Dependency scanner CLI — tools.voiddo/depcheck vs npm audit
Both scan dependencies for security issues. npm audit queries the live advisory database for CVE data. depcheck works offline, also finds unused and missing imports, and supports Python requirements.txt.
tools.voiddo/depcheck
- Offline CVE database: 47 curated high-severity entries (incl. 2024 + supply-chain)
- Finds unused dependencies: packages in package.json never imported
- Finds missing dependencies: imports in code not in package.json
- Python support: requirements.txt and pyproject.toml
- Supply-chain attack signatures (event-stream pattern)
- Transitive dependency scan via package-lock.json
- Works offline, no registry connection required
- MIT licensed, Node 14+, zero deps
npm audit
- Live npm advisory database with thousands of CVEs
- Continuously updated — catches new vulnerabilities immediately
- Integrated with npm: no extra install needed
- npm audit fix can auto-update vulnerable packages
- Detailed severity levels: critical/high/moderate/low
- No unused/missing import detection; no Python support
- Requires network connection
Feature comparison
| Feature | tools.voiddo/depcheck | npm audit |
|---|---|---|
| Scan for known CVEs | ✓ offline (47 entries) | ✓ live (thousands) |
| Works offline (no network) | ✓ | ✗ requires registry |
| Find unused dependencies | ✓ static import analysis | ✗ |
| Find missing dependencies | ✓ | ✗ |
| Supply-chain attack signatures | ✓ | ✗ (may lag on new attacks) |
| Python requirements.txt support | ✓ | ✗ Node.js only |
| pyproject.toml support | ✓ | ✗ |
| package-lock.json transitive scan | ✓ | ✓ |
| Auto-fix (npm update) | — | ✓ npm audit fix |
| Severity levels (crit/high/mod/low) | ✓ | ✓ |
| CVE freshness | 47 curated (snapshot) | ✓ continuously updated |
| No extra install required | npm install -g needed | ✓ built into npm |
| CI-friendly exit codes | ✓ | ✓ |
| Open source | ✓ MIT | ✓ (npm is open source) |
Comparison based on publicly observable behavior as of 2026-05. For comprehensive CVE coverage and auto-fix, npm audit is more complete. For offline CI environments, unused import detection, and Python support, depcheck adds capabilities npm audit lacks. Running both in sequence provides the most complete coverage.
FAQ
Can depcheck find packages I installed but never use?
Yes. depcheck statically analyzes the require() and import statements in your source code and compares them against your package.json. Any package that appears in package.json but is never imported anywhere in the code is reported as unused. This helps keep bundles small and reduces the attack surface from packages you do not use. npm audit does not detect unused dependencies.
Can depcheck run in an air-gapped or offline CI environment?
Does depcheck scan Python projects?
Yes. Point it at a requirements.txt or pyproject.toml and it checks the listed packages against its offline CVE database. This is useful in full-stack projects with both Node.js and Python components: you can run a single tool across both. npm audit is Node.js-only.
Is 47 CVEs in the offline database enough?
How do I use depcheck and npm audit together?
Run depcheck . && npm audit. In GitHub Actions, add both as separate steps. depcheck exits non-zero on any finding, so the pipeline stops before spending time on the npm audit network call if there are unused dependencies or critical offline CVEs; this also means npm audit's results are not reported on that run until the depcheck findings are resolved.
When is depcheck clearly better than npm audit?
Try tools.voiddo/depcheck
Scan dependencies offline — find unused/missing imports, high-severity CVEs, supply-chain attack signatures, and Python requirements. No registry connection needed.
Competitor names and trademarks belong to their respective owners. This comparison reflects publicly observable tool behavior.