Skip to main content
Overview

How It Works

Understand how Vibgrate scans your codebase for upgrade drift across ~19 ecosystems — including Node.js, .NET, Python, Java, Go, Rust, PHP, and Ruby.

Overview

Vibgrate is a multi-ecosystem code scanner that detects upgrade drift across your entire codebase. It recursively analyzes project manifests to identify outdated dependencies, deprecated runtimes, and technical debt indicators.

What is Upgrade Drift? The gap between your current dependency versions and the latest stable releases. High drift correlates with security vulnerabilities, missing features, and increasing upgrade complexity over time.


Supported Ecosystems

Vibgrate analyzes upgrade drift in depth across four major ecosystems:

EcosystemFiles DetectedWhat's Analyzed
🟢 Node.js / TypeScriptpackage.json, pnpm-lock.yaml, package-lock.json, yarn.lockDependencies, Node.js version, TypeScript config
🔵 .NET.sln, .csproj, global.jsonTarget framework, NuGet packages, SDK version
🟡 Pythonrequirements.txt, pyproject.toml, Pipfile, setup.pyPython version, pip/poetry dependencies
🔴 Javapom.xml, build.gradle, build.gradle.ktsJDK version, Maven/Gradle dependencies

Known-vulnerability detection (vg scan --vulns) and dependency attribution (vg why) read each project's lockfile, so they additionally cover npm/pnpm/yarn, pip/poetry/pipenv, cargo, composer, bundler, go, pub, hex, NuGet, and Maven/Gradle.


The Scan Process

For each project discovered, Vibgrate executes a five-stage analysis pipeline:

Stage 1: Discovery

📁 Repository Root
├── 🔍 Recursive manifest detection
├── 📊 Ecosystem classification
└── 🏗️ Project structure mapping

Stage 2: Detection

  • Runtime version identification (Node.js, .NET, Python, Java, Go, Rust, PHP, Ruby, and more)
  • Target framework analysis
  • Complete dependency inventory

Stage 3: Registry Query

  • Parallel queries to npm/NuGet/PyPI/Maven registries
  • Built-in caching to minimize API calls
  • Rate limiting and retry logic

Stage 4: Drift Computation

MetricDescription
Major Version LagHow many major versions behind current?
EOL ProximityDistance to end-of-life for runtimes
Dependency AgeAverage age distribution across dependencies
Security DebtKnown vulnerabilities in dependency tree

Stage 5: Output Generation

  • DriftScore: Deterministic 0–100 rating
  • Findings: Actionable list of upgrade priorities
  • Artifacts: JSON, Markdown, SARIF formats

Privacy by Design

Important: Vibgrate is designed with a privacy-first architecture. Core drift analysis never executes source code.

What Vibgrate Reads

✅ Analyzed❌ Not Accessed
Manifest files (package.json, *.csproj, etc.)Source code files
Configuration filesEnvironment variables
Lock filesGit history
Project structureSecrets or credentials

Data Transmission

  • Default: All analysis runs locally with no network transmission
  • Opt-in: Upload to Vibgrate Cloud via --upload or vg push
  • Control: DSN configuration for enterprise environments

Quick Start

# Install globally (optional)
npm install -g @vibgrate/cli@latest

# Run your first scan
npx @vibgrate/cli scan

# Initialize project with baseline
npx @vibgrate/cli@latest init --baseline

# View detailed report
npx @vibgrate/cli@latest report --format md

Tip: Start with a one-off scan to understand your current drift status before integrating into CI.


Example Output

{
  "meta": {
    "version": "1.0.0",
    "timestamp": "2025-01-15T10:30:00Z"
  },
  "driftScore": 67,
  "ecosystems": {
    "nodejs": { "projects": 3, "avgDrift": 45 },
    "dotnet": { "projects": 1, "avgDrift": 72 }
  },
  "findings": [
    {
      "severity": "high",
      "message": "Node.js 16.x is EOL since September 2023",
      "recommendation": "Upgrade to Node.js 20.x or 22.x"
    }
  ]
}

Next Steps

Related Documentation

Related Help Articles