dependency-audit

SKILL.md

Dependency Audit

Scan dependencies for vulnerabilities, check for outdated packages, and verify license compliance.

Vulnerability Scanning

Node.js (npm/pnpm)

# npm audit with summary
npm audit

# JSON output for processing
npm audit --json | jq '{total: .metadata.vulnerabilities.total, critical: .metadata.vulnerabilities.critical, high: .metadata.vulnerabilities.high}'

# Auto-fix where possible
npm audit fix

# pnpm
pnpm audit --json
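The `npm audit --json` output above is what a CI gate consumes. The script below is an added example (not part of this skill) that reads a v2 audit report, fails on findings at or above a severity threshold, and separates fixes `npm audit fix` can apply safely from those that need a semver-major bump; the package names and advisory in the sample are constructed.

```python
# Added example (not part of the skill): gate an `npm audit --json` report
# (auditReportVersion 2) in CI. Fails on severity >= threshold and tells you
# which fixes `npm audit fix` can apply without a semver-major bump.
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify_fix(fix_available):
    """Map npm's `fixAvailable` (true / false / object) to a fix bucket."""
    if fix_available is True:
        return "auto"
    if not fix_available:
        return "no-fix"
    return "needs-major-bump" if fix_available.get("isSemVerMajor") else "auto"


def audit_gate(report, fail_at="high"):
    """Return (passed, findings); passed is False if any finding is >= fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    findings = []
    for name, vuln in sorted(report.get("vulnerabilities", {}).items()):
        # `via` holds advisory dicts for root causes and bare package names
        # when the vulnerability is inherited from another dependency.
        titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({
            "package": name,
            "severity": vuln.get("severity", "info"),
            "direct": bool(vuln.get("isDirect")),
            "fix": classify_fix(vuln.get("fixAvailable", False)),
            "advisories": titles,
        })
    passed = all(SEVERITY_RANK.get(f["severity"], 0) < threshold for f in findings)
    return passed, findings


# Constructed sample shaped like `npm audit --json` output; not a real advisory.
SAMPLE_REPORT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-parser": {"severity": "high", "isDirect": true,
      "via": [{"name": "example-parser", "title": "Prototype pollution", "severity": "high"}],
      "fixAvailable": {"name": "example-parser", "version": "3.0.0", "isSemVerMajor": true}},
    "example-util": {"severity": "moderate", "isDirect": false,
      "via": ["example-parser"], "fixAvailable": true}
  },
  "metadata": {"vulnerabilities": {"moderate": 1, "high": 1, "total": 2}}
}""")

if __name__ == "__main__":
    ok, found = audit_gate(SAMPLE_REPORT)
    print(json.dumps(found, indent=2))
    raise SystemExit(0 if ok else 1)
```

In a pipeline, replace `SAMPLE_REPORT` with `json.load(sys.stdin)` and pipe `npm audit --json` into it; a `needs-major-bump` entry is the case where `npm audit fix --force` would change behaviour and should be reviewed by hand.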

Python (pip-audit)

# Scan installed packages
pip-audit

# Scan from requirements file
pip-audit -r requirements.txt

# JSON output
pip-audit --format json -r requirements.txt

# Fix by upgrading
pip-audit --fix -r requirements.txt

Go

# Check for known vulnerabilities
govulncheck ./...

# Verbose output with call stacks
govulncheck -show verbose ./...

Rust

# Install cargo-audit if needed: cargo install cargo-audit
cargo audit

# JSON output
cargo audit --json

Outdated Package Check

# Node.js
npm outdated --json | jq 'to_entries[] | {package: .key, current: .value.current, wanted: .value.wanted, latest: .value.latest}'

# pnpm
pnpm outdated --format json

# Python
pip list --outdated --format json | jq '.[] | {name, version, latest_version}'

# Go
go list -m -u all 2>/dev/null | grep '\['

# Rust
cargo outdated

License Compliance

Node.js

# Install: npm install -g license-checker
license-checker --json | jq 'to_entries[] | {package: .key, license: .value.licenses}' | head -100

# Check for specific problematic licenses
license-checker --failOn "GPL-3.0;AGPL-3.0" --json

# Summary by license type
license-checker --summary

Python

# Install: pip install pip-licenses
pip-licenses --format json | jq '.[] | {name: .Name, license: .License}'

# Check for copyleft licenses
pip-licenses --allow-only "MIT;BSD-3-Clause;Apache-2.0;ISC"

Dependency Tree

# Node.js — why is this package here?
npm explain <package-name>

# Full tree
npm ls --all --json | jq '.dependencies | keys'

# Python
pip show <package-name> | grep -E "^(Requires|Required-by)"

# Go
go mod graph | grep <module-name>

# Rust
cargo tree -p <crate-name>

Supply Chain Checks

# Check package provenance (npm)
npm audit signatures

# Check for typosquatting — compare against known packages
npm info <suspicious-package> | head -5

# Check publish dates: the three most recently published versions
npm view <package-name> time --json | jq 'to_entries | sort_by(.value) | .[-3:]'

Notes

  • Run audits before merging dependency updates, not just on schedule.
  • npm audit fix --force can introduce breaking changes — review before running.
  • License compliance matters for commercial software. GPL/AGPL in dependencies can require open-sourcing your code.
  • Zero-day vulnerabilities won't show in audits — keep dependencies minimal.
  • Pin exact versions in production (package-lock.json, requirements.txt with ==).
First seen: Mar 1, 2026