ANALYZE YOUR PROJECT

Scan your package.json for known vulnerabilities. Get instant analysis of CVEs and security advisories.

EXAMPLE PACKAGE.JSON
{
  "name": "npmscan-example",
  "dependencies": {
    "react": "^18.2.0",
    "lodash": "^4.17.20"
  }
}

💡 PACKAGE.JSON TIPS

Use Overrides for Safety

overrides lets the root package.json replace the version of a dependency anywhere in the tree, including transitive dependencies you do not list yourself. Use it to move a vulnerable transitive package to a patched release before its parent ships a fix, or to collapse duplicate copies of a package into one:

// package.json
{
  "overrides": {
    "react": "^18.3.1",
    "react-dom": "^18.3.1"
  }
}

Every copy of react and react-dom in the tree now resolves to ^18.3.1, so stale or duplicated transitive copies disappear. Caveats: npm only honors overrides in the root project (they are ignored when your package is installed as somebody else's dependency); if you also list the package directly, npm requires the override and the direct spec to be identical, so the "react": "^18.2.0" in the example package.json at the top of this page would have to be updated to match; and forcing a version a parent was never tested against trades a known vulnerability for possible breakage, so exercise that parent after overriding. Yarn calls the same mechanism resolutions, pnpm uses pnpm.overrides.
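A fuller illustration of the two override shapes npm supports, added here as an example (it is not from the npmscan page and not a verbatim npm docs snippet). "$react" tells npm to reuse whatever spec dependencies declares for react, which satisfies the "override must match the direct dependency" rule without repeating the version; the nested object scopes an override to one parent's subtree only. The names some-cli and vulnerable-transitive and the version 1.2.6 are placeholders.

```json
{
  "name": "npmscan-example",
  "dependencies": {
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "some-cli": "^2.0.0"
  },
  "overrides": {
    "react": "$react",
    "react-dom": "$react-dom",
    "some-cli": {
      "vulnerable-transitive": "1.2.6"
    }
  }
}
```

After editing overrides, run a fresh install so the lockfile is regenerated with the forced versions; an override that is not reflected in package-lock.json has not taken effect.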

Pin Your Package Manager

Lock your team to one npm/yarn/pnpm release to avoid subtle resolver changes and lockfile churn.

// package.json
{
  "packageManager": "npm@10.8.1"
}

The packageManager field is read by Corepack, which ships with Node.js: run corepack enable once (and corepack enable npm if Corepack should manage npm itself), and every invocation of the named tool is transparently routed to the pinned release, on developer machines and in CI alike. The value may also carry an integrity hash suffix, in which case Corepack refuses a download that does not match it. Without Corepack enabled the field is informational only.

Declare Runtime Versions

Signal the supported Node and npm versions to tooling and hosting, and fail fast in CI when they mismatch.

// package.json
{
  "engines": {
    "node": ">=18.18 <21",
    "npm": "^10"
  }
}

By default npm only prints a warning when engines are not satisfied; set engine-strict=true in the project's .npmrc to turn that warning into an install failure (other package managers have their own defaults). A CI step that compares node -v against the declared range is a cheap second check, and engines pairs naturally with packageManager pinning: one field states what the project supports, the other guarantees what actually runs.

Prevent Accidental Publish

Mark non-library applications as private so that npm publish refuses to upload them.

// package.json
{
  "private": true
}

This prevents an accidental publish from leaking internal code (and any configuration bundled with it) to the public registry. Yarn workspaces require the workspace root to be private, and it is the conventional setting for an npm workspaces root as well.

Semver Ranges: Know Your Risk

For critical dependencies, prefer an exact version ("1.2.3") or a tilde range ("~1.2.3") over a caret range ("^1.2.3"). A lockfile installed with npm ci is what actually pins the tree; the range decides what a fresh resolution or npm update is allowed to pull in.

  • ^1.2.3 means >=1.2.3 <2.0.0: any newer minor or patch is admitted, which can introduce regressions or, if the package is compromised, a malicious release.
  • ~1.2.3 means >=1.2.3 <1.3.0: patch releases only.
  • ^0.2.3 is special: caret never moves the left-most non-zero component, so on 0.x it means >=0.2.3 <0.3.0, patch updates only (and ^0.0.3 admits nothing but 0.0.3). Pre-1.0 packages often break between patches anyway, so pin them exactly.
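To make the range rules concrete, and to show how the same rules drive an engines check like the one in the "Declare Runtime Versions" tip, here is a small range evaluator added as an example for this page (it is not npmscan's or npm's code; npm itself uses the semver package, which this code does not depend on). It implements the caret, tilde, exact and comparator rules described above, then reuses them in checkEngines the way a CI gate would. The samplePkg object is constructed for the demonstration.

```javascript
// Minimal semver range evaluator for package.json specs (dependencies and engines).
// Supports exact (1.2.3), caret (^), tilde (~), comparators (>=, >, <=, <, =),
// partial versions (1.2, 1, x, *), space-separated AND and "||" OR.
// Prerelease tags (1.2.3-beta.1) are rejected on purpose; they are a separate topic.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// A partial version such as "1.2", "1" or "x": missing or wildcard parts become undefined.
function parsePartial(p) {
  const m = /^v?(\d+|x|\*)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(p);
  if (!m) throw new Error(`unsupported version spec: ${p}`);
  return m.slice(1).map(x => (x === undefined || x === 'x' || x === '*' ? undefined : Number(x)));
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate one comparator into bounds: lo/hi are [version, inclusive] or null (unbounded).
function toBounds(spec) {
  const m = /^(\^|~|>=|<=|>|<|=)?\s*(.+)$/.exec(spec);
  if (!m) throw new Error('empty version spec');
  const op = m[1] || '';
  const [maj, min, pat] = parsePartial(m[2]);
  if (maj === undefined) return { lo: null, hi: null };            // "*" or "x": anything
  const lo = [maj, min ?? 0, pat ?? 0];
  let hi;
  if (op === '^') {
    // Caret keeps the left-most non-zero component fixed: ^1.2.3 -> <2.0.0,
    // ^0.2.3 -> <0.3.0 (patch-only), ^0.0.3 -> <0.0.4 (nothing but 0.0.3).
    if (min === undefined || maj > 0) hi = [maj + 1, 0, 0];
    else if (pat === undefined || min > 0) hi = [0, min + 1, 0];
    else hi = [0, 0, pat + 1];
    return { lo: [lo, true], hi: [hi, false] };
  }
  if (op === '~') {
    // Tilde allows patch updates only (or minor updates when the minor is omitted).
    hi = min === undefined ? [maj + 1, 0, 0] : [maj, min + 1, 0];
    return { lo: [lo, true], hi: [hi, false] };
  }
  if (op === '' || op === '=') {
    if (pat !== undefined) return { lo: [lo, true], hi: [lo, true] }; // exact pin
    hi = min === undefined ? [maj + 1, 0, 0] : [maj, min + 1, 0];    // "1.2" = 1.2.x, "1" = 1.x.x
    return { lo: [lo, true], hi: [hi, false] };
  }
  // Plain comparators on zero-filled versions (">=18.18" -> >=18.18.0). npm's semver
  // additionally rewrites ">1.2" to ">=1.3.0"; that corner is out of scope here.
  if (op === '>=') return { lo: [lo, true], hi: null };
  if (op === '>') return { lo: [lo, false], hi: null };
  if (op === '<=') return { lo: null, hi: [lo, true] };
  return { lo: null, hi: [lo, false] };                              // "<"
}

function inBounds(v, { lo, hi }) {
  if (lo) { const c = cmp(v, lo[0]); if (c < 0 || (c === 0 && !lo[1])) return false; }
  if (hi) { const c = cmp(v, hi[0]); if (c > 0 || (c === 0 && !hi[1])) return false; }
  return true;
}

// True when `version` is admitted by `range`, e.g. satisfies("0.3.0", "^0.2.3") === false.
function satisfies(version, range) {
  const v = parseVersion(version);
  return String(range).split('||').some(alt =>
    alt.trim().split(/\s+/).every(spec => inBounds(v, toBounds(spec))));
}

// Check a package.json "engines" block against a toolchain; returns the list of mismatches
// (empty means the constraint holds). Defaults to the Node.js that is running this code.
function checkEngines(pkg, actual = { node: process.version }) {
  const problems = [];
  for (const [tool, range] of Object.entries(pkg.engines || {})) {
    if (actual[tool] === undefined) continue;                        // tool absent here, skip it
    if (!satisfies(actual[tool], range)) problems.push(`${tool} ${actual[tool]} does not satisfy "${range}"`);
  }
  return problems;
}

// Constructed sample mirroring the engines tip above (not a real project).
const samplePkg = { name: 'npmscan-example', engines: { node: '>=18.18 <21', npm: '^10' } };

console.log(satisfies('1.9.0', '^1.2.3'));                      // true: a minor bump is admitted
console.log(satisfies('0.3.0', '^0.2.3'));                      // false: on 0.x, caret is patch-only
console.log(checkEngines(samplePkg, { node: 'v21.1.0', npm: '10.8.1' }));
// [ 'node v21.1.0 does not satisfy ">=18.18 <21"' ]
```

Dropping checkEngines(require('./package.json')) into a CI step, and failing the job when the returned array is non-empty, gives the fail-fast behaviour the engines tip asks for even where the package manager only warns.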

Enable Tree‑Shaking Carefully

Mark modules as side-effect-free so bundlers can drop unused code.

// package.json (libraries only)
{
  "sideEffects": false
}

sideEffects is a bundler convention (webpack and compatible tools), not a field npm interprets. Set it to false only when you are sure no module does work at import time (registering a polyfill, patching a global, importing a stylesheet); otherwise the bundler may remove an import that existed purely for that effect and the application breaks at runtime. If only some files have side effects, list those files as an array instead of using false.

Be Careful with Optional Dependencies

npm treats an optionalDependency that fails to install (a native build error, an unsupported platform) as non-fatal: the install succeeds and the package is simply absent, so nothing alerts you that a feature is missing or that a security update never landed.

  • For optional peer requirements, declare the package under peerDependencies and mark it as optional in peerDependenciesMeta, so consumers get an explicit signal rather than a silent gap.
  • Never ship critical functionality under optionalDependencies, and make any code that loads an optional package tolerate its absence explicitly.

Control Public API with Exports

For libraries, define exports to prevent deep imports and lock down your public surface.

// package.json (libraries)
{
  "exports": {
    ".": "./dist/index.js",
    "./package.json": "./package.json"
  }
}

Once exports is present, only the listed subpaths can be imported or required: a consumer that reaches for an internal file such as pkg/lib/utils.js gets ERR_PACKAGE_PATH_NOT_EXPORTED, so internals cannot become an accidental API you then have to keep stable or patch around. Keep "./package.json" exported so tooling can still read your metadata, and remember the map is an allow list: anything you forget to include is unreachable for every consumer.
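To show what an exports map does to consumers, here is a simplified model of Node's subpath resolution, added as an example for this page (it follows the documented rules for exact subpaths, "*" subpath patterns and conditional targets, but it is not Node's implementation). The exportsMap object describes a hypothetical library layout.

```javascript
// Simplified model of how Node resolves "pkg" / "pkg/<subpath>" against an "exports" map.

// Constructed exports map for a hypothetical library layout.
const exportsMap = {
  '.': { import: './dist/index.mjs', require: './dist/index.cjs' },
  './package.json': './package.json',
  './plugins/*': './dist/plugins/*.js',
};

// Pick a string target out of a (possibly nested) conditions object.
function pickCondition(target, conditions) {
  if (typeof target === 'string') return target;
  for (const c of [...conditions, 'default']) {
    if (target[c] !== undefined) return pickCondition(target[c], conditions);
  }
  return null;
}

// Resolve the subpath a consumer wrote ("." for the bare package name, "./x" for
// "pkg/x") to a package-relative file. Returns null where Node would throw
// ERR_PACKAGE_PATH_NOT_EXPORTED. Simplifications: the first matching pattern wins
// (Node prefers the longest key) and an empty "*" match is rejected.
function resolveExport(map, subpath, conditions = ['import']) {
  if (Object.prototype.hasOwnProperty.call(map, subpath)) {
    return pickCondition(map[subpath], conditions);
  }
  for (const [key, target] of Object.entries(map)) {
    const star = key.indexOf('*');
    if (star === -1) continue;
    const prefix = key.slice(0, star);
    const suffix = key.slice(star + 1);
    if (!subpath.startsWith(prefix) || !subpath.endsWith(suffix)) continue;
    const matched = subpath.slice(prefix.length, subpath.length - suffix.length);
    // Like Node, refuse a substitution that would escape the package directory.
    if (matched.length === 0 || matched.split('/').includes('..')) return null;
    const t = pickCondition(target, conditions);
    return t === null ? null : t.split('*').join(matched);
  }
  return null;
}

console.log(resolveExport(exportsMap, '.'));                    // ./dist/index.mjs
console.log(resolveExport(exportsMap, './plugins/auth'));       // ./dist/plugins/auth.js
console.log(resolveExport(exportsMap, './lib/utils.js'));       // null: deep import blocked
console.log(resolveExport(exportsMap, './plugins/../secrets')); // null: traversal blocked
```

The last two calls are the security point: neither an internal file nor a path-traversal attempt through a pattern is reachable, because the map, not the file system, decides what the package exposes.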