Audit npm dependencies for vulnerabilities, outdated packages, and license compliance — integrated into your pi.dev workflow.
- CVE Scanning — queries OSV.dev for known vulnerabilities (no API key needed)
- Outdated Detection — semver-aware severity classification (major/minor/patch)
- License Compliance — detects copyleft licenses in permissive projects
- Auto-Fix — bump vulnerable packages to safe versions automatically
- Structured Output — JSON report for CI integration + human-readable summary
npx pi install pi-dep-auditOr add to your pi project:
npm install pi-dep-auditType /audit in your pi.dev agent to run a full dependency audit:
> /audit
╔══════════════════════════════════════════════════════════════╗
║ 📦 DEPENDENCY AUDIT REPORT
║ Project: my-awesome-app
║ 2026-06-25T12:00:00.000Z
╚══════════════════════════════════════════════════════════════╝
🔒 VULNERABILITIES
────────────────────────────────────────
✅ No known vulnerabilities found
📊 OUTDATED PACKAGES
────────────────────────────────────────
Total: 2 (1 major, 1 minor, 0 patch)
🔴 lodash: 4.17.20 → 4.17.21 (patch)
🟡 express: 4.18.0 → 4.18.2 (patch)
📜 LICENSES
────────────────────────────────────────
Total packages: 42
MIT: 38
ISC: 3
BSD-2-Clause: 1
The extension registers two tools for the LLM:
Run a full dependency audit:
// The LLM calls this when you ask about dependency health
"Check my dependencies for vulnerabilities"Auto-fix vulnerabilities:
// The LLM calls this when you ask to fix issues
"Fix all dependency vulnerabilities"Supports a dry_run parameter to preview changes without applying them.
Uses the OSV.dev API — a free, open-source vulnerability database. Queries are made per-package-version, matching against the npm ecosystem.
Runs npm outdated --json and classifies version bumps:
- Major (🔴) — breaking changes likely
- Minor (🟡) — new features, backward compatible
- Patch (🟢) — bug fixes only
Scans node_modules/*/package.json for license fields and flags:
- Copyleft licenses (GPL, AGPL, LGPL) in permissive projects (MIT, BSD, ISC)
- Unknown or unparseable licenses
- Security updates first — bump packages with known CVEs to their fix version
- Version updates second — apply non-breaking updates (wanted version)
- Reports successes and failures separately
- Node.js 18+
- npm project with
package.json node_modulesinstalled (for license scanning)
MIT