README
ΒΆ
Vibe Validator
[oo] Vibe check your dependencies.
vibe-validator is a cross-platform CLI tool that scans your project for suspicious or shady dependencies across Python (PyPI), JavaScript (npm), and Go modules.
It flags packages that:
[x]Don't exist in public registries[~]Are recently changed (less than 30 days old)[β]Pass the vibe check
π§ͺ Supported Ecosystems
- Python:
requirements.txt,Pipfile.lock(lockfile support via--include-lockfiles) - Node.js:
package.json(includesdependencies&devDependencies),package-lock.json,yarn.lock,pnpm-lock.yaml(lockfile support via--include-lockfiles) - Go:
go.mod
More to come: Dockerfiles, source import scanning.
π¦ Installation
Build from source (requires Go 1.24+):
git clone https://github.com/Kelcode-Dev/vibe-validator.git
cd vibe-validator
go build -o vibe-validator
Or install globally (once released):
go install github.com/Kelcode-Dev/vibe-validator@0.2.0
π Usage
vibe-validator <path-to-project> [--include-lockfiles]
Examples:
vibe-validator .
vibe-validator ./tests/npm --include-lockfiles # includes package lock files
vibe-validator ~/code/my-cool-app --include-vendor # includes vendor specific package files
vibe-validator ./tests -vv # max verbosity
β Output Format
Terminal-friendly output:
[oo] Scanning: ./my-app
[vibe-validator] Dependency Vibe Report
pypi:
[β] requests - tests/pypi/requirements.txt
[β] shady-lib Not found on PyPI tests/pypi/Pipfile.lock
npm:
[β] express - tests/npm/package-lock.json, tests/npm/package.json
[β] weird-package Not found on npm tests/npm/package-lock.json
go:
[~] github.com/sus/module Recently added (3 days ago) tests/go/go.mod
Verbosity Levels
- By default (no verbosity flags), only packages needing attention are shown: [β] (not found) and [~] (investigate)
-vadds all [β] (safe) packages to the output-vvincludes a count and detailed scanning logs of all dependencies found (including duplicates)
π οΈ Roadmap
- GitHub repo validation (e.g. missing README, license, stars)
- Source file import scanning (
import,require) - Output options:
--json,--yaml,--markdown - CI-friendly exit codes (
--strict) - Package risk scores / badges
- New validators for PHP Composer, Ruby Gemfiles, extensions to existing validators for things like poetry etc.
π License
MIT β but if you use this to vibe-check your production stack, please consider buying your devs coffee β
π Changelog
0.2.0 - 2025-06-30
- Refactored scanner architecture to driver-based pattern for easier extensibility
- Added PHP, Ruby, and Rust dependency scanners and validators
- Improved CLI with verbosity flags for progressive output
0.1.1 - 2025-06-30
- Support for vendor folders and lockfile scanning (
--include-vendor,--include-lockfiles)
0.1.0 - 2025-06-30
- Initial release supporting Python, JavaScript, and Go dependencies
- Basic validation of package existence and recent publish dates
- Terminal-friendly dependency vibe report output
Documentation
ΒΆ
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.