DEV Community

Nevin-Bali100

I Built & Published My First npm Package: dep-inspector-cli

And it went from 107 → 240 weekly downloads in a day!

I've been building full-stack apps for a while now — Next.js, TypeScript, PostgreSQL, MongoDB, and much more. But I'd never shipped something to the npm registry before. dep-inspector-cli changed that.
Here's the honest story of what it does, why I built it, and what's coming next.

The Problem:

Every Node.js project eventually runs into this moment:
npm audit

You get a wall of text. Severity levels, CVE IDs, a list of packages - but zero context about which of your actual dependencies pulled the vulnerable one in, or what you should realistically do about it.
I wanted something that actually connected the dots.

The Solution:

What dep-inspector-cli Does

npm install -g dep-inspector-cli
dep-inspector

Run it from your project root and you get:
🌳 Visual Dependency Tree — shows your full dep graph with outdated versions flagged inline, not as a separate report.
🛡️ Vulnerability Scan — wraps npm audit but surfaces results with severity, version delta, and a breaking-change warning if the fix is a major bump.
🔗 Dependency Chains — this is the part I care most about. It traces exactly which package in your tree pulled in the vulnerable dep. No more guessing.
📦 Package Context — homepage, author, repo link for flagged packages. Because knowing what a package is matters when you're deciding whether to update or swap it out.
🤖 AI Insights (optional) — add --ai and it uses Groq (llama-3.3-70b) to give you a plain-English breakdown: what the vuln is, what it affects in your specific project, and a recommended fix.
📄 JSON Output — --json flag for CI/CD pipelines. Fail the build if vulnerabilities are found, upload reports as artifacts, the works.

Example Output:

⚠️  Vulnerability Analysis

📦 axios
  Severity   : HIGH
  Version    : 0.21.1 → 1.7.2
  ⚠️  Breaking change possible!
  Repo       : https://github.com/axios/axios
  🔗 Chain: root → axios

💡 Fix Suggestions
  → axios: npm install axios@latest
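The "🔗 Chain: root → axios" line above is the piece that npm audit does not make obvious: which of your direct dependencies pulled the vulnerable package in. As an added example (not dep-inspector-cli's own code), here is how that tracing can be done over the "packages" map of a package-lock.json (lockfileVersion 2 or 3), where every key is an install path and "" is the project root. The lockfile below is constructed for illustration, and the resolution walk-up and cycle handling are my assumptions about how such a tracer should behave, not a description of what the tool does internally.

```javascript
// Added example, not code from dep-inspector-cli: trace every dependency chain
// from the project root to a named package, using a graph shaped like the
// "packages" map of a package-lock.json (lockfileVersion 2/3), where each key
// is the install path and "" is the project root.

// Constructed sample lockfile (not a real project). axios is reachable both
// directly and through web-client; follow-redirects only via axios.
const SAMPLE_LOCK = {
  "": {
    name: "my-app",
    version: "1.0.0",
    dependencies: { axios: "^0.21.1", "web-client": "^2.0.0" },
  },
  "node_modules/axios": {
    version: "0.21.1",
    dependencies: { "follow-redirects": "^1.14.0" },
  },
  "node_modules/follow-redirects": { version: "1.14.0" },
  "node_modules/web-client": {
    version: "2.0.0",
    dependencies: { axios: "^0.21.1" },
  },
};

// Package name from an install path; scoped names (@scope/name) survive intact.
function packageName(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Node-style resolution: look for depName in the nearest node_modules folder,
// walking up toward the root until a match is found.
function resolveDependency(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (lock[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an optional dep that was skipped)
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Depth-first search returning every root-to-target chain as an array of names.
// The on-stack set stops infinite loops, since packages can depend on each other.
function findChains(lock, targetName) {
  const chains = [];
  const onStack = new Set();
  function visit(installPath, trail) {
    const entry = lock[installPath];
    if (!entry || onStack.has(installPath)) return;
    const name = installPath === "" ? "root" : packageName(installPath);
    const nextTrail = [...trail, name];
    if (installPath !== "" && name === targetName) {
      chains.push(nextTrail);
      return;
    }
    onStack.add(installPath);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDependency(lock, installPath, dep);
      if (depPath) visit(depPath, nextTrail);
    }
    onStack.delete(installPath);
  }
  visit("", []);
  return chains;
}

// Render chains the way the post's output does ("root → axios") and name the
// direct dependency whose update would remove the vulnerable package.
function formatChains(chains) {
  return chains.map((chain) => ({
    chain: chain.join(" → "),
    directDependency: chain[1],
  }));
}

// Usage with the constructed lockfile.
for (const line of formatChains(findChains(SAMPLE_LOCK, "axios"))) {
  console.log(`🔗 Chain: ${line.chain}   (update via: ${line.directDependency})`);
}
```

The direct dependency at position 1 of each chain is what you actually control in package.json: in the sample, the second chain shows that bumping axios yourself is not enough until web-client also moves off the vulnerable range.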

CI/CD Integration

- name: Check dependencies
  run: dep-inspector --json > dep-report.json

- name: Upload report
  uses: actions/upload-artifact@v3
  with:
    name: dependency-report
    path: dep-report.json
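The workflow above only uploads the report; to "fail the build if vulnerabilities are found" you need a step that reads dep-report.json and decides. The following is an added example, not code from dep-inspector-cli, of such a gate: it applies a severity threshold and flags fixes that cross a major version (and, going slightly beyond the post, treats a minor bump on a 0.x package as breaking too, per the caret-range convention). The report shape is an assumption made for illustration, since the post does not document the real --json schema, and the sample values are constructed, not real advisories.

```javascript
// Added example, not code from dep-inspector-cli: turn a JSON vulnerability
// report into a CI pass/fail decision and flag fixes that cross a major version.
// The report shape is an assumption for illustration; the post does not
// document the real --json schema.

// Constructed sample report (invented values, not real advisories).
const SAMPLE_REPORT = {
  vulnerabilities: [
    { package: "axios", severity: "high", installed: "0.21.1", fixed: "1.7.2", chain: "root → axios" },
    { package: "minimist", severity: "moderate", installed: "1.2.5", fixed: "1.2.8", chain: "root → mkdirp → minimist" },
    { package: "tinycolor", severity: "low", installed: "0.5.0", fixed: "0.6.0", chain: "root → tinycolor" },
  ],
};

const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build metadata ignored); null if malformed.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// A fix is "breaking" when the major changes or, for 0.x packages, when the
// minor changes (caret ranges treat 0.MINOR as the API line).
function isBreakingUpgrade(installed, fixed) {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  if (!a || !b) return true; // unknown format: treat as risky rather than silently safe
  if (a.major !== b.major) return true;
  return a.major === 0 && a.minor !== b.minor;
}

// Decide the build outcome: fail on any finding at or above failOn, and list
// which fixes need a careful (breaking) upgrade. Unknown severities block too.
function evaluateReport(report, { failOn = "high" } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity threshold: ${failOn}`);
  const findings = (report.vulnerabilities || []).map((v) => {
    const severity = String(v.severity || "").toLowerCase();
    const rank = SEVERITY_RANK[severity];
    return {
      package: v.package,
      severity,
      chain: v.chain,
      blocking: rank === undefined || rank >= threshold,
      breaking: isBreakingUpgrade(v.installed, v.fixed),
      fix: `npm install ${v.package}@${v.fixed}`,
    };
  });
  const blocking = findings.filter((f) => f.blocking);
  return { exitCode: blocking.length > 0 ? 1 : 0, findings, blocking };
}

// Usage with the constructed report; a real CI step would JSON.parse the
// dep-report.json file produced by `dep-inspector --json` instead.
const decision = evaluateReport(SAMPLE_REPORT, { failOn: "high" });
for (const f of decision.findings) {
  const flags = [f.blocking ? "BLOCKING" : "", f.breaking ? "breaking upgrade" : ""].filter(Boolean).join(", ");
  console.log(`${f.severity.padEnd(8)} ${f.package.padEnd(12)} ${f.chain}  ${flags}`);
}
console.log(`exit code: ${decision.exitCode}`);
```

In a workflow this would run as an extra step after the dep-inspector one (for example `node ci-gate.js dep-report.json` with `process.exit(decision.exitCode)` at the end), so a high or critical finding fails the job while the report is still uploaded as an artifact for review.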

Tech Stack

I used the following tech stack to develop the initial version of this npm package:

  • TypeScript (fully typed)
  • Commander.js for CLI parsing
  • Chalk + Ora for terminal UX
  • LangChain + Groq for the --ai flag
  • Semver for version comparison

What's Coming Next (v1.2+):

The current version handles vulnerability scanning well, but I want dep-inspector to be genuinely useful for production-grade projects too. Here's what I'm actively working on:

  • 🏥 Dependency Health Scoring - an overall health score for your project's dependency tree. Factors: vulnerability count, how outdated your deps are, and whether maintainers are active. One number that tells you roughly how much debt you're carrying.

  • 📊 Production Package Support - first-class analysis for packages like winston, pino, morgan (logging), helmet, cors, express-rate-limit (security middleware), dotenv, zod (config/validation). Currently, these show up in the tree, but there's no opinionated analysis. Coming soon: known best-practice checks and upgrade guidance specific to each ecosystem.

  • 🔍 License Audit - flag packages with restrictive licenses (GPL, AGPL) that might be a problem in commercial projects.

  • 📈 Trend Tracking — run dep-inspector over time and see if your health score is improving or regressing. Useful for teams that do regular dependency maintenance sprints.

Try it, and raise an issue or leave suggestions in the comments:

npm install -g dep-inspector-cli
cd your-project
dep-inspector

If it's useful, a ⭐ on GitHub goes a long way. And if you run into issues or have feature requests — PRs are open.
