
lockpick-cli v0.8.4

Blazing-fast JS/TS dependency analyzer CLI, built with Rust

Downloads: 722

Readme

lockpick

Blazing-fast JS/TS dependency analyzer CLI, built with Rust.

Analyze your JS/TS project's dependencies in milliseconds — detect unused packages, scan for vulnerabilities, find duplicates, and measure dependency sizes.

Features

  • Unused dependency detection — Parses JS/TS/Vue source files with oxc to find packages you declared but never imported
  • Vue SFC support — Extracts and parses <script> tags from .vue single-file components
  • Config file awareness — Scans ESLint, Babel, PostCSS, Vite, Next.js, Webpack, Tailwind config files to detect plugin references (supports JSONC comments)
  • Scripts awareness — Parses package.json scripts to detect CLI tools (e.g. tsc maps to the typescript package), supports chained commands (&&, ||, ;, |)
  • Monorepo support — Detects pnpm/npm/yarn workspaces and analyzes each package independently
  • Config package protection — Auto-excludes eslint-config, prettier-config and stylelint-config packages from the fix command
  • Project config (.lockpickrc) — JSON/YAML config file for persistent ignore rules, language, and extra config paths
  • Vulnerability scanning — Queries OSV.dev for known CVEs, computes CVSS 3.x Base Score from vector strings, with local file cache and progress bar
  • Duplicate detection — Finds packages with multiple versions installed in your lockfile
  • Size analysis — Measures the disk size of each dependency in node_modules
  • License compliance — Extracts license info from node_modules, normalizes SPDX aliases, supports allow/deny policy via .lockpickrc
  • Auto-fix — lockpick-cli fix removes unused dependencies via your package manager, supports monorepo workspaces and --dry-run
  • Outdated detection — lockpick-cli outdated checks the npm registry for newer versions with a progress bar, and correlates with vulnerability data for upgrade priority
  • Supply chain security — lockpick-cli supply-chain detects typosquatting, scope confusion, and version anomaly attacks; High/Critical risks affect the exit code
  • Multi-lockfile support — Auto-detects pnpm-lock.yaml, bun.lock, package-lock.json, and yarn.lock (including yarn Berry v2/v3/v4)
  • ESM + CJS + dynamic import — Handles import, require(), require.resolve(), and import() syntax with deep AST traversal (if/try/class/arrow functions), supports array expressions and nested call patterns like Promise.all([import('pkg')])
  • CI-friendly — Exits with code 1 when unused deps or vulnerabilities are found; supports --fail-on threshold and .lockpickrc thresholds for fine-grained CI gating
  • Smart @types association — @types/react won't be flagged as unused if react is imported
  • Dependency tree — lockpick tree visualizes the full dependency graph (terminal, DOT, JSON, Mermaid), with --focus and --depth
  • Diff comparison — lockpick diff <baseline.json> compares current state against a baseline, showing new and resolved issues
  • Fast — Native Rust binary, no Node.js runtime needed
  • Bilingual — English and Chinese output (--lang zh)
  • Multiple output formats — Terminal (colored tables), JSON, or Markdown (--output <file> to write to file)
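The vulnerability-scanning and CI-gating bullets above depend on turning the CVSS vector string attached to an OSV.dev advisory into a Base Score, and then into the severity bucket that --fail-on compares against. As an added example, not lockpick's own code, this is the CVSS v3.1 Base Score calculation from the FIRST specification (section 7.1) in plain Rust with no crates. It also accepts a CVSS:3.0 prefix, where Roundup is a plain one-decimal ceiling rather than v3.1's integer-based version, and maps the score to the specification's qualitative scale (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0). The vectors in main() are constructed, not taken from any advisory.

```rust
// Added example, not lockpick's own code: CVSS v3.x Base Score from a vector
// string such as those carried by OSV.dev advisories (FIRST CVSS v3.1 spec, 7.1).
use std::collections::HashMap;

fn av(v: &str) -> Option<f64> { match v { "N" => Some(0.85), "A" => Some(0.62), "L" => Some(0.55), "P" => Some(0.20), _ => None } }
fn ac(v: &str) -> Option<f64> { match v { "L" => Some(0.77), "H" => Some(0.44), _ => None } }
fn ui(v: &str) -> Option<f64> { match v { "N" => Some(0.85), "R" => Some(0.62), _ => None } }
fn cia(v: &str) -> Option<f64> { match v { "H" => Some(0.56), "L" => Some(0.22), "N" => Some(0.0), _ => None } }

/// Privileges Required weighs more when Scope is Changed, so S must be parsed first.
fn pr(v: &str, scope_changed: bool) -> Option<f64> {
    match (v, scope_changed) {
        ("N", _) => Some(0.85),
        ("L", false) => Some(0.62),
        ("L", true) => Some(0.68),
        ("H", false) => Some(0.27),
        ("H", true) => Some(0.50),
        _ => None,
    }
}

/// CVSS v3.1 Roundup: smallest one-decimal value >= input, computed on integers so
/// floating-point noise from the impact formula (e.g. 4.000000001) cannot bump a score.
fn roundup_v31(x: f64) -> f64 {
    let i = (x * 100_000.0).round() as i64;
    if i % 10_000 == 0 { i as f64 / 100_000.0 } else { ((i / 10_000) as f64 + 1.0) / 10.0 }
}

/// Qualitative severity rating scale from the CVSS v3.x specification.
pub fn severity(score: f64) -> &'static str {
    if score == 0.0 { "None" } else if score < 4.0 { "Low" } else if score < 7.0 { "Medium" } else if score < 9.0 { "High" } else { "Critical" }
}

/// Parse e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" into (base score, severity).
pub fn base_score(vector: &str) -> Result<(f64, &'static str), String> {
    let mut parts = vector.split('/');
    let is_v31 = match parts.next().unwrap_or("") {
        "CVSS:3.1" => true,
        "CVSS:3.0" => false,
        other => return Err(format!("unsupported vector prefix {other:?}")),
    };
    let mut metrics: HashMap<&str, &str> = HashMap::new();
    for p in parts {
        let (k, v) = p.split_once(':').ok_or_else(|| format!("malformed metric {p:?}"))?;
        metrics.insert(k, v);
    }
    let get = |k: &str| metrics.get(k).copied().ok_or_else(|| format!("missing metric {k}"));
    let weight = |k: &str, f: &dyn Fn(&str) -> Option<f64>| -> Result<f64, String> {
        f(get(k)?).ok_or_else(|| format!("bad value for {k}"))
    };
    let scope_changed = match get("S")? {
        "U" => false,
        "C" => true,
        other => return Err(format!("bad value for S: {other}")),
    };
    let iss = 1.0 - (1.0 - weight("C", &cia)?) * (1.0 - weight("I", &cia)?) * (1.0 - weight("A", &cia)?);
    let impact = if scope_changed { 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02).powi(15) } else { 6.42 * iss };
    let exploitability = 8.22
        * weight("AV", &av)?
        * weight("AC", &ac)?
        * weight("PR", &|v: &str| pr(v, scope_changed))?
        * weight("UI", &ui)?;
    let raw = if impact <= 0.0 {
        0.0
    } else if scope_changed {
        (1.08 * (impact + exploitability)).min(10.0)
    } else {
        (impact + exploitability).min(10.0)
    };
    // v3.0's Roundup is a plain one-decimal ceiling; v3.1 replaced it to fix float edge cases.
    let score = if is_v31 { roundup_v31(raw) } else { (raw * 10.0).ceil() / 10.0 };
    Ok((score, severity(score)))
}

fn main() {
    // Constructed vectors, not taken from any real advisory.
    for v in ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"] {
        match base_score(v) {
            Ok((score, sev)) => println!("{v} -> {score} ({sev})"),
            Err(e) => println!("{v} -> error: {e}"),
        }
    }
}
```

The two PR rows in pr() are the detail most hand-rolled calculators get wrong: the weight for Privileges Required depends on the Scope metric, so S has to be resolved before PR even though it appears later in the vector. A gate such as --fail-on critical is only as good as this rounding and bucketing, which is why the Roundup is done on integers rather than with f64::ceil.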

Installation

npm / pnpm / yarn

npm install -D lockpick-cli
pnpm add -D lockpick-cli
yarn add -D lockpick-cli

# Or run directly
npx lockpick-cli

Build from source

git clone https://github.com/Dean0801/lockpick.git
cd lockpick
cargo build --release

Usage

TUI Mode (Default)

Run lockpick-cli without arguments to launch the interactive TUI:

lockpick-cli

Features:

  • 🎨 Beautiful terminal UI with real-time progress
  • ⌨️ Keyboard navigation: ↑/↓ or j/k to select, Enter to confirm, Esc or q to quit
  • 📊 Color-coded results (🟢 Green = OK, 🟡 Yellow = Warning, 🔴 Red = Critical)
  • 🔍 8 menu entries: six analysis modes (Full Scan, Unused Deps, Security Audit, Auto Fix, Outdated Check, Supply Chain) plus Settings and Exit

CLI Mode

Use the --cli flag for the traditional command-line interface:

# Full scan (unused deps + vulnerability audit)
lockpick-cli --cli

# Scan a specific project
lockpick-cli --cli --path /path/to/project

# Unused dependencies only
lockpick-cli --cli unused

# Vulnerability audit only
lockpick-cli --cli audit

# Chinese output
lockpick-cli --cli --lang zh

# JSON output
lockpick-cli --cli --format json

# Skip devDependencies
lockpick-cli --cli --no-dev

# Ignore specific packages
lockpick-cli --cli --ignore react --ignore lodash

# Auto-remove unused dependencies
lockpick-cli --cli fix

# Dry run (preview what would be removed)
lockpick-cli --cli fix --dry-run

# Disable vulnerability cache
lockpick-cli --cli audit --no-cache

# Markdown report to file
lockpick-cli --cli --format markdown --output report.md

# Dependency tree visualization
lockpick-cli --cli tree
lockpick-cli --cli tree --format dot          # Graphviz DOT
lockpick-cli --cli tree --format mermaid      # Mermaid diagram
lockpick-cli --cli tree --focus react         # Focus on a package
lockpick-cli --cli tree --depth 2             # Limit depth

# Diff against baseline
lockpick-cli --cli --format json --output baseline.json   # Save baseline
lockpick-cli --cli diff baseline.json                      # Compare later
lockpick-cli --cli diff baseline.json --format markdown    # Markdown diff

# Outdated dependency check
lockpick-cli --cli outdated
lockpick-cli --cli outdated --level patch        # Filter by semver level
lockpick-cli --cli outdated --no-audit           # Skip vulnerability correlation
lockpick-cli --cli outdated --registry https://registry.npmmirror.com  # Custom registry

# Supply chain security analysis
lockpick-cli --cli supply-chain

# CI threshold gate
lockpick-cli --cli --fail-on critical         # Fail on critical vulns only
lockpick-cli --cli --fail-on any              # Fail on any issue

Supported Lockfiles

| Lockfile | Status |
|----------|--------|
| pnpm-lock.yaml (v9) | ✅ Supported |
| package-lock.json (v1/v2/v3) | ✅ Supported |
| yarn.lock (v1 + Berry v2/v3/v4) | ✅ Supported |
| bun.lock | ✅ Supported |

Configuration (.lockpickrc)

Create a .lockpickrc.json or .lockpickrc.yaml in your project root:

{
  "ignore": ["husky", "lint-staged"],
  "skip_dev": false,
  "lang": "zh",
  "extra_configs": ["jest.config.ts"],
  "license": {
    "allow": ["MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"],
    "deny": ["GPL-3.0"]
  },
  "cache_ttl": 7200,
  "registry": "https://registry.npmjs.org",
  "thresholds": {
    "max_critical": 0,
    "max_high": 5,
    "max_unused": 10,
    "max_duplicates": -1,
    "fail_on_license": true,
    "max_supply_chain_high": 0
  }
}

CLI arguments override config file settings.

How It Works

  1. Load .lockpickrc config (if present) and merge with CLI args
  2. Auto-detect and parse lockfile (pnpm-lock.yaml / package-lock.json / yarn.lock / bun.lock)
  3. Detect monorepo workspaces (pnpm/npm/yarn) — analyze each package independently
  4. Scan JS/TS source files using oxc_parser to extract imports (import, require(), import())
  5. Scan config files (ESLint, Vite, Babel, PostCSS, etc.) for plugin references
  6. Scan package.json scripts for CLI tool usage
  7. Compare declared dependencies vs actual usage to find unused packages
  8. Detect duplicate packages with multiple versions in the lockfile
  9. Measure dependency sizes in node_modules
  10. Extract license info and check against allow/deny policy
  11. Query OSV.dev batch API for known vulnerabilities (with local file cache)
  12. Check npm registry for outdated dependencies and compute upgrade priority
  13. Run supply chain security checks (typosquatting, scope confusion, version anomaly)
  14. Output results as colored terminal tables, JSON, or Markdown
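Steps 4 to 7 above are the core comparison: import specifiers and the binaries invoked from package.json scripts are resolved to package names and set against the declared dependencies, with the @types association and config-package protection from the feature list applied on top. As an added illustration, not lockpick's code (lockpick parses real source files with oxc; here the import specifiers, the scripts and the bin-to-package map are constructed inline, and the map is a hypothetical stand-in for npm "bin" metadata), this is that comparison in plain Rust:

```rust
// Added illustration, not lockpick's code: the declared-vs-used comparison from
// steps 4 to 7 of "How It Works", run on constructed input. lockpick extracts
// imports with oxc from real source files; here the specifiers are given directly.
use std::collections::{BTreeSet, HashMap};

/// Map an import specifier to the npm package that provides it.
/// Relative and absolute paths and `node:` builtins belong to no package.
pub fn specifier_to_package(spec: &str) -> Option<String> {
    if spec.starts_with('.') || spec.starts_with('/') || spec.starts_with("node:") {
        return None;
    }
    let mut parts = spec.split('/');
    let first = parts.next()?;
    if first.is_empty() {
        return None;
    }
    if first.starts_with('@') {
        // Scoped: "@babel/core/lib/config" -> "@babel/core"
        parts.next().map(|name| format!("{first}/{name}"))
    } else {
        // Bare: "lodash/fp" -> "lodash"
        Some(first.to_string())
    }
}

/// Package a `@types/...` entry describes: "@types/react" -> "react", and
/// "@types/babel__core" -> "@babel/core" (DefinitelyTyped's scoped-name convention;
/// an assumption here, the README only shows the unscoped case).
pub fn types_target(name: &str) -> Option<String> {
    let rest = name.strip_prefix("@types/")?;
    Some(match rest.split_once("__") {
        Some((scope, pkg)) => format!("@{scope}/{pkg}"),
        None => rest.to_string(),
    })
}

/// First binary of each command in a package.json script, splitting chains on
/// `&&`, `||`, `;` and `|` and skipping leading env assignments (FOO=bar).
pub fn script_binaries(script: &str) -> Vec<String> {
    script
        .split("&&")
        .flat_map(|s| s.split("||"))
        .flat_map(|s| s.split(';'))
        .flat_map(|s| s.split('|'))
        .filter_map(|cmd| cmd.split_whitespace().find(|t| !t.contains('=')))
        .map(str::to_string)
        .collect()
}

#[derive(Debug, Default, PartialEq)]
pub struct Report {
    /// Declared but never imported or run: candidates for `fix`.
    pub unused: Vec<String>,
    /// Also unused, but shared-config packages that `fix` must leave alone.
    pub protected: Vec<String>,
}

pub fn find_unused(
    declared: &[&str],
    imports: &[&str],
    scripts: &[&str],
    bin_to_pkg: &HashMap<&str, &str>, // hypothetical stand-in for npm "bin" metadata
    ignore: &[&str],                  // the .lockpickrc "ignore" list
) -> Report {
    let mut used: BTreeSet<String> = imports.iter().filter_map(|s| specifier_to_package(s)).collect();
    for script in scripts {
        for bin in script_binaries(script) {
            // Without a mapping entry, assume the bin is named after its package (eslint -> eslint).
            let pkg = bin_to_pkg.get(bin.as_str()).map(|p| p.to_string()).unwrap_or(bin);
            used.insert(pkg);
        }
    }
    let mut report = Report::default();
    for &dep in declared {
        if ignore.contains(&dep) || used.contains(dep) {
            continue;
        }
        // @types/x counts as used whenever x is.
        if types_target(dep).map_or(false, |t| used.contains(&t)) {
            continue;
        }
        let is_shared_config = ["eslint-config", "prettier-config", "stylelint-config"]
            .iter()
            .any(|k| dep.contains(*k));
        if is_shared_config { report.protected.push(dep.to_string()) } else { report.unused.push(dep.to_string()) }
    }
    report
}

/// Constructed sample project standing in for what a real scan would extract.
pub fn demo() -> Report {
    let declared = ["react", "@types/react", "@babel/core", "@types/babel__core", "lodash", "typescript", "eslint-config-acme", "husky", "chalk"];
    let imports = ["react", "./App", "@babel/core/lib/config", "node:fs", "lodash/fp"];
    let scripts = ["tsc --noEmit && NODE_ENV=production vite build"];
    let bins = HashMap::from([("tsc", "typescript"), ("vite", "vite")]);
    find_unused(&declared, &imports, &scripts, &bins, &["husky"])
}

fn main() {
    println!("{:#?}", demo());
}
```

On the constructed project, only chalk is reported as unused; eslint-config-acme is unused as well but lands in the protected bucket that the fix step must skip, and husky is silenced by the ignore list exactly as the .lockpickrc example does. Note that `node:` builtins resolve to no package, so a rule for keeping @types/node would have to be added separately; the page does not say how lockpick treats that case.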

Environment Variables

| Variable | Description |
|----------|-------------|
| LOCKPICK_LANG | Set default language (en or zh) |
| LANG / LC_ALL | System locale fallback for language detection |

License

MIT