npm package discovery and stats viewer.

© 2026 – Pkg Stats / Ryan Hefner

depsafe

v1.0.0

Published

Know what your dependencies actually do to your code. Usage-level CVE scoping, dead-weight detection, and health scoring for any GitHub repo across 11+ ecosystems.

Readme

depsafe

Know what your dependencies actually do to your code.

Most security scanners tell you "lodash has a CVE." depsafe tells you "lodash has a CVE in cloneDeep, but you only use debounce — you're safe."

$ npx depsafe pallets/flask
  depsafe
  ───────────────────────────────────────────────────────
  Repository   pallets/flask (main)
  Ecosystems   pypi
  Health       D (65/100)
  Dependencies 24
  Files        35 analyzed
  CVEs         15 (13 in usage path!)

  Production Dependencies (21)
  ───────────────────────────────────────────────────────
  flask@*                   F  █████████░ 90%  7 CVEs
  [email protected]              F  ███░░░░░░░ 25%  5 CVEs
  [email protected]            F  ██████████ 100% 3 CVEs
  [email protected]              C  ██░░░░░░░░ 20%
  [email protected]               A  ██████████ 100%

  Vulnerabilities (15)
  ───────────────────────────────────────────────────────
   CRIT  GHSA-xxxx  IN PATH
    Remote code execution in Jinja2 template rendering
    Fix: upgrade to 3.1.6

Why depsafe?

| Feature | depsafe | Dependabot | Snyk | npm audit |
|---|---|---|---|---|
| Usage-path CVE scoping | Yes | No | No | No |
| Dead-weight detection | Yes | No | No | No |
| 11 ecosystems | Yes | Yes | Yes | npm only |
| Health scoring | Yes | No | Yes | No |
| Zero dependencies | Yes | N/A | No | N/A |
| Free | Yes | Yes | Freemium | Yes |

Install

# Run instantly (no install needed)
npx depsafe facebook/react

# Or install globally
npm install -g depsafe
depsafe facebook/react

Usage

# Analyze any GitHub repository
depsafe facebook/react
depsafe pallets/flask
depsafe rust-lang/cargo
depsafe golang/go

# Full GitHub URL
depsafe https://github.com/torvalds/linux

# Auto-detect from current git repo
depsafe .

# With GitHub token (higher rate limits + private repos)
depsafe facebook/react --token ghp_xxx
# Or set the env var
export GITHUB_TOKEN=ghp_xxx
depsafe facebook/react

# JSON output (for CI pipelines)
depsafe facebook/react --json

CI/CD Integration

depsafe exits with code 1 when CVEs are found in your usage path — perfect for CI gates.

# GitHub Actions
- run: npx depsafe ${{ github.repository }}
# GitLab CI
dependency-check:
  script: npx depsafe $CI_PROJECT_PATH

What It Analyzes

For every dependency, depsafe determines:

  • Which exports you actually use — traced from your import/require/use statements
  • Whether CVEs affect your code — mapped to your specific usage path
  • How much is dead weight — percentage of the package you never touch
  • Health score (0-100) — combining usage ratio, CVE exposure, and maintenance signals

Supported Ecosystems

| Ecosystem | Manifest | Import Parsing | CVE Source |
|---|---|---|---|
| Node.js / TypeScript | package.json | ES imports, require() | OSV (npm) |
| Python | requirements.txt, pyproject.toml, Pipfile | import, from...import | OSV (PyPI) |
| Dart / Flutter | pubspec.yaml | package: imports | OSV (Pub) |
| Ruby | Gemfile | require | OSV (RubyGems) |
| PHP | composer.json | use statements | OSV (Packagist) |
| Java / Kotlin | pom.xml, build.gradle | import statements | OSV (Maven) |
| Go | go.mod | import paths | OSV (Go) |
| Rust | Cargo.toml | use, extern crate | OSV (crates.io) |
| Swift | Package.swift | import | OSV (SwiftURL) |
| .NET / C# | *.csproj | using statements | OSV (NuGet) |
| C / C++ | CMakeLists.txt, conanfile.txt | #include | OSV (ConanCenter) |

How It Works

Your repo ──> GitHub API ──> Parse manifests ──> Parse source imports
                                                        │
   CVE report <── Health scoring <── OSV queries <──────┘
   with usage    per dependency      per ecosystem
   path mapping

  1. Fetches the repository file tree via GitHub API
  2. Auto-detects all ecosystems (supports monorepos with multiple)
  3. Parses every manifest file to extract dependencies
  4. Analyzes up to 200 source files to trace actual import usage
  5. Queries OSV.dev for known vulnerabilities per ecosystem
  6. Maps CVEs to your specific usage path — not just "package has CVE" but "you call the affected function"
  7. Computes health scores and generates actionable suggestions
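To make the usage-path idea behind steps 4 to 7 concrete, here is an added JavaScript illustration (not depsafe's own code) run over one constructed source file: it collects named, CommonJS and deep imports per package, marks an advisory as in-path only when the affected export is actually imported, computes the dead-weight percentage against a constructed export list, and returns the exit code a CI gate would use. Package names, export names, the GHSA-style ids and fix versions in the sample are constructed placeholders, and scoped (`@org/pkg`) imports are not handled.

```javascript
// Added illustration of usage-path CVE scoping, not depsafe's own code.
// All inputs are constructed inline; advisory ids are placeholders.

// Collect the named exports a source file imports from each package, from
// ES `import { a as b } from "pkg"`, CommonJS `const { a } = require("pkg")`
// and deep imports such as `require("pkg/sub")` (the sub-path counts as the export).
function parseImports(source) {
  const used = {};
  const add = (pkg, list) =>
    list.forEach((n) => (used[pkg] ??= new Set()).add(n));
  const names = (list, sep) =>
    list.split(",").map((s) => s.trim().split(sep)[0].trim()).filter(Boolean);
  for (const m of source.matchAll(/import\s*\{([^}]*)\}\s*from\s*["']([^"']+)["']/g))
    add(m[2], names(m[1], /\s+as\s+/));
  for (const m of source.matchAll(/\{([^}]*)\}\s*=\s*require\(\s*["']([^"']+)["']\s*\)/g))
    add(m[2], names(m[1], ":"));
  for (const m of source.matchAll(/(?:from\s*|require\(\s*)["']([^"'/@]+)\/([^"']+)["']/g))
    add(m[1], [m[2]]);
  return used;
}

// Mark each advisory as in the usage path only if the affected export is imported.
function scopeAdvisories(used, advisories) {
  return advisories.map((a) => ({
    ...a, inPath: (used[a.package] ?? new Set()).has(a.affectedExport) }));
}

// Share of a package's exports the code never touches (the "dead weight").
function deadWeightPct(used, pkg, exportsOfPkg) {
  const hit = exportsOfPkg.filter((e) => used[pkg]?.has(e)).length;
  return Math.round(100 * (1 - hit / exportsOfPkg.length));
}

// CI gate: non-zero only when an advisory is actually reachable from the code.
function gateExitCode(scoped) { return scoped.some((a) => a.inPath) ? 1 : 0; }

// Constructed sample: uses debounce/throttle from lodash plus a deep import of merge.
const SAMPLE_SOURCE = `
import { debounce as db, throttle } from "lodash";
const { escape } = require("validator");
const merge = require("lodash/merge");
`;
// Constructed advisories with placeholder ids and fix versions; not real CVEs.
const SAMPLE_ADVISORIES = [
  { id: "GHSA-xxxx", package: "lodash", affectedExport: "cloneDeep", fix: "x.y.z" },
  { id: "GHSA-yyyy", package: "lodash", affectedExport: "merge", fix: "x.y.z" },
  { id: "GHSA-zzzz", package: "validator", affectedExport: "isURL", fix: "x.y.z" },
];
const LODASH_EXPORTS = ["debounce", "throttle", "cloneDeep", "merge", "get"];
```

With the sample above, only the `merge` advisory is in the usage path, lodash shows 40% dead weight, and the gate would exit 1.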

Also Available As

License

MIT