Gathering detailed insights and metrics for deps
Gathering detailed insights and metrics for deps
Installations
npm install depsScore
73.1
Supply Chain
86.6
Quality
72.1
Maintenance
100
Vulnerability
97.6
License
Developer
privatenumber
Developer Guide
BETA
Module System
Unable to determine the module system for this package.
Min. Node Version
Typescript Support
No
Node Version
12.18.0
NPM Version
6.14.4
Statistics
34 Stars
59 Commits
1 Forks
3 Watching
2 Branches
1 Contributors
Updated on 04 Jan 2024
Languages
TypeScript (95.36%)
Shell (3.63%)
JavaScript (1.01%)
Total Downloads
Cumulative downloads
Total Downloads
1,417,750
Last day
-29.9%
1,628
Compared to previous day
Last week
-22.1%
9,545
Compared to previous week
Last month
-9.6%
51,611
Compared to previous month
Last year
32.7%
603,518
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
📦🔍 deps 
Analyze which package.json dependencies are in-use with V8 Coverage 🔥
🙋 Why?
- 🧹 Tidy
package.jsonFind out which dependencies are used/unused - 🔥 V8 Coverage Uses Node's Coverage feature to accurately identify which modules are loaded
- 💅 Pretty output View the results in a readable table. Save the output in JSON to view later
- 🚀 Ready-to-go Designed to be easy to use with
npx—No installation required!
👉 Try it out!
1$ npx deps [...Node command]
eg. npx deps npm run build
:rocket: Install
Install globally if you don't want to use it via npx.
1npm i -g deps
Usage
🔬 Quick analysis
Prefix your Node command with deps and it will analyze and output the dependencies it used
1$ deps ...
eg. deps npm run build
👩🔬 Analyzing dependency usage across commands
Prerequisite: install deps globally
- Start recording dependecy usage (note the dot-space at the beginning)
1$ . deps-start
- Run a series of Node scripts eg.
npm run devnpm run buildnpm run lint- etc.
- Analyze used dependencies
1$ deps analyze
- Save data to file:
1deps analyze -o output.json - Read later with:
1deps -f output.json
- When you're done, stop recording
1$ . deps-stop
💁♂️ FAQ
How does deps work?
deps detects which modules are loaded by using V8's code coverage feature, so it's very accurate. However, it doesn't detect file-system reads, as they are simply read as text rather than actually being parsed and executed. That means it can't detect what files are statically analyzed by bundlers (eg. Webpack, Rollup, etc.). I am considering supporting FS reads in the future.
How does deps compare to depcheck?
depcheck statically analyzes your project to see which dependencies are imported, avoiding the need to execute code. In contrast, deps executes code to analyze which dependencies were loaded during run-time. They work in completely different ways, but a major drawback for me is that depcheck requires a "special" for supporting whether a module was loaded via dev-tools.
💼 License
MIT
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/create-github-release.yml:1
- Info: no jobLevel write permissions found
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
no SAST tool detected
Details
- Warn: no pull requests merged into dev branch
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-github-release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/privatenumber/deps/create-github-release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-github-release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/privatenumber/deps/create-github-release.yml/master?enable=pin
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
42 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw
- Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
- Warn: Project is vulnerable to: GHSA-vh7m-p724-62c2
- Warn: Project is vulnerable to: GHSA-r9p9-mrjm-926w
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-ww39-953v-wcq6
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-765h-qjxv-5f44
- Warn: Project is vulnerable to: GHSA-f2jv-r9rf-7988
- Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
- Warn: Project is vulnerable to: GHSA-px4h-xg32-q955
- Warn: Project is vulnerable to: GHSA-hj48-42vr-x3v9
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
- Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
- Warn: Project is vulnerable to: GHSA-4rq4-32rv-6wp6
- Warn: Project is vulnerable to: GHSA-64g7-mvw6-v9qj
- Warn: Project is vulnerable to: GHSA-7xcx-6wjh-7xp2
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
- Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp
Score
2.5
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More