depx 0.2.0

Intelligent dependency analyzer for JavaScript/TypeScript projects
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

# depx

[![Crates.io](https://img.shields.io/crates/v/depx.svg)](https://crates.io/crates/depx)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

**Understand what's in your node_modules.**

<p align="center">
  <img src="demo.gif" alt="depx demo" width="600">
</p>

A fast, intelligent dependency analyzer for JavaScript/TypeScript projects. Built in Rust for performance.

## Why depx?

Your `node_modules` has hundreds of packages. Do you know:
- Which ones are actually imported in your code?
- Why `is-odd` is even installed?
- If that vulnerability alert affects code you actually use?

Existing tools (`npm ls`, `npm audit`, `depcheck`) give fragmented information without real context. depx connects the dots.

## Installation

```bash
cargo install depx
```

## Commands

### `depx analyze` - Find unused dependencies

```bash
$ depx analyze

Dependency Analysis Report

Summary
  227 packages used
  6 dev/build tools (expected, not imported)

Dev/Build Tools (not imported, expected):
  ~ @types/node@20.19.24
  ~ @typescript-eslint/eslint-plugin@7.18.0
  ~ ts-node@10.9.2
```

Smart detection separates truly unused packages from dev/build tools that aren't meant to be imported (`@types/*`, `typescript`, `eslint`, `vitest`, etc).

### `depx why <package>` - Explain why a package is installed

```bash
$ depx why esbuild

Package: esbuild@0.21.5

Dependency chains:
  -> vite -> esbuild

  Note: This package is only required for development
```

Shows the full dependency chain from your `package.json` to any transitive dependency.

### `depx audit` - Check for real vulnerabilities

```bash
$ depx audit

2 vulnerabilities found

CRITICAL
  GHSA-xvch-5gv4-984h minimist@1.2.5 - Prototype Pollution [USED]
       Fix: 1.2.5 -> 1.2.6

MEDIUM
  GHSA-9c47-m6qq-7p4h json5@2.2.1 - Prototype Pollution in JSON5 [USED]
       Fix: 2.2.1 -> 2.2.2
```

Unlike `npm audit`, depx queries the OSV database **with your exact installed versions**, eliminating false positives from old CVEs that don't affect you.

### `depx deprecated` - Find deprecated packages

```bash
$ depx deprecated

4 deprecated packages found

  - eslint@8.57.1 [unused]
    This version is no longer supported.
  - inflight@1.0.6 [unused]
    This module is not supported, and leaks memory.
```

## Features

- **Fast** - Written in Rust, parses JS/TS with [oxc](https://oxc.rs)
- **Smart** - Distinguishes real unused deps from expected dev tools
- **Accurate** - Version-aware vulnerability scanning (no false positives)
- **Complete** - Handles ES modules, CommonJS, dynamic imports, re-exports

## Supported lockfiles

- [x] `package-lock.json` (npm)
- [ ] `pnpm-lock.yaml` (coming soon)
- [ ] `yarn.lock` (coming soon)

## License

MIT