git404hub

what is depguarder fr?

kelani34/depguarder — explained in plain English

Analysis updated 2026-05-18

13TypeScriptAudience · developerComplexity · 2/5LicenseSetup · easy

tl;dr

A command-line tool that checks your JavaScript and TypeScript project's dependencies for signs of malicious behavior, like typosquatting, hidden code, and suspicious network calls, before they run in production.

vibe map

mindmap
  root((depguarder))
    What it does
      Detect typosquatting
      Inspect install scripts
      Find obfuscated code
      Monitor runtime activity
    Commands
      scan
      why
      install wrapper
      run wrapper
    Tech Stack
      TypeScript
      Node.js
      GitHub Actions
    Use Cases
      Pre-install security check
      PR automated scanning
      Dependency origin tracing

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Scan a JavaScript project's lockfile for risky or suspicious packages before deploying to production.

VIBE 2

Wrap your npm install command to automatically run a security check before any packages are written to disk.

VIBE 3

Set up a GitHub Actions workflow that checks pull requests for newly introduced risky dependencies.

VIBE 4

Trace how a specific package ended up in your project to understand its origin and whether it's expected.

what's the stack?

TypeScriptNode.jsnpmpnpmYarnBunGitHub Actions

how it stacks up fr

kelani34/depguarderandersondanieln/hexllamaantonlobanovskiy/agent-tmux-web
Stars131313
LanguageTypeScriptTypeScriptTypeScript
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audiencedevelopervibe coderdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · easy time til it works · 5min
ISC license, use freely for any purpose, including commercial, with minimal restrictions.

in plain english

DepGuarder is a command-line security tool for JavaScript and TypeScript developers that checks the packages their projects depend on for signs of malicious or risky behavior, before those packages get installed or run in production. Most existing security scanners for open-source packages focus on known vulnerabilities that have been catalogued in public databases. DepGuarder takes a different approach by looking for behavioral warning signs: packages that appear to impersonate popular libraries through slight name misspellings (typosquatting), packages that run install scripts that could execute arbitrary code during installation, code that has been deliberately obscured to hide what it does, and packages that access environment variables or make network calls in unexpected ways. It reads from your existing lockfile so it can inspect the full tree of dependencies, including ones that were brought in indirectly by other packages. The tool has several commands. The scan command analyzes your current project. A --paranoid flag adds a deeper pass that downloads and inspects the actual package archive files. The why command traces how a specific package ended up in your project so you can understand its origin. The install command wraps your normal package manager installation with a security check before anything gets written to disk. The run command wraps a dev server or build process and watches the process tree at runtime for suspicious activity like unexpected network tools being launched. Risk is reported as a score from 0 to 100 based on factors including maintainer reputation, download trends, the presence of install hooks, and the results of static code analysis. The tool supports npm, pnpm, Yarn, and Bun. A GitHub Actions integration is included for running checks automatically on pull requests. The project is ISC licensed.

prompts (copy fr)

prompt 1
Using DepGuarder, write a GitHub Actions workflow that scans for risky dependencies on every pull request in my Node.js project.
prompt 2
Show me how to use DepGuarder's install command as a drop-in replacement for npm install in a TypeScript project.
prompt 3
Help me use DepGuarder's `why` command to trace why a specific package was pulled in as an indirect dependency.
prompt 4
What does DepGuarder's --paranoid flag check that the normal scan misses? Give me a shell script that runs it on my project.
prompt 5
Set up DepGuarder's run command to watch my dev server process tree and alert me about unexpected network activity.

Frequently asked questions

what is depguarder fr?

A command-line tool that checks your JavaScript and TypeScript project's dependencies for signs of malicious behavior, like typosquatting, hidden code, and suspicious network calls, before they run in production.

What language is depguarder written in?

Mainly TypeScript. The stack also includes TypeScript, Node.js, npm.

What license does depguarder use?

ISC license, use freely for any purpose, including commercial, with minimal restrictions.

How hard is depguarder to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is depguarder for?

Mainly developer.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.