@lacow/vibe-check
Advanced tools
Automated codebase health scanner that detects pathologies common in AI-generated code.
npm install -g @lacow/vibe-check
# Scan current directory
vibe-check .
# JSON output
vibe-check . --json
# CI mode — exit code 1 if score < threshold
vibe-check . --ci --threshold 7
# Run specific rules only
vibe-check . --rules hallucinated-imports,dead-code-paths
# List all available rules
vibe-check --list-rules
# Use a custom config file
vibe-check . --config ./custom-config.json
# Suppress info-level findings
vibe-check . --quiet
# Exclude files ad-hoc
vibe-check . --ignore-pattern "generated/**"
# Generate a .vibecheck config file
vibe-check --init
| Rule | Category | Severity | Description |
|---|---|---|---|
hallucinated-imports | phantom-deps | critical | Detect imports of packages not listed in package.json |
phantom-peer-deps | phantom-deps | warning | Detect imports that rely on peer dependencies instead of declared ones |
dependency-bloat | dependencies | warning | Detects large utility libraries that could be replaced with lighter alternatives |
cross-file-duplication | duplication | warning | Detects copy-pasted logic across different files |
inconsistent-error-handling | consistency | warning | Detects async functions without error handling |
inconsistent-naming | consistency | info | Detects mixed naming conventions within the same file |
orphaned-exports | dead-code | warning | Finds exported symbols that are never imported anywhere in the project |
dead-code-paths | dead-code | warning | Detects unreachable code after return, throw, or process.exit() |
unused-dependencies | dead-code | warning | Finds packages declared in dependencies but never imported in source files |
over-abstraction | architecture | info | Detects single-use abstractions common in AI-generated code |
type-assertion-overuse | type-safety | warning | Detects excessive use of type assertions that bypass type checking |
hardcoded-secrets | security | critical | Detect hardcoded secrets and sensitive credentials in source code |
todo-accumulation | maintenance | info | Detects accumulated TODO/FIXME/HACK comments |
console-remnants | maintenance | info | Detects leftover console.log statements in production code |
commented-out-code | dead-code | warning | Detects blocks of commented-out code |
import { scan } from '@lacow/vibe-check';
const result = await scan({ path: './my-project' });
console.log(result.score); // 0-10
console.log(result.findings); // Finding[]
console.log(result.summary); // { total, critical, warning, info }
MIT
FAQs
Automated codebase health scanner for AI-generated code pathologies
We found that @lacow/vibe-check demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
The worm-enabled campaign hit @emilgroup and @teale.io, then used an ICP canister to deliver follow-on payloads.
Research
/Security News
Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.
Security News
ENISA’s new package manager advisory outlines the dependency security practices companies will need to demonstrate as the EU’s Cyber Resilience Act begins enforcing software supply chain requirements.