Your package.json security check. No install required.
Running npm audit means installing the project first. DepScan doesn't. Paste your package.json and instantly see outdated, deprecated, abandoned, and CVE-flagged dependencies, directly in your browser.
1. Paste package.json: the whole file, or just your dependencies block.
2. Choose dev deps: include devDependencies, or skip them.
3. Scan: get a risk score and full report in seconds.
How DepScan works
Paste your package.json into the box. DepScan parses it entirely in your browser with JSON.parse, nothing is uploaded.
By default only the "dependencies" object is scanned. Check "Include devDependencies" to also scan build tools, linters, and test frameworks.
Click Scan. For each package, your browser queries registry.npmjs.org for the latest version, deprecation status, and last publish date.
In parallel, your browser queries api.npmjs.org for weekly download counts, and api.osv.dev for any CVEs that affect the specific version range you have installed.
Each package gets a version status (Up to date, Patch, Minor, or Major available) plus flags for deprecated, stale (2+ years since last publish), and low-download packages.
An overall risk score (LOW / MEDIUM / HIGH) summarizes the scan. Use "Copy as Markdown" to paste the full report into a PR comment or audit doc.
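The three per-package lookups described above, as an added example that is not DepScan's own code: request builders for the endpoints the page names, plus a pure interpreter that turns the responses into the deprecated, stale, low-download and CVE flags. The low-download cutoff, the `database_specific.severity` field and the sample responses are assumptions, not anything published on this page.

```javascript
// Added example (not DepScan's own code): the three per-package lookups the
// page describes, as request builders plus a pure interpreter that turns the
// responses into the deprecated / stale / low-download / CVE flags. Field
// names follow the public npm packument and OSV query formats.

// The three public endpoints named on the page; the browser calls them directly.
function packageRequests(name, version) {
  const path = name.replace("/", "%2F"); // scoped packages: "@scope%2Fpkg"
  return {
    registry: { method: "GET", url: `https://registry.npmjs.org/${path}` },
    downloads: { method: "GET", url: `https://api.npmjs.org/downloads/point/last-week/${path}` },
    osv: { method: "POST", url: "https://api.osv.dev/v1/query",
           body: { package: { name, ecosystem: "npm" }, version } },
  };
}

// lowDownloadThreshold is an assumption: the page does not publish DepScan's cutoff.
function packageFlags({ packument, downloads, osv }, now = new Date(), lowDownloadThreshold = 1000) {
  const latest = packument["dist-tags"].latest;
  const lastPublish = new Date(packument.time[latest]); // publish time of the latest version
  const twoYearsMs = 2 * 365 * 24 * 60 * 60 * 1000;
  return {
    latest,
    deprecated: Boolean(packument.versions[latest].deprecated), // non-empty deprecation message
    stale: now - lastPublish >= twoYearsMs,                     // "Stale (2yr+)"
    lowDownloads: downloads.downloads < lowDownloadThreshold,
    cves: (osv.vulns || []).map((v) => ({
      id: (v.aliases || []).find((a) => a.startsWith("CVE-")) || v.id, // prefer the CVE alias
      // Assumption: GHSA-sourced OSV entries carry the label in database_specific.severity.
      severity: (v.database_specific && v.database_specific.severity) || "UNKNOWN",
    })),
  };
}

// Constructed responses for a hypothetical package "old-lib" (placeholder ids, not real data).
const SAMPLE_RESPONSES = {
  packument: {
    "dist-tags": { latest: "1.4.0" },
    time: { "1.4.0": "2021-03-01T00:00:00.000Z" },
    versions: { "1.4.0": { deprecated: "old-lib is unmaintained; use new-lib" } },
  },
  downloads: { downloads: 420 },
  osv: { vulns: [{ id: "GHSA-xxxx-xxxx-xxxx", aliases: ["CVE-0000-00000"],
                   database_specific: { severity: "HIGH" } }] },
};

console.log(packageRequests("old-lib", "1.4.0").osv.body);
console.log(packageFlags(SAMPLE_RESPONSES, new Date("2024-06-01T00:00:00Z")));
```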
What each result means
Up to date
Your installed version matches the latest version on npm. No action needed.
Patch available
A newer patch version exists (e.g. you have 4.18.1, latest is 4.18.3). Usually safe to update: patches are bug and security fixes within the same minor version.
Minor available
A newer minor version exists (e.g. you have 4.18.1, latest is 4.19.0). Should be backward compatible per semver, but review the changelog before updating.
Major available
A newer major version exists (e.g. you have 4.18.1, latest is 5.0.0). Expect breaking changes: read the migration guide before updating.
Deprecated
The package author marked this version as deprecated on npm, usually with a message pointing to a replacement. Example: request has been deprecated in favor of undici or native fetch.
Stale (2yr+)
The package hasn't published a new version in over two years. Not always bad (some packages are simply finished), but combined with low downloads or a CVE, it's a supply chain risk signal worth a closer look.
CVEs
The count of known vulnerabilities from OSV.dev that affect your installed version. Click the badge to expand each CVE ID, its severity, and a link to the full advisory.
package.json version range reference
DepScan reads the version range you have specified for each package and compares it against the latest published version. Here's how each range type is handled:
| Syntax | Meaning | DepScan behavior |
|---|---|---|
| ^4.18.1 | Compatible with 4.x.x, >= 4.18.1 | Compares 4.18.1 against the latest version |
| ~4.18.1 | Compatible with 4.18.x, >= 4.18.1 | Compares 4.18.1 against the latest version |
| 4.18.1 | Exact version only | Compares 4.18.1 against the latest version |
| >=5.0.0 <6.0.0 | Any 5.x.x version | Compares 5.0.0 against the latest version |
| * or latest | Any version | Shown as "Unknown" status: no fixed version to compare |
| workspace:* or file:../pkg | Monorepo / local package | Shown as "Not found on npm": not a published version |
DepScan extracts the first major.minor.patch number it finds in the range string and compares it directly to the latest published version. This is a simplification of full semver range resolution, useful for spotting how far behind a dependency is, but it doesn't guarantee the exact version your lockfile resolved to.
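The range handling in the table above, as an added example that is not DepScan's own code: the first major.minor.patch triple in each range is compared to a latest version, with the `*`/`latest` and `workspace:`/`file:` cases handled as the table describes. The `latestByName` map and the sample package.json are constructed stand-ins for the registry lookups.

```javascript
// Added example (not DepScan's own code): the range handling described in the
// table above. The first major.minor.patch triple in the range string is
// compared to the latest published version; "*"/"latest" give "Unknown" and
// workspace:/file: references give "Not found on npm".
const SEMVER_RE = /(\d+)\.(\d+)\.(\d+)/;

function versionStatus(range, latest) {
  const r = String(range).trim();
  // Monorepo / local references never resolve on the public registry.
  if (/^(workspace:|file:)/.test(r)) return "Not found on npm";
  const have = r.match(SEMVER_RE);     // first triple, e.g. ">=5.0.0 <6.0.0" -> 5.0.0
  const top = String(latest).match(SEMVER_RE);
  if (!have || !top) return "Unknown"; // "*", "latest", "1.x": no fixed version to compare
  const [hM, hm, hp] = have.slice(1).map(Number);
  const [tM, tm, tp] = top.slice(1).map(Number);
  if (hM < tM) return "Major available";
  if (hM === tM && hm < tm) return "Minor available";
  if (hM === tM && hm === tm && hp < tp) return "Patch available";
  return "Up to date";                 // equal, or pinned ahead of the "latest" tag
}

// Scan package.json text. latestByName stands in for the registry.npmjs.org
// lookups; a package missing from it is reported as "Not found on npm".
function scanPackageJson(text, latestByName, includeDev = false) {
  const pkg = JSON.parse(text);        // parsed locally, nothing is uploaded
  const sections = includeDev ? ["dependencies", "devDependencies"] : ["dependencies"];
  const results = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const latest = latestByName[name];
      const status = latest === undefined ? "Not found on npm" : versionStatus(range, latest);
      results.push({ name, section, range, latest: latest ?? null, status });
    }
  }
  return results;
}

// Constructed sample input (not a real project) and stand-in "latest" versions.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { express: "^4.18.1", lodash: "4.17.20", request: "*", "@acme/ui": "workspace:*" },
  devDependencies: { jest: ">=29.0.0 <30.0.0" },
});
const LATEST = { express: "5.0.0", lodash: "4.17.21", request: "2.88.2", jest: "29.7.0" };

for (const row of scanPackageJson(SAMPLE_PACKAGE_JSON, LATEST, true)) {
  console.log(`${row.section}/${row.name} ${row.range} -> ${row.status}`);
}
```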
When to use DepScan
| Scenario | What to paste |
|---|---|
| Inheriting a legacy codebase | The full package.json, with devDependencies included, for a complete picture before you start work |
| Reviewing a PR that adds dependencies | Just the new entries added to dependencies or devDependencies, to check them before approving |
| Auditing a client project before quoting maintenance | The full package.json, focusing on the risk score and any deprecated or CVE-flagged packages |
| Pre-deploy production dependency check | Only the dependencies object, with devDependencies unchecked, since those don't ship to production |
| Checking for a specific CVE after a disclosure | The full package.json, then expand the CVE column for any affected package |
| Quarterly dependency hygiene check | The full package.json, then use Copy as Markdown to log the results for comparison next quarter |
Frequently Asked Questions
What is DepScan and what does it check?
DepScan is a browser-based tool that reads your package.json and reports, for every direct dependency: the installed version vs. the latest version on npm, whether the package is deprecated, how long ago it was last published, its weekly download count, and any known CVEs filed against it on OSV.dev.
Everything runs client-side. There is no install, no account, and no server in between you and the public npm registry and OSV.dev APIs.
How is DepScan different from npm audit?
| Feature | npm audit | DepScan |
|---|---|---|
| Requires install | Yes (npm install first) | No, paste and scan |
| Checks CVEs | Yes | Yes (via OSV.dev) |
| Checks deprecated packages | No | Yes |
| Checks abandoned packages | No | Yes (last publish date) |
| Checks low-popularity packages | No | Yes (weekly downloads) |
| Account required | No | No |
DepScan is a fast first-pass for reviewing a project you've just inherited, a PR that adds new dependencies, or a client codebase before quoting work. For ongoing monitoring of a project you maintain, npm audit and tools like Dependabot or Snyk are still worth running locally and in CI.
Is my package.json sent to DevEncyclopedia's servers?
No. Parsing happens entirely in your browser. For each package, your browser makes direct requests to registry.npmjs.org, api.npmjs.org, and api.osv.dev: the same public APIs your package manager already talks to. DevEncyclopedia never receives or stores the contents of your package.json.
How do I check only my production dependencies?
By default DepScan only scans the "dependencies" object. Leave "Include devDependencies" unchecked and paste your full package.json, or paste just the dependencies section:
```json
{
  "dependencies": {
    "express": "^4.18.1",
    "lodash": "^4.17.21"
  }
}
```
Check the "Include devDependencies" box if you also want build tools, linters, and test frameworks included in the scan.
A package shows as 'Not found on npm'. What does that mean?
This happens with private packages, packages hosted on a custom registry, or workspace references like "workspace:*" and "file:../local-pkg" that don't resolve to a version on the public npm registry.
What do the CVE severity labels mean and what should I do?
Severity labels (CRITICAL, HIGH, MODERATE, LOW) come directly from the vulnerability database entry on OSV.dev. Click a CVE ID to read the full advisory, including which versions are affected and which version fixes it.
If a dependency shows a CRITICAL or HIGH CVE, check whether a patched version is available and update as soon as practical. If the package is also flagged as deprecated, treat that as a signal to find a replacement rather than wait for a patch.