Use the Dependency Risk Scanner in Vibgrate CLI
Understand the Dependency Risk Scanner's three classifications and run a scan, exporting JSON to inventory deprecated, native, and platform-specific packages and track risk over time.
The Dependency Risk Scanner is one of Vibgrate's extended scanners. It classifies risk across your dependencies: deprecated packages, native modules, and platform-specific dependencies. This tutorial explains those classes and shows how to run and read the scan.
Prerequisites
- Node.js installed
- A project with dependencies
Steps
1. Install the CLI
npm i -g @vibgrate/cli
2. Run the scan
The Dependency Risk Scanner runs as part of a normal scan:
vg
Bare vg scans the current directory and includes the dependency risk classification in its results.
3. Export findings as JSON
For structured output you can process or store:
vg scan --format json
JSON makes it easy to filter and compare findings programmatically.
4. Interpret the risk classes
The scanner distinguishes three classes. Deprecated packages are no longer maintained and should be replaced. Native modules require compilation and complicate cross-platform builds and upgrades. Platform-specific dependencies tie you to a particular OS or architecture. Each class points at a different kind of upgrade or portability risk.
5. Track risk over time
Run the scan regularly and compare the JSON output across runs. A growing count of deprecated or native dependencies signals rising supply-chain risk and a climbing DriftScore.
Verification
vg and vg scan --format json exit 0. The JSON output contains dependency risk findings classified into the categories above.
Next Steps
Review the findings in a readable report, and export a CycloneDX SBOM so the classified packages sit alongside a complete component inventory.
Prerequisites
- Node.js installed
- A project with dependencies
Steps
- 1Install the CLI
- 2Run the scan
- 3Export findings as JSON
- 4Interpret the risk classes
- 5Track risk over time