# @meterian/cli
v0.1.3
Meterian security audit CLI — check open-source dependencies for vulnerabilities
Command-line tool for checking open-source dependencies against the Meterian vulnerability database. Works without a Meterian account.
## Installation
```bash
# Zero-install (no global install required)
npx @meterian/cli <command>

# Global install
npm install -g @meterian/cli
```

## Commands
### check — Batch dependency audit
Reads a JSON array of `{language, name, version}` objects from stdin and returns a compact vulnerability summary.
```bash
echo '[
  {"language":"nodejs","name":"lodash","version":"4.17.15"},
  {"language":"python","name":"requests","version":"2.25.0"}
]' | npx @meterian/cli check
```
Output:
```json
{
  "vulnerable": [
    {
      "language": "nodejs",
      "name": "lodash",
      "version": "4.17.15",
      "severity": "HIGH",
      "id": "CVE-2021-23337",
      "safeVersions": ["4.17.21"],
      "advisories": [
        {
          "id": "a1b2c3d4-...",
          "description": "Prototype pollution in lodash's zipObjectDeep via...",
          "severity": "HIGH",
          "cvss": 7.2,
          "cwe": "CWE-1321",
          "cve": "CVE-2021-23337",
          "identifiers": ["CVE-2021-23337", "GHSA-35jh-r3h4-6jhm"],
          "versionRange": "[0,4.17.21)",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
        }
      ]
    }
  ],
  "summary": { "total": 2, "vulnerable": 1, "clean": 1 }
}
```
Only vulnerable packages appear in the `vulnerable` array. `safeVersions` is ordered patch → minor → major (nulls excluded). Each entry's `advisories` array contains one object per advisory found, with the best available `link` resolved in priority order: ANNOUNCE type → NVD type → CVE type → first link whose URL contains `github.com/advisories` → first link whose URL contains `osv.dev` → first link available.
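As an added example (this is not code from the @meterian/cli project), a small Node script that builds the stdin array `check` expects from a `package-lock.json`, pipes it to the CLI, and fails a CI job when any finding reaches a severity floor. The lockfile walk and the severity ranking are this script's own assumptions; the report fields it reads (`vulnerable`, `severity`, `id`, `safeVersions`) follow the sample output above.

```javascript
// Added example, not part of @meterian/cli: build the stdin array `check` expects from a
// package-lock.json, pipe it to the CLI, and fail CI when a finding meets a severity floor.
// The severity ranking and the lockfile walk are this script's assumptions; the report
// fields (vulnerable, severity, id, safeVersions) follow the sample output above.
const SEVERITY_RANK = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// package-lock.json v2/v3 lists installed packages under "packages", keyed by path
// ("" is the project itself; nested copies look like node_modules/a/node_modules/b).
function depsFromLockfile(lock) {
  const seen = new Set();
  const deps = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue;
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const key = `${name}@${meta.version}`;
    if (seen.has(key)) continue; // audit each name@version once, however often it is nested
    seen.add(key);
    deps.push({ language: 'nodejs', name, version: meta.version });
  }
  return deps;
}

// Pipe the array into `npx @meterian/cli check` and parse the JSON report (needs network).
function runCheck(deps) {
  const { spawnSync } = require('node:child_process');
  const r = spawnSync('npx', ['@meterian/cli', 'check'],
    { input: JSON.stringify(deps), encoding: 'utf8' });
  if (r.status !== 0) throw new Error(`check failed: ${r.stderr}`);
  return JSON.parse(r.stdout);
}

// Keep findings at or above minSeverity. safeVersions is ordered patch -> minor -> major,
// so its first entry is the smallest upgrade that clears the advisory.
function gate(report, minSeverity = 'HIGH') {
  const floor = SEVERITY_RANK[minSeverity] ?? SEVERITY_RANK.HIGH;
  return (report.vulnerable || [])
    .filter(v => (SEVERITY_RANK[v.severity] || 0) >= floor)
    .map(v => ({ package: `${v.language}:${v.name}@${v.version}`, severity: v.severity,
                 id: v.id, upgradeTo: (v.safeVersions || [])[0] || null }));
}

// Usage: node audit-gate.js path/to/package-lock.json  (exit code 1 when findings exist)
if (process.argv[2]) {
  const lock = JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'));
  const findings = gate(runCheck(depsFromLockfile(lock)), process.env.MIN_SEVERITY || 'HIGH');
  for (const f of findings)
    console.error(`${f.severity} ${f.id} in ${f.package}; upgrade to ${f.upgradeTo ?? 'n/a'}`);
  process.exit(findings.length ? 1 : 0);
}
```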
### advisories get — Single-package advisory lookup
```bash
npx @meterian/cli advisories get <language> <name> <version>
```
Returns the full advisory list for one package as a JSON array.
```bash
npx @meterian/cli advisories get nodejs lodash 4.17.15
```

### nextsafe — Safe upgrade versions
```bash
npx @meterian/cli nextsafe <language> <name> <version>
```
Returns the next safe version available at each semver level:
```json
{ "latestPatch": "4.17.21", "latestMinor": null, "latestMajor": null }
```

## Supported languages
| Language value | Package manager |
|---|---|
| nodejs (alias: npm, javascript) | npm / yarn / pnpm |
| python (alias: pypi) | pip / poetry / uv |
| java (alias: maven) | Maven / Gradle |
| rust (alias: cargo) | Cargo |
| php (alias: packagist) | Composer |
| ruby (alias: gem) | Bundler |
| golang (alias: go) | Go modules |
| dotnet (alias: nuget, csharp) | NuGet |
| cpp (alias: conan, c, c++) | Conan |
| dart (alias: pub, flutter) | pub |
| clojure (alias: leiningen) | Leiningen / deps.edn |
| swift (alias: spm) | Swift Package Manager |
## Environment variables
| Variable | Default | Description |
|---|---|---|
| KIWI_BASE_URL | https://services3.www.meterian.io | Override the Kiwi API endpoint (e.g. for QA) |
## Use with AI assistants
Install the companion Claude Code skill plugin for automated dependency auditing directly from your AI coding assistant:
```
/plugin install meterian-security-audit@claude-plugins-official
```
The skill reads your manifest files, pipes dependencies to `npx @meterian/cli check`, and presents a vulnerability report with remediation suggestions.
## Changelog
### 0.1.3 — 2026-06-07
- `check` command: each vulnerable entry now includes an `advisories` array with per-advisory detail (`id`, `description`, `severity`, `cvss`, `cwe`, `cve`, `identifiers`, `versionRange`, `link`). Fully backward compatible — existing fields are unchanged.
- Advisory descriptions are stripped of markdown before truncation, so consumers receive plain text.
### 0.1.2 — 2026-05-22
- Unified canonical user ID: the CLI now shares a persistent analytics fingerprint with the VS Code extension and MCP server (`~/.meterian/heidi/config/user.json`)
### 0.1.1 — 2026-05-20
- Set `User-Agent: meterian-cli/<version>` on all outbound HTTP requests
- Added readable `--help` output
- Fixed silent output swallowing in the bin script
### 0.1.0 — 2026-05-05
- Initial release: `check`, `advisories get`, and `nextsafe` commands
## License
MIT
