惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
F
Fortinet All Blogs
阮一峰的网络日志
阮一峰的网络日志
Apple Machine Learning Research
Apple Machine Learning Research
爱范儿
爱范儿
WordPress大学
WordPress大学
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
J
Java Code Geeks
罗磊的独立博客
S
SegmentFault 最新的问题
V
V2EX
V
Visual Studio Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
博客园 - 三生石上(FineUI控件)
Stack Overflow Blog
Stack Overflow Blog
Y
Y Combinator Blog
MyScale Blog
MyScale Blog
D
Docker
Google DeepMind News
Google DeepMind News
Blog — PlanetScale
Blog — PlanetScale
M
Microsoft Research Blog - Microsoft Research
Martin Fowler
Martin Fowler
S
Secure Thoughts
B
Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Recent Announcements
Recent Announcements
MongoDB | Blog
MongoDB | Blog
C
Cisco Blogs
C
CERT Recently Published Vulnerability Notes
T
True Tiger Recordings
GbyAI
GbyAI
P
Proofpoint News Feed
P
Privacy International News Feed
Jina AI
Jina AI
The Cloudflare Blog
I
Intezer
AWS News Blog
AWS News Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
S
Security Archives - TechRepublic
NISL@THU
NISL@THU
The Register - Security
The Register - Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
S
Schneier on Security
L
LINUX DO - 热门话题
C
CXSECURITY Database RSS Feed - CXSecurity.com
Security Latest
Security Latest
C
Cybersecurity and Infrastructure Security Agency CISA

DEV Community

Unchaining the African Creator Economy The Treasure Hunt Engine Gotcha - A Lesson in Constrained Performance great_cto v2.17 - no more tambourine dance When Catalogs Are Embedded in Storage SafeMind AI: Instant Health & Safety Intelligence What Is PKCE, How It Works & Flow Examples AI Agent Failure Modes Beyond Hallucination Fastest Way to Understand Stryker Solana Accounts Explained to a Web2 Developer TV Yayın Akışı Sitesi Geliştirirken Öğrendiğim Teknik Dersler $500 Challenge Drop My First Look at Google's Gemma 4: A Quick Introduction How I use an LLM as a translation judge Best Calendar and Scheduling API for Developers — 2026 Comparison Agentic AI in Travel: Why UCP Isn't Travel-Ready Yet — and What We Measured I Finished Machine Learning. And Then Changed The Plan. The Five-Thousand-Line File The AI Whirlwind: Why Your Local Agent Matters More Than Ever I Built an Oracle DBA That Lives in Telegram. It Cut a 500K-Row Scan to 5 - After Asking Permission. The Day 2 Reality of Running a Kubernetes Lab on Your Mac: Stop/Start, CKS Scenarios, and What I Learned Building It. n8n for Airtable Power Users: 5 Automations That Take Your Base to the Next Level Validating Gemma 4 for Industrial IoT: A Governance Pattern VS Code Now Credits Copilot on Every Commit by Default Astro and Islands Architecture: Why Your Portfolio Doesn't Need React for Everything Booting from FAT12: How I added file reading to my x86 kernel Unity’s AI agent went public: the developers of a static analysis tool on what that means for code quality Anna's Archive publica un llms.txt para los LLMs que rastrean su catálogo CRDTs for Offline-First Mobile Sync Why I Built Mneme HQ: Preventing AI Agent Architectural Drift Google Antigravity 2.0 Is the I/O 2026 Announcement You Should Actually Care About I Built a Pay-Per-Call Crypto Signal API with x402 — Heres the Architecture JWT Token Refresh Patterns in React 19: Avoiding the Silent Auth Death Spiral 🚀 “From Prompts to Autonomous Agents: What Google I/O 2026 Changed” The Power of Distributed Consensus in Autonomous SOCs Sixteen TUI components, copy-paste, no dependency The Boring Reliability Layer Every Autonomous Agent Needs Nven - Secret manager Building Multi-Tenant Row-Level Security in PostgreSQL: A Production Pattern The Hardest Part of Being a Developer Isn't Coding Building Vylo — Looking for Collaborators, Partners & Early Support I Thought Memory Fades With Time. It Actually Fades With Information. ORA-00064 오류 원인과 해결 방법 완벽 가이드 I registered an AI agent at 1 AM and something cracked open in my head Pitch: Nven - Sync secrets. Ship faster. Why y=mx+b is the heart of AI From Routines to a Crew — Building a System That Plans Its Own Work & executes it 25 React Interview Questions 2026 (With Answers) — Hooks, React 19, Concurrent Mode An open source LLM eval tool with two independent quality signals Using Dashboard Filtering to Get Customer Usage in Seconds from TBs of Data Skills, Java 17, And Theme Accents 4 Hard Lessons on Optimizing AI Coding Agents Arctype: Cross-Platform Database GUI for LLM Artifacts Your robots.txt says GPTBot is welcome. Your server says 403. Organizing How to Use AWS Glue Workflow 5 n8n Automations Every Digital Agency Should Be Running (Bill More, Work Less) Getting Started with TorchGeo — Remote Sensing with PyTorch Designing a Scalable Cross-Platform Appium Framework Google Antigravity 2.0 & Slash Commands Building a Unified Adaptive Learning Intelligence with Gemma 4, Flutter, and Multi-Model Orchestration Looking for beta testers for a £60 server management application The Disk-Pressure Incident That Taught Me to Always Set LimitRanges and Other Lessons from Mirroring EKS Locally. Why AI Should Not Write SQL Against ERP Databases Vibe coding works until it doesn't. The debt is real. Shipping at the Edge: Migrating a Coffee Subscription Platform to Cloudflare Workers Stop Tab-Switching: A Developer's Guide to Color Tools That Actually Fit the Workflow DevOps vs MLOps vs AIOps: What Changes, What Stays, and a Simple Roadmap to Get Started Run Powerful AI Coding Locally on a Normal Laptop 5 n8n Automations Every WooCommerce Store Needs (Save 10+ Hours/Week) What I Learned Building My Own AI Harness Hytale Servers Will Fail Treasure Hunts Until We Fix Our Event Handling Redux in React: Managing Global State Like a Pro Unfreezing Your GitHub Actions: Troubleshooting Stuck Deployments and Protecting Your Git Repo Statistics Unlocking Project Discoverability on GHES: A Key to Software Engineering Productivity When the Cleanup Code Becomes the Project Rockpack 8.0 - A React Scaffolder Built for the Age of AI-Assisted Development Mismanaging the Treasure Hunt Engine in Hytale Servers Will Get You Killed Why Hardcoded Automations Fail AI Agents Stop Calling It an AI Assistant. It’s Already Managing Your Company Why I built a post-quantum signing API (and why JWT is on borrowed time) Weekend Thought: Frontend Build Tools Suffer From Work Amnesia A 10-Line Playwright Trick That Saved Me Hours on Every Sephora Run AI Is Changing Engineering Culture More Than We Realize Everyone Was Focused on Gemini, But Infinite Scaler Was the Real Twister "Gemma 4 Analyzed My Bank Statements – Apparently I 'Have a Problem' with Coffee and Late-Night Apps" #css #webdev #beginners #codenewbie The Hidden Layer Every AI Developer Must Learn AlphaEvolve: Google DeepMind's Gemini-Powered Evolutionary Coding Agent RDS Reserved Instance Pricing: Every Engine, Every Rule, Real Dollar Savings How To Build An AI-Powered MVP Without Burning Your Startup Budget In 2026 Reading a Psychrometric Chart Without Getting Lost LMR-BENCH: Can LLM Agents Reproduce NLP Research Code? (EMNLP 2025) How to turn text into colors (without AI) Building Real-Time Apps in Node.js with Rivalis: WebSockets, Rooms, Actors, and a Binary Wire This Week In React #282 : Security, Fate, TanStack, Redux, Jotai | Hermes-node, Expo, Rozenite, Harness | TC39, Bun, pnpm, npm, Yarn, Node AI Copilot vs AI Agent Architecture - What's Actually Different (And Why It Matters) Smart Contract Security: NEAR's Futures Surge and AI Token Risks Database Maintenance: Tracing Production Incidents to Their Root Cause Stop juggling AI SDKs in PHP — meet Prisma Google Quietly Changed What “Apps” Mean at I/O 2026 The Infrastructure Team Is the Real Single Point of Failure
audit-mcp-cli: Let AI Audit Your Node.js Dependencies
Piks · 2026-05-14 · via DEV Community

A lightweight dependency vulnerability audit tool that works as both a CLI and an MCP Server — so your AI coding assistant can find and fix security issues for you.

The Problem

You run npm audit. You get a wall of text. Some vulnerabilities are direct, some are buried five levels deep in your dependency tree. The output tells you what's vulnerable, but figuring out how it got there and what to do about it takes manual effort.

Now multiply that across every project you maintain.

What It Does

audit-mcp-cli runs a full dependency vulnerability audit and produces a clean, structured report with complete dependency chains — showing you the exact path from your package.json to each vulnerable package.

npx audit-mcp-cli

Enter fullscreen mode Exit fullscreen mode

That's it. It auto-detects your package manager (npm or pnpm), runs the audit, and generates a Markdown or HTML report.

But Here's the Interesting Part

It also runs as an MCP Server. That means AI coding assistants like Claude and Cursor can call it directly.

Instead of you reading an audit report, your AI assistant can:

  • Audit your project's dependencies in conversation
  • Show you exactly which vulnerabilities exist, their severity, and CVSS scores
  • Trace the full dependency chain for each issue
  • Suggest specific fixes with upgrade commands

Set It Up in 30 Seconds

Add this to your Claude Desktop config (claude_desktop_config.json):

{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}

Enter fullscreen mode Exit fullscreen mode

Or for Cursor (.cursor/mcp.json):

{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}

Enter fullscreen mode Exit fullscreen mode

Then just ask: "Audit this project for vulnerabilities."

What You Get

Full Dependency Chains

Not just "minimist has a vulnerability" — but:

my-project → jest → @jest/core → jest-config → minimist

Enter fullscreen mode Exit fullscreen mode

So you know exactly why it's in your project and how to remove it.

Structured Reports

Reports are sorted by severity (critical → high → moderate → low) with:

  • CVSS scores and vectors — how bad is it, really?
  • CWE classifications — what type of vulnerability?
  • Advisory links — full details from GitHub Advisory Database
  • Fix suggestions — specific upgrade commands and target versions
  • Transitive vulnerability attribution — when package A is vulnerable because it depends on vulnerable package B, you see both, clearly separated

Remote Repo Audit

Audit any public or private GitHub repo without cloning:

audit-mcp-cli --remote github:facebook/react --ref main
audit-mcp-cli --remote github:facebook/react --ref v18.2.0

Enter fullscreen mode Exit fullscreen mode

Works with branches, tags, and commit SHAs.

CI/CD Integration

Fail your pipeline when vulnerabilities exceed a threshold:

# GitHub Actions
- name: Security Audit
  run: npx audit-mcp-cli --fail-on high

Enter fullscreen mode Exit fullscreen mode 

# Generic CI
npx audit-mcp-cli --fail-on high && echo "pass" || echo "fail"

Enter fullscreen mode Exit fullscreen mode

Ignore Mechanism

Accept known risks and track them:

// .audit-mcp-cli-ignore.json
{
  "ignore": [
    {
      "packageName": "minimist",
      "advisorySource": 1179,
      "reason": "Accepted risk, limited impact in our usage",
      "expiresAt": "2025-12-31T00:00:00Z"
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode

Ignored vulnerabilities appear in a separate report section and don't trigger --fail-on.

Quick Reference 

# Audit current directory
npx audit-mcp-cli

# Specific project
npx audit-mcp-cli --path /path/to/project

# Remote GitHub repo
npx audit-mcp-cli --remote github:owner/repo --ref main

# HTML report
npx audit-mcp-cli --format html --output report.html

# Only show high and critical
npx audit-mcp-cli --severity high

# CI: fail on high+
npx audit-mcp-cli --fail-on high

# MCP Server mode
npx audit-mcp-cli --mcp

Enter fullscreen mode Exit fullscreen mode

Tech Details

  • npm + pnpm support — auto-detects package manager by lockfile
  • Node.js >= 18 — no extra runtime requirements
  • Zero config — works out of the box
  • Lightweight — minimal dependencies (commander, execa, eta, zod, MCP SDK)
  • Bilingual — English and Chinese (auto-detects system language, override with --lang)
  • MIT License

Install 

# Run directly (no install needed)
npx audit-mcp-cli

# Or install globally
npm install -g audit-mcp-cli

Enter fullscreen mode Exit fullscreen mode

npm: https://www.npmjs.com/package/audit-mcp-cli
GitHub: https://github.com/double527/audit-mcp-cli

If you find this useful, a star on GitHub goes a long way. Issues and PRs welcome.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。