The Dependency Graph Scanner analyzes your lockfile and workspace structure to find structural problems in how packages resolve. It runs during a normal scan and feeds your DriftScore. This article is for developers debugging resolution surprises and for teams managing monorepos.
What it detects
- Duplicate packages — the same package resolved at multiple versions in one tree, which inflates bundle size and creates subtle behavioral differences.
- Phantom dependencies — packages your code imports but never declares in its manifest, relying on a transitive install that can vanish on the next lockfile change.
- Workspace graphs — how packages in a monorepo depend on one another, so you can see internal coupling and resolution order.
Findings name the package, the versions involved, and where the problem lives in the graph.
Why it matters
Duplicates are a classic source of "two copies of the same library" bugs, where instance checks fail and state is split across versions. They also quietly grow your install and your attack surface. Phantom dependencies are a time bomb: the build works today because something else pulls the package in, but a routine upgrade can remove that path and break you with no manifest change to point at. In monorepos, an unhealthy workspace graph turns a single internal bump into a cascade of rebuilds.
Making these visible means an upgrade plan accounts for them instead of being derailed by them.
How to act
Scan the repository:
vg
For duplicates, decide on a single version and use your package manager's resolution or dedupe tooling to consolidate. For phantom dependencies, add them explicitly to the correct manifest so resolution no longer depends on luck. For workspace findings, look for unexpected cross-package edges and tighten boundaries.
Gate regressions in CI by comparing against a baseline:
vg scan --baseline .vibgrate/baseline.json
Triage tips
- Fix phantom dependencies first — they are the most likely to break silently.
- Consolidate duplicates of stateful or singleton libraries before cosmetic ones.
- Use the workspace view to confirm your monorepo's dependency direction matches your intended architecture.
Related
Pair this scanner with the Dependency Risk Scanner and the Tooling Inventory Scanner for a complete picture of your supply chain. For exportable inventory, see the SBOM workflow and the Supply Chain Inventory guide.