Ecosystem: npm
npm / Node.js Scanner
Deptic's npm scanner resolves the complete dependency tree from package.json files found anywhere in the repository. Unlike running npm install, Deptic uses the npm registry API directly — no code execution, no containers, no environment setup required.
Manifest files detected:
| File | Purpose | Notes |
|---|---|---|
| `package.json` | Direct dependencies | Required |
| `package-lock.json` | Locked versions | Used when available for exact versions |
Excluded paths:
- `node_modules/`
- `.yarn/`
- `dist/`
- `build/`
- `.next/`
- `out/`
- `coverage/`

Transitive resolution:
Deptic fetches each direct dependency's own package.json from the npm registry and recursively resolves to depth 3. A typical Next.js application has 40–60 direct dependencies and 800–1,200 transitive dependencies.
Example scan output:
```json
{
  "ecosystem": "npm",
  "stats": {
    "inventory_size": 1247,
    "direct_library": 43,
    "transitive": 1204,
    "license_spread": 18
  },
  "top_licenses": ["MIT", "ISC", "Apache-2.0", "BSD-3-Clause"]
}
```

PURL format for npm:

```text
pkg:npm/lodash@4.17.21
pkg:npm/%40types%2Fnode@20.0.0
```

Note: Scoped packages (`@org/name`) are percent-encoded in PURLs.
Known limitations:
- Packages using `git:` or `file:` specifiers in `package.json` are resolved as "version unknown"
- Workspace packages in pnpm/yarn workspaces are detected but resolved individually
- Private registry packages (not on npmjs.com) return metadata as "unavailable"
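The PURL encoding and the `git:`/`file:` limitation above, worked through as an added example (this is illustrative code, not Deptic's own scanner): it maps the direct dependencies of a constructed `package.json` to `pkg:npm` PURLs, percent-encoding scoped names, taking exact versions from a lockfileVersion 3 `package-lock.json` when one is present, and reporting `git:`/`file:` specifiers as version unknown. Treating an unpinned range with no lock entry as "unknown" is this example's assumption, not documented Deptic behaviour.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample inputs (not taken from any real project).
PACKAGE_JSON = {
    "dependencies": {
        "lodash": "^4.17.0",
        "@types/node": "20.0.0",
        "my-lib": "git+https://example.invalid/org/my-lib.git",
        "local-tool": "file:../local-tool",
    }
}
PACKAGE_LOCK = {  # lockfileVersion 3 layout: "packages" keyed by install path
    "lockfileVersion": 3,
    "packages": {"node_modules/lodash": {"version": "4.17.21"}},
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def npm_purl(name, version=None):
    """Build a pkg:npm PURL. Scoped names are percent-encoded ('@' -> %40, '/' -> %2F)."""
    purl = "pkg:npm/" + quote(name, safe="")
    return purl if version is None else f"{purl}@{version}"


def parse_npm_purl(purl):
    """Inverse of npm_purl: returns (name, version) with version None when absent.
    The '@' of a scoped name is encoded, so the first literal '@' separates the version."""
    name, sep, version = purl.removeprefix("pkg:npm/").partition("@")
    return unquote(name), (version if sep else None)


def resolve_direct(pkg, lock=None):
    """Map each direct dependency to {'purl', 'version'}.
    git:/file: specifiers have no registry version and are reported as 'unknown';
    otherwise the lock's exact version wins, then an exact version in package.json."""
    packages = (lock or {}).get("packages", {})
    result = {}
    for name, spec in pkg.get("dependencies", {}).items():
        if spec.startswith(("git:", "git+", "file:")):
            result[name] = {"purl": npm_purl(name), "version": "unknown"}
            continue
        locked = packages.get(f"node_modules/{name}", {}).get("version")
        version = locked or (spec if EXACT_VERSION.match(spec) else None)
        result[name] = {"purl": npm_purl(name, version), "version": version or "unknown"}
    return result
```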

