JSPM

@marshell/chifu

0.1.3
    • License MIT

    Make your AI coding agent dependency-security aware. Checks your project's dependencies against known CVEs so your agent can fix what it introduced — before merge.

      chifu

      Make your AI coding agent dependency-security aware.

      AI coding agents (Claude Code, Cursor, Codex, …) happily add, bump, and pin dependencies — and just as happily pull in ones with known CVEs, then move on. chifu is a tiny CLI your agent runs to find vulnerable dependencies, so it can fix what it introduced before you merge — not weeks later in a Dependabot PR.

      It pairs with the chifu skill so the agent runs it automatically when it touches dependencies.

      $ chifu check
      
        3 of 143 dependencies are vulnerable
      
        CRITICAL  lodash    4.17.4  → 4.18.0    (8 CVEs)
        HIGH      axios     0.21.0  → 0.32.0    (13 CVEs)
        MEDIUM    minimist  1.2.0   → 1.2.3     (1 CVE)
      
        Run with --verbose to list individual CVEs.

      Each row collapses to the single upgrade that clears all of that package's CVEs.

      The wizard installs the CLI and teaches your coding agent to run it on every dependency change — one command, no config:

      bunx @marshell/chifu-wizard        # or: npx @marshell/chifu-wizard

      It works with Claude Code, Cursor, and Windsurf. See chifu-wizard for what it sets up.

      Install the CLI directly

      Run it with no install:

      bunx @marshell/chifu check         # Bun
      npx @marshell/chifu check          # Node (>= 18)

      Or install it globally:

      npm i -g @marshell/chifu           # then: chifu check
      # or
      bun add -g @marshell/chifu

      Prefer a standalone binary (no Node/Bun required)? Grab one for your platform from the latest release (Windows x64, macOS arm64/x64, Linux x64), make it executable, and put it on your PATH.

      Usage

      chifu check [path]              # check dependencies in cwd (or a given path)
      chifu check --json              # machine-readable output (what the skill reads)
      chifu check --verbose           # list every individual CVE
      chifu check --fail-on-findings  # exit non-zero if vulns found (for CI)
      chifu check --api-url <url>     # override the backend (or set CHIFU_API_URL)
      chifu login [chf_xxx]           # optional — sync results to your dashboard
      chifu --help | --version

      check works without an account — it just doesn't save results. Sign in (chifu login, or set CHIFU_API_KEY) to see history per repo in your dashboard.

      Exit codes: 0 clean, 1 vulnerabilities found (only with --fail-on-findings), 2 error.

      How it works

      1. chifu check reads your package.json + lockfile into a resolved dependency list (and your git remote to group results by repo).
      2. It sends the list to the chifu backend, which matches it against a continuously updated CVE corpus and returns the vulnerable packages + the fixed version + advisory.
      3. With the chifu skill installed, your coding agent runs this on every dependency change, reads --json, upgrades the vulnerable packages, fixes any breaking changes from the advisory, and re-runs until clean.
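      The example below is added here to make steps 1 and 2 concrete, together with the exit-code rules from the Usage section; it is not chifu's own code and does not talk to the chifu backend. It flattens a constructed package-lock.json (the real lockfileVersion 3 layout npm writes) into a resolved dependency list, matches it against a constructed advisory list with placeholder ids (chifu's CVE corpus, matching rules and --json schema are not documented on this page, so those are assumptions), and collapses each package's hits into the single upgrade that clears all of them. Version comparison is deliberately simplified to dotted numeric versions; pre-release tags are out of scope.

```javascript
// Added example (not chifu's code): steps 1-2 of "How it works" and the CLI's
// documented exit codes, modelled against constructed data. Everything below
// (lockfile, advisories, version logic) is an assumption, not chifu's backend.

// Constructed package-lock.json in npm's lockfileVersion 3 layout: every entry
// under "packages" is keyed by install path; "" is the root project itself.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "4.17.4", axios: "0.21.0" } },
    "node_modules/lodash": { version: "4.17.4" },
    "node_modules/axios": { version: "0.21.0" },
    "node_modules/minimist": { version: "1.2.0", dev: true },
    "node_modules/axios/node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed advisory data with placeholder ids (not real CVE numbers).
// "fixed" is the first version that clears the advisory.
const ADVISORIES = [
  { id: "CVE-PLACEHOLDER-1", pkg: "lodash", severity: "CRITICAL", fixed: "4.17.21" },
  { id: "CVE-PLACEHOLDER-2", pkg: "lodash", severity: "HIGH", fixed: "4.18.0" },
  { id: "CVE-PLACEHOLDER-3", pkg: "axios", severity: "HIGH", fixed: "0.32.0" },
  { id: "CVE-PLACEHOLDER-4", pkg: "minimist", severity: "MEDIUM", fixed: "1.2.3" },
];

const SEVERITY_RANK = { CRITICAL: 3, HIGH: 2, MEDIUM: 1, LOW: 0 };

// Step 1: flatten the lockfile's "packages" map into a resolved {name, version}
// list. The package name is whatever follows the last "node_modules/" in the
// install path, which handles nested installs and scoped packages alike.
function resolveDependencies(lock) {
  const deps = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue; // root project or link entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: entry.version });
  }
  return deps;
}

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Step 2 (the backend's job, modelled locally): a package is affected by an
// advisory when its installed version is below the advisory's "fixed" version.
// All hits for one package collapse to a single upgrade target, the highest
// "fixed" version among them, reported at the package's highest severity.
function findVulnerable(deps, advisories) {
  const findings = new Map();
  for (const dep of deps) {
    for (const adv of advisories) {
      if (adv.pkg !== dep.name || compareVersions(dep.version, adv.fixed) >= 0) continue;
      const f = findings.get(dep.name) ?? {
        name: dep.name, installed: dep.version, upgradeTo: adv.fixed, severity: adv.severity, cves: [],
      };
      f.cves.push(adv.id);
      if (compareVersions(adv.fixed, f.upgradeTo) > 0) f.upgradeTo = adv.fixed;
      if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[f.severity]) f.severity = adv.severity;
      findings.set(dep.name, f);
    }
  }
  return [...findings.values()].sort(
    (x, y) => SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity]
  );
}

// Exit code as the README documents it: 0 clean, 1 findings (only when
// --fail-on-findings is set), 2 on error (here: no usable findings list).
function exitCodeFor(findings, failOnFindings) {
  if (!Array.isArray(findings)) return 2;
  return findings.length > 0 && failOnFindings ? 1 : 0;
}

function run(lock = LOCKFILE, advisories = ADVISORIES) {
  const deps = resolveDependencies(lock);
  return { total: deps.length, findings: findVulnerable(deps, advisories) };
}

// Render a summary in the same shape as the `chifu check` output shown above.
const report = run();
console.log(`${report.findings.length} of ${report.total} dependencies are vulnerable`);
for (const f of report.findings) {
  const n = f.cves.length;
  console.log(`${f.severity.padEnd(9)} ${f.name.padEnd(9)} ${f.installed} -> ${f.upgradeTo} (${n} CVE${n === 1 ? "" : "s"})`);
}
console.log(`exit code with --fail-on-findings: ${exitCodeFor(report.findings, true)}`);
```

      In a CI job the same three states map onto the real CLI's exit codes, so a pipeline step running chifu check --fail-on-findings can fail the build on 1 and treat 2 as a tooling error rather than a clean result.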

      The CLI only detects and reports — your own agent does the fixing. No LLM, no secrets, nothing proprietary baked in.

      Configuration

      Variable       Purpose                                    Default
      CHIFU_API_KEY  Your chf_ key (sync results to dashboard)  (none — anonymous)
      CHIFU_API_URL  Backend origin                             https://api.marshell.dev

      Config is stored at ~/.config/chifu/config.json (mode 600; %APPDATA%\chifu on Windows).

      Ecosystems

      • ✅ npm (package.json + package-lock.json, or an installed node_modules)
      • ⏳ Go modules, PyPI — planned

      Development

      Requires Bun.

      bun install
      bun run check            # run the CLI against this repo
      bun run typecheck        # tsc --noEmit
      bun run build            # bundle to dist/cli.js (node-runnable)
      node dist/cli.js --help  # run the built bundle under Node

      License

      MIT