Dependency placement
Finds packages duplicated between runtime and development sections.
Supply-chain review
Review package.json for duplicate dependencies, floating sources, install scripts, destructive commands, React pairing and runtime contracts.
Analysis runs in this browser. No public result URL is generated, and exported reports omit the analyzed source.
Coverage
Finds packages duplicated between runtime and development sections.
Flags wildcard, dist-tag, URL, GitHub and file sources that need stronger pinning and review.
Surfaces lifecycle scripts and obvious destructive or remote-execution patterns.
Reviews React pairing, engines and packageManager fields without guessing resolved versions.
FAQ
No. It analyzes the supplied package.json in the browser and makes no registry or network request.
No. Full resolution needs the package manager, lockfile, peer dependency graph, operating system and target runtime.
preinstall, install, postinstall and prepare can execute during package installation. They require focused review even when legitimate.
Not always. The right policy depends on whether you publish a library or deploy an application. Use intentional semver ranges plus a committed lockfile and controlled updates.