explaingit

kelani34/depguarder

13 · TypeScript · Audience: developer · Complexity: 2/5 · License: ISC · Setup: easy

TLDR

A command-line tool that checks your JavaScript and TypeScript project's dependencies for signs of malicious behavior, like typosquatting, hidden code, and suspicious network calls, before they run in production.

Mindmap

mindmap
  root((depguarder))
    What it does
      Detect typosquatting
      Inspect install scripts
      Find obfuscated code
      Monitor runtime activity
    Commands
      scan
      why
      install wrapper
      run wrapper
    Tech Stack
      TypeScript
      Node.js
      GitHub Actions
    Use Cases
      Pre-install security check
      PR automated scanning
      Dependency origin tracing

Things people build with this

USE CASE 1

Scan a JavaScript project's lockfile for risky or suspicious packages before deploying to production.

USE CASE 2

Wrap your npm install command to automatically run a security check before any packages are written to disk.

USE CASE 3

Set up a GitHub Actions workflow that checks pull requests for newly introduced risky dependencies.

USE CASE 4

Trace how a specific package ended up in your project to understand its origin and whether it's expected.

Tech stack

TypeScript · Node.js · npm · pnpm · Yarn · Bun · GitHub Actions

Getting it running

Difficulty · easy. Time to first run · 5 min.
ISC license, use freely for any purpose, including commercial, with minimal restrictions.

In plain English

DepGuarder is a command-line security tool for JavaScript and TypeScript developers that checks the packages their projects depend on for signs of malicious or risky behavior, before those packages get installed or run in production. Most existing security scanners for open-source packages focus on known vulnerabilities that have been catalogued in public databases. DepGuarder takes a different approach by looking for behavioral warning signs: packages that appear to impersonate popular libraries through slight name misspellings (typosquatting), packages that run install scripts that could execute arbitrary code during installation, code that has been deliberately obscured to hide what it does, and packages that access environment variables or make network calls in unexpected ways. It reads from your existing lockfile so it can inspect the full tree of dependencies, including ones that were brought in indirectly by other packages.

The tool has several commands:

- The scan command analyzes your current project. A --paranoid flag adds a deeper pass that downloads and inspects the actual package archive files.
- The why command traces how a specific package ended up in your project so you can understand its origin.
- The install command wraps your normal package manager installation with a security check before anything gets written to disk.
- The run command wraps a dev server or build process and watches the process tree at runtime for suspicious activity like unexpected network tools being launched.

Risk is reported as a score from 0 to 100 based on factors including maintainer reputation, download trends, the presence of install hooks, and the results of static code analysis. The tool supports npm, pnpm, Yarn, and Bun. A GitHub Actions integration is included for running checks automatically on pull requests. The project is ISC licensed.
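To make the lockfile-based approach concrete, here is an added example (not DepGuarder's own code) that walks an npm v3 lockfile and flags two of the behavioral signals described above: package names one edit away from a well-known library (typosquatting, with transpositions counted as one edit) and packages that declare install hooks, which npm records in the lockfile as `hasInstallScript`. The popular-package list, the sample lockfile and the scoring weights are constructed for illustration and are not the project's; the real tool combines many more factors into its 0 to 100 score.

```typescript
// Added example, not DepGuarder's code: a minimal npm lockfile scan for
// typosquatting and install hooks. Scoring weights are assumptions.

type LockPackage = { version?: string; hasInstallScript?: boolean; dev?: boolean };
type Lockfile = { lockfileVersion: number; packages: Record<string, LockPackage> };

export type Finding = {
  name: string;
  version: string;
  reasons: string[];
  score: number; // 0..100, higher is riskier (assumed weights, not DepGuarder's)
};

// Constructed list of well-known package names used for the near-miss check.
export const POPULAR_PACKAGES = ["lodash", "express", "react", "chalk", "axios", "commander"];

// Optimal string alignment distance: insert/delete/substitute cost 1, and a
// swap of two adjacent characters also costs 1, so "lodahs" is 1 from "lodash".
export function editDistance(a: string, b: string): number {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d: number[][] = Array.from({ length: rows }, () => new Array<number>(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + cost); // adjacent transposition
      }
    }
  }
  return d[rows - 1][cols - 1];
}

// Returns the popular package this name resembles, or null if it is an exact
// match (the genuine package) or not close to anything on the list.
export function typosquatTarget(name: string, popular: string[] = POPULAR_PACKAGES): string | null {
  const bare = name.startsWith("@") ? (name.split("/")[1] ?? name) : name; // strip scope
  if (popular.includes(bare)) return null;
  for (const p of popular) {
    // Very short names produce too many false positives, so require length >= 4.
    if (bare.length >= 4 && editDistance(bare, p) <= 1) return p;
  }
  return null;
}

// npm lockfile v2/v3 keys entries as "node_modules/<name>", nested entries as
// ".../node_modules/<name>"; the root project is the empty key "".
export function packageNameFromKey(key: string): string | null {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

export function scanLockfile(lock: Lockfile, popular: string[] = POPULAR_PACKAGES): Finding[] {
  const findings: Finding[] = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    const name = packageNameFromKey(key);
    if (!name) continue; // skip the root project entry
    const reasons: string[] = [];
    let score = 0;
    const target = typosquatTarget(name, popular);
    if (target) {
      reasons.push(`name is one edit away from popular package "${target}"`);
      score += 60; // assumed weight
    }
    if (pkg.hasInstallScript) {
      reasons.push("declares an install hook (preinstall/install/postinstall)");
      score += 30; // assumed weight: hooks run code at install time
    }
    if (reasons.length > 0) {
      findings.push({ name, version: pkg.version ?? "unknown", reasons, score: Math.min(100, score) });
    }
  }
  return findings.sort((x, y) => y.score - x.score);
}

// Constructed sample lockfile (not taken from any real project).
export const SAMPLE_LOCK: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "0.0.3", hasInstallScript: true },
    "node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/foo/node_modules/axois": { version: "1.0.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} score=${f.score}: ${f.reasons.join("; ")}`);
}
```

On the constructed lockfile this reports `lodahs` (near-miss name plus an install hook) at the top, `axois` next, and `esbuild` last: an install hook on its own is a weak signal, since many legitimate native or binary packages use one, which is why a real scanner weighs it together with maintainer reputation, download trends and static analysis rather than on its own.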

Copy-paste prompts

Prompt 1
Using DepGuarder, write a GitHub Actions workflow that scans for risky dependencies on every pull request in my Node.js project.
Prompt 2
Show me how to use DepGuarder's install command as a drop-in replacement for npm install in a TypeScript project.
Prompt 3
Help me use DepGuarder's `why` command to trace why a specific package was pulled in as an indirect dependency.
Prompt 4
What does DepGuarder's --paranoid flag check that the normal scan misses? Give me a shell script that runs it on my project.
Prompt 5
Set up DepGuarder's run command to watch my dev server process tree and alert me about unexpected network activity.


Verify against the repo before relying on details.