
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
Investigate npm dependency graphs with reverse tracing, duplicate surfacing, and CI-friendly output.
Tracepack is a dependency investigator for modern npm projects.
It helps answer the questions that come up in real repos:
Tracepack is not trying to be a generic graph generator or a browser UI. The goal for v0.1.0 is a fast, maintainable, npm-first tool that produces practical output for terminals, scripts, and CI.
The JavaScript tooling ecosystem already has graphing tools, and npm itself can explain parts of the installed tree. Tracepack exists because day-to-day dependency debugging often needs a tighter loop:
In short: Tracepack is built for investigation, not just visualization.
Tracepack deliberately focuses on a narrower, more opinionated slice of the problem:
It does not try to support every package manager, every policy engine, or every visualization mode in v0.1.0.
npm install --save-dev tracepack
Or run it directly:
npx tracepack
tracepack [options]
Core options:
--json output stable JSON--dot output Graphviz DOT--focus <pkg> show the forward subgraph starting at a package--reverse <pkg> explain why a package is present--max-depth <n> limit rendered depth--omit <dev|peer|optional> omit dependency edge types--source <auto|lockfile|installed|manifest> choose the npm data source--duplicates report duplicate versions--check-duplicates exit with code 2 when duplicates are found--cwd <path> inspect another project directory--help--versionExamples:
tracepack
tracepack --json
tracepack --dot
tracepack --focus react
tracepack --reverse esbuild
tracepack --max-depth 3
tracepack --omit dev
tracepack --duplicates
tracepack --check-duplicates
Tracepack supports three npm-first input modes:
lockfile: parse package-lock.json v2/v3 for deterministic graphsinstalled: inspect the actual installed tree through Arboristmanifest: inspect declared dependencies from package.json files and npm workspacesDefault source selection is:
package-lock.jsonnode_modulespackage.jsonDefault ASCII output:
Tracepack graph (lockfile)
app@1.0.0 [root]
├─ react@18.3.1
│ └─ loose-envify@1.4.0
│ └─ js-tokens@4.0.0
└─ vite@5.4.2
Duplicate versions
- postcss: 8.4.31, 8.4.35
Reverse tracing:
Tracepack reverse view for "esbuild" (lockfile)
app@1.0.0 [root]
└─ vite@5.4.2
└─ esbuild@0.21.5
DOT output is designed to work cleanly with Graphviz and other tooling:
tracepack --dot > graph.dot
dot -Tsvg graph.dot -o graph.svg
import {
buildGraph,
findDuplicates,
findReversePaths,
toAscii,
toDot,
toJson
} from "tracepack";
const graph = await buildGraph({
cwd: process.cwd(),
source: "auto"
});
console.log(toAscii(graph, { reverse: "esbuild" }));
console.log(findDuplicates(graph));
console.log(findReversePaths(graph, "react"));
console.log(toJson(graph));
console.log(toDot(graph));
Public API:
buildGraph(options)findDuplicates(graph)findReversePaths(graph, packageName, options?)toAscii(graph, options?)toJson(graph, options?)toDot(graph, options?)Tracepack is designed to be useful outside interactive terminals.
--check-duplicates returns exit code 2 when duplicate versions are foundExample:
tracepack --check-duplicates
tracepack --json > tracepack-report.json
Tracepack keeps a clear separation between:
See docs/architecture.md for the short architectural notes.
Planned follow-up work includes:
npm install
npm run lint
npm run typecheck
npm test
npm run build
The release checklist for the initial version lives in docs/release-plan-v0.1.0.md.
Contributions are welcome, especially around npm graph correctness, reverse tracing, duplicate detection, and documentation quality.
Please read:
FAQs
Investigate npm dependency graphs with reverse tracing, duplicate surfacing, and CI-friendly output.
We found that tracepack demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.