sandworm
v1.18.0
Beautiful Visualizations For Your App's Dependencies 🪱
Downloads
10,598
- Outputs SVGs
- Powered by D3
- Overlays security vulnerabilities
- Overlays package license info
- Works with npm, yarn, and pnpm
- Made by the team behind Sandworm - Easy auditing & sandboxing for your JavaScript dependencies
Warning: Sandworm does NOT currently support workspaces.
Get Involved
- Have a support question? Post it here.
- Have a feature request? Post it here.
- Did you find a security issue? See SECURITY.md.
- Did you find a bug? Post an issue.
- Want to write some code? See CONTRIBUTING.md.
Install
yarn global add sandworm # or npm install -g sandworm
Options
Options:
        --version         Show version number  [boolean]
        --help            Show help  [boolean]
    -o, --output          The name of the output directory, relative to the
                          application path  [string] [default: ".sandworm"]
    -d, --include-dev     Include dev dependencies  [boolean] [default: false]
    -v, --show-versions   Show package versions  [boolean] [default: false]
    -t, --type            Visualization type  [string] [choices: "tree", "treemap"]
    -p, --path            The application path  [string] [default: current dir]
        --md, --max-depth Max depth to represent  [number]
Chart Types
Treemap
- Node colors represent the dependency depth;
- Node surface represents the size of the corresponding directory under node_modules;
- A dotted pattern in a node background means the package is a shared dependency, required by multiple packages, and present multiple times in the chart;
- Shared dependency sizes are added to every dependent package, to represent the independent size structure properly; hence, the displayed size might be larger than the actual size on disk;
- A red package background means the package has direct vulnerabilities;
- A purple package background means the package depends on other vulnerable packages;
- Click on a node to make the tooltip persist; click outside to close it;
- When representing deep dependencies, the surface area of certain packages might reach zero, making them invisible.
Tree
- Nodes are grouped by color based on the root dependency that they belong to;
- Red text in a package name means the package has direct vulnerabilities;
- Purple text in a package name means the package depends on other vulnerable packages;
- Click on a node to make the tooltip persist; click outside to close it;
- By default, the tree chart has a maximum depth of 7, meaning only seven levels of dependencies will be represented, to keep the output readable; you can override this using the --md option.
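The chart rules above (shared dependencies counted once per dependent, red for direct vulnerabilities, purple for packages that depend on vulnerable ones) can be reproduced on a small graph. This is an added example, not Sandworm's own code: the graph, the sizes, the advisory set, the function names, and the choice that red takes precedence over purple are all assumptions made for illustration.

```javascript
// Added illustration, not Sandworm's code. Package names are used only as
// labels; sizes (KB), edges and the advisory set are constructed.
const graph = {
  app:     { size: 0,   deps: ['express', 'logger'] },
  express: { size: 200, deps: ['qs', 'debug'] },
  logger:  { size: 30,  deps: ['debug'] },
  debug:   { size: 40,  deps: ['ms'] },
  qs:      { size: 90,  deps: [] },
  ms:      { size: 10,  deps: [] },
};
const advisories = new Set(['qs']); // constructed: packages with a direct finding

// A package is "shared" when more than one package requires it.
function sharedPackages(g) {
  const parents = {};
  for (const { deps } of Object.values(g)) {
    for (const d of deps) parents[d] = (parents[d] || 0) + 1;
  }
  return new Set(Object.keys(parents).filter((n) => parents[n] > 1));
}

// Expand the graph into chart nodes. A shared package is expanded once per
// dependent, so its size is counted in every subtree that requires it.
function chartNode(name, g, vulnerable, shared, seen = new Set()) {
  if (seen.has(name)) throw new Error(`dependency cycle at ${name}`);
  const path = new Set(seen).add(name);
  const children = g[name].deps.map((d) => chartNode(d, g, vulnerable, shared, path));
  const direct = vulnerable.has(name);
  const viaDeps = children.some((c) => c.status !== 'clean');
  return {
    name,
    children,
    shared: shared.has(name),
    displayedSize: g[name].size + children.reduce((s, c) => s + c.displayedSize, 0),
    // Assumption: a direct finding (red) takes precedence over an inherited one (purple).
    status: direct ? 'red' : viaDeps ? 'purple' : 'clean',
  };
}

const root = chartNode('app', graph, advisories, sharedPackages(graph));
const onDisk = Object.values(graph).reduce((s, p) => s + p.size, 0);
console.log({ displayed: root.displayedSize, onDisk, rootStatus: root.status });
```

Here `debug` and its child `ms` are counted under both `express` and `logger`, so the displayed total exceeds the on-disk total, and the single finding in `qs` marks `express` and `app` purple while `logger` stays clean.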
Samples
Apollo Client 3.7.1
AWS SDK 2.1218.0
Express 4.18.1
Mocha 10.1.0
Mongoose 6.7.0
Nest.js 9.1.2
Redis 4.3.1
NPM CLI 9.0.0
PM2 5.2.2
React Router 6.4.2
Webpack Dev Server 4.11.1
Webpack 5.74.0
Winston 3.8.2