Every npm install pulls code you did not write. Dependencies nest inside dependencies. A single typo in a popular name, a postinstall script, or a dormant package can compromise your machine — long before CVE databases catch up.

Seerpack lives in VS Code and reads your workspace the way a security reviewer would: package identity, dependency depth, scripts, maintainer signals, and known-bad patterns. You get a 0–100 trust score per package so you can decide what stays in your tree.

The npm Supply Chain Is a Soft Target

Registries move fast. Attackers register lookalike names, hijack maintainers, or slip malware into install scripts. npm audit is essential — but it is not a substitute for understanding who you are trusting and how deep the graph goes.

Typosquatting (1 typo): Names one character off from lodash or axios get thousands of installs before anyone notices.
Install Scripts (RCE): preinstall / postinstall run with your user privileges during CI and local dev.
Depth & Drift: Transitive deps change silently on lockfile churn. Risk compounds every level down the tree.

6 analysis dimensions · 0–100 trust score per package · deps in a tree · 1 bad package is enough
Six analysis dimensions

How Seerpack Scores a Package

Seerpack combines static signals from your manifest and lockfile with heuristics tuned for npm — not a generic “vuln count,” but a weighted view of trust you can act on in the editor.

Dim 01 · Identity & typosquatting: Levenshtein-style distance to top packages, scoped vs unscoped naming, and suspicious publisher patterns.
Dim 02 · Graph depth & reach: How far a package sits from your app root; shallow widely-used deps vs deep one-off leaves.
Dim 03 · Install & lifecycle scripts: Flags preinstall, postinstall, and other high-risk hooks.
Dim 04 · Maintainer signals: Publish cadence, account age proxies, and anomalies that correlate with takeover risk.
Dim 05 · CVE & advisory overlap: Where advisories exist, they feed the score — without replacing npm audit or your lockfile tooling.
Dim 06 · Registry & ecosystem fit: Signals that separate widely-vetted packages from one-off experiments in your graph.
Live demo

See a workspace scan

This simulates Seerpack’s terminal output. The real extension runs against your package.json and lockfile in the active workspace.

Trust score bands

What the 0–100 score means

Score    Band      Meaning
80–100   Healthy   Strong signals; typical for well-known, well-maintained packages.
60–79    Review    One or more caution flags — verify before adding to production.
40–59    Elevated  Serious concerns: scripts, similarity, or depth issues warrant action.
0–39     Critical  Treat as untrusted until proven otherwise; remove or replace.
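The identity, install-script and depth dimensions listed above, mapped onto the score bands in this table, as an added example that is not Seerpack's own code: a small JavaScript analyzer over a lockfile-v3-shaped "packages" map. The POPULAR list, the per-flag weights and the reliance on npm's hasInstallScript lockfile field are assumptions made for illustration.

```javascript
// Added example (not Seerpack's code): typosquat distance, install-script and depth signals
// read from a lockfile-v3-shaped "packages" map, folded into an illustrative 0-100 score.
const POPULAR = ["lodash", "axios", "express"]; // assumed short list of well-known names
// Plain Levenshtein edit distance (single-row DP) for the identity dimension.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}
// Lockfile keys look like "node_modules/a/node_modules/b"; the count of
// node_modules segments is the nesting depth (1 = direct dependency of the root).
function nameAndDepth(lockPath) {
  const parts = lockPath.split("node_modules/").slice(1);
  return { name: parts[parts.length - 1].replace(/\/$/, ""), depth: parts.length };
}
// Bands follow the page's table: 80-100 Healthy, 60-79 Review, 40-59 Elevated, 0-39 Critical.
const band = s => (s >= 80 ? "Healthy" : s >= 60 ? "Review" : s >= 40 ? "Elevated" : "Critical");
// Score one lockfile entry. Weights (45 typo, 30 install script, 10 per extra level) are
// an assumption for illustration, not Seerpack's actual model.
function scorePackage(lockPath, meta) {
  const { name, depth } = nameAndDepth(lockPath);
  const near = POPULAR.find(p => p !== name && levenshtein(name, p) <= 1);
  const flags = [];
  if (near) flags.push(`name is 1 edit away from "${near}"`);
  if (meta.hasInstallScript) flags.push("declares an install lifecycle script");
  if (depth > 1) flags.push(`transitive dependency at depth ${depth}`);
  const score = Math.max(0, 100 - (near ? 45 : 0) - (meta.hasInstallScript ? 30 : 0) - 10 * (depth - 1));
  return { name, depth, flags, score, band: band(score) };
}
// Lowest trust first, skipping the "" entry that describes the root project itself.
function analyze(lock) {
  return Object.entries(lock.packages).filter(([p]) => p !== "")
    .map(([p, meta]) => scorePackage(p, meta)).sort((x, y) => x.score - y.score);
}
// Constructed lockfile fragment, not a real project: "lodas" mimics a typosquat of lodash.
const SAMPLE_LOCK = { packages: {
  "": { name: "my-app" },
  "node_modules/lodash": { version: "4.17.21" },
  "node_modules/lodas": { version: "0.0.1", hasInstallScript: true },
  "node_modules/lodas/node_modules/native-helper": { version: "1.0.0", hasInstallScript: true },
} };
console.table(analyze(SAMPLE_LOCK));
```

The lockfile only records whether a package has an install hook; the hook names themselves (preinstall, postinstall) come from that package's own package.json under node_modules.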
Comparison

How Seerpack fits your workflow

Capabilities, compared across npm audit, manual review, and Seerpack:
Editor-native trust view
Typosquat / identity heuristics
Install-script risk surfacing
0–100 score per package
Known CVE / advisory signals
Product

What you get in VS Code

Workspace scan: Point at a folder with package.json / lockfile; see the full dependency picture.
Trust score column: Sort and filter packages by score to focus review time where it matters.
Drill-down: Open rationale for each dimension that moved the needle.
Local-first: Designed so your source tree is not uploaded for scoring.
Suite fit: Same Seerror design language as Seerguard, Seertrap, and Seerraze.
CI-friendly mindset: Catch risky deps before they merge — complement lockfile and audit gates.

Example: what Seerpack reads

A minimal manifest is enough to start resolving the tree — Seerpack layers signals on top of what npm installs.

{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "lodash": "^4.17.21",
    "axios": "^1.6.0"
  }
}
FAQ

Questions

No, Seerpack does not replace npm audit. It complements audit and lockfile discipline with trust-oriented signals — typosquats, scripts, depth — that audit alone does not cover.

Seerpack is built local-first. See the Seerpack privacy policy and the extension details on the Marketplace for the exact posture and any optional telemetry.

npm, pnpm, and Yarn-style trees are the target; the extension page lists current lockfile support per release.

Any JavaScript or TypeScript workspace that uses npm dependencies can benefit — internal monorepos included.

Install from the VS Code Marketplace
Marketplace → Install → Open a workspace with package.json → Run Seerpack