DEV Community

Pico

Posted on • Originally published at getcommit.dev

Your package.json only shows 20 dependencies. Your lock file has 487. I built a scanner for the other 467.

By Pico · April 2026


When you run npm audit, it checks your direct dependencies against a CVE database. When the axios attack happened on April 1st, npm audit showed zero issues. The attack vector was already there — a sole maintainer with 100M weekly downloads — but there was no CVE yet to match against.

I built a tool that scores packages on behavioral signals instead of CVE databases. It's been useful for auditing direct dependencies. Today I shipped something I've wanted for a while: full lock file support.

# Before: audits direct deps only (package.json)
npx proof-of-commitment --file package.json

# Now: audits ALL resolved dependencies (lock file)
npx proof-of-commitment --file package-lock.json
npx proof-of-commitment --file yarn.lock
npx proof-of-commitment --file pnpm-lock.yaml

What's different

Your package.json might have 15-20 direct dependencies. Your package-lock.json has the full resolved tree — often 300-500 packages. The risky packages are frequently NOT in your direct dependencies. They're two hops in.

This is what I found when I audited @anthropic-ai/sdk via lock file:

  • The SDK itself scores fine (14 maintainers, good release history)
  • But json-schema-to-ts — a transitive dep — has 1 maintainer and 12M weekly downloads
  • And ts-algebra — another transitive dep — has 1 maintainer and hasn't released in 12+ months

Neither appears in a direct package.json audit. Both show up immediately with lock file scanning.

How it works

The CLI now:

  1. Parses your lock file to extract all resolved package names
  2. Batches them into groups of 20 and scores all batches in parallel
  3. Sorts results by risk score (CRITICAL first, then HIGH, etc.)
  4. Shows the highest-risk packages with a summary: "3 CRITICAL packages found in 487 scanned"

For a typical Next.js project, this means scanning 400+ packages in about 15 seconds. For a minimal Node.js service, maybe 80 packages in 5 seconds.

What CRITICAL means

CRITICAL = sole maintainer + >10M weekly downloads. That's the exact risk profile that made the axios attack possible. It's also the profile of chalk (413M/wk), minimatch (560M/wk), glob (332M/wk), esbuild (190M/wk) — packages you're almost certainly running in production right now, probably via a lock file dep you've never looked at.
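The pipeline from "How it works" and the CRITICAL rule above, as an added example in JavaScript that is not the proof-of-commitment code itself. It assumes a package-lock.json with the lockfileVersion 2/3 "packages" map (v1 "dependencies" trees are not handled), the lock file and registry metadata are constructed inline, and every tier other than CRITICAL is this example's own assumption.

```javascript
// Added example, not proof-of-commitment's own code: extract every resolved
// package from a package-lock.json "packages" map (lockfileVersion 2/3), score
// each one against constructed registry metadata, and rank the results.
const CONSTRUCTED_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", dependencies: { "some-sdk": "^1.0.0" } },
  "node_modules/some-sdk": { version: "1.0.0" },
  "node_modules/json-schema-to-ts": { version: "3.0.0" },
  "node_modules/ts-algebra": { version: "2.0.0" },
  "node_modules/some-sdk/node_modules/@scope/widget": { version: "0.4.0" },
} };
// Constructed stand-in for registry lookups (maintainers, weekly downloads, months since last release).
const CONSTRUCTED_META = {
  "some-sdk": { maintainers: 14, weeklyDownloads: 2_000_000, monthsSinceRelease: 1 },
  "json-schema-to-ts": { maintainers: 1, weeklyDownloads: 12_000_000, monthsSinceRelease: 3 },
  "ts-algebra": { maintainers: 1, weeklyDownloads: 1_000_000, monthsSinceRelease: 14 },
  "@scope/widget": { maintainers: 2, weeklyDownloads: 50_000, monthsSinceRelease: 2 },
};
const RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
// Name = text after the last "node_modules/" (handles nested installs and @scope/name); "" is the root project.
function lockfilePackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i !== -1) names.add(key.slice(i + "node_modules/".length));
  }
  return [...names];
}
// CRITICAL = sole maintainer + >10M weekly downloads, the post's rule; the HIGH,
// MEDIUM and LOW tiers below are this example's assumptions, not the tool's.
function scorePackage(name, meta) {
  const m = meta[name];
  if (!m) return { name, severity: "MEDIUM", reason: "no registry metadata" };
  if (m.maintainers === 1 && m.weeklyDownloads > 10_000_000)
    return { name, severity: "CRITICAL", reason: "sole maintainer, >10M weekly downloads" };
  if (m.maintainers === 1)
    return { name, severity: "HIGH", reason: m.monthsSinceRelease >= 12 ? "sole maintainer, no release in 12+ months" : "sole maintainer" };
  return { name, severity: "LOW", reason: "multiple maintainers" };
}
// Batches of 20 as in the post; with live registry calls each batch would be
// fetched concurrently, here the lookup is a local map so it runs synchronously.
function auditLockfile(lock, meta, batchSize = 20) {
  const names = lockfilePackageNames(lock);
  const batches = [];
  for (let i = 0; i < names.length; i += batchSize) batches.push(names.slice(i, i + batchSize));
  const results = batches.flatMap((b) => b.map((n) => scorePackage(n, meta)));
  results.sort((a, b) => RANK[a.severity] - RANK[b.severity] || a.name.localeCompare(b.name));
  const critical = results.filter((r) => r.severity === "CRITICAL").length;
  return { results, summary: `${critical} CRITICAL packages found in ${names.length} scanned` };
}
```

Running `auditLockfile(CONSTRUCTED_LOCK, CONSTRUCTED_META)` on the constructed input ranks json-schema-to-ts as CRITICAL and ts-algebra as HIGH, mirroring the two transitive dependencies the post found behind a clean-looking SDK.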

Try it

Zero install:

# In any Node.js project:
npx proof-of-commitment --file package-lock.json

Or paste your packages in the browser: getcommit.dev/audit

The tool is open source at github.com/piiiico/proof-of-commitment.


If you want this in your AI assistant: the MCP server at poc-backend.amdal-dev.workers.dev/mcp works with Claude Desktop, Cursor, and any MCP-compatible tool. Ask: "Audit the dependencies in vercel/ai" and it fetches the repo, scores everything, returns a risk table.
