StepCodex

Analyze package.json dependencies. Free online tool, no login, no sign-up.

Local / Personal data security


Usage Guide & Tech FAQ

Usage Guide

  1. Paste your `package.json` on the left (keep `dependencies/devDependencies/peerDependencies/scripts` if possible).
  2. Toggle options: include `devDependencies`, and optionally enable offline tree analysis from `package-lock.json`.
  3. Review the report: version-range risk flags, missing `peerDependencies`, and dependency distribution overview.
  4. If lockfile is enabled, select a dependency name to see an approximate dependency tree and multi-version hints.
  5. For workspaces/monorepos, paste each package manifest separately so root deps aren’t mistaken for leaf scope.
  6. Inspect `optionalDependencies` and `bundledDependencies`—they affect install size and offline bundling.
  7. With private registries, verify `publishConfig`/`repository` fields match internal docs for traceability.
  8. Before major upgrades, export the “wide range dependency” section for architecture review and breaking-change planning.
  9. Cross-check Renovate/Dependabot config—map high-risk findings to auto-PR rules or ignore lists.
  10. Copy/download the report for code review, upgrade planning, or CI checks.
  11. Read the title and description first to confirm this utility matches your task (avoid using the wrong tool and misinterpreting output).
  12. Paste or type input in the editor; if a sample/template is provided, load it first to learn the expected output shape.
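The checks the guide above asks you to review (version-range risk flags, missing peer dependencies, dependency distribution) can be reproduced offline in a few dozen lines. The following is an added example, not the StepCodex tool's own code: it runs the same kind of heuristics over a constructed manifest (the package names, the git URLs and the commit hash are placeholders, not real projects), and additionally lists install-time lifecycle scripts, which is why the guide suggests keeping `scripts` in the paste. Function names such as `classifyRange` and `analyzeManifest` are this example's own.

```javascript
// Added example, not the StepCodex tool's own code: offline range and peer
// checks over a constructed package.json. No registry or network lookups.

// Constructed sample manifest (fictional project and packages); the 40-hex
// commit hash is a placeholder of the right shape, not a real commit.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "sample-app",
  dependencies: {
    express: "^4.18.2",
    lodash: "*",
    "left-pad": "latest",
    "my-fork": "git+https://github.com/example/my-fork.git",
    "pinned-fork": "git+https://github.com/example/my-fork.git#0123456789abcdef0123456789abcdef01234567",
    react: ">=16",
  },
  devDependencies: { jest: "~29.7.0", "@types/react": "18.2.0" },
  peerDependencies: { react: ">=16", "react-dom": ">=16" },
  scripts: { test: "jest", postinstall: "node scripts/setup.js" },
});

// Heuristic classification of one version range. Returns null for exact,
// "~" and "^" ranges (and x-ranges like "1.x"), otherwise a short reason.
function classifyRange(range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || /^x$/i.test(r)) return "unbounded (any version)";
  if (/^(git\+|git:|github:|https?:)/.test(r)) {
    // Git/URL sources bypass the registry and its integrity hashes; without a
    // 40-hex commit after "#" they follow whatever the branch or tag points to.
    return /#[0-9a-f]{40}$/i.test(r)
      ? "git/url source (commit-pinned)"
      : "git/url source (not commit-pinned)";
  }
  if (/^(file:|link:)/.test(r)) return "local path source";
  if (/^[a-z][\w-]*$/i.test(r)) return "dist-tag (moves with every publish)"; // e.g. latest, next
  if (/^>=?\s*\d/.test(r) && !/</.test(r)) return "open-ended lower bound";
  if (/\|\||\s-\s/.test(r)) return "compound range";
  return null;
}

// Build the report the guide describes: flags, missing peers, distribution,
// plus the lifecycle scripts npm runs during install.
function analyzeManifest(text, { includeDev = true } = {}) {
  const pkg = JSON.parse(text);
  const sections = ["dependencies"].concat(includeDev ? ["devDependencies"] : []);
  const riskFlags = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const reason = classifyRange(range);
      if (reason) riskFlags.push({ section, name, range, reason });
    }
  }
  // A peer that is not also installed by this manifest is normal for a library,
  // but npm 6 only warns about it while npm 7+ installs it; report it either way.
  const declared = new Set(sections.flatMap((s) => Object.keys(pkg[s] || {})));
  const missingPeers = Object.keys(pkg.peerDependencies || {}).filter((n) => !declared.has(n));
  const distribution = Object.fromEntries(
    ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"]
      .map((s) => [s, Object.keys(pkg[s] || {}).length]),
  );
  const lifecycleScripts = Object.keys(pkg.scripts || {})
    .filter((s) => /^(pre|post)?(install|prepare|prepublish|publish)$/.test(s));
  return { riskFlags, missingPeers, distribution, lifecycleScripts };
}

// Stand-alone usage: print the report for the constructed sample.
console.log(JSON.stringify(analyzeManifest(SAMPLE_MANIFEST, { includeDev: true }), null, 2));
```

On the sample this yields five flags (`lodash`, `left-pad`, both forks and `react`), `react-dom` as the one peer the manifest does not itself install, and `postinstall` as the script worth a look before running `npm install` on a freshly cloned tree.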

Related Tech Knowledge

  • This is offline analysis: it only infers from your provided `package.json` / `package-lock.json`—no network vulnerability database checks.
  • “Risk flags” are heuristic: `*` / `latest` / `git+` / wide version ranges (`>=`) usually indicate higher upgrade uncertainty; `git+` and URL sources additionally bypass the registry and its integrity hashes, and without a commit hash they follow a moving branch or tag.
  • Tree results are approximate: due to npm dedupe/resolution details, depth/version attribution may differ slightly from the real install.
  • npm v7+ installs `peerDependencies` automatically, while npm v6 only warned about missing peers—cite the npm version when explaining a missing-peer warning.
  • `overrides`/`resolutions` change resolved graphs—if not ingested, reports may diverge from production installs.
  • Lockfile format versions affect readability: `lockfileVersion` 1 (npm v5/v6) only nests `dependencies`, while 2 and 3 (npm v7+) add a flat `packages` map—regenerate locks in CI (`npm install --package-lock-only`) before auditing so the analyzer sees a current format.
  • Complements `npm audit`: audit focuses on CVEs while this view focuses on ranges/structure—reconcile disagreements manually.
  • Huge locks block the main thread—close heavy tabs or analyze trimmed lock snippets when possible.
  • Redact private registry hosts before posting reports to public tickets.
  • Best practice: integrate the report into automation (e.g., gate on non-semver deps or missing peer dependencies).
  • Core parsing and computation run in your browser; by default your raw business payload is not persisted to this site’s servers (see on-page privacy notes).
  • The pipeline is typically: read input → parse (lexical/syntactic/structured) → transform → render; failures aim to be diagnosable.
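The tree and multi-version hints above are "approximate" because they re-derive what npm resolved from the lockfile's `packages` map, using Node's lookup rule (nearest `node_modules` first, then walk outward). The following is an added example, not the StepCodex tool's own code, showing that derivation over a constructed `lockfileVersion` 3 lock (fictional packages `a`, `b`, `c`; `resolved`/`integrity` fields omitted for brevity) and rejecting a version-1 lock, which has no `packages` map. Function names such as `resolveFrom`, `buildTree` and `analyzeLock` are this example's own.

```javascript
// Added example, not the StepCodex tool's own code: approximate dependency
// tree plus multi-version scan from a lockfileVersion 2/3 "packages" map.

// Constructed package-lock.json (fictional packages), trimmed to the fields
// this scan needs. b could not share the hoisted c@1, so npm nested c@2 under it.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { a: "^1.0.0", b: "^2.0.0" } },
    "node_modules/a": { version: "1.4.0", dependencies: { c: "^1.0.0" } },
    "node_modules/b": { version: "2.1.0", dependencies: { c: "^2.0.0" } },
    "node_modules/c": { version: "1.2.0" },
    "node_modules/b/node_modules/c": { version: "2.0.3" },
  },
});

// Lockfile path that `name` resolves to when required from the package
// installed at `fromPath` ("" is the project root), following Node's rule.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without a match
    // Step out one package: drop the trailing "node_modules/<pkg>" segment.
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1);
  }
}

// Tree rooted at `name`; each node records the exact lock path so that a
// nested duplicate is visibly attributed. The depth cap guards against cycles.
function buildTree(packages, name, fromPath = "", depth = 0, maxDepth = 8) {
  const path = resolveFrom(packages, fromPath, name);
  if (path === null) return { name, version: null, path: null, missing: true, children: [] };
  const entry = packages[path];
  const node = { name, version: entry.version, path, missing: false, children: [] };
  if (depth < maxDepth) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      node.children.push(buildTree(packages, dep, path, depth + 1, maxDepth));
    }
  }
  return node;
}

// Packages installed in more than one version anywhere in the tree.
function multiVersionPackages(packages) {
  const byName = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    // Aliased installs carry an explicit "name"; otherwise derive it from the path.
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  const out = {};
  for (const [name, versions] of byName) {
    if (versions.size > 1) out[name] = [...versions].sort();
  }
  return out;
}

function analyzeLock(lockText, focusName) {
  const lock = JSON.parse(lockText);
  // lockfileVersion 1 (npm v5/v6) has only nested "dependencies"; regenerate
  // it with a current npm rather than guessing at the old shape.
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}: no "packages" map`);
  }
  return { tree: buildTree(lock.packages, focusName), multiVersion: multiVersionPackages(lock.packages) };
}

// Stand-alone usage: tree for "b" (sees the nested c@2.0.3) and the duplicate list.
console.log(JSON.stringify(analyzeLock(SAMPLE_LOCK, "b"), null, 2));
```

Because this walks the lock rather than the real `node_modules`, anything that changes resolution after the lock was written (`overrides`/`resolutions` applied later, a different npm version re-hoisting the tree) will make the output diverge from the installed graph, which is exactly the caveat the bullets above give.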