js &gt;= 18</strong> — no extra runtime requirements</li> <li> <strong>Zero config</strong> — works out of the box</li> <li> <strong>Lightweight</strong> — minimal dependencies (commander, execa, eta, zod, MCP SDK)</li> <li> <strong>Bilingual</strong> — English and Chinese (auto-detects system language, override with <code>--lang</code>)</li> <li><strong>MIT License</strong></li> </ul> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run directly (no install needed)</span> npx audit-mcp-cli <span class="c"># Or install globally</span> npm <span class="nb">install</span> <span class="nt">-g</span> audit-mcp-cli </code></pre> </div> <p><strong>npm</strong>: <a href="https://www.npmjs.com/package/audit-mcp-cli" rel="noopener noreferrer">https://www.npmjs.com/package/audit-mcp-cli</a><br> <strong>GitHub</strong>: <a href="https://github.com/double527/audit-mcp-cli" rel="noopener noreferrer">https://github.com/double527/audit-mcp-cli</a></p> <p><em>If you find this useful, a star on GitHub goes a long way. Issues and PRs welcome.</em></p> ai mcp node security