TypeScript Modernity Scanner
TypeScript's compiler options are not just code quality settings — they are migration predictors. A project using strict mode, ESM modules, and modern module resolution will have a fundamentally easier time upgrading frameworks and dependencies than one stuck on legacy settings.
The TypeScript Modernity scanner reads your tsconfig.json and assesses:
Compiler Strictness
- TypeScript version: Are you on the latest? TypeScript ships breaking changes in minor versions, and falling behind creates friction.
- strict flag: Enables all strict type-checking options. Projects without strict mode frequently encounter type errors during upgrades that strict mode would have caught earlier.
- noImplicitAny and strictNullChecks: Individual strictness flags that predict how well your code handles type changes in updated dependency type definitions.
Module System
- module and moduleResolution settings: ESM vs CJS is one of the most impactful migration dimensions in the Node.js ecosystem. Many modern packages are ESM-only, and CJS projects face increasing friction.
- target setting: The JavaScript version your TypeScript compiles to. Targeting ES5 when your runtime supports ES2022 means unnecessary polyfills and larger bundles.
- exports field presence: Modern Node.js packages use the exports field for conditional imports. Projects that do not support this field face import resolution issues with newer packages.
What the Output Tells You
The scanner classifies your TypeScript setup as ESM or CJS and assigns a modernity assessment. This lets you anticipate whether adopting a new ESM-only dependency will be a smooth import or a multi-day migration.
Security Posture Scanner
The Security Posture scanner checks structural security hygiene indicators — the kind of things that a security reviewer looks for during an audit.
What It Checks
- Lockfile presence and consistency: Is there a lockfile? Does it match the manifest? A missing or stale lockfile means builds are non-deterministic and supply chain attacks are harder to detect.
- .gitignore coverage: Are .env files and node_modules properly gitignored? A .env file tracked in git is a leaked secret waiting to happen.
- .env file tracking: Specifically flags .env files that exist outside .gitignore coverage.
- npm audit severity counts: Runs npm audit --json and summarises findings by severity.
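The checks in this list can be approximated with a short Node.js script. This is an added example, not Vibgrate's scanner code: the function names, finding labels, simplified .gitignore matching and the reliance on the package-lock.json `packages` layout (lockfileVersion 2 or 3) are assumptions of the example.

```javascript
// Added example, not the scanner's own code. Inputs are text a CI job can collect.
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

// Simplified .gitignore matching: "*" globs, "/" anchoring, "!" negation, last match wins.
function isIgnored(gitignoreText, relPath) {
  const parts = relPath.split("/");
  let ignored = false;
  for (const line of gitignoreText.split(/\r?\n/).map((l) => l.trim())) {
    if (!line || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    const body = (negate ? line.slice(1) : line).replace(/\/$/, "");
    const escaped = body.replace(/^\//, "").split("*")
      .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join("[^/]*");
    // Patterns containing "/" match leading path prefixes; others match any component.
    const candidates = body.includes("/") ? parts.map((_, i) => parts.slice(0, i + 1).join("/")) : parts;
    if (candidates.some((c) => new RegExp(`^${escaped}$`).test(c))) ignored = !negate;
  }
  return ignored;
}

// trackedFiles: lines of `git ls-files`; lockText: package-lock.json; auditText: `npm audit --json`.
function assessPosture({ trackedFiles, gitignoreText, manifestText, lockText, auditText }) {
  const findings = [];
  if (!trackedFiles.some((f) => LOCKFILES.includes(f))) findings.push("lockfile-missing");
  const { dependencies, devDependencies } = JSON.parse(manifestText);
  const { packages = {} } = JSON.parse(lockText || "{}");
  const locked = { ...packages[""]?.dependencies, ...packages[""]?.devDependencies };
  for (const [name, range] of Object.entries({ ...dependencies, ...devDependencies })) {
    // Stale if the lock's root entry records another range or the package is unresolved.
    if (lockText && (locked[name] !== range || !packages[`node_modules/${name}`])) findings.push(`lockfile-stale:${name}`);
  }
  for (const p of [".env", "node_modules"]) if (!isIgnored(gitignoreText, p)) findings.push(`not-gitignored:${p}`);
  // Treating .env.example and .env.sample as templates is this example's assumption.
  const envName = /^\.env(\.(?!example$|sample$).+)?$/;
  for (const f of trackedFiles) if (envName.test(f.split("/").pop())) findings.push(`env-tracked:${f}`);
  const v = JSON.parse(auditText).metadata.vulnerabilities;
  const audit = Object.fromEntries(["info", "low", "moderate", "high", "critical"].map((s) => [s, v[s] || 0]));
  return { findings, audit };
}

// Constructed sample: lodash is declared but absent from the lock, and config/.env is tracked.
const SAMPLE = {
  trackedFiles: ["package.json", "package-lock.json", "src/index.ts", "config/.env", ".env.example"],
  gitignoreText: "# deps\nnode_modules/\n",
  manifestText: '{"dependencies":{"express":"^4.18.2","lodash":"^4.17.21"}}',
  lockText: '{"lockfileVersion":3,"packages":{"":{"dependencies":{"express":"^4.18.2"}},"node_modules/express":{"version":"4.18.2"}}}',
  auditText: '{"metadata":{"vulnerabilities":{"info":0,"low":2,"moderate":1,"high":1,"critical":0,"total":4}}}',
};
console.log(assessPosture(SAMPLE));
```

Like the checks it illustrates, the script reads only file names, manifests and audit metadata; it never opens a .env file or inspects file contents.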
What It Does NOT Do
This is not a secret scanner. It does not scan file contents for API keys or passwords. It does not execute code. It checks structural indicators — the presence and configuration of files that predict security hygiene.
Think of it as a health check for your security posture, not a security audit.
Security Scanners — the Companion
For teams that want deeper toolchain intelligence, the Security Scanners scanner (separate from Security Posture) checks the status of local security tooling:
- Scanner engine discovery: Which security scanning tools are installed (e.g., Trivy, Grype, Snyk CLI)?
- Version freshness: Are scanner engines and their signature databases up to date?
- Config discovery: Are scanner policy files (e.g., .trivyignore, .snyk) present?
- Cache-backed heuristics: Lightweight indicators that add value even when full scanner binaries are not available.
This scanner reports toolchain readiness — it tells your security team whether CI is equipped to enforce the security policies they have defined.
Why Both Matter for Drift
TypeScript modernity and security posture are both drift multipliers. A project with strict TypeScript and solid security hygiene will upgrade more smoothly and with fewer surprises. A project with loose types and missing lockfiles will turn every upgrade into a risk.
The Vibgrate Drift Intelligence Engine includes these scanners because the drift score alone tells you how far behind — but modernity and posture tell you how hard catching up will be.
Assess your migration readiness. Sign up at dash.vibgrate.com to scan your TypeScript config and security posture alongside your drift score.
