@sulthonzh/depwalk

v1.8.0

Trace why a dependency exists in your node_modules — find the path from your package.json to any package

Why is this package in my node_modules?

depwalk traces dependency paths — it tells you exactly how a package ended up in your node_modules. No more guessing which of your 200+ transitive dependencies pulled in that mystery package.

Features

  • 🔍 Trace dependency paths: See the exact chain from your package.json to any package
  • 📊 Explain dependencies: Find out which packages depend on a specific package
  • 📈 Package size analysis: Visual breakdown of your node_modules
  • 🔄 Dedupe detection: Find packages with multiple versions in your tree
  • 📜 License audit: Check all dependency licenses and flag copyleft/unlicensed
  • 🌳 Dependency tree: See what a single package brings with it (deps)
  • 📊 Project summary: Quick health overview of your dependency tree
  • 📋 CI/CD integration: JSON output + exit codes for automation
  • 📝 Multiple output formats: Human-friendly, JSON, Markdown, and Graphviz DOT
  • 📊 Visual dependency graphs: Generate DOT files for Graphviz visualization
  • 🔒 Lockfile analysis: Inspect package-lock.json v1/v2/v3 for security and health

Visual Dependency Graphs

Generate Graphviz DOT output to visualize your dependency tree:

# Full dependency graph
npx @sulthonzh/depwalk dot | dot -Tpng -o deps.png

# Trace paths to a specific package
npx @sulthonzh/depwalk why body-parser --dot | dot -Tpng -o trace.png

# Dependency tree of a single package
npx @sulthonzh/depwalk deps express --dot | dot -Tpng -o express-tree.png

# Project summary as a graph
npx @sulthonzh/depwalk summary --dot | dot -Tpng -o summary.png

You can also pipe the output to any Graphviz renderer (dot, neato, fdp) or use online tools like Graphviz Online.

Install

npm install -g @sulthonzh/depwalk

Or use without installing:

npx @sulthonzh/depwalk body-parser

Usage

Trace a dependency path

depwalk body-parser
Dependency paths to body-parser:

  Root (dependencies)
  └─┬ [email protected]
    └── [email protected]

Found 1 path
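
How such a trace can be computed from a package-lock.json v3 "packages" map, as an added example that is not depwalk's own code. The lockfile is constructed, the package names are placeholders, and reading the lockfile (rather than node_modules) is an assumption of this sketch.

```javascript
// Added example, not depwalk's code. SAMPLE_LOCK_PATHS is constructed; names are placeholders.
const SAMPLE_LOCK_PATHS = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "web-fw": "^4.0.0" }, devDependencies: { "test-kit": "^2.0.0" } },
    "node_modules/web-fw": { version: "4.1.0", dependencies: { "body-lib": "^1.0.0" } },
    "node_modules/test-kit": { version: "2.3.0", dependencies: { "body-lib": "^0.9.0" } },
    "node_modules/body-lib": { version: "1.5.0", dependencies: { "tiny-util": "^1.0.0" } },
    "node_modules/test-kit/node_modules/body-lib": { version: "0.9.4" },
    "node_modules/tiny-util": { version: "1.0.2" },
  },
};

// Node-style resolution: check the dependant's own node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null; // not installed (e.g. a skipped optional dependency)
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Return every chain from the root project to `target`, one array per path.
function why(lock, target) {
  const pkgs = lock.packages, paths = [];
  const label = (p) => `${p.split("node_modules/").pop()}@${pkgs[p].version}`;
  const walk = (path, chain, seen) => {
    const entry = pkgs[path];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(pkgs, path, name);
      if (!next || seen.has(next)) continue; // missing dependency or a cycle
      const step = [...chain, label(next)];
      if (name === target) paths.push(step);
      else walk(next, step, new Set(seen).add(next));
    }
  };
  walk("", ["(root)"], new Set());
  return paths;
}

for (const p of why(SAMPLE_LOCK_PATHS, "body-lib")) console.log(p.join(" > "));
```

In the sample, body-lib is reached by two paths that resolve to two different installed versions, which is the same situation the dedupe command reports.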

Who depends on this package?

depwalk explain lodash
[email protected]
3 dependants

  [email protected] (dependencies) requires ^4.17.0
  [email protected] (dependencies) requires ^4.17.21
  (root)@1.0.0 (dependencies) requires ^4.17.0

Find duplicate versions

depwalk dedupe

Finds packages installed at multiple versions across your dependency tree — a common source of bloated node_modules and subtle bugs. Exits with code 1 if duplicates are found (great for CI).

3 packages with multiple versions:

  lodash (4.17.21, 4.17.15)
  debug (4.3.4, 3.2.7)
  ms (2.1.3, 2.0.0)

Total packages: 247

Audit dependency licenses

depwalk licenses

Shows a breakdown of all dependency licenses and flags potentially problematic ones (copyleft, unlicensed). Exits with code 1 if any are flagged.

247 packages analyzed

  MIT                        198 packages
  Apache-2.0                  23 packages
  ISC                         12 packages
  BSD-3-Clause                 8 packages
  UNLICENSED                   3 packages
  GPL-3.0                      2 packages

⚠  Flagged licenses:
  GPL-3.0 (copyleft) — some-gpl-lib, another-gpl
  UNLICENSED (unknown) — unlicensed-pkg, mystery-dep, internal-tool

List all packages

depwalk list

Size breakdown

depwalk size

Shows the biggest packages in your node_modules with a visual bar chart.

What does this package bring with it?

depwalk deps express

Shows the full dependency tree of a specific package — useful for understanding what a single package pulls in before you add it.

[email protected] (MIT)
2 transitive dependencies

  └── [email protected]
      └── [email protected]

Project health summary

depwalk summary

Quick overview of your project's dependency health: direct deps count, total packages, size, duplicates, and license issues in one command.

[email protected]

Direct deps: 2 prod + 1 dev
Total packages: 8
node_modules size: 12.4 KB

✓ No duplicate versions

Licenses: 8 packages
  MIT                            6
  GPL-3.0                        1
  UNLICENSED                     1
  ⚠ 2 flagged licenses

Health: ⚠ Issues found

Lockfile analysis

depwalk lockfile

Inspects your package-lock.json (v1, v2, v3) for security and health issues: registry sources, integrity algorithms, dependency depth, and packages without integrity hashes.

Lockfile Analysis (v3)
──────────────────────────────────────────────────

  Packages:        136
  Registries:      1 sources

  Top registries:
    registry.npmjs.org             135

  Source types:
    registry:  135

  Integrity algorithms:
    sha512          135

  Dependency depth:
    depth 1:   130  ████████████████████████████████████████
    depth 2:     5  ███

  ✅ No issues found

Exits with code 1 if any packages lack integrity hashes.

depwalk lockfile --json    # JSON for CI
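
The checks listed above (registry sources, integrity algorithms, packages without integrity hashes) run over a package-lock.json v3 "packages" map, as an added example that is not depwalk's own code. The lockfile is constructed, and flagging plain-HTTP sources and SHA-1-only hashes goes beyond what the page says depwalk reports.

```javascript
// Added example, not depwalk's code. SAMPLE_LOCK_AUDIT is constructed: package
// names, the mirror host and the integrity values are placeholders.
const SAMPLE_LOCK_AUDIT = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-lib": {
      resolved: "https://registry.npmjs.org/left-lib/-/left-lib-1.2.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/old-lib": {
      resolved: "https://registry.npmjs.org/old-lib/-/old-lib-0.3.1.tgz",
      integrity: "sha1-PLACEHOLDER",
    },
    "node_modules/mirror-lib": {
      resolved: "http://mirror.example.test/mirror-lib-2.0.0.tgz",
    },
  },
};
const WEAK_ALGOS = new Set(["sha1", "md5"]);

function auditLockfile(lock) {
  const report = { packages: 0, registries: {}, algorithms: {}, issues: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled deps (no tarball of their own).
    if (path === "" || entry.link || entry.inBundle) continue;
    report.packages += 1;
    let host = "(unresolved)";
    try {
      const url = new URL(entry.resolved);
      host = url.host || url.protocol; // file: and similar sources have no host
      if (url.protocol === "http:") report.issues.push(`${path}: resolved over plain HTTP`);
    } catch { /* missing or non-URL "resolved" is counted as "(unresolved)" */ }
    report.registries[host] = (report.registries[host] || 0) + 1;
    // "integrity" is an SRI string: space-separated "<algo>-<base64>" items.
    const algos = (entry.integrity || "").split(/\s+/).filter(Boolean).map((h) => h.split("-")[0]);
    for (const a of algos) report.algorithms[a] = (report.algorithms[a] || 0) + 1;
    if (algos.length === 0) report.issues.push(`${path}: no integrity hash`);
    else if (algos.every((a) => WEAK_ALGOS.has(a))) report.issues.push(`${path}: only ${algos.join(",")}`);
  }
  return report;
}

// Non-zero status when anything is flagged, in the style of the page's CI exit codes.
const exitCodeFor = (report) => (report.issues.length > 0 ? 1 : 0);

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK_AUDIT), null, 2));
```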

Output formats

depwalk dedupe --json        # JSON output
depwalk licenses --markdown  # Markdown output
depwalk explain lodash --json

CI/CD Integration

# GitHub Actions example
- name: Check for duplicate deps
  run: npx @sulthonzh/depwalk dedupe --json

- name: License audit
  run: npx @sulthonzh/depwalk licenses

Both dedupe and licenses exit with code 1 when issues are found, making them drop-in CI checks.

Why depwalk?

npm ls exists but it's slow, verbose, and doesn't give you the "why" quickly. depwalk focuses on answering the question you actually have: "why is this thing in my node_modules and is it supposed to be there?"

License

MIT