Extended Scanners Deep Dive: Platform Matrix, Dependency Risk, and Graph Analysis

Beyond the core drift score, Vibgrate runs a suite of extended scanners that collect migration intelligence. This post covers three of the most impactful: Platform Matrix, Dependency Risk, and Dependency Graph analysis — what they detect, why it matters, and how to use the output.

More Than a Drift Score

The core drift score answers "how far behind is this repo?" But when you are planning a migration, upgrading infrastructure, or assessing risk for a new project, you need deeper intelligence. That is what Vibgrate's extended scanners provide.

All extended scanners are:

  • Read-only — they never write files or execute project code
  • Parallel — failures in one scanner never affect others
  • Individually toggleable — enable or disable each in vibgrate.config.ts
  • Privacy-safe — they collect zero sensitive data (no source code, no secrets, no PII)

Platform Matrix Scanner

The Platform Matrix scanner collects signals that predict where builds will break when moving CI runners, containers, or CPU architectures.

What it detects:

  • engines.node and engines.npm/engines.pnpm ranges in package.json
  • .nvmrc and .node-version pinning files
  • .NET TargetFramework and SDK versions from .csproj files
  • Native module risk packages (sharp, bcrypt, node-gyp, etc.) that depend on OS-level compilation
  • OS-assumption scripts in package.json (e.g., rm -rf in a script assumes Unix)
  • Dockerfile base images (FROM lines only — not the full Dockerfile)

Why it matters:

If you are migrating from x86 to ARM, from Ubuntu to Alpine, or from on-prem to cloud containers, the Platform Matrix tells you exactly which packages and configurations will need attention. Native modules, in particular, are a common source of unexpected build failures on new platforms.

Dependency Risk Scanner

The Dependency Risk scanner extends the core dependency analysis with risk classification signals that go beyond version numbers.

What it detects:

  • Deprecated packages: Packages flagged as deprecated in the npm registry, including the deprecation reason.
  • Native modules: Dependencies that require OS-level compilation (binary addons).
  • Platform-specific flags: Packages that declare os or cpu restrictions in their manifests.

Why it matters:

A deprecated package is not just old — it is abandoned. There will be no more security patches, no more compatibility updates. Knowing which of your dependencies are deprecated lets you plan replacements before they become urgent.

Dependency Graph & Duplication Scanner

This scanner parses lockfiles (pnpm, npm, yarn, .NET) to build a workspace-wide dependency graph and detect structural issues.

What it detects:

  • Total unique vs. installed dependency counts: The gap between these numbers reveals how much duplication exists.
  • Duplicated packages: Cases where multiple versions of the same package are installed, increasing bundle size and potential for conflicts.
  • Phantom dependencies: Packages that your code imports but that are not declared in your package.json — they work only because a transitive dependency happens to install them.

Why it matters:

Phantom dependencies are ticking time bombs. They work today by accident, and break tomorrow when a transitive dependency is upgraded or removed. Duplicate packages inflate your bundle and can cause subtle runtime bugs when two versions of the same library interact.
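One way to surface phantom dependencies, shown as an added example that is not Vibgrate's own code: it extracts bare import specifiers from source text and reports packages missing from every dependency field of package.json. The function names, sample manifest and sample sources are constructed for illustration, and the regex scan is a simplification (it does not check whether a transitive dependency actually installs the package, and an AST parser would be more precise).

```javascript
// Added example: phantom-dependency check. Manifest and sources below are constructed.
const { builtinModules } = require('node:module');

const BUILTINS = new Set(builtinModules);
// Matches static imports/re-exports, dynamic import() and require() with a string literal.
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// "lodash/fp" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg"
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function declaredPackages(manifest) {
  const fields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
  return new Set(fields.flatMap((f) => Object.keys(manifest[f] || {})));
}

// Returns a sorted list of packages imported by `sources` but absent from `manifest`.
function findPhantomDependencies(manifest, sources) {
  const declared = declaredPackages(manifest);
  const phantoms = new Set();
  for (const text of Object.values(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      const spec = match[2];
      if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) continue;
      const name = packageName(spec);
      if (BUILTINS.has(name) || declared.has(name) || name === manifest.name) continue;
      phantoms.add(name);
    }
  }
  return [...phantoms].sort();
}

// Constructed sample input (file path -> file contents).
const sampleManifest = {
  name: 'demo-app',
  dependencies: { express: '^4.19.0', '@aws-sdk/client-s3': '^3.600.0' },
  devDependencies: { typescript: '^5.5.0' },
};
const sampleSources = {
  'src/server.js': "const express = require('express');\nconst qs = require('qs');\nconst fs = require('node:fs');",
  'src/upload.mjs': "import { S3Client } from '@aws-sdk/client-s3';\nimport debounce from 'lodash/debounce';\nimport path from 'path';\nimport './polyfill.js';",
  'src/lazy.mjs': "const mod = await import('@smithy/types/dist');",
};

console.log(findPhantomDependencies(sampleManifest, sampleSources));
```

Each reported name is a package whose installed version is chosen by some other package's dependency range rather than by your own manifest, so declaring it explicitly is the fix.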

Using Extended Scanner Output

Extended scanner results appear in both the text report and the JSON artifact. In the JSON artifact, each scanner's output is a structured section you can query programmatically.

For example, to list all deprecated packages:

vibgrate scan . --format json --out scan.json
# Then parse scan.json for dependencyRisk.deprecated entries

Or use the text report for a quick overview during development.

The Vibgrate Drift Intelligence Engine treats these scanners as part of a unified analysis. The core drift score tells you how far behind you are. The extended scanners tell you what kind of behind you are — and that distinction matters when planning migrations.


Go deeper than version numbers. Sign up at dash.vibgrate.com to run extended scanners across your codebase and get the full migration intelligence picture.
