Security Tool

Dependency Scanner

Scan your package.json for deprecated packages, supply chain attacks, and risky version ranges. Know your risk before you deploy.

Get the CLI Tool

Run the dependency scanner locally as an MCP server, or try it online below.

npx @clinetools/dep-scanner
Requires Node.js 18+
  • 25+ known deprecated & sabotaged packages in database
  • Supply chain attack detection (event-stream, colors, faker, etc.)
  • Risky version range detection (wildcards, loose ranges)
  • Risk-ranked output: critical, high, medium, low
  • Zero config — just run with npx

How to Use It

Three ways to scan your dependencies — pick the one that fits your workflow.

1. Try Online

Paste your package.json below to scan for issues — no install needed.

2. Use via CLI

Run as a local MCP server and connect any MCP-compatible client.

npx @clinetools/dep-scanner

3. Add to Cline / Claude Code

Add to your MCP settings for instant dependency scanning from your AI assistant.

"dep-scanner": { "command": "npx", "args": ["@clinetools/dep-scanner"] }

MCP Client Configuration

{
  "mcpServers": {
    "dep-scanner": {
      "command": "npx",
      "args": ["@clinetools/dep-scanner"]
    }
  }
}

Example: Scan for Supply Chain Risks

// Prompt to your AI agent:
"Scan my package.json and flag any packages
with known security issues or supply chain attacks"

// The agent calls:
scan_dependencies({ path: "package.json" })

// Output includes risk-ranked dependencies
// with flags like KNOWN_ISSUE and REPLACEMENT

Live Demo

Try It Online

Paste your package.json or try a demo scenario to scan for risky dependencies.

We check against a database of 25+ known problematic packages

Why Dependency Scanning Matters

Your code is only as secure as your weakest dependency. Most projects have hundreds.

Supply Chain Attacks

event-stream, colors, faker, node-ipc — real packages sabotaged by their own maintainers. A single compromised dependency can steal credentials, mine crypto, or wipe data.

Abandoned Packages

Deprecated packages stop getting security patches. Using "request" (deprecated 2020) means any CVE discovered in it will never be fixed. Migration cost only grows over time.

Version Pinning

Wildcard versions ("*") or loose ranges (">=1.0.0") can pull in breaking changes or malicious updates silently. Pin your versions and use lockfiles to control what ships.
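What the wildcard and loose-range checks amount to in practice, shown as a worked example added here (it is not the @clinetools/dep-scanner source): a small Node.js scanner that parses a package.json, flags the packages this page names as sabotaged or deprecated, classifies every version range by how much latitude it gives the package manager, and sorts findings from critical to low. The package list is limited to the names on this page, the severity assigned to each range type and the flag names other than KNOWN_ISSUE and REPLACEMENT are this example's own choices, and the sample package.json is constructed with illustrative version numbers.

```javascript
// Added example, not the @clinetools/dep-scanner source: a minimal scanner
// that flags known-problem packages and classifies version ranges by risk.
// Package names in KNOWN_ISSUES are the ones named on the page; the reasons
// paraphrase the page, and the severities and flag names are this example's own.
const KNOWN_ISSUES = {
  "event-stream": { severity: "critical", reason: "sabotaged release (supply chain attack)" },
  "colors":       { severity: "critical", reason: "sabotaged by maintainer" },
  "faker":        { severity: "critical", reason: "sabotaged by maintainer", replacement: "@faker-js/faker" },
  "node-ipc":     { severity: "critical", reason: "sabotaged by maintainer" },
  "request":      { severity: "high",     reason: "deprecated since 2020; new CVEs will not be patched" },
};

const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// Classify a single version specifier. Returns null for an exact pin,
// otherwise a finding describing how far the range lets npm drift.
function classifyRange(rawRange) {
  const r = String(rawRange).trim();
  if (r === "" || r === "*" || r === "latest" || /^x$/i.test(r)) {
    return { severity: "critical", flag: "WILDCARD_RANGE",
             detail: `"${r || "(empty)"}" accepts any published version, including a malicious one` };
  }
  if (/^>=?\s*\d/.test(r) && !r.includes("<")) {
    return { severity: "high", flag: "UNBOUNDED_RANGE",
             detail: `"${r}" has no upper bound; every future major release is accepted` };
  }
  if (/^\d+(\.(x|\*))*$/i.test(r)) {                 // "1", "1.x", "1.*.*"
    return { severity: "medium", flag: "LOOSE_RANGE",
             detail: `"${r}" floats across minor and patch releases` };
  }
  if (r.startsWith("^")) {
    return { severity: "medium", flag: "CARET_RANGE",
             detail: `"${r}" accepts new minor and patch releases` };
  }
  if (r.startsWith("~")) {
    return { severity: "low", flag: "TILDE_RANGE",
             detail: `"${r}" accepts new patch releases` };
  }
  if (/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(r)) {
    return null;                                      // exact pin: nothing to report
  }
  return { severity: "low", flag: "UNPINNED_RANGE",
           detail: `"${r}" is not an exact version; check what the lockfile resolves it to` };
}

// Scan every dependency section of a package.json string and return
// findings sorted critical -> low, then by package name.
function scanDependencies(packageJsonText, db = KNOWN_ISSUES) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] ?? {})) {
      const known = db[name];
      if (known) {
        findings.push({ name, section, range, severity: known.severity,
                        flag: "KNOWN_ISSUE", detail: known.reason,
                        ...(known.replacement ? { replacement: known.replacement } : {}) });
      }
      const rangeFinding = classifyRange(range);
      if (rangeFinding) findings.push({ name, section, range, ...rangeFinding });
    }
  }
  return findings.sort((a, b) =>
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.name.localeCompare(b.name));
}

// Constructed sample input; version numbers are illustrative, not real releases.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "event-stream": "1.0.0",
    "request": "^2.0.0",
    "left-pad": "*",
    "lodash": ">=4.0.0",
    "express": "^4.0.0",
    "uuid": "~9.0.0",
    "date-fns": "2.30.0",
  },
});

for (const f of scanDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`[${f.severity.toUpperCase().padEnd(8)}] ${f.name.padEnd(14)} ${String(f.range).padEnd(10)} ${f.flag}: ${f.detail}`);
}
```

On the sample input this reports seven findings: two critical (the known-issue package and the "*" wildcard), two high (the unbounded ">=" range and the deprecated package), two medium caret ranges, and one low tilde range; the exactly pinned dependency produces nothing. A package can appear twice, once for what it is and once for how it is ranged, which is the point: pinning does not help if the package itself is compromised, and a clean package does not help if the range lets anything in.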

Bundle Bloat

Packages like moment.js, lodash, and core-js are huge. Modern alternatives (date-fns, lodash-es, native APIs) are a fraction of the size. Scanning helps identify lightweight replacements.

Compliance

SOC 2, ISO 27001, and PCI DSS all require tracking third-party dependencies. Automated scanning gives you an auditable record of what's in your supply chain and what risks you've accepted.

Need Continuous Dependency Monitoring?

Our Pro plan includes automated scans on every commit with Slack alerts for new vulnerabilities.

View Plans