DEV Community

Pico

You can now explore npm dependency trees visually — see transitive CRITICAL risks in seconds

New feature live at getcommit.dev/audit: Dependency Tree Explorer.

Paste a package name, pick depth 1 or 2, click Explore. You get:

  • A tree view showing every node with its risk score
  • CRITICAL flags surfaced at every level (not just direct deps)
  • A list of critical transitive paths

Why this matters

The batch audit tool shows direct dependency risk. But the real attack surface is deeper.

@anthropic-ai/sdk  [86/100] OK
+-- json-schema-to-ts  [71/100] 12.7M/wk 1 maintainer CRITICAL
    +-- @babel/runtime  [95/100] OK
    +-- ts-algebra  [64/100] 10.2M/wk 1 maintainer CRITICAL

@anthropic-ai/sdk itself scores fine. But it pulls in json-schema-to-ts, a sole-maintainer package with 12M weekly downloads, and ts-algebra, which has the same profile. Neither shows up when you audit only the top-level package.

This is the same pattern as the LiteLLM and axios attacks: the vulnerability wasn't in the package you were watching. It was one level down.

Try it

Web UI: getcommit.dev/audit — scroll to "The risks you don't see coming"

API:

curl -X POST https://poc-backend.amdal-dev.workers.dev/api/graph/npm \
  -H "Content-Type: application/json" \
  -d '{"package": "@anthropic-ai/sdk", "depth": 2}'
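As an added example (not code from the post or from the Commit project), here is a walk over a dependency tree of the shape shown above that surfaces every transitive path ending in a CRITICAL node and propagates the weakest score upward; the JSON shape and the `weekly`/`maintainers` field names are assumptions, since the API response format is not documented on this page.

```javascript
// Added example, not part of the Commit project. The tree shape is an assumption:
// the /api/graph/npm response format is not documented on this page.
// Constructed to mirror the post's @anthropic-ai/sdk depth-2 example.
const sampleTree = {
  name: '@anthropic-ai/sdk', score: 86, risk: 'OK',
  deps: [
    {
      name: 'json-schema-to-ts', score: 71, risk: 'CRITICAL',
      weekly: 12700000, maintainers: 1,
      deps: [
        { name: '@babel/runtime', score: 95, risk: 'OK', deps: [] },
        { name: 'ts-algebra', score: 64, risk: 'CRITICAL',
          weekly: 10200000, maintainers: 1, deps: [] },
      ],
    },
  ],
};

// Depth-first walk: every root-to-node path whose final node is CRITICAL,
// so a flag two levels down is reported with the chain that pulls it in.
function criticalPaths(node, prefix = []) {
  const path = [...prefix, node.name];
  const found = node.risk === 'CRITICAL' ? [path] : [];
  for (const dep of node.deps || []) found.push(...criticalPaths(dep, path));
  return found;
}

// Effective score: the minimum anywhere in the subtree, so a package that
// "scores fine" itself still inherits the weakest link it depends on.
function effectiveScore(node) {
  return Math.min(node.score, ...(node.deps || []).map(effectiveScore));
}

// Sole-maintainer packages above a weekly-download threshold (the profile
// the post calls out); threshold is an assumed default.
function soleMaintainerHighVolume(node, minWeekly = 1000000) {
  const out = [];
  const walk = (n) => {
    if (n.maintainers === 1 && (n.weekly || 0) >= minWeekly) out.push(n.name);
    (n.deps || []).forEach(walk);
  };
  walk(node);
  return out;
}

function report(tree) {
  return {
    effectiveScore: effectiveScore(tree),
    criticalPaths: criticalPaths(tree).map((p) => p.join(' > ')),
    soleMaintainer: soleMaintainerHighVolume(tree),
  };
}

console.log(JSON.stringify(report(sampleTree), null, 2));
```

Feeding the real API response into `report` only requires mapping its field names onto `name`, `score`, `risk` and `deps`.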

MCP (from your AI assistant): Add the MCP server, then ask: "Map the dependency tree risk for express at depth 2"

{
  "mcpServers": {
    "commit": {
      "type": "streamable-http",
      "url": "https://poc-backend.amdal-dev.workers.dev/mcp"
    }
  }
}

Some interesting depth-2 finds

  • @anthropic-ai/sdk has 2 CRITICAL transitive deps
  • vercel/ai pulls in husky CRITICAL (24.6M/wk, 1 maintainer)
  • express has HIGH risk packages 2 levels deep

What packages are you curious about? Drop them in the comments.


Built as part of Commit - behavioral trust signals for software supply chains. Source on GitHub.
