u/cond_cond

audit-trace — trace npm audit vulnerabilities through the dependency tree
▲ 1 r/node+1 crossposts

Built a small CLI tool called audit-trace.

It takes npm audit results and maps vulnerable packages back through the dependency tree, so you can actually see how a vulnerability reaches your project.

Useful when dealing with large transitive dependency chains and trying to figure out whether the issue is direct, upstream, or ignorable.

https://npmx.dev/package/audit-trace

Typical npm audit output:

semver  7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver

But which package is actually pulling it in?

With audit-trace:

@svgr/prollup
  @babel/core
    └── @babel/helper-compilation-targets
        └── semver
    └── @babel/helpers
    └── semver

  @babel/preset-env
    └── @babel/plugin-syntax-unicode-sets-regex
        └── @babel/helper-create-regexp-features-plugin
            └── semver
    └── @babel/plugin-transform-modules-systemjs
    └── babel-plugin-polyfill-corejs2
        └── semver
    └── semver
u/cond_cond — 1 day ago
▲ 1 r/npm

audit-trace - Dependency vulnerability analysis with ownership tracing and actionable remediation

npmjs.com
u/cond_cond — 2 days ago
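As an added example (not audit-trace's own code, and not posted by its author), here is a minimal Node.js script that does the same kind of tracing the post describes: it reads the advisories from an `npm audit --json` report, walks the nested tree from `npm ls --all --json`, and prints every root-to-package chain together with a direct/transitive verdict and the top-level owners. It assumes the JSON shapes of `npm audit --json` (npm 7+, `vulnerabilities` keyed by package name, each with `severity` and `range`) and `npm ls --all --json` (nested `dependencies` objects with a `version` field). Both inputs below are constructed fixtures, not real command output.

```javascript
// Added example (not audit-trace's own code): trace packages flagged by
// `npm audit --json` back to the top-level dependencies that pull them in,
// using the nested tree shape produced by `npm ls --all --json`.
// Both fixtures below are constructed for this example, not real output.

// Constructed fixture in the shape of `npm audit --json` (npm >= 7);
// only the fields this example reads are included.
const auditJson = {
  vulnerabilities: {
    semver: {
      name: 'semver',
      severity: 'high',
      range: '7.0.0 - 7.5.1',
      nodes: ['node_modules/semver'],
    },
    'left-pad': {
      name: 'left-pad',
      severity: 'low',
      range: '<1.0.0',
      nodes: ['node_modules/left-pad'],
    },
  },
};

// Constructed fixture in the shape of `npm ls --all --json`:
// `semver` is reachable twice through @babel/core and once as a direct
// dependency; `left-pad` is flagged but absent from the tree.
const depTree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    '@babel/core': {
      version: '7.23.0',
      dependencies: {
        '@babel/helper-compilation-targets': {
          version: '7.22.15',
          dependencies: { semver: { version: '6.3.1' } },
        },
        semver: { version: '7.5.0' },
      },
    },
    semver: { version: '7.5.0' },
  },
};

// Depth-first walk collecting every root-to-target chain as an array of
// package names. `onPath` stops recursion when a name reappears inside
// its own chain, so hand-built or cyclic object graphs cannot loop forever.
function tracePaths(tree, target) {
  const found = [];
  function walk(deps, chain, onPath) {
    for (const [name, node] of Object.entries(deps || {})) {
      if (onPath.has(name)) continue;
      const next = chain.concat(name);
      if (name === target) found.push(next);
      onPath.add(name);
      walk(node.dependencies, next, onPath);
      onPath.delete(name);
    }
  }
  walk(tree.dependencies, [], new Set());
  return found;
}

// For each advisory: the chains, whether the package is also a direct
// dependency, which top-level packages own the transitive chains, and
// whether it could not be located in the tree at all.
function traceAudit(audit, tree) {
  const result = {};
  for (const [pkg, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const paths = tracePaths(tree, pkg);
    result[pkg] = {
      severity: vuln.severity,
      range: vuln.range,
      paths,
      direct: paths.some((p) => p.length === 1),
      owners: [...new Set(paths.filter((p) => p.length > 1).map((p) => p[0]))],
      unresolved: paths.length === 0,
    };
  }
  return result;
}

// Render the chains as an indented tree, one line per package.
function renderPaths(paths) {
  const lines = [];
  for (const path of paths) {
    path.forEach((name, depth) => {
      lines.push(depth === 0 ? name : `${'    '.repeat(depth - 1)}  └── ${name}`);
    });
  }
  return lines.join('\n');
}

function printReport(audit, tree) {
  for (const [pkg, info] of Object.entries(traceAudit(audit, tree))) {
    console.log(`${pkg} (${info.severity}, ${info.range})`);
    if (info.unresolved) {
      console.log('  not found in dependency tree');
      continue;
    }
    console.log(`  direct: ${info.direct}  owners: ${info.owners.join(', ') || '(none)'}`);
    console.log(renderPaths(info.paths).replace(/^/gm, '  '));
  }
}

printReport(auditJson, depTree);
```

To run it against a real project, replace the two fixtures with `JSON.parse(fs.readFileSync('audit.json'))` and the like after `npm audit --json > audit.json` and `npm ls --all --json > tree.json`. One caveat a practitioner will hit: `npm ls` marks repeated subtrees as deduped instead of expanding them again, so a chain that passes through a deduped node stops there; for exhaustive chains, build the tree from the `packages` map in package-lock.json instead. The `unresolved` flag is the interesting one for triage: an advisory with no chain usually means the package is gone from the tree (pruned, or only in a lockfile that is out of date), which is exactly the "ignorable" case the post mentions, and worth confirming rather than assuming.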