
how-dep is a command line tool that analyzes your TypeScript[1] project and tells you which libraries you are most dependent on.
$ yarn global add how-dep
# or npm install -g how-dep
$ how-dep
97 react # react is imported 97 times
55 react-i18next # react-i18next is imported 55 times
47 classnames # etc...
...
By default, how-dep looks for a tsconfig.json file in the current directory, then loads the project and analyzes each file, looking for import statements. It counts how many times each module (3rd party or a local file) is imported and prints a report.
Looking for a single library? Use this flag, passing the library's name (supports regular expressions) [default: "/.*/"]
$ how-dep -l lodash
# or
$ how-dep -l /lodash.*/ # will also catch lodash.get imports (and similar)
A path to a tsconfig.json file [default: "./tsconfig.json"]
$ how-dep -t ../../tsconfig.json
If set to true, will include all imports (not just 3rd party libraries) [default: false]
$ how-dep -a
97 react # node module
55 react-i18next # node module
48 /example/src/hooks/use-current-user # local app module!
...
If set to true, will first print out a report of all import occurrences [default: false]
$ how-dep -f -l classnames
/example/src/App.tsx # file path
2:import cx from 'classnames'; # import statement within that file
/example/src/components/AvatarWall/index.js # another file path
3:import cx from 'classnames'; # import statement within that file
...
If set to true, will generate an HTML report (example) [default: false]
$ how-dep -h
If set to false, will treat imports of files within a 3rd party package as a different module (i.e., lodash and lodash/fp will be counted separately) [default: true]
$ how-dep -m
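The counting and package-merge behaviour described above, as an added example in JavaScript (not how-dep's own code). It assumes a regular expression over constructed sample sources instead of loading the project through tsconfig.json, and `countImports`, `packageRoot` and the sample file names are hypothetical.

```javascript
// Constructed sample sources (file names and contents are invented for this example).
const SAMPLE_FILES = {
  'src/App.tsx': [
    "import React from 'react';",
    "import cx from 'classnames';",
    "import get from 'lodash/get';",
    "import { useUser } from './hooks/use-current-user';",
  ].join('\n'),
  'src/List.tsx': [
    'import React, { useState } from "react";',
    "import fp from 'lodash/fp';",
    "import {\n  Button,\n} from '@acme/ui/button';",
    "import './styles.css';",
  ].join('\n'),
};

// Matches `import x from 'm'`, multi-line named imports, and side-effect `import 'm'`.
const IMPORT_RE = /^\s*import\s+(?:[^'"]*?\sfrom\s+)?['"]([^'"]+)['"]/gm;

// Relative or absolute paths are local app modules, everything else is a package.
const isLocal = (spec) => spec.startsWith('.') || spec.startsWith('/');

// Reduce 'lodash/fp' to 'lodash' and '@acme/ui/button' to '@acme/ui'.
function packageRoot(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Hypothetical helper: options mirror the README's library filter, "all imports"
// and merge settings, with the same defaults.
function countImports(files, { lib = /.*/, all = false, merge = true } = {}) {
  const counts = new Map();
  for (const source of Object.values(files)) {
    for (const [, spec] of source.matchAll(IMPORT_RE)) {
      if (isLocal(spec) && !all) continue; // third-party only unless `all` is set
      const name = merge && !isLocal(spec) ? packageRoot(spec) : spec;
      if (!lib.test(name)) continue;
      counts.set(name, (counts.get(name) || 0) + 1);
    }
  }
  // Most-imported first, as in the sample report; ties sorted by name.
  return [...counts].sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1));
}

console.log(countImports(SAMPLE_FILES));
```

Unlike how-dep, this sketch keeps local specifiers exactly as written rather than resolving them to file paths.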
Clone, run yarn to install dependencies, then yarn link to have the how-dep "binary" linked globally, then:
$ yarn start
Then, after making changes to the code, test them by running how-dep in any one of your projects.
[1] Could run on plain JavaScript projects as well, as long as you provide a tsconfig.json file.
We found that how-dep demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.