npm audit without the noise. depmedic triages instead.
npm audit reports every CVE in every transitive dependency,
regardless of whether your code path actually reaches it. Half the
output is noise: a vulnerability in a dev-only tool, a CVE that needs
attacker-controlled input you never provide, an advisory with no
available patch.
The honest version of "fix this CVE" is three questions:
- Does my code actually reach the vulnerable function?
- Is there a fix I can apply right now?
- Will applying the fix break anything?
depmedic asks those three questions, in that order, and prints a plan you can
read in ten seconds.
One command
npx depmedic
It runs npm audit --json, parses the advisory tree, and
groups findings by:
- direct vs transitive - direct deps you control. Transitive deps need a parent bump.
- fix available now - a non-breaking patch path exists in your version range.
- fix requires a major bump - flagged separately because the upgrade may break callers.
- no fix yet - upstream hasn't released a patch.
The output is a list of concrete next actions sorted by severity, not a
wall of advisory IDs. CI-friendly exit codes: 0 if nothing
needs your attention, 1 if there are reachable findings.
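As an added illustration (not depmedic's own source), here is a small Node script that does the grouping just described over a constructed `npm audit --json` report, using the `isDirect` and `fixAvailable` fields npm emits, and returns the severity-sorted action list plus the CI exit code. It assumes every reported finding counts as actionable; depmedic's reachability heuristic is not reproduced.

```javascript
// Added triage example, not depmedic's source. It buckets the `vulnerabilities`
// map of an `npm audit --json` report (auditReportVersion 2) as the page describes.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// npm encodes the fix path in `fixAvailable`: false (or absent) means no
// upstream patch, true means an update inside the current range, and an
// object names the top-level package to change and whether that is semver-major.
function fixBucket(v) {
  const fix = v.fixAvailable;
  if (!fix) return "no fix yet";
  if (fix !== true && fix.isSemVerMajor) return "fix requires a major bump";
  return "fix available now";
}

// Concrete next action. A transitive dep cannot be bumped directly, so the
// action names the parent package that npm says to change.
function actionFor(v) {
  const fix = v.fixAvailable;
  if (!fix) return "monitor upstream";
  if (fix === true) return `npm update ${v.name}`;
  const verb = v.isDirect ? "upgrade" : "bump parent";
  const note = fix.isSemVerMajor ? " (major: check callers)" : "";
  return `${verb} ${fix.name}@${fix.version}${note}`;
}

// Severity-sorted action list plus a CI exit code: 0 when nothing needs
// attention, 1 otherwise. Assumption: every reported finding counts.
function triage(report) {
  const actions = Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name,
    severity: v.severity,
    scope: v.isDirect ? "direct" : "transitive",
    bucket: fixBucket(v),
    action: actionFor(v),
  }));
  actions.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { actions, exitCode: actions.length ? 1 : 0 };
}

// Constructed sample report (made-up package names, no real advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "left-dep": { name: "left-dep", severity: "moderate", isDirect: true, fixAvailable: true },
    "deep-dep": { name: "deep-dep", severity: "critical", isDirect: false, effects: ["parent-pkg"],
      fixAvailable: { name: "parent-pkg", version: "3.0.0", isSemVerMajor: true } },
    "stale-dep": { name: "stale-dep", severity: "high", isDirect: false, fixAvailable: false },
  },
};

for (const a of triage(SAMPLE_REPORT).actions)
  console.log(`[${a.severity}] ${a.name} (${a.scope}, ${a.bucket}): ${a.action}`);
```

A real CLI would set `process.exitCode` from the returned `exitCode`; it is left as a return value here so the script can be imported.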
Why not just npm audit fix?
npm audit fix is too aggressive. It applies whatever
upgrades the resolver thinks satisfy the advisory tree, including
transitive bumps that reshape your package-lock.json.
Sometimes that's fine; sometimes it silently swaps the major version of
a transitive dep that actually mattered.
depmedic never modifies your tree. It tells you what to do.
You apply the changes you agree with.
Output format
Three formats: human-readable text (the default), --json
for tooling, and --markdown for PR comments. The markdown
output groups findings into fix now, review, and
monitor tables so the PR reviewer sees what needs action
immediately.
What it does NOT do
- It does not run static reachability analysis. The "reachability" hint is heuristic - direct vs transitive, dev vs prod, plus the advisory's own metadata. For real call-graph reachability, use a paid SCA tool.
- It does not modify your package.json or package-lock.json. Read-only by design.
- It does not phone home. No telemetry. No signup.
The companion tools
Once you've handled the application deps, the CI side is worth the same ten minutes:
npx depmedic # triage npm vulnerabilities
npx ci-doctor # audit GitHub Actions for waste + security gaps
npx pin-actions # pin every action ref to a SHA
npx gha-budget # estimate the dollar cost of each workflow
Four CLIs, each under two seconds, all MIT.
Try it
npx depmedic
Source on GitHub.