
@v0idd0/depcheck

v2.0.2

Published

depcheck — dependency scanner. 47-entry offline CVE database (incl. 2024 and supply-chain), unused/missing deps via static import analysis, transitive deps via package-lock.json, Python support (requirements.txt / pyproject.toml). Free forever from vøiddo

Readme

depcheck

npm version npm downloads License: MIT Node ≥14

Dependency scanner for humans. Find known CVEs, unused packages wasting install time, and missing imports that'll crash production — all offline, no network, no API keys.

Free forever gift from vøiddo.

$ depcheck all

  depcheck — full scan (my-app)
  ────────────────────

  Found 2 vulnerabilities:

  ✗ [email protected]
    Severity: HIGH
    CVE:      CVE-2021-23337
    Issue:    Command Injection
    Fix:      upgrade to >=4.17.21

  ✗ [email protected]
    Severity: CRITICAL
    CVE:      CVE-2021-44906
    Issue:    Prototype Pollution
    Fix:      upgrade to >=1.2.6

  UNUSED (2): commander, chalk
  MISSING (1): moment

Why depcheck

npm audit requires a network call, needs a lockfile, and (when it works) throws a wall of JSON at you. depcheck (the classic one) only checks unused. pip-audit only checks Python vulns. You end up running three tools and still don't know if you have unused Express deps dragging install time.

This depcheck is one binary that does the three things that matter:

  1. Offline CVE scan — 47 curated entries through 2025 (Express, Axios, WS, follow-redirects, supply-chain sabotage like node-ipc / colors / faker).
  2. Unused / missing — static import analysis across .js/.mjs/.cjs/.jsx/.ts/.tsx.
  3. Python support — same game for requirements.txt / pyproject.toml + .py sources.

No network calls. No API keys. No npm registry lookup. Runs in CI, Docker builds, even offline containers.

Install

npm install -g @v0idd0/depcheck

Ad-hoc via npx:

npx -y @v0idd0/depcheck check --fail-on high

Quickstart

# Vuln scan (default, walks package-lock.json for transitives)
depcheck

# Focused check
depcheck check --package axios
depcheck check --critical

# CI gate: fail on any high or worse
depcheck check --fail-on high

# Unused / missing static analysis
depcheck unused
depcheck missing

# All three reports together
depcheck all

# Python (requirements.txt or pyproject.toml)
depcheck python

# Dump the curated CVE database
depcheck list
depcheck list --json | jq length

# Machine-readable envelope for CI
depcheck check --json | jq .vulnerabilities
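The lockfile walk and --fail-on gate from the Quickstart, as an added illustration that is not the project's code: it flattens a constructed package-lock.json fragment, matches each installed version against a tiny advisory table built from the two CVEs in the sample output, and maps the result to the exit code. The package names lodash and minimist are assumptions chosen to match the categories in the CVE database section; the CVE ids and fix versions are the ones shown above.

```javascript
// Constructed advisory table: vulnerable if installed version < fixedIn (package names assumed).
const ADVISORIES = [
  { name: 'lodash', fixedIn: '4.17.21', cve: 'CVE-2021-23337', severity: 'high', issue: 'Command Injection' },
  { name: 'minimist', fixedIn: '1.2.6', cve: 'CVE-2021-44906', severity: 'critical', issue: 'Prototype Pollution' },
];
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
// Numeric dotted-version compare (-1 / 0 / 1); pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Flatten the lockfile "packages" map (npm lockfile v2/v3 shape) to { name, version };
// nested "node_modules/a/node_modules/b" keys are transitive installs, "" is the root project.
function flattenLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => key !== '')
    .map(([key, meta]) => ({ name: key.split('node_modules/').pop(), version: meta.version }));
}
// Match every installed entry against the advisory table, fully offline.
function matchAdvisories(entries) {
  const findings = [];
  for (const e of entries) {
    for (const adv of ADVISORIES) {
      if (adv.name === e.name && compareVersions(e.version, adv.fixedIn) < 0) {
        findings.push({ ...adv, installed: e.version });
      }
    }
  }
  return findings;
}
// --fail-on semantics: exit 1 if any finding is at or above the threshold, else 0.
function exitCodeFor(findings, failOn) {
  const min = SEVERITY_RANK[failOn];
  return findings.some(f => SEVERITY_RANK[f.severity] >= min) ? 1 : 0;
}

// Constructed lockfile fragment: patched lodash at top level, and a
// vulnerable minimist pulled in transitively under mkdirp.
const SAMPLE_LOCK = { packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/mkdirp': { version: '0.5.1' },
  'node_modules/mkdirp/node_modules/minimist': { version: '1.2.5' },
} };
```

Running `exitCodeFor(matchAdvisories(flattenLock(SAMPLE_LOCK)), 'high')` yields 1 because the transitive minimist is below its fix version; the same lockfile passes once that entry is bumped to 1.2.6.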

Commands

| Command | Aliases | Description |
|---------|---------|-------------|
| check | c | Scan for known CVEs in package.json / package-lock.json (default) |
| unused | u | Find declared deps that aren't imported anywhere |
| missing | m | Find imports that aren't declared |
| all | a | Roll up: vulns + unused + missing |
| python | py | Same unused/missing analysis for Python |
| list | l | Dump the curated CVE database (47 entries) |

Options

| Flag | Description |
|------|-------------|
| -p, --path <dir> | Project root (default: cwd) |
| --package <name> | Restrict vuln check to a single package |
| --critical | Only show critical-severity issues |
| --fail-on <sev> | Exit non-zero if any issue ≥ severity (critical/high/medium/low) |
| --json | JSON envelope output |
| --no-lock | Skip package-lock.json, direct deps only |
| -h, --help | Show help |
| --version | Show version |

What's in the CVE database

47 entries hand-curated from the npm ecosystem, 2017–2025:

  • Prototype pollution: minimist, async, y18n, set-value, ansi, json5, postcss, highlight.js, xml2js
  • ReDoS: node-fetch, glob-parent, trim-newlines, path-parse, hosted-git-info, normalize-url, debug, marked, semver, moment, fast-xml-parser
  • Command / code injection: lodash, ejs, pug, handlebars, simple-git, yaml
  • Auth / HTTP issues: axios (XSRF), jsonwebtoken, cookie, express (open redirect), body-parser, serve-static, send, ws
  • Supply-chain sabotage: node-ipc (wiped RU/BY disks), colors (intentionally broken), faker (renamed to @faker-js/faker)
  • 2024 freshness: puppeteer, esbuild, webpack, cookie, follow-redirects, serve-static

Run depcheck list to see everything. The DB ships in the package — no network call at runtime.

Exit codes

| Code | Meaning |
|------|---------|
| 0 | Clean (no vulns / --fail-on threshold not met) |
| 1 | Vulnerabilities found, file missing, or unknown command |

Programmatic use

const {
  scanPackageJson, readLockfile, walkLockfilePackages,
  checkVulnerabilities, findUnusedAndMissingJs, findUnusedAndMissingPy,
  extractJsImports, extractPyImports, KNOWN_VULNS,
} = require('@v0idd0/depcheck/src/scanner');

// Direct CVE scan
const deps = scanPackageJson('./my-project');
const vulns = checkVulnerabilities(deps);

// Transitive scan
const lock = readLockfile('./my-project');
const entries = walkLockfilePackages(lock);
const allVulns = checkVulnerabilities(entries);

// Unused / missing
const { unused, missing } = findUnusedAndMissingJs('./my-project');

// Parse imports
const imports = extractJsImports(`const x = require('foo');`);
// Set { 'foo' }

From the same studio

vøiddo builds sharp, free-forever CLIs for devs who are tired of paywalls:

Full catalog: voiddo.com/tools.

License

MIT © vøiddo — free forever, no asterisks.

Links

  • Docs: https://voiddo.com/tools/depcheck/
  • Source: https://github.com/voidd0/depcheck
  • npm: https://npmjs.com/package/@v0idd0/depcheck
  • Studio: https://voiddo.com
  • Issues: https://github.com/voidd0/depcheck/issues
  • Support: [email protected]

Built by vøiddo — a small studio shipping AI-flavoured products, free dev tools, Chrome extensions and weird browser games.