Tags: SemVer 2.0.0 · OWASP A06 · NTIA SBOM · CycloneDX 1.6 · GHSA / CVE · Deep Prototype

DependencyDrift — Direct + Transitive Lockfile Audit

38 packages (npm + pip + Apache) audited across direct + transitive. Per package: locked version, latest, semver-distance, days-behind, known CVEs, license, services using. Surfaces 4 packages with version drift across services + 6 with major-version skew + 2 phantom dependencies (in node_modules but not in package.json).


What it is

The companion to SbomScanner (CVE-focused) but for the operational mess: which packages are at different versions across the org, which are stuck on a major version behind, which are phantom installs that nobody declared.

What’s in it

  • 38 packages spanning npm + pip ecosystems, direct + transitive + phantom.
  • Per-package shape:
    • locked version + latest
    • semver distance (major / minor / patch / current)
    • days behind latest
    • known CVEs (GHSA / CVE references)
    • license (MIT / Apache-2.0 / BSD / ISC / HPND)
    • services using (with each service’s actual version — drift visible)
  • Worst-offender findings:
    • axios — 3 versions across services (1.7.4 / 1.7.7 / 1.6.8)
    • node-fetch — drift + 1 major behind in app-monolith (v3 is ESM-only)
    • jsonwebtoken — 1 major behind + CRITICAL CVE-2022-23529 (token-verify bypass)
    • lodash 4.17.20 — CVE-2021-23337 (high-severity command-injection)
    • moment 2.29.0 — CVE-2022-31129 (ReDoS) + library is in maintenance mode
    • left-pad / underscore — PHANTOM packages (in node_modules, not in package.json)
  • Per-package suggested action: pnpm up, pnpm overrides, --frozen-lockfile.
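The three checks in the per-package shape above (semver distance, cross-service drift, phantom installs) can be stated as a few small functions. The block below is an added example, not DependencyDrift's own code; every service name, version, release date and dependency graph in it is constructed sample data (the axios versions echo the drift described on this page, but the "latest" values and dates are placeholders, not registry output). It goes slightly beyond the page's phantom definition by also excluding packages reachable through the lockfile graph, so ordinary transitive dependencies are not misreported as phantoms.

```javascript
// Added example (not DependencyDrift's code): semver distance, cross-service
// drift and phantom-install detection over constructed sample data.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Classify how far a locked version sits behind the latest:
// 'major' | 'minor' | 'patch' | 'current'.
function semverDistance(locked, latest) {
  const l = parseSemver(locked), n = parseSemver(latest);
  if (n[0] > l[0]) return 'major';
  if (n[0] === l[0] && n[1] > l[1]) return 'minor';
  if (n[0] === l[0] && n[1] === l[1] && n[2] > l[2]) return 'patch';
  return 'current';
}

// Whole days between the locked version's release date and the latest release.
function daysBehind(lockedReleasedAt, latestReleasedAt) {
  const ms = Date.parse(latestReleasedAt) - Date.parse(lockedReleasedAt);
  return Math.max(0, Math.floor(ms / 86400000));
}

// services: { svcName: { locked: { pkg: version } } }
// Returns { pkg: { svcName: version } } for packages locked at more than one
// distinct version across services (the "drift" finding).
function findDrift(services) {
  const byPkg = {};
  for (const [svc, { locked }] of Object.entries(services)) {
    for (const [pkg, ver] of Object.entries(locked)) {
      if (!byPkg[pkg]) byPkg[pkg] = {};
      byPkg[pkg][svc] = ver;
    }
  }
  const drift = {};
  for (const [pkg, perSvc] of Object.entries(byPkg)) {
    if (new Set(Object.values(perSvc)).size > 1) drift[pkg] = perSvc;
  }
  return drift;
}

// A phantom is present at the top level of node_modules but is neither declared
// in package.json nor reachable from a declared package via the lockfile graph.
// declared: array of package names; lockGraph: { pkg: { deps: [names] } };
// installed: top-level node_modules directory names.
function findPhantoms(declared, lockGraph, installed) {
  const reachable = new Set();
  const stack = [...declared];
  while (stack.length) {
    const pkg = stack.pop();
    if (reachable.has(pkg)) continue;
    reachable.add(pkg);
    const deps = (lockGraph[pkg] && lockGraph[pkg].deps) || [];
    for (const dep of deps) stack.push(dep);
  }
  return installed.filter((p) => !reachable.has(p)).sort();
}

// Constructed sample inventory: three services, two packages.
const SAMPLE_SERVICES = {
  'app-monolith': { locked: { axios: '1.7.4', 'node-fetch': '2.7.0' } },
  'mobile-api': { locked: { axios: '1.7.7' } },
  cli: { locked: { axios: '1.6.8' } },
};
// Placeholder "latest" versions; not live registry data.
const SAMPLE_LATEST = { axios: '1.7.7', 'node-fetch': '3.3.2' };

// One row per (service, package): locked, latest, distance, drift flag.
function auditReport(services = SAMPLE_SERVICES, latest = SAMPLE_LATEST) {
  const drift = findDrift(services);
  const rows = [];
  for (const [svc, { locked }] of Object.entries(services)) {
    for (const [pkg, ver] of Object.entries(locked)) {
      rows.push({
        service: svc, pkg, locked: ver, latest: latest[pkg],
        distance: semverDistance(ver, latest[pkg]), drift: pkg in drift,
      });
    }
  }
  return { rows, drift };
}

// Constructed lockfile graph and node_modules listing for the phantom check.
const SAMPLE_LOCK_GRAPH = {
  axios: { deps: ['follow-redirects'] },
  'follow-redirects': { deps: [] },
  'left-pad': { deps: [] },
};
const SAMPLE_INSTALLED = ['axios', 'follow-redirects', 'left-pad'];

function demo() {
  for (const row of auditReport().rows) console.log(row);
  console.log('phantoms:', findPhantoms(['axios'], SAMPLE_LOCK_GRAPH, SAMPLE_INSTALLED));
}
demo();
```

On the sample data the report marks axios as drifting (three distinct locked versions), classifies app-monolith's node-fetch as a full major behind, and reports left-pad as the only phantom, since follow-redirects is reachable from the declared axios through the lock graph.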

Why this shape

OWASP Top-10 A06 (Vulnerable + Outdated Components) is the failure mode this audit catches. NTIA SBOM mandate (Executive Order 14028) + CycloneDX 1.6 demand the per-package inventory. The hardest finding: drift across services — ImagineCorp had axios 1.7.4 in app-monolith, 1.7.7 in mobile-api, 1.6.8 in cli — different bug profiles. DependencyDrift surfaces all three at once.

How it ships

Single HTML file, ~19KB. Zero dependencies. 38 packages × per-service version map + suggested-action templates in 220 lines of vanilla JavaScript.
