
Dependency Intel

npm audit with context

npx promptreports-cli deps

Runs npm audit for CVEs, npm outdated, unused packages, license compliance. Every dependency, explained.

deps is npm audit on steroids. It runs a security scan for CVEs and groups the findings by severity. It checks every package against its latest version, flagging major updates separately because they can carry breaking changes. It scans your code to find dependencies that are installed but never imported. It checks the licenses of the top 30 packages against a safe list (MIT, Apache-2.0, BSD, ISC) and flags anything else (GPL, AGPL, proprietary).
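To make the three checks concrete, here is an added example in plain Node (built-ins only) that is not promptreports-cli's own code: it groups `npm audit --json` findings by severity and adds a deploy gate, evaluates package.json `license` fields (including SPDX `OR`/`AND` expressions and the legacy `{ type }` object) against an allow list, and counts import sites per dependency to produce the "possibly unused" list. The audit JSON shape is the one npm 7+ emits; the SPDX ids in the allow list, the `failsGate` threshold, and all sample inputs are assumptions or constructed data.

```javascript
// Added example, not promptreports-cli's own code: the three checks the
// `deps` command combines, using Node built-ins only so it runs offline.
// Assumed input shapes: `npm audit --json` as emitted by npm 7+, package.json
// `license` fields, and an in-memory map of source files. Sample data is constructed.
const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];
// The page names MIT, Apache-2.0, BSD and ISC; the exact SPDX ids below are an assumption.
const SAFE_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC']);

// 1. Group audit findings by severity. `via` holds advisory objects for direct
//    hits and bare package names for purely transitive exposure.
function groupAuditBySeverity(audit) {
  const groups = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, []]));
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const advisories = (vuln.via || [])
      .filter((v) => v && typeof v === 'object')
      .map((v) => v.title + (v.url ? ' <' + v.url + '>' : ''));
    if (!groups[vuln.severity]) groups[vuln.severity] = [];
    groups[vuln.severity].push({
      name, range: vuln.range, fixAvailable: Boolean(vuln.fixAvailable), advisories,
    });
  }
  return groups;
}

// Deploy gate: true when anything at or above `threshold` severity is present.
function failsGate(groups, threshold = 'high') {
  const cutoff = SEVERITY_ORDER.indexOf(threshold);
  if (cutoff < 0) throw new Error('unknown severity threshold: ' + threshold);
  return SEVERITY_ORDER.slice(0, cutoff + 1).some((s) => groups[s].length > 0);
}

// 2. License compliance. `license` may be an SPDX id, an SPDX expression such
//    as "(MIT OR GPL-3.0)", or the legacy { type, url } object. Missing or
//    unparseable licenses are flagged rather than trusted.
function licenseAllowed(license, allowed = SAFE_LICENSES) {
  if (license && typeof license === 'object') license = license.type;
  if (typeof license !== 'string' || !license.trim()) return false;
  const expr = license.replace(/[()]/g, '').trim();
  // OR: one acceptable alternative suffices; AND: every part must be acceptable.
  return expr.split(/\s+OR\s+/).some((alt) =>
    alt.split(/\s+AND\s+/).every((id) => allowed.has(id.trim())));
}

function flagLicenses(pkgs, allowed = SAFE_LICENSES) {
  return pkgs
    .filter((p) => !licenseAllowed(p.license, allowed))
    .map((p) => ({
      name: p.name,
      license: (p.license && typeof p.license === 'object' ? p.license.type : p.license) || 'UNKNOWN',
    }));
}

// 3. Possibly-unused dependencies: count import/require sites per package,
//    reducing deep imports ("lodash/fp", "@scope/pkg/sub") to the package name.
//    Packages used only from package.json scripts or tool configs will show as
//    unused here, which is why the list is only "possibly" unused.
const IMPORT_RE = /(?:\bfrom\s*|\brequire\s*\(\s*|\bimport\s*\(?\s*)['"]([^'"]+)['"]/g;

function packageName(specifier) {
  if (/^[./]/.test(specifier) || specifier.startsWith('node:')) return null; // local or built-in
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function findUnusedDeps(dependencies, sourceFiles) {
  const counts = Object.fromEntries(Object.keys(dependencies).map((d) => [d, 0]));
  for (const content of Object.values(sourceFiles)) {
    for (const m of content.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name !== null && name in counts) counts[name] += 1;
    }
  }
  return Object.keys(counts).filter((d) => counts[d] === 0).sort();
}

// Constructed sample inputs standing in for real npm output and a real repo.
const SAMPLE_AUDIT = { vulnerabilities: {
  protobufjs: { name: 'protobufjs', severity: 'critical', range: '<7.2.5', fixAvailable: true,
    via: [{ title: 'Prototype pollution (constructed)', url: 'https://example.invalid/advisory/1' }] },
  axios: { name: 'axios', severity: 'high', range: '<1.6.0',
    fixAvailable: { name: 'axios', version: '1.6.0', isSemVerMajor: false },
    via: [{ title: 'SSRF (constructed)' }] },
  'react-dom': { name: 'react-dom', severity: 'moderate', range: '*', fixAvailable: false, via: ['lodash'] },
} };
const SAMPLE_PACKAGES = [
  { name: 'express', license: 'MIT' },
  { name: 'some-dep', license: 'GPL-3.0' },
  { name: 'dual-licensed', license: '(MIT OR GPL-3.0)' },
  { name: 'legacy-field', license: { type: 'BSD-3-Clause', url: 'https://example.invalid/LICENSE' } },
  { name: 'no-license-field' },
];
const SAMPLE_DEPS = { express: '^4.19.0', lodash: '^4.17.21', '@scope/charts': '^1.0.0', 'chart.js': '^4.0.0', marked: '^9.0.0' };
const SAMPLE_SOURCES = {
  'src/app.js': "import express from 'express';\nconst fp = require('lodash/fp');",
  'src/ui.ts': "import { Chart } from '@scope/charts/core';\nconst md = await import('marked');",
};

function renderReport() {
  const groups = groupAuditBySeverity(SAMPLE_AUDIT);
  const lines = ['Security Audit'];
  for (const s of SEVERITY_ORDER) for (const v of groups[s]) lines.push(`  ${s.padEnd(9)} ${v.name} ${v.range}`);
  lines.push(`Deploy gate (>= high): ${failsGate(groups, 'high') ? 'FAIL' : 'pass'}`);
  lines.push('License Flags');
  for (const f of flagLicenses(SAMPLE_PACKAGES)) lines.push(`  ${f.name}: ${f.license}`);
  lines.push('Possibly Unused');
  for (const d of findUnusedDeps(SAMPLE_DEPS, SAMPLE_SOURCES)) lines.push(`  - ${d}`);
  return lines.join('\n');
}
console.log(renderReport());
```

Two design points worth keeping in mind when reading the real tool's output: a missing or non-SPDX `license` field is treated as a flag, not a pass, because "unknown" is the case that most often hides a GPL or proprietary dependency; and the unused check is purely static, so a package that is only referenced by an npm script, a build plugin or a config file will be reported even though removing it would break the build.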

Prerequisites

  • npm installed
  • node_modules populated

Flags & Options

  Flag          Description                    Default
  --audit       Security audit                 on, if no other flag is given
  --outdated    Check for outdated packages
  --unused      Find unused dependencies
  --licenses    License compliance
  --json        JSON output

Examples

Security scan

npx promptreports-cli deps

Default — CVE check.

Update candidates

npx promptreports-cli deps --outdated

What's behind?

Full audit

npx promptreports-cli deps --audit --outdated --unused --licenses

Everything at once.

Output

Four optional sections: security vulnerabilities (by severity), outdated packages table, possibly unused list, license flags.

  Security Audit
  5 vulnerabilities found:
    2 critical    — protobufjs (CVE-2024-12345), xlsx (CVE-2024-67890)
    1 high        — axios
    2 moderate    — lodash, react-dom

  Outdated Packages (19 of 127 behind latest)
  Package               Current   Latest    Type
  typescript            5.0.1     5.3.3     minor
  express               4.17.0    4.19.0    minor
  next                  14.2.0    15.0.0    MAJOR    ⚠
  prisma                5.0.0     6.0.0     MAJOR    ⚠

  Possibly Unused (3)
  - lodash-es           0 imports in src/
  - chart.js            0 imports in src/
  - marked              0 imports in src/

  License Flags (1)
  some-dep: GPL-3.0     (reconsider for commercial use)

What it reads and writes

Reads

  • package.json
  • node_modules/*/package.json

Writes

Nothing (read-only)

Free vs Pro usage

Free tier

  • Before every deploy — catch new CVEs
  • Quarterly license compliance check
  • Pre-acquisition due diligence

Pro tier

  • Auto-PR for patch-level security fixes
  • CVE alerts in Slack before your competitors know
  • License compliance history (prove you were compliant on date X)
  • Bundle size impact per package

Pro tips

  • Never ignore critical CVEs — fix same day
  • MAJOR updates deserve a dedicated PR, not a sweep
  • Unused packages = bundle size + maintenance cost — delete aggressively