Dependency risk scanner

Are your npm dependencies a liability?

Vibe-coded apps npm install dozens of packages blind — any one could be vulnerable, abandoned, typosquatted, or copyleft-licensed in a way that puts your project at risk. Paste your package.json below and find out before you ship.

Runs in your browser. We only look up package names + versions against public registries — your code stays with you.

What we check

Six ways a dependency bites you

Every package in your manifest is checked against public registries for the risks that sink indie apps — no installs, no build, just names and versions.

  • Known vulnerabilities

    Versions with published advisories, via the OSV database.

  • Typosquatted names

    Packages a character away from a popular one — a classic malware vector.

  • Abandoned / unmaintained

    No releases in years, deprecated, or signs of an orphaned project.

  • Risky licenses

    Copyleft licenses (GPL/AGPL) whose terms can require you to release your own source, and packages with no declared license, which leaves you no clear right to ship them at all.

  • Loose version ranges

    Wide ^ / * ranges and latest that let a fresh npm install pull in releases nobody reviewed, especially when no lockfile is committed.

  • Dependency bloat

    Heavy or redundant packages that balloon your install and attack surface.

How it works

Three steps, no install

  1. Paste

    Drop in the package.json you're about to ship — dependencies and devDependencies.

  2. Names + versions looked up

    Only package names and versions are checked against public registries like OSV and npm. Your code never leaves your machine.

  3. Risks ranked, with fixes

    Each finding is shown by severity with what's wrong and the upgrade or replacement to make.

The ship-safety suite

DepCheck is one of four checks before you ship

Free, browser-based safety checks for vibe-coded and indie apps, from Copper Bay Labs.

  • ShipSafe →

    Will you get sued? Checks your site for ADA accessibility and privacy-law exposure.

  • LeakCheck →

    Did you leak a secret in your code? Finds exposed API keys and tokens before you commit.

  • ExposureCheck →

    Is your live site leaking? Scans a running URL for exposed files and headers.

  • DepCheck

    Are your dependencies risky? You're here — paste a package.json above.

FAQ

Questions, answered

Do you upload my code?

No. DepCheck reads your package.json in your browser and the source code of your app never leaves this tab. The only thing that goes out is the list of package names and versions, which are looked up against public registries (OSV for vulnerabilities, npm for metadata) — exactly the same public data anyone can query. There's no signup and no database of your project.

Is a clean scan a guarantee?

No. A clean result means we found no known issues for the versions you pasted — it can't catch a vulnerability that hasn't been disclosed yet, a malicious package that isn't flagged, or risk introduced by your lockfile's transitive dependencies. Treat DepCheck as a fast first line of defense, and pair it with npm audit, a lockfile review, and good update hygiene.

What's a typosquat?

A typosquat is a malicious package published under a name that's a character or two away from a popular one — cross-env vs crossenv, or lodash vs lodahs. The goal is that a tired developer fat-fingers the install and pulls in code that steals secrets or runs a payload. DepCheck flags dependency names that look suspiciously close to well-known packages so you can double-check before you trust them.
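The name-distance heuristic behind a typosquat check, together with the loose-range check from the list above, as an added JavaScript example. This is not DepCheck's code: the popular-package list, the one-edit threshold and the sample manifest are all constructed for the demo, and a real scanner would compare against a much larger list of known-good names.

```javascript
// Added example, not DepCheck's implementation. The popular-package list,
// the distance threshold and the sample manifest below are constructed.
const POPULAR = new Set(['lodash', 'express', 'react', 'cross-env', 'chalk', 'axios']);

// Damerau-Levenshtein distance (optimal string alignment): insertions,
// deletions, substitutions and adjacent transpositions each cost 1, so
// 'lodahs' is one edit from 'lodash' and 'crossenv' one edit from 'cross-env'.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // adjacent transposition, e.g. "hs" <-> "sh"
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// A name is suspicious when it is not itself a known package but sits within
// maxDistance edits of one. Exact matches are the legitimate package and skip.
function findTyposquats(names, popular = POPULAR, maxDistance = 1) {
  const findings = [];
  for (const name of names) {
    if (popular.has(name)) continue;
    for (const target of popular) {
      if (editDistance(name, target) <= maxDistance) {
        findings.push({ name, lookalike: target });
      }
    }
  }
  return findings;
}

// Loose ranges: '*', 'latest', an empty string, an 'x' wildcard, or any
// caret / tilde / comparison range lets an unreviewed release in at install
// time. Only an exact pin such as '4.18.2' is treated as tight.
function findLooseRanges(deps) {
  const loose = [];
  for (const [name, range] of Object.entries(deps)) {
    const r = String(range).trim();
    if (r === '' || r === '*' || r === 'latest' || /^[~^><]/.test(r) || /\bx\b/i.test(r)) {
      loose.push({ name, range: r });
    }
  }
  return loose;
}

// Scan dependencies and devDependencies from a parsed package.json object.
function scanManifest(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return {
    typosquats: findTyposquats(Object.keys(deps)),
    looseRanges: findLooseRanges(deps),
  };
}

// Constructed sample manifest (not a real project).
const SAMPLE = {
  dependencies: { lodahs: '^4.17.0', express: '4.18.2', axios: '*' },
  devDependencies: { crossenv: 'latest', chalk: '~5.0.0' },
};

console.log(JSON.stringify(scanManifest(SAMPLE), null, 2));
```

Run it with node and it reports lodahs and crossenv as lookalikes of lodash and cross-env, and four of the five ranges as loose. The heuristic has an obvious failure mode: preact is also one edit from react and is a perfectly legitimate package, so the skip-if-known rule only helps when the known-good list is large, and a hit should be read as "double-check this name", not as proof of malware.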

Found a vuln — now what?

Upgrade to the fixed version. Most advisories list a patched release; bump the dependency to it (or run npm audit fix) and re-test. If the package is abandoned, unmaintained, or has no fix available, replace it with a maintained alternative, or remove it if you're not really using it. For a transitive dependency you don't control directly, upgrade the parent package, or force the safe version with an overrides entry in package.json (npm 8.3 and later; Yarn's equivalent is resolutions). Forcing a version the parent never declared support for can break it, so run your tests after adding an override and confirm in the lockfile that the new version was actually picked up.
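What the override looks like, as an added package.json fragment. The package names are placeholders, not real packages or advisories, and the fragment is not from DepCheck's output.

```json
{
  "dependencies": {
    "some-parent-lib": "^2.0.0"
  },
  "overrides": {
    "vulnerable-lib": "1.4.2",
    "some-parent-lib": {
      "other-vulnerable-lib": "3.0.1"
    }
  }
}
```

The first entry forces vulnerable-lib to 1.4.2 everywhere in the tree; the nested entry forces other-vulnerable-lib to 3.0.1 only where some-parent-lib depends on it. After editing, run npm install so the lockfile is regenerated, then npm audit again to confirm the advisory is gone.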

Catch risky dependencies before they ship

DepCheck Pro will re-scan your dependencies on a schedule and block vulnerable or typosquatted packages in CI — be first to know when it lands.

Join the Pro waitlist Or have Copper Bay fix it for you