Summary

• Free & open source command-line tool

• Works with any modern JavaScript package manager

• Scans your project & dependencies for vulnerabilities, license, and misc issues

• Supports workspaces

• Supports marking issues as resolved

• Supports custom license policies

• Configurable fail conditions for CI / GIT hook workflows

• Can connect to private/custom registries

• Outputs:

  • JSON issue & license usage reports

  • Easy to grok SVG dependency tree & treemap visualizations

    • Powered by D3

    • Overlays security vulnerabilities

    • Overlays package license info

  • csv of all dependencies & license info

Generate a report

Navigate charts

csv output

JSON output

{
  "createdAt": "...",
  "packageManager": "...",
  "name": "...",
  "version": "...",
  "rootVulnerabilities": [...],
  "dependencyVulnerabilities": [...],
  "licenseUsage": {...},
  "licenseIssues": [...],
  "metaIssues": [...],
  "errors": [...],
}

Marking issues as resolved

Get involved

• Have a support question? Post it here.

• Have a feature request? Post it here.

• Did you find a security issue? See SECURITY.md.

• Did you find a bug? Post an issue.

• Want to write some code? See CONTRIBUTING.md.

Beta: visualizations on sandworm.dev

Simple HTML visualizations on top of Sandworm data for all existing npm packages are available in beta on sandworm.dev. Here are a few links to get you exploring:

• Apollo Client

• AWS SDK

• Express

• Mocha

• Mongoose

• Nest.js

• Redis