audit-trace
Advanced tools
audit-trace is a local-first CLI for npm / pnpm / Yarn projects. It combines lockfile-aware dependency graphs with audit output so you can see which top-level dependencies introduce a vulnerable package, short remediation hints, and CI-friendly diagnostics (structured CiDiagnostic codes for logs, job summaries, or PR comments).
npm install -g audit-trace
# or use npx
npx audit-trace report
From source:
git clone <repo>
cd audit-trace
npm install
npm run build
node dist/cli.js --help
cd your-project
audit-trace report
audit-trace report --json
audit-trace report --ci --fail-on high --prod-only
audit-trace report --interactive
Use ↑/↓ to browse findings, q to quit.
| Command | Description |
|---|---|
report (default) | Run package-manager audit + lockfile graph; print ownership paths & remediation hints |
why <pkg> | Shortest path(s) from workspace root(s) to a package in the lockfile graph |
graph <pkg> | Enumerate paths (capped) between roots and the package |
impact <pkg> | Transitive consumers (reverse reachability in the graph) |
diff <before> <after> | Compare two lockfiles (--kind npm|pnpm) — added/removed package keys |
--json / --markdown / --html — output modes--ci — apply exit-code policy and print structured CI diagnostics to stderr--ci-verbose — more explanatory CI text--fail-on <level> — critical | high | moderate | low | info | none (default: high in CI contexts; in local runs without --ci, exit code stays 0 unless --ci is passed)--prod-only — drop findings whose traced paths are dev-only (best-effort; requires dev flags in the lockfile)--audit-file <path> — parse audit JSON instead of invoking npm|pnpm|yarn audit--pm npm\|pnpm\|yarn — force audit runner--entry <file> — optional entry for madge-based reachability heuristic (tags titles)Stable codes emitted in JSON (diagnostics[]) and echoed in human CI summaries:
| Code | Meaning |
|---|---|
NO_LOCKFILE | No supported lockfile at project root — graph/ownership is degraded |
AUDIT_SOURCE_FALLBACK | Audit subprocess failed or returned empty — verify tool versions |
FILTER_CONTEXT | Some items excluded by --prod-only / future filters |
FAIL_HIGH_PROD | High/critical findings matched the failure threshold |
FAIL_POLICY | Generic policy failure (--fail-on and severity counts) |
GRAPH_BUILD_WARN | Reserved for graph/parser warnings |
See examples/github-actions/ci.yml for a sample workflow posting JSON + human-readable sections.
Plugins can implement hooks such as afterGraphBuilt, afterAuditNormalized, onCiDiagnostics, and formatReport. Register via the internal plugins/registry API (local imports) — a config file loader can be added later.
npm test
npm run build
yarn.lock + yarn audit --json are the primary targets.madge is heuristic (static graph); dynamic require is not modeled.overrides / resolutions when audit provides patched ranges; otherwise a manual upgrade path is suggested.MIT
FAQs
Dependency vulnerability analysis with ownership tracing and actionable remediation
The npm package audit-trace receives a total of 22 weekly downloads. As such, audit-trace popularity was classified as not popular.
We found that audit-trace demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
TrapDoor crypto stealer hits 36 malicious packages across npm, PyPI, and Crates.io, targeting crypto, DeFi, AI, and security developers.
Research
/Security News
Laravel Lang packages were compromised with an RCE backdoor across hundreds of versions, exposing cloud, CI/CD, and developer secrets.
Security News
Socket found a malicious postinstall hook across 700+ GitHub repos, including PHP packages on Packagist and Node.js project repositories.