Make your AI coding agent dependency-security aware.
AI coding agents (Claude Code, Cursor, Codex, …) happily add, bump, and pin
dependencies — and just as happily pull in ones with known CVEs, then move on.
chifu is a tiny CLI your agent runs to find vulnerable dependencies, so it can
fix what it introduced before you merge — not weeks later in a Dependabot PR.
It pairs with the chifu skill so the agent runs it automatically when it touches dependencies.
$ chifu check
3 of 143 dependencies are vulnerable
CRITICAL lodash 4.17.4 → 4.18.0 (8 CVEs)
HIGH axios 0.21.0 → 0.32.0 (13 CVEs)
MEDIUM minimist 1.2.0 → 1.2.3 (1 CVE)
Run with --verbose to list individual CVEs.
Each row collapses to the single upgrade that clears all of that package's CVEs.
The wizard installs the CLI and teaches your coding agent to run it on every dependency change — one command, no config:
bunx @marshell/chifu-wizard # or: npx @marshell/chifu-wizardIt works with Claude Code, Cursor, and Windsurf. See chifu-wizard for what it sets up.
Run it with no install:
bunx @marshell/chifu check # Bun
npx @marshell/chifu check # Node (>= 18)Or install it globally:
npm i -g @marshell/chifu # then: chifu check
# or
bun add -g @marshell/chifuPrefer a standalone binary (no Node/Bun required)? Grab one for your platform
from the latest release
(Windows x64, macOS arm64/x64, Linux x64), make it executable, and put it on your
PATH.
chifu check [path] # check dependencies in cwd (or a given path)
chifu check --json # machine-readable output (what the skill reads)
chifu check --verbose # list every individual CVE
chifu check --fail-on-findings # exit non-zero if vulns found (for CI)
chifu check --api-url <url> # override the backend (or set CHIFU_API_URL)
chifu login [chf_xxx] # sign in (required) — chifu needs an account
chifu --help | --versioncheck requires an account. Run chifu login (or set CHIFU_API_KEY)
before your first check — the backend rejects unauthenticated calls. Once signed
in, results sync to your dashboard with history per repo.
Exit codes: 0 clean, 1 vulnerabilities found (only with
--fail-on-findings), 2 error.
chifu checkreads yourpackage.json+ lockfile into a resolved dependency list (and yourgit remoteto group results by repo).- It sends the list to the chifu backend, which matches it against a continuously-updated CVE corpus and returns the vulnerable packages + the fixed version + advisory.
- With the chifu skill installed, your coding agent runs this on every
dependency change, reads
--json, upgrades the vulnerable packages, fixes any breaking changes from the advisory, and re-runs until clean.
The CLI only detects and reports — your own agent does the fixing. No LLM, no secrets, nothing proprietary baked in.
| Variable | Purpose | Default |
|---|---|---|
CHIFU_API_KEY |
Your chf_ key — required for chifu check (or run chifu login) |
(none) |
CHIFU_API_URL |
Backend origin | https://api.marshell.dev |
Config is stored at ~/.config/chifu/config.json (mode 600; %APPDATA%\chifu
on Windows).
- ✅ npm (
package.json+package-lock.json, or an installednode_modules) - ⏳ Go modules, PyPI — planned
Requires Bun.
bun install
bun run check # run the CLI against this repo
bun run typecheck # tsc --noEmit
bun run build # bundle to dist/cli.js (node-runnable)
node dist/cli.js --help # run the built bundle under NodeMIT