Build a dependency blast-radius map from a real package-lock.json before a transitive dependency becomes an unfixable audit rabbit hole.
NPM Dependency Blast Map is a local web app and CLI that parses package.json and npm lockfile v2/v3 data, builds a dependency graph, traces root-to-transitive paths, highlights duplicate versions, detects install-script risk, and ranks dependency hotspots by fan-in, depth, descendants, and script execution.
npm audit and dependency dashboards can tell you that something is wrong, but maintainers still need to answer the practical question: which direct dependency brought this in, how many paths depend on it, and what should I inspect first?
This project focuses on graph-level triage from files you already have locally.
Run the local web app:

```
python server.py
```

Then open http://127.0.0.1:8776 in a browser.

CLI:

```
python depmap.py fixtures/sample-risky
python depmap.py fixtures/sample-risky --json
```

Smoke and fixture tests:

```
python scripts/smoke_test.py
```

Point the app or CLI at a local folder containing:

- package.json
- package-lock.json
No npm registry key, GitHub token, or external API is required.
- parses the npm lockfile v2/v3 `packages` map
- resolves direct and transitive dependency edges
- calculates root paths and graph hotspots
- detects duplicate package versions
- detects packages with install scripts
- reports manifest/lock mismatches
- emits actionable Markdown with location, severity, confidence, fix, and false-positive notes
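As an added illustration of the graph-level triage listed above (example code written for this page, not the project's own depmap.py), the following builds the dependency graph from a constructed lockfile v3 fragment using npm's nested node_modules lookup order, records each package's shortest root path, flags duplicate versions and install scripts, and ranks packages by descendant count and fan-in:

```python
import json
from collections import deque

# Constructed lockfile v3 fragment (not a project fixture): "c" is installed twice, "b" has an install script.
LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo", "dependencies": {"a": "^1.0.0", "b": "^2.0.0"}},
  "node_modules/a": {"version": "1.0.0", "dependencies": {"c": "^1.0.0"}},
  "node_modules/a/node_modules/c": {"version": "1.0.0"},
  "node_modules/b": {"version": "2.0.0", "hasInstallScript": true, "dependencies": {"c": "^2.0.0"}},
  "node_modules/c": {"version": "2.0.0", "dependencies": {"d": "*"}}, "node_modules/d": {"version": "0.1.0"}}}""")

def resolve(packages, base, dep):
    """Nearest node_modules/<dep> walking up from base, the lookup order npm itself uses."""
    while True:
        cand = f"{base}/node_modules/{dep}".lstrip("/")
        if cand in packages or not base:
            return cand if cand in packages else None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def analyze(lock):
    packages = lock["packages"]
    def name(p): return p.rsplit("node_modules/", 1)[-1]  # "node_modules/a/node_modules/c" -> "c"
    graph = {p: [t for t in (resolve(packages, p, d) for d in m.get("dependencies", {})) if t]
             for p, m in packages.items()}
    depth, parent, queue = {"": 0}, {"": None}, deque([""])
    while queue:  # BFS from the root records each package's shortest root path
        node = queue.popleft()
        for child in graph[node]:
            if child not in depth:
                depth[child], parent[child] = depth[node] + 1, node
                queue.append(child)
    def descendants(node, seen):  # size of the transitive closure = blast radius
        for kid in graph[node]:
            if kid not in seen:
                seen.add(kid); descendants(kid, seen)
        return len(seen)
    def chain(path):  # package names from the direct dependency down to path
        out = []
        while path:
            out.append(name(path)); path = parent[path]
        return out[::-1]
    versions = {}
    for p, m in packages.items():
        if p: versions.setdefault(name(p), set()).add(m["version"])
    hotspots = [(p, sum(p in k for k in graph.values()), depth.get(p), descendants(p, set()))
                for p in packages if p]
    return {"duplicates": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
            "install_scripts": [p for p, m in packages.items() if m.get("hasInstallScript")],
            "hotspots": sorted(hotspots, key=lambda h: (-h[3], -h[1], h[0])),
            "root_path": {p: chain(p) for p in depth if p}}
```

On this input `b` ranks first: it is the only direct dependency with an install script and its subtree (`c` 2.0.0 and `d`) is the largest, while the nested `c` 1.0.0 under `a` shows up as a duplicate version.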
This is graph-level dependency triage. It is not a vulnerability database and does not replace npm audit, Dependabot, OSV, Snyk, Socket, or a full software supply-chain scanner. Use it to understand dependency paths and blast radius before deciding what to upgrade or inspect.
MIT