External NPM Supply-Chain Audit Index

Generated: 2026-05-23

Parent: #1443

This directory tracks external npm package audit evidence for the current dependency-audit wave:

#1444: root runtime dependencies
#1445: optional native and peer dependencies
#1446: root dev-tooling dependencies
#1447: shipped nested npm manifests
#1448: reusable template, commands, and upstream issue draft

Package	Version	Tracking	Native/Binary/Lifecycle Surface	Status	Report
`@modelcontextprotocol/sdk`	`1.24.3`	#1444, #1447	no	complete	report
`chalk`	`4.1.2`	#1444	no	complete	report
`chokidar`	`3.6.0`	#1444	no	complete	report
`commander`	`12.1.0`	#1444, #1447	no	complete	report
`glob`	`13.0.1`	#1444	no	complete	report
`graceful-fs`	`4.2.11`	#1444	no	complete	report
`js-yaml`	`4.1.1`	#1444, #1447	no	complete	report
`listr2`	`8.3.3`	#1444	no	complete	report
`ora`	`5.4.1`	#1444	no	complete	report
`yaml`	`2.8.2`	#1444	no	complete	report
`zod`	`3.25.76`	#1444	no	complete	report
`@hono/node-server`	`1.19.14`	#1445	no	complete	report
`hnswlib-node`	`3.0.0`	#1445	yes	complete	report
`hono`	`4.12.18`	#1445	no	complete	report
`node-pty`	`1.1.0`	#1445	yes	complete	report
`ws`	`8.20.0`	#1445	no	complete	report
`@xenova/transformers`	`2.17.2`	#1445	yes	complete	report
`better-sqlite3`	`12.8.0`	#1445	yes	complete	report
`@matric/eval-client`	`0.1.0`	#1447	no	complete	report
`tsx`	`4.21.0`	#1446, #1447	yes	complete	report
`typescript`	`5.9.3`	#1446, #1447	no	complete	report
`@types/js-yaml`	`4.0.9`	#1446, #1447	no	complete	report
`@types/node`	`22.19.2`	#1446, #1447	no	complete	report
`@types/semver`	`7.7.1`	#1446	no	complete	report
`@vitest/coverage-v8`	`2.1.9`	#1446	no	complete	report
`@vitest/ui`	`2.1.9`	#1446	no	complete	report
`@xterm/headless`	`6.0.0`	#1446	no	complete	report
`cli-table3`	`0.6.5`	#1446	no	complete	report
`graphology`	`0.26.0`	#1446	no	complete	report
`graphology-operators`	`1.6.1`	#1446	no	complete	report
`graphology-shortest-path`	`2.1.0`	#1446	no	complete	report
`graphology-traversal`	`0.3.1`	#1446	no	complete	report
`graphology-types`	`0.24.8`	#1446	no	complete	report
`simple-statistics`	`7.8.8`	#1446	no	complete	report
`vitest`	`2.1.9`	#1446	no	complete	report

Evidence Utilities

Per-package report template: _template.md
Standard audit commands: _commands.md
Upstream issue/PR draft template: _upstream-issue-template.md

Shared Verification

Lockfile and manifest evidence came from `package.json`, `package-lock.json`, `agentic/code/addons/droid-bridge/package-lock.json`, and `tools/eval/package-lock.json`.
Registry evidence came from `npm view <pkg>@<version> ... --json` on 2026-05-23.
Commands in _commands.md avoid running untrusted lifecycle scripts during metadata inspection.
Provenance expectation: every report records manifest usage context, lockfile version, repository URL, audited ref or `gitHead` where exposed, lifecycle/native behavior, dependency-source findings, registry signature evidence, findings, clean checks, and follow-up routing.