Quickstart

Get up and running with sus in just a few minutes

Installation

Install sus using the install script:

Bash
curl -fsSL https://sus-pm.com/install.sh | sh

Initialize Your Project

Run sus init to set up sus in your project:

Bash
sus init
Bash
  🔧 initializing sus...
 
  Enable AGENTS.md docs index for AI coding agents? (Y/n) Y
 
  ✓ created sus.json
  ✓ created .sus-docs/
  ✓ updated AGENTS.md with sus docs index
 
  ✓ sus initialized successfully!

This creates:

  • sus.json - Project configuration
  • AGENTS.md - Instructions and docs index for AI agents

Use -y to skip prompts: sus init -y

Add Your First Package

Instead of using npm install, use sus add to install packages with safety checks:

Bash
sus add express
Bash
πŸ” checking express@4.21.0...
βœ… not sus
   β”œβ”€ publisher: expressjs (verified)
   β”œβ”€ downloads: 32M/week
   β”œβ”€ cves: 0
   └─ install scripts: none
πŸ“¦ installed
πŸ“ updated AGENTS.md docs index

If a package is suspicious, sus will warn you:

Bash
sus add event-stream@3.3.6
Bash
πŸ” checking event-stream@3.3.6...
🚨 MEGA SUS
   β”œβ”€ malware: flatmap-stream injection
   β”œβ”€ targets: cryptocurrency wallets
   └─ status: COMPROMISED
 
❌ not installed. use --yolo to force (don't)

Scan an Existing Project

Audit all dependencies in your current project:

Bash
sus scan
Bash
πŸ” scanning 847 packages...
 
πŸ“¦ lodash@4.17.20
   ⚠️  kinda sus β€” CVE-2021-23337 (prototype pollution)
   └─ fix: sus update lodash
 
πŸ“¦ node-ipc@10.1.0
   🚨 MEGA SUS β€” known sabotage (march 2022)
   └─ fix: sus remove node-ipc
 
───────────────────────────────────
summary: 845 clean, 1 warning, 1 critical

Check a Package

Look up a package without installing it:

Bash
sus check lodash
Bash
📦 lodash
 
fetching security assessment...
✓ assessment found
 
✅ not sus
   ├─ publisher: lodash (verified)
   ├─ downloads: 45M/week
   ├─ cves: 0
   └─ install scripts: none

Package Manager Auto-Detection

sus automatically detects your package manager based on lock files:

  • pnpm-lock.yaml → pnpm
  • yarn.lock → yarn
  • bun.lock → bun
  • package-lock.json → npm (default)

No configuration is needed: run sus add and the detected manager is used.
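The detection order above, written out as a small shell script. This is an added example, not code from sus itself: detect_pm, lockfile_count and report are hypothetical helper names, and the precedence pnpm > yarn > bun > npm when several lock files exist is an assumption (the page lists the files but does not say how ties are broken). The report function adds a check that is worth running before trusting any scan: a project with more than one lock file is ambiguous, and the manager the tool picks may not be the one your team installs with, so the dependency graph that gets scanned can differ from the one that ships.

```shell
# Added example, not part of sus. Reproduces the lock-file detection order from
# the quickstart and flags projects where more than one lock file is present.

# detect_pm DIR: print the package manager implied by the lock files in DIR.
# Precedence pnpm > yarn > bun > npm is an assumption, not documented behaviour.
detect_pm() {
  dir="${1:-.}"
  if [ -f "$dir/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$dir/yarn.lock" ]; then echo yarn
  elif [ -f "$dir/bun.lock" ]; then echo bun
  else echo npm            # package-lock.json, or no lock file at all (default)
  fi
}

# lockfile_count DIR: how many of the four known lock files exist in DIR.
lockfile_count() {
  dir="${1:-.}"
  n=0
  for f in pnpm-lock.yaml yarn.lock bun.lock package-lock.json; do
    [ -f "$dir/$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# report DIR: print the detected manager, and call out ambiguous projects.
report() {
  dir="${1:-.}"
  pm=$(detect_pm "$dir")
  n=$(lockfile_count "$dir")
  if [ "$n" -gt 1 ]; then
    echo "$dir: $pm (ambiguous: $n lock files present, reconcile before trusting a scan)"
  else
    echo "$dir: $pm"
  fi
}

# demo: three constructed project directories under a temp dir.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/yarn-app" "$tmp/plain-app" "$tmp/mixed-app"
  : > "$tmp/yarn-app/yarn.lock"
  : > "$tmp/plain-app/package-lock.json"
  : > "$tmp/mixed-app/pnpm-lock.yaml"      # mixed-app has two lock files
  : > "$tmp/mixed-app/package-lock.json"
  for p in yarn-app plain-app mixed-app; do report "$tmp/$p"; done
  rm -rf "$tmp"
}

# Run with --demo to see the three cases; otherwise only the functions are defined.
case "${1-}" in --demo) demo ;; esac
```

Run it as `sh detect-pm.sh --demo`; the mixed-app line is the one to act on, because two lock files mean two possibly different resolutions of the same package.json.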

AGENTS.md Docs Index

When you install a package with sus add, it automatically:

  1. Saves package documentation to .sus-docs/
  2. Updates the docs index in AGENTS.md

This gives AI coding agents direct access to package documentation without having to search for it. According to Vercel's research, this passive-context approach achieves a 100% pass rate, compared with 79% for active skill retrieval.

Learn more in the AGENTS.md documentation.

Common Flags

Bash
sus add express --strict    # Block on any warning
sus add express --yolo      # Skip checks (not recommended)
sus scan --json             # Machine-readable output
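The `--strict` and `--json` flags are what you reach for when sus runs in CI rather than at a keyboard. The script below is an added example, not part of sus: it gates a pipeline on the output of `sus scan` by reading the summary line shown earlier on this page ("summary: 845 clean, 1 warning, 1 critical"). That line format is an assumption taken from the quickstart output; in a real pipeline you would prefer `sus scan --json` and parse its fields, whose names this page does not show. The function names scan_verdict and scan_gate are hypothetical. In normal mode only a critical finding fails the build; in strict mode warnings fail it too, mirroring what `--strict` does for `sus add`.

```shell
# Added example, not sus's own code. Reads `sus scan` output on stdin and turns
# the summary line into a pass/fail verdict for CI. Assumes the summary format
# "summary: N clean, N warning(s), N critical" shown in the quickstart.

# is_count VALUE: true when VALUE is a non-empty string of digits.
is_count() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# scan_verdict [strict]: read scan output on stdin, print "pass" or "fail".
# Unparseable output is treated as a failure: a gate that cannot read its
# input must not wave the build through.
scan_verdict() {
  mode="${1:-normal}"
  summary=$(grep '^summary:' | tail -n 1)
  if [ -z "$summary" ]; then
    echo "no summary line in scan output" >&2
    echo fail
    return 0
  fi
  warnings=$(printf '%s\n' "$summary" | sed -n 's/.*[ ,]\([0-9][0-9]*\) warning.*/\1/p')
  critical=$(printf '%s\n' "$summary" | sed -n 's/.*[ ,]\([0-9][0-9]*\) critical.*/\1/p')
  if ! is_count "$warnings" || ! is_count "$critical"; then
    echo "could not parse counts from: $summary" >&2
    echo fail
    return 0
  fi
  if [ "$critical" -gt 0 ]; then
    echo fail
  elif [ "$mode" = strict ] && [ "$warnings" -gt 0 ]; then
    echo fail
  else
    echo pass
  fi
}

# scan_gate [strict]: CI wrapper, exits non-zero when the verdict is fail.
# Usage in a pipeline step:   sus scan | scan_gate strict
scan_gate() {
  verdict=$(scan_verdict "$@")
  echo "sus scan gate: $verdict"
  [ "$verdict" = pass ]
}

# demo: constructed scan output modelled on the quickstart's sample.
demo() {
  sample='scanning 847 packages...
lodash@4.17.20
   kinda sus - CVE-2021-23337 (prototype pollution)
node-ipc@10.1.0
   MEGA SUS - known sabotage (march 2022)
summary: 845 clean, 1 warning, 1 critical'
  printf '%s\n' "$sample" | scan_gate || echo "(build would stop here)"
  printf 'summary: 10 clean, 2 warnings, 0 critical\n' | scan_gate
  printf 'summary: 10 clean, 2 warnings, 0 critical\n' | scan_gate strict || echo "(strict mode stops on warnings)"
}

case "${1-}" in --demo) demo ;; esac
```

Because the gate fails closed on missing or malformed summaries, a change in the tool's output format shows up as a red build rather than as silently passing scans; that is the behaviour you want from any check that stands between a dependency and production.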

Other Commands

Bash
sus init               # Initialize sus in your project
sus remove <package>   # Uninstall a package
sus update             # Update dependencies and re-scan
sus why <package>      # Show why a package is in your tree

Next Steps