JSPM


Surgical npm vulnerability triage. Minimum-bump fixes, prod/dev split, transitive depth, no breaking surprises.

Package Exports

  • depmedic
  • depmedic/lib/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (depmedic) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

depmedic


Surgical npm vulnerability triage. Reads the output of npm audit --json, prints the smallest set of package bumps that closes the reported vulnerabilities, ranks them by severity and by how they reach your project (prod-direct, dev-only, or transitive at a given depth), and exits with a CI-friendly code.

npm audit fix is too aggressive. Dependabot floods the inbox. Snyk wants an enterprise contract. depmedic does one thing: tell me the minimum bump that fixes the real issues, in one screenful, with no breaking surprises.


Install

npm install -g depmedic
# or run on demand
npx depmedic

Node.js 18+.

Use

In any project with a package.json:

depmedic                      # human report
depmedic --prod-only          # ignore dev-only vulns
depmedic --severity=high      # only high + critical
depmedic --no-major           # hide fixes that need a semver-major bump
depmedic --json               # machine output for CI
depmedic --input=audit.json   # from a saved 'npm audit --json'

Exit codes: 0 clean, 1 vulnerabilities remain after the active filters (--prod-only, --severity, --no-major) are applied, 2 error. The non-zero exit is what lets you wire it into CI as a gate.

Sample output

depmedic  2026-04-26T14:00:00.000Z

Found 3 vulnerabilities  [crit 2  high 1  mod 0  low 0]
  fixable: 3   major-bumps: 1   prod-direct: 2

 CRITICAL  mkdirp  (prod-direct)
  affected: 0.4.0 - 0.5.5
  fix: upgrade mkdirp -> 3.0.1 (MAJOR)
  Prototype Pollution in minimist
  https://github.com/advisories/GHSA-xvch-5gv4-984h

 CRITICAL  minimist  (transitive, depth 2)
  affected: <1.2.6
  pulled in via: mkdirp -> minimist
  fix: upgrade mkdirp -> 3.0.1 (MAJOR)

 HIGH  lodash  (prod-direct)
  affected: <4.17.21
  fix: upgrade lodash -> 4.17.21 (patch)
  https://github.com/advisories/GHSA-jf85-cpcp-j695

What it does

  • Minimum-bump first. Patch beats minor beats major. Major bumps are flagged loudly, never auto-applied.
  • Prod vs dev split. --prod-only filters dev-only noise.
  • Transitive context. Shows which top-level package pulls a vulnerable transitive in.
  • Single CLI. Two runtime deps (semver, picocolors). No telemetry, no dashboards, no account.
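The triage described above (smallest bump, prod/dev split, transitive depth, severity ranking, CI exit code), as an added example in plain Node.js that is not depmedic's own code. It assumes the npm 7+ npm audit --json report shape (auditReportVersion 2 with a vulnerabilities map carrying severity, isDirect, via, effects, range and fixAvailable) and, because that report names neither the installed versions nor which direct dependencies are dev-only, takes the lockfile versions and the package.json dependency lists as separate inputs. The option names, the report layout and the sample inputs are assumptions for illustration; the sample mirrors the README's output above.

```javascript
// Added example, not depmedic's own code: a minimal npm-audit triage in the README's
// spirit. Assumes the npm 7+ audit JSON shape ("auditReportVersion": 2, a "vulnerabilities"
// map) and takes installed versions and package.json dependency lists as separate inputs.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
const SCOPE_RANK = { 'prod-direct': 3, transitive: 2, 'dev-direct': 1, 'dev-transitive': 0 };

// "1.2.3" -> [1, 2, 3]; tolerates a leading "v" and a pre-release suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Smallest bump that moves `from` to `to`: patch beats minor beats major.
function bumpKind(from, to) {
  const [a, b] = [parseVersion(from), parseVersion(to)];
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// npm reports an in-range fix as fixAvailable === true without naming the fixed version;
// recover it from an advisory range with a "<X" bound ("<=X" is left unresolved, not guessed).
function fixedVersionFromRange(range) {
  const m = /<\s*v?(\d+\.\d+\.\d+)/.exec(String(range || ''));
  return m ? m[1] : null;
}

// Follow `effects` (packages that depend on this one) up to a direct dependency and return
// the chain from that direct dependency down to `name`; its length is the transitive depth.
function chainToDirect(name, vulns) {
  const chain = [name];
  const seen = new Set(chain);
  for (let cur = vulns[name]; cur && !cur.isDirect; cur = vulns[chain[0]]) {
    const parent = (cur.effects || []).find((p) => vulns[p] && !seen.has(p));
    if (!parent) break;
    seen.add(parent);
    chain.unshift(parent);
  }
  return chain;
}

// opts { prodOnly, minSeverity, noMajor } stand in for the README's --prod-only, --severity, --no-major.
function triage(audit, installed, pkg, opts = {}) {
  if (audit.auditReportVersion !== 2) throw new Error('expected an npm audit --json v2 report');
  const deps = pkg.dependencies || {};
  const devOnly = (n) => n in (pkg.devDependencies || {}) && !(n in deps);
  const vulns = audit.vulnerabilities || {};
  const findings = Object.entries(vulns).map(([name, v]) => {
    const chain = chainToDirect(name, vulns);
    const scope = v.isDirect ? (devOnly(name) ? 'dev-direct' : 'prod-direct')
                             : (devOnly(chain[0]) ? 'dev-transitive' : 'transitive');
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    let fix = null;
    if (v.fixAvailable && typeof v.fixAvailable === 'object') {
      fix = { name: v.fixAvailable.name, version: v.fixAvailable.version }; // bump the root package
    } else if (v.fixAvailable === true) {
      const ver = advisories.map((a) => fixedVersionFromRange(a.range)).find(Boolean);
      if (ver) fix = { name, version: ver };
    }
    if (fix && installed[fix.name]) fix.bump = bumpKind(installed[fix.name], fix.version);
    return { name, severity: v.severity, scope, depth: chain.length, chain, range: v.range, fix,
             advisories: advisories.map((a) => ({ title: a.title, url: a.url })) };
  });
  const minSev = SEVERITY_RANK[opts.minSeverity || 'low'];
  const kept = findings.filter((f) => SEVERITY_RANK[f.severity] >= minSev
    && !(opts.prodOnly && f.scope.startsWith('dev'))
    && !(opts.noMajor && f.fix && f.fix.bump === 'major'));
  kept.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
    || SCOPE_RANK[b.scope] - SCOPE_RANK[a.scope] || a.depth - b.depth);
  // One entry per distinct root bump: several findings usually share a single fix.
  const bumps = [...new Map(kept.filter((f) => f.fix).map((f) => [`${f.fix.name}@${f.fix.version}`, f.fix])).values()];
  return { findings: kept, bumps, exitCode: kept.length ? 1 : 0 };
}

// CLI-style wrapper with the README's exit codes: 0 clean, 1 vulns present, 2 error.
function runTriage(auditJsonText, installed, pkg, opts) {
  try { return triage(JSON.parse(auditJsonText), installed, pkg, opts); }
  catch (err) { return { findings: [], bumps: [], exitCode: 2, error: err.message }; }
}

// One line per finding, roughly in the README's report shape.
function formatReport(r) {
  const line = (f) => ` ${f.severity.toUpperCase()}  ${f.name}  (${f.scope}`
    + (f.depth > 1 ? `, depth ${f.depth}, via ${f.chain.join(' -> ')}` : '') + ')'
    + (f.fix ? `  fix: ${f.fix.name} -> ${f.fix.version}${f.fix.bump ? ` (${f.fix.bump.toUpperCase()})` : ''}` : '  no fix available');
  return [`Found ${r.findings.length} vulnerabilities, ${r.bumps.length} distinct bumps`, ...r.findings.map(line)].join('\n');
}

// Constructed inputs mirroring the README's sample output; not a real audit capture.
const SAMPLE_AUDIT = JSON.stringify({ auditReportVersion: 2, vulnerabilities: {
  minimist: { severity: 'critical', isDirect: false, effects: ['mkdirp'], range: '<1.2.6',
    via: [{ title: 'Prototype Pollution in minimist', range: '<1.2.6', url: 'https://github.com/advisories/GHSA-xvch-5gv4-984h' }],
    fixAvailable: { name: 'mkdirp', version: '3.0.1', isSemVerMajor: true } },
  mkdirp: { severity: 'critical', isDirect: true, effects: [], range: '0.4.0 - 0.5.5', via: ['minimist'],
    fixAvailable: { name: 'mkdirp', version: '3.0.1', isSemVerMajor: true } },
  lodash: { severity: 'high', isDirect: true, effects: [], range: '<4.17.21', fixAvailable: true,
    via: [{ title: 'Prototype Pollution in lodash', range: '<4.17.21', url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695' }] } } });
const SAMPLE_INSTALLED = { mkdirp: '0.5.5', minimist: '1.2.5', lodash: '4.17.20' }; // from the lockfile
const SAMPLE_PKG = { dependencies: { mkdirp: '^0.5.5', lodash: '^4.17.20' }, devDependencies: {} };

console.log(formatReport(runTriage(SAMPLE_AUDIT, SAMPLE_INSTALLED, SAMPLE_PKG)));
```

Run it with node. The bumps list is the "smallest set of package bumps": two here, because both critical findings close with the same mkdirp major bump, which is why ranking by root fix rather than by advisory keeps the report to one screenful. A real CLI would end with process.exitCode = result.exitCode instead of just printing, so that 1 fails the CI job and 2 (malformed or missing input) is distinguishable from a real finding.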

CI

- run: npm ci
- run: npm audit --json > audit.json || true
- run: npx depmedic --input=audit.json --severity=high

The || true is needed because npm audit itself exits non-zero whenever it finds anything; without it the job would fail on the raw audit before depmedic gets to apply its thresholds. Running npm ci first makes the audit reflect the lockfile-resolved tree. depmedic's non-zero exit on findings at or above the chosen severity is what fails the job.

Pro

A paid Pro tier is in development:

  • Reachability check. Does your code import or call the vulnerable function?
  • Monorepo support: pnpm, npm, yarn berry workspaces.
  • CI policy file: thresholds, allowlists, expiring suppressions.
  • HTML / PDF report.

License via Polar at https://polar.sh/depmedicdev. Free CLI stays free.

Companion tools

  • ci-doctor - audit GitHub Actions workflows for waste and security gaps.

Honesty

Built with AI assistance. Every change reviewed. Open an issue if anything breaks.

License

MIT. See LICENSE.


If this saved you 10 minutes of CI debugging, consider one of these. All of them keep the free CLIs free:

More from depmedic

ci-doctor audit GitHub Actions for cost + security (16 rules)
gitlab-ci-doctor same engine for .gitlab-ci.yml (14 rules)
bitbucket-ci-doctor for bitbucket-pipelines.yml (8 rules)
azure-pipelines-ci-doctor for azure-pipelines.yml (8 rules)
circleci-ci-doctor for .circleci/config.yml (8 rules)
gha-budget $-denominated cost estimate of any GHA workflow
pin-actions one-shot SHA pinner for uses: blocks
cursor-rules-init scaffold .cursor/rules/ for your stack
depmedic all-in-one cli, finds outdated/risky deps
depmedic/ci-doctor-action composite GitHub Action: PR comment + SARIF

In-browser scanners (no install): GitHub · GitLab · Bitbucket · Azure · CircleCI.

Newsletter (weekly, low-volume): https://depmedicdev-byte.github.io/newsletter.html?utm_source=npm&utm_medium=readme&utm_campaign=depmedic.