A powerful CLI tool that provides a clear, organized summary of NPM package vulnerabilities grouped by root dependencies. Track security issues, set thresholds, and monitor which packages need updates - all with beautiful, color-coded output.
While `npm audit` provides detailed vulnerability information, it can be overwhelming and difficult to prioritize. audit-summary solves this by:

- 📦 Grouping vulnerabilities by root dependency - See which top-level packages are causing issues
- 🎯 Deduplicating vulnerabilities - No more counting the same issue multiple times per package
- 📊 Clear severity breakdown - Instant overview of critical, high, moderate, and low severity issues
- 🚨 Threshold enforcement - Set limits and fail CI/CD builds when thresholds are exceeded
- 📈 Version tracking - See current vs. latest versions for all root packages
- 💅 Beautiful output - Color-coded tables and verbose modes for easy reading

Install globally or as a dev dependency:

```bash
npm install -g audit-summary
npm install --save-dev audit-summary
```

Run a security audit with a summary view:
```bash
audit-summary
```

This displays a table showing vulnerability counts for each root dependency:

```text
╭─────────────────────────────────────────────────────────────────────────────╮
│ NPM Packages Audit Summary (deduped by package per root dependency)        │
├──────────────────┬─────────┬─────────┬──────────┬──────┬──────────┬─────────┤
│ Root Dependency  │ Current │ Latest  │ Critical │ High │ Moderate │ Low │...│
├──────────────────┼─────────┼─────────┼──────────┼──────┼──────────┼─────────┤
│ express          │ 4.18.2  │ 4.19.0  │        2 │    3 │        5 │   1 │...│
│ lodash           │ 4.17.20 │ 4.17.21 │        0 │    1 │        0 │   0 │...│
│ axios            │ 0.21.1  │ 1.6.0   │        1 │    0 │        2 │   0 │...│
├──────────────────┼─────────┼─────────┼──────────┼──────┼──────────┼─────────┤
│ TOTAL            │         │         │        3 │    4 │        7 │   1 │...│
╰──────────────────┴─────────┴─────────┴──────────┴──────┴──────────┴─────────╯
```
Show detailed vulnerability information for each package:
```bash
audit-summary --verbose
```

Output:

```text
express (4.18.2 → latest: 4.19.0)
  - send [critical] (affected: <0.18.0)
  - serve-static [critical] (affected: <1.15.0)
  - qs [high] (affected: <6.11.0)
  Summary: 2 critical, 3 high, 5 moderate, 1 low
-----
lodash (4.17.20 → latest: 4.17.21)
  - lodash [high] (affected: <4.17.21)
  Summary: 1 high
-----
```
Output results in JSON format for programmatic use:
```bash
audit-summary --json
```

Output:

```json
{
    "roots": {
        "express": {
            "currentVersion": "4.18.2",
            "latestVersion": "4.19.0",
            "vulnerabilities": [
                {
                    "name": "send",
                    "severity": "critical",
                    "range": "<0.18.0"
                }
            ],
            "summary": {
                "critical": 2,
                "high": 3,
                "moderate": 5,
                "low": 1,
                "info": 0,
                "total": 11
            }
        }
    },
    "global": {
        "critical": 3,
        "high": 4,
        "moderate": 7,
        "low": 1,
        "info": 0,
        "total": 15
    }
}
```

Create a `.audit-summary.json` configuration file with current vulnerability counts as baseline thresholds:

```bash
audit-summary --init
```

This creates a config file like:
```json
{
    "packages": {
        "express": {
            "severityThresholdCritical": 2,
            "severityThresholdHigh": 3,
            "severityThresholdModerate": 5,
            "severityThresholdLow": 1
        },
        "lodash": {
            "severityThresholdCritical": 0,
            "severityThresholdHigh": 1,
            "severityThresholdModerate": 0,
            "severityThresholdLow": 0
        },
        "default": {
            "severityThresholdCritical": 0,
            "severityThresholdHigh": 0,
            "severityThresholdModerate": 0,
            "severityThresholdLow": 0
        }
    }
}
```

Run audit for a specific workspace in an NPM monorepo:
```bash
audit-summary --workspace my-package
```

To enforce vulnerability thresholds:

- Initialize the configuration file:

  ```bash
  audit-summary --init
  ```

- Edit `.audit-summary.json` to set your desired thresholds:

  ```json
  {
    "packages": {
      "express": {
        "severityThresholdCritical": 0,
        "severityThresholdHigh": 2,
        "severityThresholdModerate": 5,
        "severityThresholdLow": 10
      },
      "default": {
        "severityThresholdCritical": 0,
        "severityThresholdHigh": 0,
        "severityThresholdModerate": 3,
        "severityThresholdLow": 5
      }
    }
  }
  ```

- Run `audit-summary`; it will check against your thresholds:

  ```bash
  audit-summary
  ```

- If a `.audit-summary.json` file exists, the tool automatically checks vulnerability counts against configured thresholds
- Package-specific thresholds: If a package is listed in the config, its specific thresholds are used
- Default thresholds: Packages not listed use the `default` thresholds
- Violations: If any threshold is exceeded, the tool:
  - Displays a detailed error message
  - Lists all violations
  - Exits with code 1 (fails CI/CD builds)

Example violation output:

```text
✗ Vulnerability threshold exceeded!
The following packages have more vulnerabilities than allowed:
  express - critical: 2 (threshold: 0)
  lodash - high: 3 (threshold: 2)
  axios - moderate: 8 (threshold: 5)
Please review and fix the vulnerabilities, or update the thresholds in .audit-summary.json
```
```bash
# Quick check of your project's security status
audit-summary
```

Add to your CI/CD pipeline to enforce security standards:
```yaml
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
    audit:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v2
            - uses: actions/setup-node@v2
            - run: npm install -g audit-summary
            - run: audit-summary # Fails if thresholds exceeded
```

Use verbose mode to see which packages need updates:

```bash
audit-summary --verbose
```

Look for packages where the current version differs from the latest version, especially those with high severity issues.
Generate JSON output for custom reporting or dashboards:
```bash
audit-summary --json > security-report.json
```

In monorepos, audit individual packages:

```bash
audit-summary --workspace @mycompany/api
audit-summary --workspace @mycompany/frontend
```

Example session:

```text
$ audit-summary
╭───────────────────────────────────────────────────────────╮
│ NPM Packages Audit Summary                               │
├──────────────────┬─────────┬─────────┬──────────┬────────┤
│ Root Dependency  │ Current │ Latest  │ Critical │ High...│
├──────────────────┼─────────┼─────────┼──────────┼────────┤
│ express          │ 4.18.2  │ 4.19.0  │        0 │    2...│
│ react            │ 17.0.2  │ 18.2.0  │        0 │    0...│
├──────────────────┼─────────┼─────────┼──────────┼────────┤
│ TOTAL            │         │         │        0 │    2...│
╰──────────────────┴─────────┴─────────┴──────────┴────────╯
```

```text
$ audit-summary --verbose
express (4.18.2 → latest: 4.19.0)
  - qs [high] (affected: <6.11.0)
  - send [high] (affected: <0.18.0)
  - path-to-regexp [moderate] (affected: <0.1.10)
  Summary: 2 high, 1 moderate
-----
react (17.0.2 → latest: 18.2.0)
  Summary: 0
-----
╭───────────────────────────────────────────────────────────╮
│ NPM Packages Audit Summary                               │
│ ...                                                       │
╰───────────────────────────────────────────────────────────╯
```

How it works:

- Runs `npm audit` - Leverages npm's built-in security audit
- Analyzes dependency tree - Uses `npm ls` to understand package relationships
- Groups by root - Maps vulnerabilities to their root-level dependencies
- Deduplicates - Counts each unique vulnerable package once per root
- Checks thresholds - Validates against `.audit-summary.json` if present
- Formats output - Presents results in table, verbose, or JSON format
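The grouping, per-root deduplication and threshold check described in the steps above (and the package-specific versus `default` threshold rules from the configuration section), as an added JavaScript example that is not the audit-summary project's own code. It assumes input shaped like `npm audit --json` (npm >= 7, a `vulnerabilities` map keyed by package name) and `npm ls --json --all`; the tree, audit report and `.audit-summary.json` contents below are constructed samples, and the function names are this example's own.

```javascript
// Constructed `npm ls --json --all` tree (trimmed): `send` sits twice under express.
const lsTree = { dependencies: {
  express: { version: '4.18.2', dependencies: {
    send: { version: '0.17.2' },
    'serve-static': { version: '1.14.2', dependencies: { send: { version: '0.17.2' } } },
    qs: { version: '6.9.7' } } },
  lodash: { version: '4.17.20' } } };
// Constructed `npm audit --json` report (npm >= 7 shape): one entry per vulnerable package.
const auditReport = { vulnerabilities: {
  send: { severity: 'critical', range: '<0.18.0' },
  'serve-static': { severity: 'critical', range: '<1.15.0' },
  qs: { severity: 'high', range: '<6.11.0' },
  lodash: { severity: 'high', range: '<4.17.21' } } };
// Hypothetical .audit-summary.json contents: express may carry one critical, others none.
const config = { packages: {
  express: { severityThresholdCritical: 1, severityThresholdHigh: 1, severityThresholdModerate: 0, severityThresholdLow: 0 },
  default: { severityThresholdCritical: 0, severityThresholdHigh: 0, severityThresholdModerate: 0, severityThresholdLow: 0 } } };
// Names of every package in a root's subtree; the Set is the dedupe step (send appears twice).
function packagesUnder(node, acc = new Set()) {
  for (const [name, child] of Object.entries(node.dependencies || {})) packagesUnder(child, acc.add(name));
  return acc;
}

// Group audit findings by root dependency, counting each vulnerable package once per root.
function groupByRoot(tree, audit) {
  const roots = {};
  for (const [root, node] of Object.entries(tree.dependencies)) {
    const summary = { critical: 0, high: 0, moderate: 0, low: 0, info: 0, total: 0 };
    const vulnerabilities = [];
    for (const name of packagesUnder(node).add(root)) { // the root itself may be flagged
      const v = audit.vulnerabilities[name];
      if (!v) continue;
      vulnerabilities.push({ name, severity: v.severity, range: v.range });
      summary[v.severity] += 1; summary.total += 1;
    }
    roots[root] = { currentVersion: node.version, vulnerabilities, summary };
  }
  return roots;
}

// Compare each root's counts with its thresholds; roots not listed fall back to "default".
function checkThresholds(roots, cfg) {
  const violations = [];
  for (const [root, { summary }] of Object.entries(roots)) {
    const limits = cfg.packages[root] || cfg.packages.default;
    for (const sev of ['critical', 'high', 'moderate', 'low']) {
      const limit = limits[`severityThreshold${sev[0].toUpperCase()}${sev.slice(1)}`];
      if (summary[sev] > limit) violations.push({ root, severity: sev, count: summary[sev], limit });
    }
  }
  return violations;
}
```

In a real run the two inputs would come from `npm audit --json` and `npm ls --json --all`, and a CI wrapper would exit non-zero whenever `checkThresholds` returns a non-empty list.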
 
Requirements:

- Node.js >= 14
- npm >= 7
 
Contributions are welcome! Please feel free to submit a Pull Request.
Standard MIT licence.
If you encounter any issues or have questions, please file an issue on the GitHub repository.
Made with ❤️ for better npm security monitoring