A contextual vulnerability scanner for npm projects that shows you which security vulnerabilities actually affect your code.
npm audit reports EVERY vulnerability in EVERY dependency. Most vulnerabilities are in code you never use.
DepCheck analyzes your actual source code to determine which packages and functions you import, then cross-references that against known vulnerabilities from OSV (Open Source Vulnerabilities).
```text
npm audit:
Found 47 vulnerabilities (12 critical, 20 high, 15 moderate)

DepCheck:
SUMMARY: 1 direct dependency needs review, 46 are low priority
```
```sh
git clone https://github.com/stev-jz/depcheck.git
cd depcheck
go build -o depcheck main.go
./depcheck scan
```

```sh
# Run in your npm project directory
cd your-project
depcheck scan

# Show detailed vulnerability information
depcheck scan --verbose
```

- Parses dependencies - Reads your package.json and package-lock.json
- Queries vulnerabilities - Checks OSV database for known CVEs
- Analyzes your code - Uses AST parsing to find what you actually import
- Contextual assessment - Determines if vulnerabilities affect your code
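The four steps above as one added example in Go. It is not DepCheck's own code: it reads a constructed package-lock.json (the lock's `""` root entry carries the same dependency list as package.json, so the example reads only the lock), extracts imported symbols with a regular expression that stands in for the project's tdewolff/parse AST walk, decodes a constructed OSV querybatch reply, and marks a vulnerable package NEEDS REVIEW only when it is a direct dependency that the source actually imports. The names `parseLock`, `importedSymbols`, `assess`, `Dep` and `Finding`, the classification rule and every input are this example's assumptions, not DepCheck's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed inputs, none from a real project: a lockfileVersion 2/3 package-lock.json
// (its "" entry is the project itself and mirrors package.json), app source, an OSV reply.
const packageLock = `{"packages":{"":{"name":"demo-app","dependencies":{"next":"15.3.4"}},
  "node_modules/next":{"version":"15.3.4"},"node_modules/tar":{"version":"7.4.3"}}}`
const appSource = `import { NextRequest, NextResponse } from "next/server";
import Link from "next/link";`
const osvResponse = `{"results":[{"vulns":[{"id":"EXAMPLE-VULN-1"},{"id":"EXAMPLE-VULN-2"}]},
  {"vulns":[{"id":"EXAMPLE-VULN-3"}]}]}`

type Dep struct {
	Name, Version string
	Direct        bool // listed by the project itself, not only pulled in transitively
}

type Finding struct {
	Dep
	Uses      []string // symbols the application imports from the package
	VulnCount int
	Status    string
}

// parseLock returns every installed package, sorted by name, flagging direct dependencies.
func parseLock(lockJSON string) ([]Dep, error) {
	var lock struct {
		Packages map[string]struct {
			Version      string            `json:"version"`
			Dependencies map[string]string `json:"dependencies"`
		} `json:"packages"`
	}
	if err := json.Unmarshal([]byte(lockJSON), &lock); err != nil {
		return nil, err
	}
	var deps []Dep
	for path, p := range lock.Packages {
		if i := strings.LastIndex(path, "node_modules/"); i >= 0 { // skips the "" root entry
			name := path[i+len("node_modules/"):] // nested paths keep the innermost name
			_, direct := lock.Packages[""].Dependencies[name]
			deps = append(deps, Dep{name, p.Version, direct})
		}
	}
	sort.Slice(deps, func(a, b int) bool { return deps[a].Name < deps[b].Name })
	return deps, nil
}

// importRe captures the binding clause and module of `import ... from "..."` statements.
// DepCheck walks a real AST here; this regexp is a stand-in for plain default/named imports.
var importRe = regexp.MustCompile(`(?m)^\s*import\s+([^'"]+?)\s+from\s+["']([^"']+)["']`)
func isSep(r rune) bool { return strings.ContainsRune("{}, \t\r\n", r) }

// importedSymbols maps an unscoped package name to the sorted symbols imported from it.
func importedSymbols(src string) map[string][]string {
	out := map[string][]string{}
	for _, m := range importRe.FindAllStringSubmatch(src, -1) {
		pkg := strings.SplitN(m[2], "/", 2)[0] // "next/server" -> "next"
		out[pkg] = append(out[pkg], strings.FieldsFunc(m[1], isSep)...)
		sort.Strings(out[pkg])
	}
	return out
}

// assess flags a vulnerable package NEEDS REVIEW only when it is direct and actually imported.
func assess(lockJSON, src, osvJSON string) ([]Finding, error) {
	deps, err := parseLock(lockJSON)
	if err != nil {
		return nil, err
	}
	var resp struct {
		Results []struct{ Vulns []json.RawMessage `json:"vulns"` } `json:"results"`
	}
	if err := json.Unmarshal([]byte(osvJSON), &resp); err != nil {
		return nil, err
	}
	if len(resp.Results) != len(deps) { // OSV answers positionally; a mismatch is unusable
		return nil, fmt.Errorf("osv: %d results for %d queries", len(resp.Results), len(deps))
	}
	uses := importedSymbols(src)
	var findings []Finding
	for i, d := range deps {
		if n := len(resp.Results[i].Vulns); n > 0 {
			f := Finding{d, uses[d.Name], n, "Low priority (indirect dependency)"}
			if d.Direct && len(f.Uses) > 0 {
				f.Status = "NEEDS REVIEW"
			}
			findings = append(findings, f)
		}
	}
	return findings, nil
}

func main() { fmt.Println(assess(packageLock, appSource, osvResponse)) }
```

The live lookup the example leaves out is a POST to https://api.osv.dev/v1/querybatch with a body of the form `{"queries":[{"package":{"name":"next","ecosystem":"npm"},"version":"15.3.4"}, ...]}`; OSV returns one `results` entry per query in the same order, which is why `assess` refuses a reply whose length differs from the query list instead of silently attributing vulnerabilities to the wrong package. The regexp only recognises plain default and named imports; namespace imports (`* as x`), `import type`, dynamic `import()` and scoped `@org/name` packages are what the AST pass is for.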
```text
next@15.3.4
⚠️ NEEDS REVIEW
You use: [Link NextRequest NextResponse]
9 vulnerabilities - run with --verbose for details

tar@7.4.3
✓ Low priority (indirect dependency)
3 vulnerabilities - run with --verbose for details
```
- npm (JavaScript/TypeScript)
- Go (CLI with Cobra)
- OSV API (vulnerability database)
- AST parsing (tdewolff/parse)