Dependency Radar

One command.
Total clarity.

Dependency Radar is a free, open-source CLI tool that inspects your JavaScript and TypeScript dependencies and generates a single self-contained report.

Run it in the root of your project:

npx dependency-radar

No accounts. No uploads. Nothing leaves your machine.

Registry-backed checks contact your configured registry unless you run with --offline.


Optional premium service

Go beyond the free standalone report with curated dependency intelligence and deeper analysis.


Why it exists

Built for reviewable dependency evidence

My company needed a licence audit as part of an acquisition process. Existing tools were awkward on modern JavaScript repos and did not give the kind of reviewable, explainable output I wanted. Dependency Radar started as the tool I wished I had then.

One of the useful findings was declared-vs-inferred licence mismatch: package metadata can say one thing while shipped licence files suggest something else. Dependency Radar brings that evidence into the report so a human can review it.

Capabilities

Everything you need to know about your dependencies

Dependency Radar maps, validates, and reports on the security, legal compliance, and maintainer risk profile of all installed packages in your node_modules directory.

Dependency Graph Context

Map direct, transitive, dev, runtime, and workspace relationships to understand your project structure.

Licence Reviews

Spot declared-vs-inferred mismatches, invalid SPDX metadata, and licensing compliance issues.


Security Reviews

Combine package-manager audits with script execution, native bindings, and supply-chain cues.


CI Change Gates

Block pull requests and builds when new risky dependency traits or policy violations appear.


Interactive HTML Reports

Search, filter, and drill into dependency details using a self-contained, shareable HTML report.

SBOM & Integrations

Generate JSON, SARIF, CycloneDX, and SPDX outputs for compliance and security automation.

Interactive reports

Visualise the results

The generated report is the main artifact. It is a self-contained HTML file you can open locally, attach to a ticket, email to stakeholders, or share with your team.


CLI trust

Cautious about running a new npx command?

That is the right instinct. Dependency Radar is designed so the free CLI can be evaluated locally before you choose to upload anything.

npx dependency-radar --offline
  • The CLI has no runtime npm dependencies.
  • Scans run entirely on your machine, against local project files.
  • It does not modify package.json, lockfiles, or installed packages.
  • No code or generated reports are uploaded during normal CLI usage.
  • Audit and outdated checks query your configured registry by default.
  • Use --offline for air-gapped, registry-free inspection.

Security work is public: OpenSSF Best Practices passing, OpenSSF Scorecard 7.4/10, CI tested, CodeQL scanned, and a SECURITY.md with private vulnerability reporting.

Premium analysis

When you need help deciding what to do next

The CLI report is designed for engineers exploring their dependency graph. Sometimes you need help turning that information into decisions. Premium analysis is optional and starts only when you choose to upload a Dependency Radar-generated report for additional analysis based on curated package data and ecosystem signals.

Maintenance signals

Identify packages that are archived, deprecated, abandoned, losing maintainer activity, or in need of supply-chain review.

Prioritised actions

Understand which dependencies are worth fixing first based on risk, impact, and review evidence.

Upgrade guidance

Spot packages likely to cause friction when upgrading Node, major dependencies, or CI guardrails.

Compare-mode guardrails

Use before-and-after reports to see whether dependency changes improve or worsen your risk posture.

How premium analysis works

Step 1

Run the CLI locally

Execute npx dependency-radar in the root of your project.

Step 2

Generate a report

A single HTML file is created containing everything about your dependencies.

Step 3

Deconstruct findings

Premium analysis starts only when you choose to upload the generated report.

No repository access required.

The premium service builds on the same report generated by the CLI. The free CLI remains open source, requires no account, and does not upload source code or reports during normal use.

Get started

Run Dependency Radar in your project, view the example report first, or start with an offline scan if you want no registry calls.

npx dependency-radar