Analysis updated 2026-05-18
Check a project's dependencies for known CVEs before installing them.
Spot npm packages that run suspicious scripts automatically during install.
Add a dependency risk gate to a CI pipeline that fails builds on high severity findings.
Detect typosquatted package names before they get installed by mistake.
| zigamedved/chain | anomalroil/1key | danterolle/loqi | |
|---|---|---|---|
| Stars | 2 | 2 | 2 |
| Language | Go | Go | Go |
| Last pushed | — | 2019-05-17 | — |
| Maintenance | — | Dormant | — |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 2/5 |
| Audience | ops devops | ops devops | developer |
Figures from each repo's GitHub metadata at analysis time.
Install via Homebrew or go install, then chain init walks through picking which project folders to scan.
chain is a command line tool that checks how risky your project's dependencies are before and after you install them. It looks across all your projects at once and gives a quick dashboard showing how many packages each one uses, whether a lockfile exists, and whether anything looks suspicious. It focuses on four kinds of risk. First, lifecycle scripts, which are pieces of code that packages can run automatically during install, something that could be used to run malicious code on your machine without you noticing. Second, known security vulnerabilities, checked against the public OSV.dev database, covering npm, Go modules, and Python's PyPI. Third, missing lockfiles, since without one an install can quietly pull in different package versions than the ones that were actually tested. Fourth, typosquatting, where a package name is suspiciously close to a popular one, a common trick attackers use to trick people into installing the wrong package. The tool works through a few simple commands. Running chain alone shows the dashboard across every project it knows about. Chain preview looks closely at one project, listing lifecycle scripts and vulnerabilities before you even run npm install. Chain audit is meant for continuous integration pipelines, exiting with an error code if it finds anything above a chosen severity level, so a bad dependency can block a build automatically. Chain init walks a user through picking which project folders to scan the first time they set it up. For each type of problem it finds, the readme also explains what to actually do about it, like upgrading a package, pinning a safe version with an override, committing a lockfile, or removing a package that turns out to be a typosquat. It installs through Homebrew or by building from source with Go, requires no account or API key for its vulnerability checks, and can run fully offline if needed. It is released under the MIT license.
A command line tool that scans your project's dependencies for known vulnerabilities, risky install scripts, missing lockfiles, and typosquatted package names before you run them.
Mainly Go. The stack also includes Go, CLI, OSV.dev.
MIT licensed, free to use, modify, and include in commercial projects as long as the copyright notice stays intact.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.