DEV Community

Pico

Posted on • Originally published at getcommit.dev

Audit any GitHub repo's supply chain risk with one API call

A new endpoint that fetches package.json directly from any GitHub repo and runs supply chain risk scoring on every dependency — no copy-paste, no file upload.


Last week I found husky with 24.6M weekly downloads and a single maintainer while auditing the vercel/ai repo. That's the exact maintainer/download ratio that made chalk, zod, and axios CRITICAL on behavioral commitment scores.

The workflow up until now: copy-paste your package.json, paste into the audit tool, scan. It works but it's friction. Today I added a GitHub URL endpoint that removes that step entirely.

How it works

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/audit/github \
  -H "Content-Type: application/json" \
  -d '{"repo":"vercel/ai"}'

The endpoint:

  1. Fetches package.json (and requirements.txt for Python repos) directly from GitHub raw content
  2. Parses all dependencies (both dependencies and devDependencies)
  3. Scores each package on behavioral commitment — maintainer count, weekly downloads, age, release consistency
  4. Returns a risk table sorted by score in ascending order, so the lowest-scoring (highest-risk) packages come first

Response:

{
  "repo": "vercel/ai",
  "npmPackages": 17,
  "pypiPackages": 0,
  "count": 17,
  "results": [
    {
      "name": "husky",
      "ecosystem": "npm",
      "score": 81,
      "maintainers": 1,
      "weeklyDownloads": 24600000,
      "riskFlags": ["CRITICAL: sole maintainer + >10M/wk"]
    },
    ...
  ]
}
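The fetch-parse-score-gate steps above, as an added example that is not the proof-of-commitment project's own code: it parses a package.json plus requirements.txt locally, applies the post's CRITICAL rule, and decides whether a CI job should fail on a response shaped like the one shown. The sample manifests and the non-husky rows are constructed; only the husky numbers come from the post.

```javascript
// Added example, not the proof-of-commitment project's own code: the manifest
// parsing, the CRITICAL rule and a fail-on-critical gate, run locally against
// constructed inputs shaped like the endpoint's response above.
const CRITICAL_DOWNLOADS_PER_WEEK = 10_000_000;

// npm names from dependencies + devDependencies; PyPI names from requirements.txt
// (comments, -r/-e/--option lines, extras, specifiers and markers stripped).
function collectDependencies(packageJsonText, requirementsText = "") {
  const deps = [];
  if (packageJsonText) {
    const pkg = JSON.parse(packageJsonText);
    for (const section of ["dependencies", "devDependencies"]) {
      for (const name of Object.keys(pkg[section] || {})) deps.push({ name, ecosystem: "npm" });
    }
  }
  for (const raw of requirementsText.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line || line.startsWith("-")) continue;
    const name = line.split(/[\s\[<>=!~;@]/)[0];
    if (name) deps.push({ name: name.toLowerCase(), ecosystem: "pypi" });
  }
  return deps;
}

// The post's CRITICAL definition: one maintainer behind more than 10M weekly
// downloads. Age and release-consistency signals stay on the server.
function riskFlags(maintainers, weeklyDownloads) {
  return maintainers === 1 && weeklyDownloads > CRITICAL_DOWNLOADS_PER_WEEK
    ? ["CRITICAL: sole maintainer + >10M/wk"] : [];
}

// Order like the endpoint (lowest score first) and decide whether CI should
// fail, mirroring the Action's fail-on-critical input.
function gateAudit(auditResponse, failOnCritical) {
  const results = [...auditResponse.results].sort((a, b) => a.score - b.score);
  const criticalNames = results
    .filter(r => r.riskFlags.some(f => f.startsWith("CRITICAL")))
    .map(r => r.name);
  return { results, criticalNames, fail: failOnCritical && criticalNames.length > 0 };
}

// Constructed sample inputs; only the husky row matches real output shown above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { husky: "^9.0.0", zod: "^3.23.0" }, devDependencies: { typescript: "^5.4.0" } });
const SAMPLE_REQUIREMENTS = "# pinned\nrequests==2.31.0\nfoo[security]>=1.0 ; python_version>'3.8'\n-r base.txt\n";
const SAMPLE_RESPONSE = { repo: "example/repo", results: [
  { name: "typescript", ecosystem: "npm", score: 95, maintainers: 5, weeklyDownloads: 50000000, riskFlags: [] },
  { name: "husky", ecosystem: "npm", score: 81, maintainers: 1, weeklyDownloads: 24600000,
    riskFlags: riskFlags(1, 24600000) } ] };

console.log(collectDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS).length, "deps;",
  "fail CI:", gateAudit(SAMPLE_RESPONSE, true).fail);
```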

MCP server (ask your AI directly)

If you have the MCP server configured in Claude Desktop, Cursor, or Windsurf:

{
  "mcpServers": {
    "proof-of-commitment": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

You can now ask:

  • "Audit the dependencies in langchain-ai/langchainjs"
  • "Is anthropics/anthropic-sdk-python safe?"
  • "Score all the packages in vercel/next.js"

The audit_github_repo MCP tool handles the fetch and scoring automatically.

GitHub Action (CI pipeline)

For automated CI coverage that posts results as a PR comment:

- uses: piiiico/proof-of-commitment@main
  with:
    fail-on-critical: false
    comment-on-pr: true

Auto-detects packages from your package.json or requirements.txt and posts the risk table directly on the PR.

Try it now

Web demo (no install): getcommit.dev/audit — paste packages or drop a package.json, results in seconds.

API (zero auth): POST /api/audit/github with {"repo":"owner/repo"}

MCP server: poc-backend.amdal-dev.workers.dev/mcp

GitHub: piiiico/proof-of-commitment


CRITICAL means: sole maintainer + >10M weekly downloads. That's the profile that made chalk, zod, and axios the three most dangerous packages in the average Node.js project — high-value supply chain targets with minimal oversight. The axios attack on April 1st was exactly this profile.
