sandworm

Beautiful Visualizations For Your App's Dependencies 🪱

• Outputs SVGs
• Powered by D3
• Overlays security vulnerabilities
• Overlays package license info
• Works with npm, yarn, and pnpm
• Made by the team behind Sandworm - Easy auditing & sandboxing for your JavaScript dependencies

Warning Sandworm does NOT currently support workspaces.

Get Involved

• Have a support question? Post it here.
• Have a feature request? Post it here.
• Did you find a security issue? See SECURITY.md.
• Did you find a bug? Post an issue.
• Want to write some code? See CONTRIBUTING.md.

Install

yarn global add sandworm # or npm install -g sandworm

Options

Options:
      --version          Show version number                           [boolean]
      --help             Show help                                     [boolean]
  -o, --output           The name of the output directory, relative to the
                         application path        [string] [default: ".sandworm"]
  -d, --include-dev      Include dev dependencies     [boolean] [default: false]
  -v, --show-versions    Show package versions        [boolean] [default: false]
  -t, --type             Visualization type[string] [choices: "tree", "treemap"]
  -p, --path             The application path    [string] [default: current dir]
      --md, --max-depth  Max depth to represent                         [number]

Chart Types

Treemap

• Node colors represent the dependency depth;
• Node surface represents the size of the corresponding directory under node_modules;
• A dotted pattern in a node background means the package is a shared dependency, required by multiple packages, and present multiple times in the chart;
• Shared dependency sizes are added to every dependent package, to represent the independent size structure properly; hence, the displayed size might be larger than the actual size on disk;
• A red package background means the package has direct vulnerabilities;
• A purple package background means the package depends on other vulnerable packages;
• Click on a node to make the tooltip persist; click outside to close it;
• When representing deep dependencies, the surface area of certain packages might reach zero, making them invisible.

Tree

• Nodes are grouped by color based on the root dependency that they belong to;
• Red text in a package name means the package has direct vulnerabilities;
• Purple text in a package name means the package depends on other vulnerable packages;
• Click on a node to make the tooltip persist; click outside to close it;
• By default, the tree chart has a maximum depth of 7, meaning only seven levels of dependencies will be represented, to keep the output readable; you can override this using the --md option.

Samples

• Apollo Client 3.7.1

  • Tree
  • Treemap

• AWS SDK 2.1218.0

  • Tree
  • Treemap

• Express 4.18.1

  • Tree
  • Treemap

• Mocha 10.1.0

  • Tree
  • Treemap

• Mongoose 6.7.0

  • Tree
  • Treemap

• Nest.js 9.1.2

  • Tree
  • Treemap

• Redis 4.3.1

  • Tree
  • Treemap

• NPM CLI 9.0.0

  • Tree
  • Treemap

• PM2 5.2.2

  • Tree
  • Treemap

• React Router 6.4.2

  • Tree
  • Treemap

• Webpack Dev Server 4.11.1

  • Tree
  • Treemap

• Webpack 5.74.0

  • Tree
  • Treemap

• Winston 3.8.2

  • Tree
  • Treemap