Skip to main content

Use the Dependency Risk Scanner in Vibgrate CLI

Understand the Dependency Risk Scanner's three classifications and run a scan, exporting JSON to inventory deprecated, native, and platform-specific packages and track risk over time.

Difficulty
Beginner
Duration
14 minutes
Steps
5

The Dependency Risk Scanner is one of Vibgrate's extended scanners. It classifies risk across your dependencies: deprecated packages, native modules, and platform-specific dependencies. This tutorial explains those classes and shows how to run and read the scan.

Prerequisites

  • Node.js installed
  • A project with dependencies

Steps

1. Install the CLI

npm i -g @vibgrate/cli

2. Run the scan

The Dependency Risk Scanner runs as part of a normal scan:

vg

Bare vg scans the current directory and includes the dependency risk classification in its results.

3. Export findings as JSON

For structured output you can process or store:

vg scan --format json

JSON makes it easy to filter and compare findings programmatically.

4. Interpret the risk classes

The scanner distinguishes three classes. Deprecated packages are no longer maintained and should be replaced. Native modules require compilation and complicate cross-platform builds and upgrades. Platform-specific dependencies tie you to a particular OS or architecture. Each class points at a different kind of upgrade or portability risk.

5. Track risk over time

Run the scan regularly and compare the JSON output across runs. A growing count of deprecated or native dependencies signals rising supply-chain risk and a climbing DriftScore.

Verification

vg and vg scan --format json exit 0. The JSON output contains dependency risk findings classified into the categories above.

Next Steps

Review the findings in a readable report, and export a CycloneDX SBOM so the classified packages sit alongside a complete component inventory.

Prerequisites

  • Node.js installed
  • A project with dependencies

Steps

  • 1
    Install the CLI
  • 2
    Run the scan
  • 3
    Export findings as JSON
  • 4
    Interpret the risk classes
  • 5
    Track risk over time

Category

Vibgrate