Package Exports
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (aminet) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
aminet
aminet is a Node-executable CLI and GitHub Action for reviewing npm dependency risk.
It analyzes dependency graphs, vulnerabilities, licenses, security signals, trust, freshness, provenance, and version pinning, then renders the result as terminal output, machine-readable JSON, SBOMs, or PR review comments.
Status
- Early project, pre-
1.0 - License: MIT
- CLI and review output may still evolve
What aminet does
- Analyze a package or project dependency graph
- Review pull request dependency changes and post GitHub comments
- Flag vulnerability, license, and supply chain concerns
- Generate SPDX and CycloneDX SBOM output
- Produce third-party notices output
Feature overview
- Vulnerability scanning via OSV, GHSA, and npm audit
- License categorization, deny-list checks, compatibility checks, and deep tarball license verification
- Enhanced license intelligence via ClearlyDefined
- Trust scoring from packument data, downloads, and deps.dev metadata
- Freshness analysis for outdated or abandoned dependencies
- Provenance checks for npm attestations
- Phantom dependency detection
- Version pinning analysis
- PR review comments focused on changed direct dependencies
Requirements
- Node.js
>=20 - pnpm
>=10 - npm ecosystem input (
package.json,pnpm-lock.yaml, orpackage-lock.json)
Local setup
pnpm install
pnpm build
node dist/index.js --helpInstall
Official distribution is through npmjs.org.
npx aminet --help
npm install -g aminet
pnpm add -g aminetQuick start
Analyze a published package:
npx aminet analyze express@4.21.2 --security --trust-score --freshnessAnalyze a local project:
npx aminet analyze package.json --security --enhanced-license --jsonReview dependency changes in a branch:
npx aminet review package.json --base HEAD~1 --securityCache maintenance:
npx aminet cache stats
npx aminet cache pruneExample outputs
Representative analyze modes:
npx aminet analyze express@4.21.2 --json
npx aminet analyze express@4.21.2 --cyclonedx
npx aminet analyze express@4.21.2 --spdx
npx aminet analyze express@4.21.2 --noticesRepresentative review mode:
## aminet Dependency Review
| Metric | Count |
|--------|-------|
| Added | 1 |
| Removed | 0 |
| Updated | 1 |
| New Vulnerabilities | 2 |
| Resolved Vulnerabilities | 1 |
| New Security Signals | 1 |
| Resolved Security Signals | 0 |
| License Changes | 1 |
### New Vulnerabilities
| Package | Version | Severity | Advisory | Fixed | Source | Summary |
|---------|---------|----------|----------|-------|--------|---------|
| minimist | 1.2.8 | CRITICAL | GHSA-... | 1.2.6 | osv | Prototype Pollution |
### Updated Dependencies
| Package | Declared | Resolved | License |
|---------|----------|----------|---------|
| react | ^18.2.0 -> ^18.3.0 | 18.3.1 -> 18.3.2 | MIT |CLI commands
Top-level commands:
analyze: dependency graph analysis for packages or local manifestsci: JSON-oriented CI alias foranalyzereview: PR review mode for direct dependency changescache: local cache inspection and pruning
Use the built-in help for the complete option set:
node dist/index.js analyze --help
node dist/index.js review --helpGitHub Action
This repository includes a composite action in action.yml.
For repository-local usage during development:
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
- run: pnpm install --frozen-lockfile
- run: pnpm build
- uses: ./
with:
path: package.json
security: "true"For remote usage after tagged releases are published, replace uses: ./ with uses: gorira-tatsu/aminet@v0.1.1.
Releasing
The intended release flow is tag-driven with npm trusted publishing.
- Update
package.jsonto the release version - Commit and push
main - Create and push a
v<version>tag - GitHub Actions publishes the matching npm package and creates a GitHub Release
You can also run the publish workflow manually with workflow_dispatch against a branch or tag. When you provide tag_name, it must still match package.json.
One-time prerequisite: configure npm trusted publishing for gorira-tatsu/aminet and the publish workflow in npm package settings.
Distribution
- npmjs.org is the canonical package registry for
aminet - GitHub Releases are the canonical release log and link back to npm
- GitHub Packages is intentionally not used for now
Output modes
analyze can render:
- human-readable table output
- JSON
- dependency tree output
- Mermaid and Graphviz graphs
- CycloneDX 1.5 SBOM
- SPDX 2.3 SBOM
- third-party notices output
Development workflow
Run the main checks before opening a PR:
pnpm lint
pnpm testSee CONTRIBUTING.md for contributor workflow details.
Packaging notes
The published package exposes an aminet executable through dist/index.js with a Node shebang.
npx aminet ...is the recommended zero-install UXpnpm dlx aminet ...works, but may run with cache disabled when native SQLite bindings are unavailablepnpm add -g aminetexposesaminet ...globally- repository-local development can use
node dist/index.js ...afterpnpm build
Security reporting
Do not report vulnerabilities in public issues. See SECURITY.md.