{"id":13465036,"url":"https://github.com/sverweij/dependency-cruiser","last_synced_at":"2026-05-23T22:02:12.468Z","repository":{"id":37245916,"uuid":"74299372","full_name":"sverweij/dependency-cruiser","owner":"sverweij","description":"Validate and visualize dependencies. Your rules. JavaScript, TypeScript, CoffeeScript. ES6, CommonJS, AMD.","archived":false,"fork":false,"pushed_at":"2026-05-14T09:23:53.000Z","size":66062,"stargazers_count":6646,"open_issues_count":35,"forks_count":282,"subscribers_count":22,"default_branch":"main","last_synced_at":"2026-05-14T11:34:16.282Z","etag":null,"topics":["architecture-diagram","circular-dependencies","dependencies","dependency-analysis","dependency-cruiser","dependency-graph","javascript","jsx","static-analysis","tsx","typescript","vue"],"latest_commit_sha":null,"homepage":"https://npmjs.com/dependency-cruiser","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sverweij.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-11-20T20:05:37.000Z","updated_at":"2026-05-14T09:33:49.000Z","dependencies_parsed_at":"2023-09-23T20:18:49.979Z","dependency_job_id":"6f961fa4-9793-4452-a379-9e742ff79add","html_url":"https://github.com/sverweij/dependency-cruiser","commit_stats":{"total_commits":2143,"total_committers":47,"mean_commits":45.59574468085106,"dds":"0.030797946803546417","last_synced_commit":"1ca77ec057b11e63a5ba25550b
14cdfe9bea5c95"},"previous_names":[],"tags_count":589,"template":false,"template_full_name":null,"purl":"pkg:github/sverweij/dependency-cruiser","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sverweij%2Fdependency-cruiser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sverweij%2Fdependency-cruiser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sverweij%2Fdependency-cruiser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sverweij%2Fdependency-cruiser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sverweij","download_url":"https://codeload.github.com/sverweij/dependency-cruiser/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sverweij%2Fdependency-cruiser/sbom","scorecard":{"id":861164,"data":{"date":"2025-08-11","repo":{"name":"github.com/sverweij/dependency-cruiser","commit":"8a52b07a2e868fc72c6019b7b2a08df5df34d576"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7.2,"checks":[{"name":"Maintained","score":10,"reason":"23 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Code-Review","score":0,"reason":"Found 2/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-schedule.yml:27","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-schedule.yml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/prerelease.yml:11","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:3","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/ci.yml:4","Info: topLevel 'actions' permission set to 'read': .github/workflows/ci.yml:5","Warn: no topLevel permission defined: .github/workflows/codeql-schedule.yml:1","Warn: no topLevel permission defined: .github/workflows/prerelease.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/semantic-pr-title.yml:10","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub 
Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/prerelease.yml:7"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using 
https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-schedule.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/codeql-schedule.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-schedule.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/codeql-schedule.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-schedule.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/codeql-schedule.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prerelease.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/prerelease.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/prerelease.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/prerelease.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:15: update your workflow using 
https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/sverweij/dependency-cruiser/stale.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:59","Info:   0 out of  15 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (10) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T01:18:00.328Z","repository_id":37245916,"created_at":"2025-08-24T01:18:00.328Z","updated_at":"2025-08-24T01:18:00.328Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33413623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T18:09:33.147Z","status":"ssl_error","status_checked_at":"2026-05-23T18:09:31.380Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["architecture-diagram","circular-dependencies","dependencies","dependency-analysis","dependency-cruiser","dependency-graph","javascript","jsx","static-analysis","tsx","typescript","vue"],"created_at":"2024-07-31T14:00:55.639Z","updated_at":"2026-05-23T22:02:12.451Z","avatar_url":"https://github.com/sverweij.png","language":"JavaScript","funding_links":[],"categories":["Documentation as Code","JavaScript","Packages","javascript","前端开发框架及项目"],"sub_categories":["Design Patterns","多工具库支持或纯JS"],"readme":"# Dependency cruiser ![Dependency cruiser](https://raw.githubusercontent.com/sverweij/dependency-cruiser/main/doc/assets/ZKH-Dependency-recolored-160.png)\n\n_Validate and visualise dependencies. With your rules._ JavaScript. TypeScript. CoffeeScript. 
ES6, CommonJS, AMD.\n\n## What's this do?\n\n![Snazzy dot output to whet your appetite](https://raw.githubusercontent.com/sverweij/dependency-cruiser/main/doc/assets/sample-dot-output.png)\n\nThis runs through the dependencies in any JavaScript, TypeScript, LiveScript or CoffeeScript project and ...\n\n- ... **validates** them against (your own) [rules](./doc/rules-reference.md)\n- ... **reports** violated rules\n  - in text (for your builds)\n  - in graphics (for your eyeballs)\n\nAs a side effect it can generate dependency graphs in various output formats including [**cool visualizations**](./doc/real-world-samples.md)\nyou can stick on the wall to impress your grandma.\n\n## How do I use it?\n\n### Install it ...\n\n```shell\nnpm install --save-dev dependency-cruiser\n# or\nyarn add -D dependency-cruiser\npnpm add -D dependency-cruiser\n```\n\n### ... and generate a config\n\n```shell\nnpx depcruise --init\n```\n\nThis will look around in your environment a bit, ask you some questions and create\na `.dependency-cruiser.js` configuration file attuned to your project[^1][^2].\n\n[^1]:\n    We're using `npx` in the example scripts for convenience. When you use the\n    commands in a script in `package.json` it's not necessary to prefix them with\n    `npx`.\n\n[^2]:\n    If you don't want to use `npx`, but instead `pnpx` (from the `pnpm`\n    package manager) or `yarn` - please refer to that tool's documentation.\n    Particularly `pnpx` has semantics that differ from `npx` quite significantly\n    and that you want to be aware of before using it. In the meantime: `npx`\n    _should_ work even when you installed the dependency with a package manager\n    different from `npm`.\n\n### Show stuff to your grandma\n\nTo create a graph of the dependencies in your src folder, you'd run dependency\ncruiser with output type `dot` and run _GraphViz dot_[^3] on the result. 
In\na one liner:\n\n```shell\nnpx depcruise src --include-only \"^src\" --output-type dot | dot -T svg \u003e dependency-graph.svg\n```\n\n\u003e \u003cdetails\u003e\n\u003e \u003csummary\u003edependency-cruiser v12 and older: add --config option\u003c/summary\u003e\n\u003e\n\u003e While not necessary from dependency-cruiser v13 and later, in v12 and older\n\u003e you'll have to pass the --config option to make it find the .dependency-cruiser.js\n\u003e configuration file:\n\u003e\n\u003e ```shell\n\u003e npx depcruise src --include-only \"^src\" --config --output-type dot | dot -T svg \u003e dependency-graph.svg\n\u003e ```\n\n\u003c/details\u003e\n\n- You can read more about what you can do with `--include-only` and other command line\n  options in the [command line interface](./doc/cli.md) documentation.\n- _[Real world samples](./doc/real-world-samples.md)_\n  contains dependency cruises of some of the most used projects on npm.\n- If your grandma is more into formats like `mermaid`, `json`, `csv`, `html` or plain text\n  we've [got her covered](./doc/cli.md#--output-type-specify-the-output-format)\n  as well.\n\n[^3]:\n    This assumes the GraphViz `dot` command is available - on most linux and\n    comparable systems this will be. 
In case it's not, see\n    [GraphViz' download page](https://www.graphviz.org/download/) for instructions\n    on how to get it on your machine.\n\n### Validate things\n\n#### Declare some rules\n\nWhen you ran `depcruise --init` above, the command also added some rules\nto `.dependency-cruiser.js` that make sense in most projects, like detecting\n**circular dependencies**, dependencies **missing** in package.json, **orphans**,\nand production code relying on dev- or optionalDependencies.\n\nStart adding your own rules by tweaking that file.\n\nSample rule:\n\n```json\n{\n  \"forbidden\": [\n    {\n      \"name\": \"not-to-test\",\n      \"comment\": \"don't allow dependencies from outside the test folder to test\",\n      \"severity\": \"error\",\n      \"from\": { \"pathNot\": \"^test\" },\n      \"to\": { \"path\": \"^test\" }\n    }\n  ]\n}\n```\n\n- To read more about writing rules check the\n  [writing rules](./doc/rules-tutorial.md) tutorial\n  or the [rules reference](./doc/rules-reference.md)\n\n#### Report them\n\n```sh\nnpx depcruise src\n```\n\n\u003e \u003cdetails\u003e\n\u003e \u003csummary\u003edependency-cruiser v12 and older: add --config option\u003c/summary\u003e\n\u003e\n\u003e While not necessary from dependency-cruiser v13, in v12 and older you'll have\n\u003e to pass the --config option to make it find the .dependency-cruiser.js\n\u003e configuration file:\n\u003e\n\u003e ```shell\n\u003e npx depcruise --config .dependency-cruiser.js src\n\u003e ```\n\n\u003c/details\u003e\n\nThis will validate against your rules and show any violations in an eslint-like format:\n\n![sample err output](https://raw.githubusercontent.com/sverweij/dependency-cruiser/main/doc/assets/sample-err-output.png)\n\nThere are more ways to report validations: in a graph (like the one on top of this\nreadme) or in a self-contained `html` file.\n\n- Read more about the err, dot, csv and html reporters in the\n  [command line interface](./doc/cli.md)\n  documentation.\n- 
dependency-cruiser uses itself to check on itself in its own build process;\n  see the `depcruise` script in the\n  [package.json](https://github.com/sverweij/dependency-cruiser/blob/main/package.json#L76)\n\n## I want to know more!\n\nYou've come to the right place :-) :\n\n- Usage\n  - [Command line reference](./doc/cli.md)\n  - [Writing rules](./doc/rules-tutorial.md)\n  - [Rules reference](./doc/rules-reference.md)\n  - [Options reference](./doc/options-reference.md)\n  - [FAQ](./doc/faq.md)\n- Hacking on dependency-cruiser\n  - [API](./doc/api.md)\n  - [Output format](./doc/output-format.md)\n  - [Adding other output formats](./doc/faq.md#q-how-do-i-add-a-new-output-format)\n  - [Adding support for other alt-js languages](./doc/faq.md#q-how-do-i-add-support-for-my-favorite-alt-js-language)\n- Other things\n  - [Road map](https://github.com/sverweij/dependency-cruiser/projects/1)\n  - [Contact](./doc/faq.md#contact)\n  - [Real world show cases](./doc/real-world-samples.md)\n  - [TypeScript, CoffeeScript and LiveScript support](./doc/faq.md#features)\n  - [Support for .jsx, .tsx, .csx/ .cjsx, .vue and .svelte](./doc/faq.md#q-im-developing-in-react-and-use-jsx-tsx-csx-cjsx-how-do-i-get-that-to-work)\n  - [Webpack alias/ modules support](./doc/faq.md#q-does-this-work-with-webpack-configs-eg-alias-and-modules)\n\n## License\n\n[MIT](LICENSE)\n\n## Thanks\n\n- [Marijn Haverbeke](http://marijnhaverbeke.nl) and other people who\n  collaborated on [acorn](https://github.com/ternjs/acorn) -\n  the excellent JavaScript parser dependency-cruiser uses to infer\n  dependencies.\n- [Katerina Limpitsouni](https://twitter.com/ninaLimpi) of [unDraw](https://undraw.co/)\n  for the ollie in dependency-cruiser's\n  [social media image](https://repository-images.githubusercontent.com/74299372/239ed080-370b-11ea-8fe7-140cf7b90a33).\n- All members of the open source community who have been kind enough to raise issues,\n  ask questions and make pull requests to get dependency-cruiser 
to be a better\n  tool.\n\n## Build status\n\n[![GitHub Workflow Status](https://github.com/sverweij/dependency-cruiser/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/sverweij/dependency-cruiser/actions/workflows/ci.yml)\n[![coverage](https://gitlab.com/sverweij/dependency-cruiser/badges/master/coverage.svg)](https://gitlab.com/sverweij/dependency-cruiser/builds)\n[![total downloads on npm](https://img.shields.io/npm/dt/dependency-cruiser.svg?maxAge=2591999)](https://npmjs.com/package/dependency-cruiser)\n\nMade with :metal: in Holland.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsverweij%2Fdependency-cruiser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsverweij%2Fdependency-cruiser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsverweij%2Fdependency-cruiser/lists"}