npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

tracepack

v0.1.0

Published

Investigate npm dependency graphs with reverse tracing, duplicate surfacing, and CI-friendly output.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

moritzmyrzmoritzmyrz

Keywords

dependency-graphnpmnodetypescriptreverse-dependenciesduplicate-dependenciesworkspacesgraphvizclidependency-analysis

Readme

Tracepack

Tracepack is a dependency investigator for modern npm projects.

It helps answer the questions that come up in real repos:

  • What is in this dependency graph?
  • Why is this package present?
  • What pulled it in?
  • Where are duplicate versions hiding?

Tracepack is not trying to be a generic graph generator or a browser UI. The goal for v0.1.0 is a fast, maintainable, npm-first tool that produces practical output for terminals, scripts, and CI.

Why Tracepack Exists

The JavaScript tooling ecosystem already has graphing tools, and npm itself can explain parts of the installed tree. Tracepack exists because day-to-day dependency debugging often needs a tighter loop:

  • deterministic lockfile inspection when possible
  • a clean fallback to the installed tree or declared dependencies
  • reverse tracing that is easy to read
  • duplicate-version surfacing that is useful in CI
  • output that stays stable enough to script against

In short: Tracepack is built for investigation, not just visualization.

What Makes It Different

Tracepack deliberately focuses on a narrower, more opinionated slice of the problem:

  • npm-first, with lockfile-first source selection
  • reverse path tracing as a first-class capability
  • duplicate-version reporting as a practical investigation and CI feature
  • one normalized graph model shared by the library API, CLI, and renderers
  • plain output that degrades gracefully in large repos

It does not try to support every package manager, every policy engine, or every visualization mode in v0.1.0.

Install

npm install --save-dev tracepack

Or run it directly:

npx tracepack

CLI Usage

tracepack [options]

Core options:

  • --json output stable JSON
  • --dot output Graphviz DOT
  • --focus <pkg> show the forward subgraph starting at a package
  • --reverse <pkg> explain why a package is present
  • --max-depth <n> limit rendered depth
  • --omit <dev|peer|optional> omit dependency edge types
  • --source <auto|lockfile|installed|manifest> choose the npm data source
  • --duplicates report duplicate versions
  • --check-duplicates exit with code 2 when duplicates are found
  • --cwd <path> inspect another project directory
  • --help
  • --version

Examples:

tracepack
tracepack --json
tracepack --dot
tracepack --focus react
tracepack --reverse esbuild
tracepack --max-depth 3
tracepack --omit dev
tracepack --duplicates
tracepack --check-duplicates

Input Modes

Tracepack supports three npm-first input modes:

  • lockfile: parse package-lock.json v2/v3 for deterministic graphs
  • installed: inspect the actual installed tree through Arborist
  • manifest: inspect declared dependencies from package.json files and npm workspaces

Default source selection is:

  1. package-lock.json
  2. node_modules
  3. package.json

Output Examples

Default ASCII output:

Tracepack graph (lockfile)

[email protected] [root]
├─ [email protected]
│  └─ [email protected]
│     └─ [email protected]
└─ [email protected]

Duplicate versions
- postcss: 8.4.31, 8.4.35

Reverse tracing:

Tracepack reverse view for "esbuild" (lockfile)

[email protected] [root]
└─ [email protected]
   └─ [email protected]

DOT output is designed to work cleanly with Graphviz and other tooling:

tracepack --dot > graph.dot
dot -Tsvg graph.dot -o graph.svg

Library API

import {
  buildGraph,
  findDuplicates,
  findReversePaths,
  toAscii,
  toDot,
  toJson
} from "tracepack";

const graph = await buildGraph({
  cwd: process.cwd(),
  source: "auto"
});

console.log(toAscii(graph, { reverse: "esbuild" }));
console.log(findDuplicates(graph));
console.log(findReversePaths(graph, "react"));
console.log(toJson(graph));
console.log(toDot(graph));

Public API:

  • buildGraph(options)
  • findDuplicates(graph)
  • findReversePaths(graph, packageName, options?)
  • toAscii(graph, options?)
  • toJson(graph, options?)
  • toDot(graph, options?)

CI and Scripting

Tracepack is designed to be useful outside interactive terminals.

  • JSON output is stable and deterministic
  • --check-duplicates returns exit code 2 when duplicate versions are found
  • plain text output avoids terminal-only formatting assumptions

Example:

tracepack --check-duplicates
tracepack --json > tracepack-report.json

Architecture

Tracepack keeps a clear separation between:

  • resolvers that discover npm data
  • core graph and investigation logic
  • renderers that format a filtered view
  • a thin CLI adapter over the library

See docs/architecture.md for the short architectural notes.

Roadmap

Planned follow-up work includes:

  • per-workspace filtering in aggregated workspace repos
  • a dedicated explain-style CLI mode
  • optional CI failure for cycle detection
  • lockfile diffing between revisions
  • richer duplicate reports with hoist and location context
  • package include and exclude filters
  • pnpm backend after npm behavior is solid
  • Yarn backend after npm behavior is solid

Non-Goals for v0.1.0

  • browser UI
  • interactive web visualization
  • support for every package manager
  • vulnerability database integration
  • license compliance auditing
  • a large configuration surface

Development

npm install
npm run lint
npm run typecheck
npm test
npm run build

The release checklist for the initial version lives in docs/release-plan-v0.1.0.md.

Contributing

Contributions are welcome, especially around npm graph correctness, reverse tracing, duplicate detection, and documentation quality.

Please read: