Skip to main content
Scanners

Dependency Risk Scanner

Risk classification for deprecated packages, native modules, and platform-specific dependencies.

The Dependency Risk scanner extends core dependency analysis with risk classification signals. It identifies packages that may cause upgrade friction, require special build environments, or pose maintenance concerns.


Risk Classifications

Each dependency receives a risk classification based on multiple factors:

Risk LevelIndicatorCriteria
🔴 CriticalImmediate actionDeprecated with known vulnerabilities, EOL runtime dependencies
🟠 HighPlan remediationDeprecated packages, unmaintained (>2 years), major version lag
🟡 MediumMonitorNative modules, platform-specific, single maintainer
🟢 LowNormalStandard packages, actively maintained, widely used

Detection Categories

Deprecated Packages

Packages flagged via the npm registry deprecated field:

{
  "deprecated": [
    {
      "name": "request",
      "version": "2.88.2",
      "deprecatedSince": "2020-02-11",
      "message": "request has been deprecated, see https://github.com/request/request/issues/3142",
      "risk": "high"
    }
  ]
}

Native Modules

Packages requiring native compilation, which may cause CI issues:

Detection MethodExamples
node-gyp in install scriptsbcrypt, sqlite3
Known native package listsharp, canvas, libxmljs
gypfile: true in package.jsonCommunity packages

Platform-Specific

Packages with OS or architecture constraints:

PackagePlatformNotes
fseventsmacOS onlyUsed by file watchers
win-caWindows onlyCertificate store access
@esbuild/*Architecture-specificPrebuilt binaries

Use Cases

Pre-Migration Assessment

Before major upgrades, identify packages that will need attention:

vg scan --format json | jq '.dependencyRisk | .deprecated + .nativeModules'

Security Triage

Prioritize deprecated package replacements:

  1. Critical/High risk: Replace immediately
  2. Medium risk: Add to next sprint backlog
  3. Low risk: Monitor for changes

CI Environment Planning

For packages in nativeModules:

  • Ensure build tools are installed (build-essential, python3)
  • Consider using prebuilt Docker images
  • Cache native compilation results

Example Output

{
  "dependencyRisk": {
    "summary": {
      "critical": 0,
      "high": 2,
      "medium": 4,
      "low": 156
    },
    "deprecated": [
      {
        "name": "request",
        "version": "2.88.2",
        "risk": "high",
        "deprecatedSince": "2020-02-11",
        "alternatives": ["node-fetch", "undici", "got"]
      },
      {
        "name": "node-sass",
        "version": "7.0.3",
        "risk": "high",
        "deprecatedSince": "2020-03-26",
        "alternatives": ["sass"]
      }
    ],
    "nativeModules": [
      {
        "name": "sharp",
        "version": "0.33.2",
        "risk": "medium",
        "buildRequirements": ["libvips"]
      },
      {
        "name": "bcrypt",
        "version": "5.1.1",
        "risk": "medium",
        "buildRequirements": ["node-gyp", "python3"]
      }
    ],
    "platformSpecific": [
      {
        "name": "fsevents",
        "version": "2.3.3",
        "risk": "low",
        "platform": "darwin",
        "notes": "Optional dependency, ignored on non-macOS"
      }
    ]
  }
}

Configuration

// vibgrate.config.ts
const config: VibgrateConfig = {
  scanners: {
    dependencyRisk: {
      enabled: true,
      // Suppress warnings for known acceptable packages
      ignore: ['fsevents'], // macOS-only, expected
    },
  },
};

Related Documentation