Dependency Radar

Security review

There’s more to dependency security than CVEs

npm audit is useful, but it does not show the full dependency review surface: install scripts, native bindings, executable bins, unusual sources, local execution signals, and package context.

npx dependency-radar

What it helps with

Review the dependency evidence, not just the lockfile

Dependency Radar runs against your installed JavaScript or TypeScript project and produces a self-contained report. Registry-backed checks (audit, outdated, signature, and enrichment) need registry access unless you run with --offline.

Audit context

Use package-manager audit results, but review them alongside usage, depth, package source, and execution surface.

Install-time surface

Surface lifecycle scripts, executable bins, native bindings, .node binaries, and binding.gyp files.

Unusual sources

Flag git, file, tarball, missing-integrity, and unexpected-registry dependency sources.

Package signals

Review bundled dependencies, embedded npm-shrinkwrap.json files, and package metadata that deserves attention.

SARIF export

Emit SARIF for security tooling and CI workflows without needing a hosted scanner.

Offline first look

Run with --offline when you want a scan that avoids package registry calls.

Baseline

What npm audit does well

npm audit is useful for known vulnerability advisories. It gives you a baseline for CVE-style risk and should stay part of the review process.

  • Collect package-manager-backed advisory data
  • Show known vulnerability severity where available
  • Keep vulnerability review tied to the dependency graph

Coverage

What npm audit does not cover

Dependency security review also needs to look at how packages install, where they came from, and what local package signals deserve human attention.

  • Lifecycle scripts, executable bins, native bindings, .node binaries, and binding.gyp
  • Git, file, tarball, missing-integrity, and unexpected-registry sources
  • Bundled dependencies and embedded npm-shrinkwrap.json files
  • Package context such as depth, origin, and workspace usage
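The install-time surface and unusual-source checks listed above can be reproduced from the lockfile and package manifests alone. The following is an added example, not Dependency Radar's own code: it classifies each package-lock.json (lockfileVersion 2/3) entry by source, flags missing integrity, and lists one package's lifecycle scripts, bins and native-build files. The expected registry URL and all sample data are constructed assumptions.

```javascript
// Added example, not Dependency Radar's own code. Classifies dependency sources from a
// package-lock.json "packages" map and summarises install-time surface; sample data is constructed.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/'; // assumption: the registry you expect

// Map one lockfile entry's "resolved" field to the source classes this page lists.
function classifySource(entry) {
  const r = entry.resolved || '';
  if (/^git(\+[a-z]+)?:/i.test(r)) return 'git';
  if (/^file:/.test(r) || entry.link) return 'file';
  if (r.startsWith(EXPECTED_REGISTRY)) return 'registry';
  if (/^https?:\/\/[^/]+\/.*\/-\//.test(r)) return 'unexpected-registry'; // npm-style path, other host
  if (/^https?:\/\/.*\.(tgz|tar\.gz)$/.test(r)) return 'tarball';
  return 'unknown';
}

// Return review findings for every fetched package in the lockfile.
function reviewLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root entry and workspace links are not fetched artifacts
    const source = classifySource(entry);
    if (source !== 'registry') findings.push({ path, type: source });
    // git and file sources carry no tarball hash in npm lockfiles; everything else should.
    if (!entry.integrity && source !== 'git' && source !== 'file') findings.push({ path, type: 'missing-integrity' });
  }
  return findings;
}

// Summarise what a single package can execute or load at install time.
function installSurface(manifest, files = []) {
  const scripts = manifest.scripts || {};
  return {
    lifecycleScripts: ['preinstall', 'install', 'postinstall', 'prepare'].filter((h) => h in scripts),
    bins: typeof manifest.bin === 'string' ? [manifest.name] : Object.keys(manifest.bin || {}),
    nativeBuild: manifest.gypfile === true || files.includes('binding.gyp'),
    nodeBinaries: files.filter((f) => f.endsWith('.node')),
  };
}

const sampleLock = { // constructed sample lockfile, not a real project
  packages: {
    '': { name: 'demo' },
    'node_modules/left-pad-ish': { version: '1.0.0', resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz', integrity: 'sha512-constructed' },
    'node_modules/from-git': { version: '2.0.0', resolved: 'git+ssh://git@github.com/example/from-git.git#0123456789abcdef0123456789abcdef01234567' },
    'node_modules/from-mirror': { version: '3.0.0', resolved: 'https://mirror.example.internal/from-mirror/-/from-mirror-3.0.0.tgz' },
    'node_modules/from-tarball': { version: '4.0.0', resolved: 'https://downloads.example.com/from-tarball-4.0.0.tgz', integrity: 'sha512-constructed' },
    'node_modules/ws-pkg': { resolved: 'packages/ws-pkg', link: true },
  },
};
const sampleManifest = { name: 'native-thing', scripts: { postinstall: 'node-gyp rebuild', test: 'jest' }, bin: { nt: 'cli.js' }, gypfile: true };
console.log(reviewLockfile(sampleLock), installSurface(sampleManifest, ['binding.gyp', 'build/Release/nt.node']));
```

Point `sampleLock` at a parsed real package-lock.json and the same functions report the git, tarball, unexpected-registry and missing-integrity cases without any registry call.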

Signals

Supply-chain signals are not malware verdicts

Dependency Radar does not prove a package is safe and does not claim to detect malware. It highlights review signals that normal vulnerability checks can miss.

  • Child-process references
  • Network access references
  • Environment reads and home directory access
  • SSH references and obfuscation-like patterns
  • Targeted registry heuristics for already suspicious packages

Workflow

Use it alongside existing security tooling

Dependency Radar is a dependency review tool, not a replacement for security scanners, code review, or incident response tooling.

  • Generate HTML for investigation and stakeholder review
  • Export SARIF for security and CI workflows
  • Run offline for a no-registry-call first look
  • Re-run with registry-backed checks when you need audit, outdated, signature, or enrichment data


Try it

Generate a report locally

Start with the standard scan when registry-backed advisories are useful, or use --offline when you want a no-registry-call first look.