
Angular-aware static analysis for architecture, performance, SSR, security, and code quality.
ngcompass is a command-line static analysis tool built for Angular projects. It reads TypeScript, Angular templates, styles, and project configuration without running the application, then reports issues that generic TypeScript linters often miss.
It is designed for teams that want a clearer view of Angular-specific risks: component architecture, rendering performance, SSR compatibility, Signals and RxJS patterns, template safety, and modern Angular API adoption.
| Area | What ngcompass helps find |
|---|---|
| Architecture | Circular dependencies, boundary violations, and fragile component relationships |
| Performance | Missing OnPush, expensive template expressions, missing trackBy, and inefficient bindings |
| SSR | Browser-only APIs in universal code, hydration risks, and render lifecycle pitfalls |
| Security | Unsafe template bindings and sanitizer bypasses |
| Reactivity | RxJS subscription issues, Signals misuse, and migration opportunities |
| Code quality | Deprecated patterns, focused tests, and modern Angular API improvements |
Install the beta CLI globally:
```bash
npm install -g ngcompass@beta
```
Or add it to a project:
```bash
npm install --save-dev ngcompass@beta
```
Using pnpm:
```bash
pnpm add -D ngcompass@beta
```
ngcompass is currently in beta. Install with `@beta` to opt in to the prerelease channel.
```bash
cd my-angular-app
ngcompass init
ngcompass analyze
```
Generate a self-contained visual report:
```bash
ngcompass analyze --format ui
```
Run through a project-local install:
```bash
npx ngcompass analyze
pnpm exec ngcompass analyze
```
| Command | Output |
|---|---|
| `ngcompass analyze` | Default terminal report |
| `ngcompass analyze --format console --compact` | Compact one-line issue output |
| `ngcompass analyze --format html --output report.html` | Self-contained HTML report |
| `ngcompass analyze --format ui` | Interactive HTML report alias |
| `ngcompass analyze --format json > results.json` | Machine-readable JSON |
| `ngcompass analyze --format sarif > results.sarif` | SARIF for GitHub Code Scanning |
Create a configuration file:
```bash
ngcompass init
```
This generates `ngcompass.config.ts`:
```ts
import { defineConfig } from '@ngcompass/config';

export default defineConfig({
  extends: 'ngcompass:recommended',
  include: ['src/**/*.ts', 'src/**/*.html'],
  exclude: [
    'node_modules/**',
    'dist/**',
    'build/**',
    'coverage/**',
    '**/*.d.ts',
    '**/*.spec.ts',
    '**/*.test.ts',
  ],
  profiles: {
    ci: {
      outputFormat: 'json',
      maxWarnings: 0,
    },
  },
});
```
| Preset | Purpose |
|---|---|
| `ngcompass:recommended` | Balanced default for most Angular projects |
| `ngcompass:strict` | Stronger enforcement for mature codebases |
| `ngcompass:performance` | Rendering and change-detection checks |
| `ngcompass:reactivity` | Signals and RxJS correctness |
| `ngcompass:security` | Security-focused Angular checks |
| `ngcompass:ssr` | Server rendering and hydration safety |
| `ngcompass:all` | Every built-in rule at its default severity |
Override individual rules in the same config:
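```ts
import { defineConfig } from '@ngcompass/config';

export default defineConfig({
  // Presets are applied together; entries in `rules` override them.
  extends: ['ngcompass:recommended', 'ngcompass:performance'],
  rules: {
    'prefer-on-push-component-change-detection': 'error',
    'no-document-access': 'warn',
  },
});
```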
| Command | Description |
|---|---|
| `ngcompass init` | Create `ngcompass.config.ts` |
| `ngcompass analyze` | Run analysis |
| `ngcompass rules` | List available rules |
| `ngcompass rules <name>` | Inspect one rule |
| `ngcompass config health` | Validate configuration |
| `ngcompass cache info` | Show cache status |
| `ngcompass cache clear` | Clear cached analysis data |
| `ngcompass cache path` | Print the cache directory |

| Option | Description |
|---|---|
| `--format <fmt>` | `console`, `json`, `sarif`, `html`, or `ui` |
| `--output <path>` | Output path for HTML/UI reports |
| `--compact` | Use compact issue output |
| `-q, --quiet` | Show summary counts only |
| `--no-recommendation` | Hide fix recommendations |
| `--rule <id>` | Run one rule in isolation |
| `--force` | Ignore cached results |
| `-p, --profile <name>` | Run a named config profile |
| `--max-workers <n>` | Limit worker threads |
| `--skip-type-check` | Skip rules that require TypeScript type checking |
ngcompass exits with code 0 when analysis passes and a non-zero code when configured violations are found.
```yaml
- name: Run ngcompass
  run: ngcompass analyze --format sarif > results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
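A complete workflow built around the two steps above, as an added example rather than the project's own configuration. It shows the upload still running when ngcompass exits non-zero, with the job token scoped to what the upload needs. The workflow name, trigger, job name and Node version are assumptions, as is ngcompass being a devDependency with a committed lockfile.

```yaml
# Added example; names, trigger and Node version are assumptions.
name: ngcompass
on: [pull_request]

# Default token scope for every job in this workflow: read-only.
permissions:
  contents: read

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif; granted to this job only
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # Install ngcompass from the lockfile as a devDependency, so CI does not
      # resolve the floating @beta tag to a new release on every run.
      - run: npm ci
      - name: Run ngcompass
        run: npx ngcompass analyze --format sarif > results.sarif
      # ngcompass exits non-zero when configured violations are found, which
      # would skip later steps. always() keeps the upload running so the
      # findings reach Code Scanning, and the job still ends as failed.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Action tags such as `@v3` are mutable references; pinning each `uses:` entry to a full commit SHA is the stricter option.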
ngcompass caches file discovery, execution plans, AST work, rule results, and full analysis output. Warm runs can reuse unchanged work instead of parsing and analyzing the entire project again.
```bash
ngcompass cache info
ngcompass cache clear
ngcompass analyze --force
```
| Package | Responsibility |
|---|---|
| `ngcompass` | CLI entry point |
| `@ngcompass/config` | Config loading, validation, profiles, and health checks |
| `@ngcompass/scanner` | File discovery and filtering |
| `@ngcompass/rules` | Built-in rules, presets, and rule registry |
| `@ngcompass/planner` | Incremental execution planning |
| `@ngcompass/engine` | Rule execution and analysis orchestration |
| `@ngcompass/ast` | TypeScript, template, and style parsing helpers |
| `@ngcompass/cache` | Memory and disk cache services |
| `@ngcompass/reporters` | Console, JSON, SARIF, and HTML reporters |
| `@ngcompass/common` | Shared types and utilities |
| `@ngcompass/site` | Documentation site |
```bash
pnpm install
pnpm build
pnpm test
pnpm typecheck
```
Additional workspace checks:
```bash
pnpm smoke
pnpm validate:packages
pnpm prerelease:check
```
^20.19.0 or >=22.12.0
Command line interface for ngcompass
The npm package ngcompass receives a total of 16 weekly downloads. As such, ngcompass popularity was classified as not popular.
We found that ngcompass demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.