gitmyhub

depguarder

TypeScript ★ 20 updated 2d ago

A command-line tool that checks your JavaScript and TypeScript project's dependencies for signs of malicious behavior, like typosquatting, hidden code, and suspicious network calls, before they run in production.

Tags: TypeScript, Node.js, npm, pnpm, Yarn, Bun, GitHub Actions. Setup: easy. Complexity: 2/5.

DepGuarder is a command-line security tool for JavaScript and TypeScript developers that checks the packages their projects depend on for signs of malicious or risky behavior, before those packages get installed or run in production.

Most existing security scanners for open-source packages focus on known vulnerabilities that have been catalogued in public databases. DepGuarder takes a different approach by looking for behavioral warning signs: packages that appear to impersonate popular libraries through slight name misspellings (typosquatting), packages that run install scripts that could execute arbitrary code during installation, code that has been deliberately obscured to hide what it does, and packages that access environment variables or make network calls in unexpected ways. It reads from your existing lockfile so it can inspect the full tree of dependencies, including ones that were brought in indirectly by other packages.

The tool has several commands. The scan command analyzes your current project. A --paranoid flag adds a deeper pass that downloads and inspects the actual package archive files. The why command traces how a specific package ended up in your project so you can understand its origin. The install command wraps your normal package manager installation with a security check before anything gets written to disk. The run command wraps a dev server or build process and watches the process tree at runtime for suspicious activity like unexpected network tools being launched.

Risk is reported as a score from 0 to 100 based on factors including maintainer reputation, download trends, the presence of install hooks, and the results of static code analysis. The tool supports npm, pnpm, Yarn, and Bun. A GitHub Actions integration is included for running checks automatically on pull requests. The project is ISC licensed.
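The two checks described above (typosquat-like names and install hooks) and the path-tracing idea behind the why command can be sketched in a few dozen lines. The following is an added example written for this page, not DepGuarder's own code. It assumes a lockfile-v3-like "packages" map with a flat node_modules layout (no nested node_modules resolution), a small hand-picked list of popular package names as the typosquat reference set, and illustrative score weights (50 for a near-miss name, 40 for an install hook); all of these are assumptions, not the project's actual rules.

```typescript
// Added example, not DepGuarder's code: walk a lockfile's dependency tree,
// flag names one edit away from a popular package plus declared install
// hooks, and keep the chain that pulled each flagged package in.

// Minimal shape of an npm lockfile-v3 "packages" entry (assumption: only the
// fields used here). Keys are "" for the root and "node_modules/<name>" otherwise.
interface LockPackage {
  version: string;
  hasInstallScript?: boolean;
  dependencies?: Record<string, string>;
}
type LockfilePackages = Record<string, LockPackage>;

// Constructed sample lockfile: "lodahs" is a transposition of "lodash", runs an
// install script, and is only reachable through "some-plugin".
export const SAMPLE_LOCK: LockfilePackages = {
  "": { version: "1.0.0", dependencies: { "some-plugin": "^1.0.0", lodash: "^4.17.21" } },
  "node_modules/lodash": { version: "4.17.21" },
  "node_modules/some-plugin": { version: "1.2.0", dependencies: { lodahs: "^1.0.0" } },
  "node_modules/lodahs": { version: "1.0.0", hasInstallScript: true },
  "node_modules/express": { version: "4.19.2" }, // orphan entry, never reached
};

// Constructed reference list of popular names (a real tool would use a much larger set).
export const POPULAR = ["lodash", "express", "react", "axios", "chalk"];

// Optimal-string-alignment edit distance: insert, delete, substitute, or swap
// two adjacent characters all cost 1, so "lodahs" vs "lodash" is distance 1.
export function editDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)),
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular name this package name is one edit away from, or null.
export function isTyposquat(name: string, popular: string[] = POPULAR): string | null {
  if (popular.includes(name)) return null; // exact match is the real package
  for (const p of popular) {
    if (editDistance(name, p) === 1) return p;
  }
  return null;
}

export interface Finding {
  name: string;
  version: string;
  path: string[]; // chain from a direct dependency down to this package
  reasons: string[];
  score: number; // 0..100, illustrative weights
}

// Depth-first walk from the root entry, visiting each installed package once.
export function scanLockfile(lock: LockfilePackages, popular: string[] = POPULAR): Finding[] {
  const findings: Finding[] = [];
  const visited = new Set<string>();
  const walk = (name: string, chain: string[]): void => {
    const key = name === "" ? "" : `node_modules/${name}`; // assumption: flat layout
    const pkg = lock[key];
    if (!pkg || visited.has(key)) return;
    visited.add(key);
    if (name !== "") {
      const reasons: string[] = [];
      let score = 0;
      const target = isTyposquat(name, popular);
      if (target) { reasons.push(`name is one edit away from "${target}"`); score += 50; }
      if (pkg.hasInstallScript) { reasons.push("declares an install hook"); score += 40; }
      if (reasons.length > 0) {
        findings.push({ name, version: pkg.version, path: [...chain, name], reasons, score: Math.min(score, 100) });
      }
    }
    const childChain = name === "" ? [] : [...chain, name];
    for (const dep of Object.keys(pkg.dependencies ?? {})) walk(dep, childChain);
  };
  walk("", []);
  return findings;
}

// Stand-alone run over the constructed lockfile.
for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} score=${f.score} via ${f.path.join(" > ")}: ${f.reasons.join("; ")}`);
}
```

The transposition-aware distance matters: plain Levenshtein scores "lodahs" against "lodash" as 2, so a check that only allows one plain edit would miss the most common swap-two-letters typosquat. The recorded path is what lets a report say not just "lodahs is suspicious" but "some-plugin is the reason it is installed", which is the question the why command answers.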

Where it fits