@lazymac/dependency-audit-mcp
v1.0.0
Dependency intelligence MCP server for Claude — audits package.json for risky deps, license conflicts, bundle bloat, outdated majors, and recommends modern alternatives. Ships a built-in knowledge base of 500+ npm packages so audits run offline without hi
Downloads
68
@lazymac/dependency-audit-mcp
Offline npm intelligence for Claude — audit, compare, and replace dependencies without ever hitting the registry.
A Model Context Protocol (MCP) server that ships with a built-in knowledge base of 500+ npm packages — bundle sizes, licenses, tree-shaking status, modern alternatives, and recent major versions — so Claude can audit a package.json instantly, even offline.
Why
Most dependency tools are thin wrappers around npm audit and npm outdated. They tell you what has a CVE, not what to do about it:
- "`moment` is bloated — what's the drop-in replacement?" → dayjs, 97% smaller
- "`lodash` is 71 KB gzipped — anything lighter?" → es-toolkit, radash, lodash-es with tree-shaking
- "Is `express` still fine, or should I move to Hono?" → head-to-head comparison with numbers
dependency-audit-mcp encodes that institutional knowledge so your Claude agent can make migration recommendations in one turn, without network access, without rate limits.
Designed for:
- AI agents that need to propose concrete dep upgrades in PRs
- Engineers doing quarterly bundle-size cleanups
- Offline / air-gapped environments where `npm` calls are blocked
Install
```shell
npx -y @lazymac/dependency-audit-mcp
```
Claude Desktop configuration
```json
{
  "mcpServers": {
    "dependency-audit": {
      "command": "npx",
      "args": ["-y", "@lazymac/dependency-audit-mcp"]
    }
  }
}
```
Claude Code
```shell
claude mcp add dependency-audit -- npx -y @lazymac/dependency-audit-mcp
```
Tools
| Tool | Input | Description |
|---|---|---|
| audit_dependencies | package_json?: string, path?: string | Full package.json audit — deprecated patterns, problematic packages, unpinned versions, duplicate-purpose deps, excess dep count. Returns risk score + actionable issues. |
| check_licenses | dependencies: {name→version} | Classifies each license (permissive / copyleft / weak-copyleft / restrictive / unknown) and flags commercial-use conflicts. |
| analyze_bundle_impact | packages: string[] | Bundle size estimate (min + gzipped), tree-shaking support, side effects — using built-in DB of 200+ packages. |
| find_alternatives | package_name: string, criteria?: "size"\|"performance"\|"maintenance"\|"security" | Suggests lighter/better alternatives with pros/cons (moment→dayjs, lodash→radash, express→hono, chalk→picocolors, etc.). |
| check_updates | dependencies: {name→version} | Latest major versions for 100+ popular packages + breaking-change risk assessment. |
| generate_security_policy | project_type: "library"\|"app"\|"monorepo", strict?: boolean | Emits ready-to-commit SECURITY.md, .npmrc, and Dependabot config. |
| analyze_dep_tree | package_json: string | Depth estimate, heavy subtrees, duplicate transitive deps, optimization hints. |
| compare_packages | package_a: string, package_b: string | Head-to-head — size, tree-shaking, license, popularity, TS support, final recommendation. |
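To make the audit_dependencies checks in the table concrete (unpinned versions, problematic packages, duplicate-purpose deps, excess dep count, a summed risk score), here is an added illustrative checker in JavaScript. It is not the package's own code; the duplicate-purpose groups, the problematic-package notes, the severity weights and the 30-dependency threshold are assumptions made for the example.

```javascript
// Illustrative re-implementation of audit_dependencies-style checks (not the project's code).
// The knowledge table, severities and threshold below are assumptions for this example.
const DUPLICATE_PURPOSE = [
  ['moment', 'dayjs', 'date-fns', 'luxon'],          // date handling
  ['lodash', 'underscore', 'radash', 'es-toolkit'],  // utility belts
  ['axios', 'ky', 'node-fetch', 'got'],              // HTTP clients
];
const PROBLEMATIC = { request: 'deprecated upstream', moment: 'maintenance mode, large bundle' };
const MAX_DEPS = 30;

// Only an exact version (1.2.3 or 1.2.3-beta.1) counts as pinned; ranges (^, ~, >=),
// wildcards (*), dist-tags (latest) and git/http URLs are all unpinned.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

function auditDependencies(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const issues = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!isPinned(spec)) issues.push({ severity: 5, msg: `${name}@${spec} is not pinned` });
    if (PROBLEMATIC[name]) issues.push({ severity: 15, msg: `${name}: ${PROBLEMATIC[name]}` });
  }
  for (const group of DUPLICATE_PURPOSE) {
    const found = group.filter((n) => n in deps);
    if (found.length > 1) issues.push({ severity: 10, msg: `duplicate purpose: ${found.join(', ')}` });
  }
  const count = Object.keys(deps).length;
  if (count > MAX_DEPS) issues.push({ severity: 10, msg: `${count} deps exceeds ${MAX_DEPS}` });
  // Risk score is the capped sum of severities; issues come back most severe first.
  const riskScore = Math.min(100, issues.reduce((s, i) => s + i.severity, 0));
  return { riskScore, issues: issues.sort((a, b) => b.severity - a.severity) };
}

// Constructed sample package.json: two unpinned ranges, a wildcard, a dist-tag,
// a deprecated package, and two date libraries doing the same job.
const SAMPLE = JSON.stringify({
  dependencies: { moment: '^2.29.4', dayjs: '1.11.10', lodash: '*', request: 'latest', express: '4.18.2' },
});

console.log(auditDependencies(SAMPLE)); // riskScore 55 with 6 issues
```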
Examples
1. Audit a repo's package.json before merging
"Run `audit_dependencies` on `./package.json`. If risk score > 40, list the top 5 issues."
2. Quarterly bundle cleanup
"My frontend imports `moment`, `lodash`, `axios`, `chalk`. For each, call `find_alternatives` with criteria=size and rank by savings."
Expected: moment→dayjs (97%), lodash→es-toolkit (97%), axios→ky (96%), chalk→picocolors (83%).
3. Express vs Hono, straight up
"`compare_packages` express hono — tell me which one wins if I'm deploying to Cloudflare Workers."
Korean summary
@lazymac/dependency-audit-mcp is an MCP server for Claude with a built-in knowledge DB of 500+ npm packages: bundle size, license, tree-shaking, latest versions and alternatives, answered instantly and offline. It answers the question npm audit does not: "so what should I use instead?"
Examples: "moment is heavy" → dayjs (97% smaller), "lodash is blowing up the bundle" → es-toolkit / radash, "what should I move to from express?" → Hono (Cloudflare Workers compatible).
8 tools: audit_dependencies, check_licenses, analyze_bundle_impact, find_alternatives, check_updates, generate_security_policy, analyze_dep_tree, compare_packages.
Works even in environments where network access is blocked.
License
MIT © 2026 Dany
