I ran npm audit and DepGra on the same project — here's what each one caught
Source: Dev.to
npm audit
npm audit reported 10 vulnerabilities (3 moderate, 7 high) across 8 packages:
| Package | Version | Advisory | Severity |
|---|---|---|---|
| serialize-javascript | 6.0.2 | RCE via RegExp.flags | high |
| next | 15.5.9 | 2 advisories | high |
| minimatch | 3.1.2, 9.0.5 | 3 ReDoS advisories each | high |
| flatted | 3.3.3 | Unbounded recursion DoS | high |
| rollup | 4.54.0 | Arbitrary file write via path traversal | high |
| ai | 4.3.19 | Filetype whitelist bypass | moderate |
| jsondiffpatch | 0.6.0 | XSS via HtmlFormatter | moderate |
| ajv | 6.12.6, 8.17.1 | ReDoS with $data option | moderate |
npm audit also indicates whether fixes are available and if they would require breaking changes—information that DepGra does not provide.
DepGra scan
DepGra scanned the same package-lock.json in 6.5 seconds, finding 12 unique advisories across 10 packages:
| Severity | GHSA ID | Affected package(s) |
|---|---|---|
| CRITICAL | GHSA-5c6j-r48x-rmvq | serialize-javascript@6.0.2 |
| HIGH | GHSA-23c5-xmqv-rm74 | minimatch@3.1.2, minimatch@9.0.5 |
| HIGH | GHSA-25h7-pfq9-p65f | flatted@3.3.3 |
| HIGH | GHSA-3ppc-4f35-3m26 | minimatch@3.1.2, minimatch@9.0.5 |
| HIGH | GHSA-7r86-cg39-jmmj | minimatch@3.1.2, minimatch@9.0.5 |
| HIGH | GHSA-h25m-26qc-wcjf | next@15.5.9 |
| HIGH | GHSA-mw96-cpmx-2vgc | rollup@4.54.0 |
| MEDIUM | GHSA-33vc-wfww-vjfv | jsondiffpatch@0.6.0 |
| MEDIUM | GHSA-5f7q-jpqc-wp7h | next@15.5.9 |
| MEDIUM | GHSA-9g9p-9gw9-jx7f | next@15.5.9 |
| MEDIUM | GHSA-rwvc-j5jr-mgvh | ai@4.3.19 |
| UNKNOWN | GHSA-2g4f-4pwh-qvx6 | ajv@6.12.6, ajv@8.17.1 |
All 11 distinct advisory IDs behind npm audit's 10 findings appear in DepGra's results, plus one extra advisory:
- GHSA-5f7q-jpqc-wp7h (CVE-2025-59472): Next.js unbounded memory consumption via the PPR resume endpoint (published 2026-01-28). This advisory is present in OSV.dev (DepGra's source) but was not yet in the GitHub Advisory Database used by npm audit at the time of the scan.
Why the difference?
- Data sources: DepGra queries OSV.dev, which aggregates multiple vulnerability feeds; npm audit queries the GitHub Advisory Database. Timing differences between these sources can cause discrepancies.
- Severity scoring: npm audit classifies serialize-javascript as high, while DepGra pulls the full CVSS vector and rates it critical.
- Counting methodology: npm audit counts each vulnerable package instance (so two installed copies of minimatch count twice); DepGra counts unique advisory IDs.
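The data-source and counting points above, worked as an added example (not DepGra's code): an offline model of the OSV.dev round trip, where the querybatch request body and the per-advisory detail lookup follow OSV's real endpoint shapes but the reply and detail records are constructed to mirror the tables above. It then derives the three numbers a flat report can produce from the same findings and applies a --fail-on style threshold. Two details are this example's assumptions: treating an UNKNOWN severity as a failure (a conservative choice, not DepGra's documented behaviour) and the MODERATE-to-MEDIUM mapping, which is how GHSA-sourced OSV records label their middle tier under database_specific.

```python
"""Offline model of the OSV.dev round trip (batch query, then per-advisory
detail fetch) and the counting conventions npm audit and DepGra use.
Added example, not DepGra's code; every record below is constructed."""

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"      # real endpoint, not contacted here
OSV_VULN_URL = "https://api.osv.dev/v1/vulns/{vuln_id}"  # real endpoint, not contacted here

# Constructed lockfile excerpt: one (name, version) pair per installed instance.
INSTALLED = [
    ("serialize-javascript", "6.0.2"),
    ("next", "15.5.9"),
    ("minimatch", "3.1.2"),
    ("minimatch", "9.0.5"),
    ("ajv", "6.12.6"),
    ("ajv", "8.17.1"),
    ("randombytes", "2.1.0"),   # clean package: must not be counted anywhere
]

MINIMATCH_IDS = ["GHSA-23c5-xmqv-rm74", "GHSA-3ppc-4f35-3m26", "GHSA-7r86-cg39-jmmj"]

# Constructed querybatch reply: results[i] answers queries[i] and carries ids only.
# OSV returns an empty object for a package with nothing matching.
FAKE_BATCH_REPLY = {"results": [
    {"vulns": [{"id": "GHSA-5c6j-r48x-rmvq"}]},
    {"vulns": [{"id": "GHSA-h25m-26qc-wcjf"}, {"id": "GHSA-5f7q-jpqc-wp7h"},
               {"id": "GHSA-9g9p-9gw9-jx7f"}]},
    {"vulns": [{"id": i} for i in MINIMATCH_IDS]},
    {"vulns": [{"id": i} for i in MINIMATCH_IDS]},
    {"vulns": [{"id": "GHSA-2g4f-4pwh-qvx6"}]},
    {"vulns": [{"id": "GHSA-2g4f-4pwh-qvx6"}]},
    {},
]}

# Constructed detail records in the shape of GET /v1/vulns/{id}. GHSA-sourced OSV
# records keep their label under database_specific.severity and spell it MODERATE.
FAKE_DETAILS = {
    "GHSA-5c6j-r48x-rmvq": {"database_specific": {"severity": "CRITICAL"}},
    "GHSA-h25m-26qc-wcjf": {"database_specific": {"severity": "HIGH"}},
    "GHSA-5f7q-jpqc-wp7h": {"database_specific": {"severity": "MODERATE"}},
    "GHSA-9g9p-9gw9-jx7f": {"database_specific": {"severity": "MODERATE"}},
    **{i: {"database_specific": {"severity": "HIGH"}} for i in MINIMATCH_IDS},
    "GHSA-2g4f-4pwh-qvx6": {},          # no severity field at all -> UNKNOWN
}

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def build_batch_query(installed, ecosystem="npm"):
    """Request body for POST /v1/querybatch: one query per installed instance, in order."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in installed]}


def match_batch_reply(installed, reply):
    """Pair each query with its positional result; a length mismatch means a truncated reply."""
    results = reply["results"]
    if len(results) != len(installed):
        raise ValueError(f"expected {len(installed)} results, got {len(results)}")
    return [{"name": n, "version": v, "ids": [x["id"] for x in r.get("vulns", [])]}
            for (n, v), r in zip(installed, results)]


def normalize_severity(record):
    """Map an OSV record to DepGra-style labels; anything missing or unfamiliar is UNKNOWN."""
    label = str(record.get("database_specific", {}).get("severity", "")).upper()
    label = {"MODERATE": "MEDIUM"}.get(label, label)
    return label if label in RANK else "UNKNOWN"


def count_vulnerable_instances(findings):
    """npm audit style: each installed instance with at least one advisory counts once."""
    return sum(1 for f in findings if f["ids"])


def count_unique_ids(findings):
    """DepGra style: distinct advisory ids, however many instances they hit."""
    return len({i for f in findings for i in f["ids"]})


def count_hits(findings):
    """Instance x advisory pairs, the number a flat report makes look largest."""
    return sum(len(f["ids"]) for f in findings)


def exceeds_threshold(findings, details, threshold, fail_on_unknown=True):
    """--fail-on logic: True if any advisory is at or above `threshold`.
    Failing on UNKNOWN is this example's conservative assumption."""
    floor = RANK[threshold.upper()]
    for f in findings:
        for vuln_id in f["ids"]:
            sev = normalize_severity(details.get(vuln_id, {}))
            if sev == "UNKNOWN":
                if fail_on_unknown:
                    return True
            elif RANK[sev] >= floor:
                return True
    return False


FINDINGS = match_batch_reply(INSTALLED, FAKE_BATCH_REPLY)

if __name__ == "__main__":
    print("instances:", count_vulnerable_instances(FINDINGS),
          "unique ids:", count_unique_ids(FINDINGS), "hits:", count_hits(FINDINGS))
    print("fail on HIGH:", exceeds_threshold(FINDINGS, FAKE_DETAILS, "HIGH"))
```

On the constructed input the same findings read as 6 vulnerable instances, 8 unique advisories or 12 instance-advisory hits, which is the whole reason the two tools disagree on totals while agreeing on content. The length check in match_batch_reply matters in practice: results are matched to queries by position, so a short reply silently shifts every advisory onto the wrong package if you just zip.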
Graph insights
When the DepGra scan is loaded into its graph view, two patterns become apparent:
Minimatch as a chokepoint
The flat list shows three high-severity advisories for minimatch. The graph reveals that minimatch@3.1.2 is a transitive dependency of several widely used packages (@sentry/node, @typescript-eslint/typescript-estree, glob). Its blast radius is therefore larger than severity alone suggests.
Multiple risk paths to serialize-javascript
The flat list shows a single line item, but the graph shows two distinct dependency chains:
- copy-webpack-plugin → serialize-javascript@6.0.2
- terser-webpack-plugin → serialize-javascript@6.0.2
Both paths lead to a critical RCE vulnerability, highlighting the benefit of visualizing topology rather than relying on manual npm ls analysis.
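The two graph patterns above, worked as an added example that is not DepGra's code (DepGra uses NetworkX; this is a dependency-free sketch of the same questions): parse a lockfileVersion 3 package-lock.json into a graph, resolve each dependency to the installed copy the way Node's lookup does (nearest nested node_modules first, then the hoisted one), enumerate every chain from the root to a given vulnerable version, and count direct dependents as a chokepoint measure. The lockfile is constructed: the package names echo the post, while the versions and the `some-cli` package (added to show a nested second copy of minimatch) are made up.

```python
"""Dependency graph from a package-lock.json (lockfileVersion 3): all chains to a
vulnerable version, plus direct-dependent counts. Added example, not DepGra's code."""

# Constructed lockfile, shaped like json.load(open("package-lock.json")) would return.
# Names echo the post; versions and "some-cli" are invented.
LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {
            "copy-webpack-plugin": "^12.0.0", "terser-webpack-plugin": "^5.3.0",
            "glob": "^7.2.0", "@sentry/node": "^7.0.0",
            "@typescript-eslint/typescript-estree": "^7.0.0", "some-cli": "^1.0.0"}},
        "node_modules/copy-webpack-plugin": {"version": "12.0.2",
            "dependencies": {"serialize-javascript": "^6.0.2", "glob": "^7.2.0"}},
        "node_modules/terser-webpack-plugin": {"version": "5.3.10",
            "dependencies": {"serialize-javascript": "^6.0.2"}},
        "node_modules/serialize-javascript": {"version": "6.0.2",
            "dependencies": {"randombytes": "^2.1.0"}},
        "node_modules/randombytes": {"version": "2.1.0"},
        "node_modules/glob": {"version": "7.2.3", "dependencies": {"minimatch": "^3.1.1"}},
        "node_modules/@sentry/node": {"version": "7.0.0", "dependencies": {"minimatch": "^3.1.2"}},
        "node_modules/@typescript-eslint/typescript-estree": {"version": "7.0.0",
            "dependencies": {"minimatch": "^3.1.2"}},
        "node_modules/minimatch": {"version": "3.1.2"},                      # hoisted copy
        "node_modules/some-cli": {"version": "1.0.0", "dependencies": {"minimatch": "^9.0.5"}},
        "node_modules/some-cli/node_modules/minimatch": {"version": "9.0.5"},  # nested copy
    },
}


def lock_name(path):
    """Package name from a lock path: the text after the last 'node_modules/' (scopes kept)."""
    return path.rsplit("node_modules/", 1)[-1]


def resolve(packages, from_path, name):
    """Which installed copy `from_path` gets for `name`: nearest nested node_modules
    first, then walk up one nesting level at a time to the hoisted copy."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None                      # not installed (e.g. an unmet optional dep)
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def build_graph(lock):
    """graph: lock path -> set of lock paths it depends on; labels: lock path -> name@version."""
    packages = lock["packages"]
    graph, labels = {}, {}
    for path, meta in packages.items():
        labels[path] = (lock.get("name", "root") if path == ""
                        else f"{lock_name(path)}@{meta.get('version', '?')}")
        wanted = {}
        for key in ("dependencies", "devDependencies", "optionalDependencies"):
            wanted.update(meta.get(key, {}))
        graph[path] = {p for p in (resolve(packages, path, d) for d in wanted) if p is not None}
    return graph, labels


def paths_to(graph, labels, target_label, start=""):
    """Every dependency chain from the root to `target_label`, as lists of labels."""
    found = []

    def walk(node, trail):
        if labels[node] == target_label and node != start:
            found.append([labels[n] for n in trail])
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in trail:             # real lockfiles can contain cycles
                walk(nxt, trail + [nxt])

    walk(start, [start])
    return found


def direct_dependents(graph, labels):
    """Reverse adjacency by label: who imports each installed copy. Many callers = chokepoint."""
    rev = {}
    for src, dsts in graph.items():
        for dst in dsts:
            rev.setdefault(labels[dst], set()).add(labels[src])
    return rev


GRAPH, LABELS = build_graph(LOCK)

if __name__ == "__main__":
    dependents = direct_dependents(GRAPH, LABELS)
    for target in ("serialize-javascript@6.0.2", "minimatch@3.1.2", "minimatch@9.0.5"):
        for chain in paths_to(GRAPH, LABELS, target):
            print(" -> ".join(chain))
        print(f"{target}: {len(dependents.get(target, ()))} direct dependents\n")
```

Resolving by lock path rather than by name is what keeps the two minimatch copies apart: some-cli's chain ends at minimatch@9.0.5 and never inflates the count for 3.1.2, while glob, @sentry/node and @typescript-eslint/typescript-estree all land on the hoisted 3.1.2, which is the chokepoint the graph view surfaces.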
Technical stack
- Parsers: package-lock.json, Cargo.lock, poetry.lock, requirements.txt, go.mod
- Vulnerability source: OSV.dev batch API (single request for all packages, followed by detailed fetches)
- Storage & analysis: SQLite + NetworkX (centrality scoring, path finding)
- API: Flask (REST)
- Frontend: Svelte + Cytoscape.js (graph rendering)
- Layout algorithm: Topological sort for DAG layout, O(V + E), handling > 1,300 nodes efficiently
- Python requirements.txt handling: Resolves transitive dependencies via the PyPI API (since requirements.txt is not a lockfile)
Installation & usage
```bash
# Clone the repository
git clone https://github.com/KPCOFGS/depgra
cd depgra

# Backend setup
cd backend
uv venv .venv
source .venv/bin/activate
uv pip install -r requirements.txt
cd ..

# Frontend setup
cd frontend
npm install
npm run build
cd ..

# Run the server
python run.py
# Open http://127.0.0.1:5000
```
CLI alternative
```bash
# Scan a lockfile
python run.py scan path/to/package-lock.json

# Scan a requirements file and fail on HIGH severity or above
python run.py scan requirements.txt --fail-on HIGH
```
Limitations
- No auto-remediation: DepGra does not suggest version upgrades or create fix pull requests (unlike npm audit fix).
- Scope: Focused solely on dependency-vulnerability visualization; no container scanning, license compliance, or secrets detection.
- Severity variance: Classifications come from OSV.dev and may differ from those reported by other tools (e.g., Snyk, npm audit).
- Large graphs: Visualizations for > 1,000 packages become dense; still functional but less tidy than smaller graphs.
Future directions
- SBOM export (CycloneDX / SPDX)
- Automated remediation suggestions (minimum version upgrades that resolve CVEs)
- GitHub Action for CI/CD integration
The project is MIT‑licensed and welcomes feedback.