
depcheck

Check dependencies in your node module

Versions: 27
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

rumpl, lijunle

Keywords

check, unused, package, packages, depcheck, dependency, dependencies, devDependencies

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| source-diff | large-new-source-files | AI (source-diff): 33 new source files reflect legitimate major version refactor adding framework/file-type support; no bundled/injected code. | ai | |
| phantom-deps | phantom-dep:should | AI (phantom-deps): depcheck is a dependency analyzer tool; phantom deps in config/test contexts are expected and legitimate. | ai | |
| dependencies | unvetted-dep:esprima | AI (dependencies): Old, pinned dependency for a mature build utility; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:optimist | AI (dependencies): optimist is a lightweight CLI parser with pinned constraint; acceptable for depcheck's use case. | ai | |
| phantom-deps | phantom-dep:esprima | AI (phantom-deps): esprima is a well-known JS parser; phantom-dep finding is consistent with depcheck's design of analyzing dependencies without directly importing all of them. | ai | |
| phantom-deps | phantom-dep:optimist | AI (phantom-deps): False positive for a dependency checker; optimist referenced in config but not directly imported is expected. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 7.9x size increase is consistent with adding parsing/AST analysis capabilities; no obfuscation or suspicious patterns. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): lijunle is listed as contributor in package.json; maintainer transition occurred 8 years ago and is stable. | ai | |
| dependencies | unvetted-dep:babel-runtime | AI (dependencies): babel-runtime is a standard Babel dependency for ES6 transpilation; appropriate for this package's build tooling. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is an established HTTP library; appropriate for a tool that checks dependencies. No malware indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All four new dependencies (callsite, findup-sync, is-core-module, resolve-from) are established packages aligned with depcheck's dependency analysis functionality. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition from lijunle (prior contributor) to rumpl; repository URL consistent with prior versions; public GitHub org confirms handoff. | ai | |
| dependencies | unvetted-dep:babel-traverse | AI (dependencies): babel-traverse is a core Babel library used for AST traversal; appropriate for depcheck's dependency analysis functionality. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Finding is in test fixture code (fake_modules/missing/index.js) intentionally testing require() edge cases; not production code. | ai | |
| dependencies | unvetted-dep:findup-sync | AI (dependencies): findup-sync is a well-known, widely-used utility package with no security concerns; its use in depcheck for file discovery is appropriate. | ai | |
| dependencies | unvetted-dep:@vue/compiler-sfc | AI (dependencies): @vue/compiler-sfc is the official Vue 3 SFC compiler package; depcheck uses it to parse Vue single-file components, replacing the older vue-template-compiler. | ai | |
| dependencies | unvetted-dep:cosmiconfig | AI (dependencies): cosmiconfig is a standard configuration loading library; expected for depcheck's config file support. | ai | |
| dependencies | unvetted-dep:multimatch | AI (dependencies): multimatch is a standard glob matching utility; expected for depcheck's file filtering. | ai | |
| dependencies | unvetted-dep:sass | AI (dependencies): sass is a legitimate, widely-used CSS preprocessor; appropriate for depcheck's SCSS parsing support. | ai | |
| dependencies | unvetted-dep:scss-parser | AI (dependencies): scss-parser is used for parsing SCSS files; expected for depcheck's SCSS dependency detection. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore adoption; no security risk indicated by absence of provenance. | ai | |
| dependencies | unvetted-dep:@babel/traverse | AI (dependencies): @babel/traverse is an established Babel package; depcheck's core function requires AST traversal. | ai | |
| dependencies | unvetted-dep:query-ast | AI (dependencies): query-ast is used for AST querying; expected for depcheck's code analysis functionality. | ai | |
| dependencies | unvetted-dep:resolve | AI (dependencies): resolve is a standard module resolution library; expected for depcheck's dependency resolution functionality. | ai | |
| dependencies | unvetted-dep:debug | AI (dependencies): debug is a ubiquitous logging utility used across the npm ecosystem; no security concern. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): @babel/parser is an established Babel package; depcheck's core function requires parsing JavaScript ASTs. | ai | |
| dependencies | unvetted-dep:please-upgrade-node | AI (dependencies): please-upgrade-node is a legitimate utility for version checking; stable for depcheck's use case. | ai | |
| dependencies | unvetted-dep:vue-template-compiler | AI (dependencies): vue-template-compiler is a standard Vue parsing tool; depcheck needs it to analyze Vue templates. | ai | |
| dependencies | unvetted-dep:yargs | AI (dependencies): yargs is a standard, widely-used CLI argument parser; unvetted status is expected for packages of this age. | ai | |

Versions (showing 27 of 27)

| Version | Deps | Published |
| --- | --- | --- |
| 1.1.0 | 19 / 27 | |
| 0.8.4 | 15 / 24 | |
| 0.8.0 | 14 / 26 | |
| 0.6.11 | 11 / 26 | |
| 0.6.10 | 11 / 26 | |
| 0.6.9 | 11 / 25 | |
| 0.6.8 | 11 / 25 | |
| 0.6.7 | 11 / 26 | |
| 0.6.6 | 11 / 25 | |
| 0.6.5 | 11 / 22 | |
| 0.6.4 | 11 / 20 | |
| 0.6.3 | 11 / 17 | |
| 0.6.2 | 11 / 17 | |
| 0.6.1 | 9 / 15 | |
| 0.6.0 | 8 / 15 | |
| 0.5.11 | 7 / 14 | |
| 0.5.10 | 7 / 14 | |
| 0.4.7 | 6 / 2 | |
| 0.4.6 | 6 / 2 | |
| 0.4.5 | 6 / 2 | |
| 0.4.3 | 6 / 2 | |
| 0.4.2 | 6 / 2 | |
| 0.4.1 | 7 / 2 | |
| 0.4.0 | 6 / 3 | |
| 0.3.1 | 4 / 2 | |
| 0.3.0 | 4 / 2 | |
| 0.2.0 | 5 / 1 | |