npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@lbharath/depguard

v1.0.14

Published

Universal dependency health scanner CLI for JavaScript ecosystems

Downloads

53

Readme

DepGuard

Universal dependency health scanner CLI for JavaScript ecosystems.

npm version License: MIT Node.js

DepGuard scans any JavaScript or TypeScript project and gives you a complete dependency health picture in a single command — outdated packages, known vulnerabilities (via OSV.dev), deprecated libraries, and abandoned/stale packages — across npm, pnpm, yarn, bun, and partial deno support.


Features

| Check | How | |-------|-----| | Outdated versions | npm/pnpm/yarn/bun outdated + semver diff | | Vulnerabilities | npm/pnpm/yarn audit + OSV.dev batch API | | Deprecated packages | npm registry (deprecated field) | | Stale / unmaintained | npm registry publish timestamps (>24 months) | | Monorepo workspaces | npm / pnpm / yarn / bun workspace patterns | | CI failure mode | --fail-on-high exits with code 1 |


Requirements

  • Node.js >= 18 (uses native fetch and AbortSignal.timeout)

Installation

Global install (recommended for local use)

npm install -g @lbharath/depguard

One-off usage with npx (no install needed)

npx @lbharath/depguard

Project dev dependency

npm install --save-dev @lbharath/depguard
# then in package.json scripts:
# "health": "depguard"

Usage

Basic scan (current directory)

depguard

Scan a specific directory

depguard scan ./apps/web
depguard scan ./packages/api

Security-only scan

depguard audit

Deep scan (includes transitive dependencies)

depguard scan --deep

Monorepo workspace scan

depguard --workspace
depguard scan --workspace

Output Formats

Terminal (default)

Human-readable coloured report with severity badges.

  DepGuard  —  Dependency Health Report
  ────────────────────────────────────────────────────────────
  Project         my-app
  Package Manager npm
  ...

  🔴  Vulnerabilities
  [email protected]
     CRITICAL   Prototype Pollution
                Affected: >=0.0.0 <4.17.21

  ⚠   Deprecated Packages
  [email protected]
    request has been deprecated...

  📦  Outdated Dependencies
  ┌──────────────────┬──────────┬──────────┬───────┐
  │ Package          │ Current  │ Latest   │ Type  │
  ├──────────────────┼──────────┼──────────┼───────┤
  │ next             │ 14.2.0   │ 15.1.0   │ major │
  └──────────────────┴──────────┴──────────┴───────┘

JSON output

depguard --json
depguard --json > report.json

Markdown output

depguard --markdown
depguard --markdown > DEPENDENCY_REPORT.md

All CLI Flags

| Flag | Description | |------|-------------| | --json | Output as JSON | | --markdown | Output as Markdown | | --fail-on-high | Exit code 1 if critical/high vulnerabilities found | | --ignore <list> | Comma-separated packages to skip e.g. --ignore react,next | | --workspace | Scan all monorepo workspaces | | --deep | Include transitive dependencies (scan command only) | | --production | Only scan production deps (skip devDependencies) | | -v, --version | Print version | | -h, --help | Show help |


CI / CD Integration

GitHub Actions

# .github/workflows/dep-health.yml
name: Dependency Health

on: [push, pull_request]

jobs:
  depguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npx @lbharath/depguard --fail-on-high

GitLab CI

dep-health:
  image: node:20
  script:
    - npm ci
    - npx @lbharath/depguard --fail-on-high

JSON report as CI artifact

depguard --json > dep-report.json

Supported Package Managers

| Package Manager | Outdated | Audit | Workspaces | |-----------------|----------|-------|------------| | npm | ✅ | ✅ | ✅ | | pnpm | ✅ | ✅ | ✅ | | yarn v1 | ✅ | ✅ | ✅ | | yarn berry v2+ | partial | ✅ | ✅ | | bun | ✅ | via OSV | ✅ | | deno | — | via OSV | — |


Data Sources

  • npm registry — installed versions, deprecation status, publish history
  • OSV.dev — open-source vulnerability database (Google), free, no API key required
  • npm/pnpm/yarn audit — native package manager vulnerability reports

How to Publish to npm (CDN distribution)

Publishing to npm makes DepGuard available on:

  • npm registrynpm install -g depguard
  • unpkg CDNhttps://unpkg.com/depguard/
  • jsDelivr CDNhttps://cdn.jsdelivr.net/npm/depguard/
  • npx depguard — zero-install usage for anyone

Step-by-step publishing guide

1. Create an npm account

Go to https://www.npmjs.com and create a free account.

2. Log in from your terminal

npm login
# Enter your username, password, and email
# Complete any 2FA if enabled

3. Set your author info (optional but recommended)

Edit package.json:

{
  "author": "Your Name <[email protected]> (https://yoursite.com)",
  "repository": {
    "type": "git",
    "url": "https://github.com/YOUR_USERNAME/depguard"
  },
  "homepage": "https://github.com/YOUR_USERNAME/depguard#readme",
  "bugs": {
    "url": "https://github.com/YOUR_USERNAME/depguard/issues"
  }
}

4. Build the project

npm run build

This compiles TypeScript → dist/index.js with the shebang line prepended.

5. Verify what will be published

npm pack --dry-run

You should see dist/, README.md, and LICENSE listed.

6. Publish

npm publish

For scoped packages (e.g. @yourname/depguard):

npm publish --access public

7. Your package is now live!

Anyone can install it:

# Global install
npm install -g @lbharath/depguard

# Zero-install
npx @lbharath/depguard

# Project dependency
npm install --save-dev @lbharath/depguard

CDN URLs (available automatically after publishing):

https://unpkg.com/@lbharath/depguard@latest/dist/index.js
https://cdn.jsdelivr.net/npm/@lbharath/depguard@latest/dist/index.js

8. Publishing updates

# Bump the version (choose: patch | minor | major)
npm version patch   # 1.0.12 → 1.0.13
npm version minor   # 1.0.11 → 1.1.0
npm version major   # 1.0.11 → 2.0.0

# Then publish
npm publish

Development

# Clone the repo
git clone https://github.com/YOUR_USERNAME/depguard
cd depguard

# Install dependencies
npm install

# Run in development mode (no build step needed)
npm run dev

# Build for production
npm run build

# Type-check without building
npm run typecheck

Project Structure

depguard/
├── src/
│   ├── index.ts              # CLI entry point
│   ├── types/index.ts        # Shared TypeScript types
│   ├── cli/program.ts        # Commander.js setup
│   ├── detector/index.ts     # Package manager + monorepo detection
│   ├── scanner/              # Per-PM scanner engines
│   │   ├── index.ts
│   │   ├── npm.ts
│   │   ├── pnpm.ts
│   │   ├── yarn.ts
│   │   └── bun.ts
│   ├── normalizer/index.ts   # Raw output → DependencyInfo
│   ├── analyzers/            # Health enrichment
│   │   ├── index.ts
│   │   ├── vulnerability.ts  # OSV.dev API
│   │   ├── deprecation.ts    # npm registry deprecation
│   │   └── maintenance.ts    # npm registry publish dates
│   └── reporters/            # Output formatters
│       ├── index.ts
│       ├── terminal.ts
│       ├── json.ts
│       └── markdown.ts
├── dist/                     # Compiled output (git-ignored)
├── package.json
├── tsconfig.json
└── tsup.config.ts

Output JSON Schema

{
  "project": "my-app",
  "packageManager": "npm",
  "directory": "/path/to/project",
  "scanDate": "2024-01-15T10:30:00.000Z",
  "summary": {
    "total": 42,
    "outdated": 8,
    "vulnerable": 2,
    "deprecated": 1,
    "stale": 3,
    "critical": 1,
    "high": 1,
    "moderate": 0,
    "low": 0
  },
  "dependencies": [
    {
      "name": "lodash",
      "current": "4.17.15",
      "latest": "4.17.21",
      "wanted": "4.17.21",
      "severity": "critical",
      "deprecated": false,
      "stale": false,
      "archived": false,
      "riskLevel": "critical",
      "updateType": "patch",
      "isDev": false,
      "vulnerabilities": [
        {
          "id": "GHSA-...",
          "title": "Prototype Pollution",
          "severity": "critical",
          "affectedVersions": ">=0.0.0 <4.17.21",
          "url": "https://github.com/advisories/...",
          "source": "osv"
        }
      ]
    }
  ],
  "errors": []
}

License

MIT — free to use, modify, and distribute.