Does dependency_audit require internet access?

Yes, for CVE checking. It queries the OSV (Open Source Vulnerability) database at osv.dev to look up known vulnerabilities. The manifest parsing itself is offline, but the CVE lookup requires an outbound connection.

Which package managers and ecosystems are supported?

Python (requirements.txt, pyproject.toml), Node.js (package.json), Go (go.mod), Java/Maven (pom.xml), Ruby (Gemfile.lock), and Rust (Cargo.toml). The tool auto-detects manifest files recursively in the given directory.

What is the OSV database?

OSV (Open Source Vulnerability) is an open vulnerability database maintained by Google. It's the same data source used by GitHub Dependabot, Google's OSS-Fuzz, and many other security tools. It covers CVEs, GHSA advisories, and ecosystem-specific advisories.

Can it audit a monorepo with multiple package managers?

Yes. dependency_audit scans recursively, so it will find and audit all supported manifest files within a directory — even if they're in different subdirectories and use different ecosystems.

What's the difference between a vulnerable and an outdated package?

A vulnerable package has a known CVE — you should update it immediately. An outdated package just has a newer version available but no known security issue — worth updating, but not urgent.

docs/tools/dependency_audit

AgenticCode

Dependency Vulnerability Scanner MCP Tool

CLI Tool Name: dependency_audit

Audits project dependencies across multiple ecosystems. Checks every package against the Open Source Vulnerability (OSV) database for known CVEs, and flags outdated versions. Supports Python, Node.js, Go, Java, Ruby, and Rust.

Parameters

Parameter	Type	Required	Description
directory	string	yes	Root directory of the project to audit. Scans recursively for known manifest files.

Supported manifest files

File	Ecosystem
requirements.txt	Python (pip)
pyproject.toml	Python (modern)
package.json	Node.js / npm
go.mod	Go
pom.xml	Java (Maven)
Gemfile.lock	Ruby (Bundler)
Cargo.toml	Rust

Example output

json

{
  "directory": "/path/to/project",
  "manifests_found": ["requirements.txt", "package.json"],
  "findings": [
    {
      "package": "requests",
      "current_version": "2.28.0",
      "latest_version": "2.31.0",
      "severity": "HIGH",
      "cve": "CVE-2023-32681",
      "description": "Unintended leak of Proxy-Authorization header"
    },
    {
      "package": "lodash",
      "current_version": "4.17.20",
      "latest_version": "4.17.21",
      "severity": "MEDIUM",
      "cve": "CVE-2021-23337",
      "description": "Command injection via template"
    }
  ],
  "summary": {
    "critical": 0,
    "high": 1,
    "medium": 1,
    "low": 0,
    "outdated": 3
  }
}

[info]

CVE data comes from the OSV database (osv.dev) — the same source used by GitHub Dependabot and Google's OSS-Fuzz.

Explore other AgenticStore MCP tools

→ Python Code Linter MCP Tool → Secret & Repo Scanner MCP Tool → Web Search & Scraper MCP Tool

← repo_scanner agentic_web_search →

Frequently asked questions