secure-deps-check
v1.0.0
Published
Actionable, developer-centric security insights for Node.js applications
Maintainers
Readme
🛡️ secure-deps-check
Actionable, developer-centric security insights for Node.js applications.
Replaces the noise of npm audit with a clear risk score, visual severity breakdown, and smart, copy-paste-ready recommendations — all from a single command.
Features
| Signal | Detection |
|--------|-----------|
| 🔴 Known CVEs | Matched against vulnerability DB (extensible mock by default) |
| 🚩 Abandonment | Packages not published in > 12 months |
| 👤 Bus-factor risk | Single-maintainer packages flagged |
| 🚨 Malware vectors | postinstall / preinstall script detection |
| 🎭 Typo-squatting | Levenshtein distance check against top-100 npm packages |
| ⚠️ Outdated versions | Compares installed vs latest from npm registry |
Quick Start
# In your project directory
npx secure-deps-check scan
# Or install globally
npm install -g secure-deps-check
secure-deps-check scanCommands
scan (default)
Full visual analysis with per-package risk scores and colored output.
secure-deps-check scan
secure-deps-check scan --dir /path/to/projectOutput:
🛡️ secure-deps-check — Security Scan
✔ Found 8 dependencies in my-app
✔ Metadata fetched for 8 packages
📦 [email protected] → 1.2.8
🔴 [CRITICAL] Prototype Pollution — CVE-2021-44906
Fix: upgrade to 1.2.6
⚠️ Outdated (latest: 1.2.8)
🚩 Abandoned — last published Feb 2023
Risk: 🔴 7.6 / 10 (High Risk)
Breakdown: Vuln ████████ Maint ██░░░░░░ Age ████████ Anomaly ░░░░░░░░
📦 [email protected] → 4.18.1
🔴 [HIGH] Command Injection via template — CVE-2021-23337
Fix: upgrade to 4.17.21
Risk: 🟡 4.6 / 10 (Medium Risk)
🧠 Overall Risk Score: MEDIUM RISK 4.9 / 10
💡 Recommendations:
→ minimist: npm install [email protected]
→ lodash: npm install [email protected]fix
Shows a prioritized fix plan with ready-to-run commands.
secure-deps-check fixOutput:
🔧 Fix Plan
Run these commands to remediate identified issues:
📦 lodash
Update to patch CVE-2021-23337
$ npm install [email protected]
📦 left-pad
Replace with String.prototype.padStart(): native JS method
$ npm uninstall left-padci
Non-interactive mode for CI/CD pipelines. Outputs JSON. Exits 1 if score exceeds threshold.
secure-deps-check ci
secure-deps-check ci --threshold 4.0JSON Output:
{
"overallScore": 4.9,
"riskLevel": "medium",
"passed": false,
"totalDependencies": 8,
"packages": [
{
"name": "minimist",
"riskScore": 7.6,
"riskLevel": "high",
"vulnerabilities": [{ "id": "CVE-2021-44906", "severity": "critical" }]
}
],
"recommendations": [...]
}Risk Scoring Algorithm
score = (vulnerabilityScore × 0.5)
+ (maintainerRisk × 0.2)
+ (activityRisk × 0.2)
+ (anomalyRisk × 0.1)| Component | Source |
|-----------|--------|
| vulnerabilityScore | Severity of worst CVE (critical=10, high=8, moderate=5, low=2) |
| maintainerRisk | 1 maintainer=9, 2=6, 3-4=3, 5+=0 |
| activityRisk | >3yr=10, >2yr=8, >1yr=6, >6mo=2, recent=0 |
| anomalyRisk | Typo-squat+6, install script+4 |
| Score | Risk Level | |-------|-----------| | ≥ 7.0 | 🔴 High Risk | | 4.0 – 6.9 | 🟡 Medium Risk | | < 4.0 | 🟢 Safe |
CI/CD Integration
Drop .github/workflows/security.yml (included in this repo) into your project for automatic PR scanning with GitHub Actions step summaries.
- name: Run security scan
run: npx secure-deps-check ci --threshold 5.0Architecture
src/
├── cli/
│ └── index.ts # Commander entry point (scan / fix / ci commands)
└── core/
├── parser.ts # Reads package.json + lockfiles (npm/pnpm)
├── analyzer.ts # Fetches npm metadata, runs detection signals
├── scorer.ts # Risk scoring algorithm
├── recommender.ts # Generates actionable fix suggestions
└── reporter.ts # Chalk-powered terminal formatterExtending the Vulnerability Database
Edit src/core/analyzer.ts — the VULN_DATABASE constant. In production, replace or augment with:
- OSV.dev —
https://api.osv.dev/v1/query - npm audit —
npm audit --jsonpipe into the analyzer - Snyk API — requires API key
Development
git clone <repo>
cd secure-deps-check
npm install
npm run build
npm link # Makes `secure-deps-check` available globally
# Test against demo vulnerable project
node dist/cli/index.js scan --dir ./demoLicense
MIT
