
audit-mcp-cli

v1.2.4

Published

Lightweight dependency vulnerability audit tool with CLI and MCP Server support


audit-mcp-cli


English | 中文

A lightweight dependency vulnerability audit tool for Node.js projects. Supports CLI and MCP Server modes, covers npm and pnpm projects, and generates structured Markdown/HTML reports with full dependency chains.

Features

  • Full dependency chains — traces the complete path from your package.json to each vulnerable package
  • npm + pnpm support — auto-detects package manager by lockfile
  • Remote GitHub audit — audit any public or private repo without cloning
  • MCP Server — integrates with AI coding assistants (Claude, Cursor, etc.)
  • Markdown / HTML reports — clean, structured reports sorted by severity
  • CI gate — --fail-on exit code for CI/CD pipelines
  • Ignore mechanism — suppress accepted vulnerabilities with expiration dates
  • Severity filtering — show only vulnerabilities above a threshold
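The first feature above, the full dependency chain, is the part of an audit report that tells you which of your direct dependencies actually pulls in the vulnerable copy. The following added example (not audit-mcp-cli's own code) shows one way to compute such chains from the `packages` map of an npm lockfile v3: it resolves each dependency the way Node does (nearest `node_modules`, then walking up), walks depth-first from the root, and keeps only the chains whose leaf version is below a constructed fix version. The lockfile, package names and the fix version are all constructed for the demo.

```javascript
// Added example (not audit-mcp-cli's own code): trace every dependency chain
// from the root package.json to a named package, using the `packages` map of
// an npm lockfile v3 (package-lock.json). The lockfile below is constructed.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "web-framework": "^1.0.0", "cli-helper": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.4.0", dependencies: { minimist: "^1.2.0" } },
    "node_modules/cli-helper": { version: "2.1.0", dependencies: { "arg-parser": "^3.0.0" } },
    "node_modules/arg-parser": { version: "3.0.0", dependencies: { minimist: "^0.0.8" } },
    // arg-parser pins an old minimist, so npm nests a second copy under it
    "node_modules/arg-parser/node_modules/minimist": { version: "0.0.8" },
    "node_modules/minimist": { version: "1.2.8" },
  },
};

// Node's resolution rule: from the requiring package's directory, look in its
// own node_modules first, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lockfile path (handles scoped names like node_modules/@s/x).
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Depth-first walk from the root, collecting every path that ends at targetName.
// `seen` holds the current ancestry so cyclic dependency graphs terminate.
function findChains(lock, targetName) {
  const { packages } = lock;
  const chains = [];
  function walk(path, chain, seen) {
    const entry = packages[path];
    const label = path === "" ? `${entry.name} (root)` : `${nameOf(path)}@${entry.version}`;
    const next = [...chain, label];
    if (path !== "" && nameOf(path) === targetName) {
      chains.push(next.join(" > "));
      return;
    }
    if (seen.has(path)) return;
    const nextSeen = new Set(seen).add(path);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      if (resolved) walk(resolved, next, nextSeen);
    }
  }
  walk("", [], new Set());
  return chains;
}

// Numeric "a < b" on dotted versions; a real advisory carries a semver range,
// this keeps the demo dependency-free.
function isBefore(version, fixed) {
  const a = version.split(".").map(Number), b = fixed.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Keep only the chains whose installed leaf copy is below the fixed version:
// the hoisted 1.2.8 is fine, the nested 0.0.8 under arg-parser is not.
function affectedChains(lock, targetName, fixedVersion) {
  return findChains(lock, targetName).filter((chain) => {
    const leaf = chain.slice(chain.lastIndexOf("@") + 1);
    return isBefore(leaf, fixedVersion);
  });
}

console.log(affectedChains(lockfile, "minimist", "1.2.6")); // constructed fix version
```

The point of walking the lockfile rather than `node_modules` on disk is that the lockfile is what CI installs from, so the chain you report is the one that will actually be deployed; a nested copy that the hoisted version masks on disk still shows up here.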

Install

```bash
# Run directly
npx audit-mcp-cli

# Or install globally
npm install -g audit-mcp-cli
```

Requires Node.js >= 18.

Usage

```bash
# Audit current directory
audit-mcp-cli

# Specific project path
audit-mcp-cli --path /path/to/project

# Remote GitHub repo (branch)
audit-mcp-cli --remote github:facebook/react --ref main

# Remote GitHub repo (tag)
audit-mcp-cli --remote github:facebook/react --ref v18.2.0

# Remote GitHub repo (commit SHA)
audit-mcp-cli --remote github:facebook/react --ref abc123def

# HTML report
audit-mcp-cli --format html --output report.html

# CI: fail if high+ severity vulnerabilities found
audit-mcp-cli --fail-on high

# Severity filtering (only show high and critical)
audit-mcp-cli --severity high
```

CLI Options

| Option | Description | Default |
|--------|-------------|---------|
| --path <path> | Local project path | process.cwd() |
| --remote <repo> | Remote repo: github:owner/repo or https://github.com/owner/repo | — |
| --ref <ref> | Git ref (branch name / tag / commit SHA) | main |
| --token <token> | GitHub personal access token (for private repos) | GITHUB_TOKEN env |
| --format <fmt> | Report format: md or html | md |
| --output <path> | Output file path | audit-report.md or .html |
| --severity <level> | Minimum severity to display: low / moderate / high / critical | low |
| --fail-on <level> | CI fail threshold — exit 1 if vulnerabilities at this level or above exist | — |
| --mcp | Start as MCP Server | — |
| --lang <lang> | Language: en or zh-CN | Auto-detect from system |

--fail-on exit codes

| Value | Exits 1 when |
|-------|-------------|
| critical | Any critical vulnerability found |
| high | Any high or critical found |
| moderate | Any moderate, high, or critical found |
| low | Any vulnerability found |
| (not set) | Always exits 0 |

MCP Server

Run as an MCP stdio server for AI assistants:

```bash
audit-mcp-cli --mcp
```

Claude Desktop

Basic (local projects & public repos):

```json
{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}
```

With GitHub token (private repos / avoid rate limits):

```json
{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"],
      "env": {
        "GITHUB_TOKEN": "ghp_xxxx"
      }
    }
  }
}
```

Cursor

Add to .cursor/mcp.json:

Basic (local projects & public repos):

```json
{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}
```

With GitHub token (private repos / avoid rate limits):

```json
{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"],
      "env": {
        "GITHUB_TOKEN": "ghp_xxxx"
      }
    }
  }
}
```

Tool: audit_dependencies

The MCP server exposes one tool that supports both local and remote auditing:

| Parameter | Description |
|-----------|-------------|
| projectPath | Local project path |
| remoteRepo | Remote repo: github:owner/repo |
| ref | Git ref (branch / tag / SHA) |
| token | GitHub token (for private repos, or use GITHUB_TOKEN env) |
| format | md or html |
| severity | Minimum severity filter |
| outputPath | Custom output file path |

Returns: report file path + structured vulnerability details (CVSS, dependency chains, fix suggestions).

Token is optional. Local project auditing never requires a token. Remote public repos work without a token (60 requests/hour). Only private repos require a GitHub token.

Ignore Mechanism

Create .audit-mcp-cli-ignore.json in your project root to suppress accepted vulnerabilities:

```json
{
  "ignore": [
    {
      "packageName": "minimist",
      "advisorySource": 1179,
      "reason": "Accepted risk, limited impact in our usage",
      "expiresAt": "2025-12-31T00:00:00Z"
    }
  ]
}
```

  • packageName — match all advisories for this package, or combine with advisorySource for exact match
  • expiresAt — optional, ignore auto-expires after this date
  • Ignored vulnerabilities are shown in a separate section of the report and excluded from --fail-on checks
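The ignore rules above and the --fail-on exit-code table earlier interact: a suppressed finding must drop out of the exit-code decision, but only while its rule is still valid. The following added example (not audit-mcp-cli's own code) shows one way to implement that contract: match rules by packageName with an optional advisorySource, treat an expired or malformed expiresAt as "no longer suppressing", apply --severity only to what the report displays, and derive the exit code from every non-ignored finding. The findings, the ignore file contents, the severity names and the clock values are constructed for the demo; the function names are this example's own.

```javascript
// Added example (not audit-mcp-cli's own code): apply the ignore file to a set
// of findings, then derive the --fail-on exit code. Findings, ignore rules and
// the clock values are constructed for the demo.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed findings in the shape the README describes.
const findings = [
  { packageName: "minimist", advisorySource: 1179, severity: "critical", chain: "demo-app > arg-parser > minimist@0.0.8" },
  { packageName: "minimist", advisorySource: 1180, severity: "moderate", chain: "demo-app > arg-parser > minimist@0.0.8" },
  { packageName: "lodash", advisorySource: 1523, severity: "high", chain: "demo-app > util-kit > lodash@4.17.15" },
  { packageName: "ws", advisorySource: 1700, severity: "low", chain: "demo-app > test-server > ws@7.4.0" },
];

// Contents of .audit-mcp-cli-ignore.json (constructed).
const ignoreFile = {
  ignore: [
    { packageName: "minimist", advisorySource: 1179, reason: "Accepted risk, limited impact in our usage", expiresAt: "2025-12-31T00:00:00Z" },
    // no advisorySource: matches every ws advisory; no expiresAt: never expires
    { packageName: "ws", reason: "Dev-only test helper, not shipped" },
  ],
};

// A rule suppresses a finding only if package (and advisory, when given) match
// and the rule has not expired. A malformed date never suppresses anything,
// so a typo in expiresAt fails loud instead of hiding a vulnerability forever.
function ruleMatches(rule, finding, now) {
  if (rule.packageName !== finding.packageName) return false;
  if (rule.advisorySource !== undefined && rule.advisorySource !== finding.advisorySource) return false;
  if (rule.expiresAt !== undefined) {
    const expiry = Date.parse(rule.expiresAt);
    if (Number.isNaN(expiry)) return false;
    if (now.getTime() >= expiry) return false;
  }
  return true;
}

// Split findings into active ones and ignored ones (kept, with the reason,
// for the report's separate "ignored" section).
function applyIgnore(findings, ignoreFile, now) {
  const active = [], ignored = [];
  for (const f of findings) {
    const rule = (ignoreFile.ignore || []).find((r) => ruleMatches(r, f, now));
    if (rule) ignored.push({ ...f, reason: rule.reason });
    else active.push(f);
  }
  return { active, ignored };
}

// --fail-on semantics from the README table: exit 1 if any active finding is
// at the threshold or above; unset threshold always exits 0.
function exitCodeFor(active, failOn) {
  if (!failOn) return 0;
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown --fail-on level: ${failOn}`);
  return active.some((f) => SEVERITY_RANK[f.severity] >= threshold) ? 1 : 0;
}

// Mirrors the CLI flags: --severity controls what the report shows, --fail-on
// controls the exit code; ignored findings count toward neither.
function runAudit(findings, ignoreFile, { severity = "low", failOn, now = new Date() } = {}) {
  const { active, ignored } = applyIgnore(findings, ignoreFile, now);
  const shown = active.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[severity]);
  return { shown, ignored, exitCode: exitCodeFor(active, failOn) };
}

const before = runAudit(findings, ignoreFile, { failOn: "high", now: new Date("2025-06-01T00:00:00Z") });
console.log(`before expiry: exit ${before.exitCode}, shown ${before.shown.length}, ignored ${before.ignored.length}`);
const after = runAudit(findings, ignoreFile, { failOn: "critical", now: new Date("2026-01-15T00:00:00Z") });
console.log(`after expiry: exit ${after.exitCode}, shown ${after.shown.length}, ignored ${after.ignored.length}`);
```

Note that the display filter and the gate are deliberately decoupled: running with `--severity high --fail-on critical` still hides moderate findings from the report, but a critical one that the ignore file no longer covers flips the exit code the day its rule expires, which is exactly the behaviour a time-boxed risk acceptance should have.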

CI Integration

```yaml
# GitHub Actions example
- name: Security Audit
  run: npx audit-mcp-cli --fail-on high
```

```bash
# Generic CI
npx audit-mcp-cli --fail-on high && echo "pass" || echo "fail"
```

License

MIT