pi-dep-audit

Audit npm dependencies for vulnerabilities, outdated packages, and license compliance — integrated into pi.dev workflow

Package details

Install pi-dep-audit from npm and Pi will load the resources declared by the package manifest.

$ pi install npm:pi-dep-audit
Package
pi-dep-audit
Version
1.0.0
Published
Jun 25, 2026
Downloads
not available
Author
realvendex
License
MIT
Types
extension, skill
Size
30.2 KB
Dependencies
0 dependencies · 2 peers
Pi manifest JSON
{
  "extensions": [
    "./extensions"
  ],
  "skills": [
    "./skills"
  ]
}

Security note

Pi packages can execute code and influence agent behavior. Review the source before installing third-party packages.

README

pi-dep-audit

Audit npm dependencies for vulnerabilities, outdated packages, and license compliance — integrated into your pi.dev workflow.

Features

  • CVE Scanning — queries OSV.dev for known vulnerabilities (no API key needed)
  • Outdated Detection — semver-aware severity classification (major/minor/patch)
  • License Compliance — detects copyleft licenses in permissive projects
  • Auto-Fix — bump vulnerable packages to safe versions automatically
  • Structured Output — JSON report for CI integration + human-readable summary

Install

npx pi install pi-dep-audit

Or add to your pi project:

npm install pi-dep-audit

Usage

Slash Command

Type /audit in your pi.dev agent to run a full dependency audit:

> /audit

╔══════════════════════════════════════════════════════════════╗
║  📦 DEPENDENCY AUDIT REPORT
║  Project: my-awesome-app
║  2026-06-25T12:00:00.000Z
╚══════════════════════════════════════════════════════════════╝

🔒 VULNERABILITIES
────────────────────────────────────────
  ✅ No known vulnerabilities found

📊 OUTDATED PACKAGES
────────────────────────────────────────
  Total: 2 (1 major, 1 minor, 0 patch)

  🔴 lodash: 4.17.20 → 4.17.21 (patch)
  🟡 express: 4.18.0 → 4.18.2 (patch)

📜 LICENSES
────────────────────────────────────────
  Total packages: 42
  MIT: 38
  ISC: 3
  BSD-2-Clause: 1

Tools

The extension registers two tools for the LLM:

dep-audit

Run a full dependency audit:

// The LLM calls this when you ask about dependency health
"Check my dependencies for vulnerabilities"

dep-fix

Auto-fix vulnerabilities:

// The LLM calls this when you ask to fix issues
"Fix all dependency vulnerabilities"

Supports a dry_run parameter to preview changes without applying them.

How It Works

Vulnerability Detection

Uses the OSV.dev API — a free, open-source vulnerability database. One query is issued per installed package and version, scoped to the npm ecosystem so that same-named packages from other ecosystems do not match.

Outdated Detection

Runs npm outdated --json and classifies version bumps:

  • Major (🔴) — breaking changes likely
  • Minor (🟡) — new features, backward compatible
  • Patch (🟢) — bug fixes only

License Compliance

Scans node_modules/*/package.json for license fields and flags:

  • Copyleft licenses (GPL, AGPL, LGPL) in permissive projects (MIT, BSD, ISC)
  • Unknown or unparseable licenses
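
The three checks described above (OSV lookup, semver bump classification, copyleft detection), as an added example in dependency-free Node.js; this is not pi-dep-audit's own code, and every input in it is constructed, including the placeholder advisory id.

```javascript
// Added example, not pi-dep-audit's own code: the three checks the README
// describes, in dependency-free Node.js. All inputs below are constructed.
const SAMPLE_DEPS = { lodash: '4.17.20', express: '4.18.0' };      // name -> installed
const SAMPLE_OSV_RESPONSE = {                                        // constructed reply
  results: [{ vulns: [{ id: 'GHSA-PLACEHOLDER', modified: '2026-01-01T00:00:00Z' }] }, {}],
};

// Request body for OSV.dev's batch endpoint (POST https://api.osv.dev/v1/querybatch):
// one query per package@version, pinned to ecosystem "npm" so PyPI/crates.io homonyms never match.
function buildOsvQueryBatch(deps) {
  return {
    queries: Object.entries(deps).map(([name, version]) => ({
      package: { name, ecosystem: 'npm' },
      version,
    })),
  };
}

// OSV returns results positionally, in query order; a clean package comes back
// as an object with no `vulns` key, so default to an empty list.
function matchOsvResults(deps, response) {
  const names = Object.keys(deps);
  const findings = {};
  response.results.forEach((r, i) => {
    const ids = (r.vulns || []).map((v) => v.id);
    if (ids.length) findings[names[i]] = ids;
  });
  return findings;
}

// Classify an `npm outdated --json` bump by the first differing semver field.
// Range prefixes (^, ~, v) and prerelease/build suffixes are stripped first.
function classifyBump(current, wanted) {
  const parse = (v) => v.replace(/^[^\d]*/, '').split(/[-+]/)[0].split('.').map(Number);
  const c = parse(current), w = parse(wanted);
  if (w[0] !== c[0]) return 'major';
  if (w[1] !== c[1]) return 'minor';
  if (w[2] !== c[2]) return 'patch';
  return 'none';
}

// Flag GPL/AGPL/LGPL-family licenses when the root project is permissive
// (MIT, ISC, BSD). SPDX expressions such as "(MIT OR GPL-2.0)" are matched by
// substring; a missing or non-string license field is reported as null (unknown).
const COPYLEFT = /\b[AL]?GPL\b/i;
function isCopyleftConflict(rootLicense, depLicense) {
  if (!/^(MIT|ISC|BSD-\d-Clause)$/.test(rootLicense)) return false;
  if (typeof depLicense !== 'string' || !depLicense) return null;
  return COPYLEFT.test(depLicense);
}
```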

Auto-Fix Strategy

  1. Security updates first — bump packages with known CVEs to their fix version
  2. Version updates second — apply non-breaking updates (wanted version)
  3. Reports successes and failures separately

Requirements

  • Node.js 18+
  • npm project with package.json
  • node_modules installed (for license scanning)

License

MIT