Every npm install pulls code you did not write. Dependencies nest inside dependencies. A single typo in a popular name, a postinstall script, or a dormant package can compromise your machine — long before CVE databases catch up.

Seerpack lives in VS Code and reads your workspace the way a security reviewer would: package identity, dependency depth, scripts, maintainer signals, and known-bad patterns. You get a 0–100 trust score per package so you can decide what stays in your tree.

The npm Supply Chain Is a Soft Target

Registries move fast. Attackers register lookalike names, hijack maintainers, or slip malware into install scripts. npm audit is essential — but it is not a substitute for understanding who you are trusting and how deep the graph goes.

🎭 Typosquatting (1 typo)
Names one character off from lodash or axios get thousands of installs before anyone notices.

🪝 Install Scripts (RCE)
preinstall / postinstall run with your user privileges during CI and local dev.

🧱 Depth & Drift
Transitive deps change silently on lockfile churn. Risk compounds every level down the tree.

By the numbers: 6 analysis dimensions · 0–100 trust score per package · deps in a tree · 1 bad pkg is enough

How Seerpack Scores a Package

Seerpack combines static signals from your manifest and lockfile with heuristics tuned for npm — not a generic “vuln count,” but a weighted view of trust you can act on in the editor.

Dim 01 · 🏷️ Identity & typosquatting
Levenshtein-style distance to top packages, scoped vs unscoped naming, and suspicious publisher patterns.

Dim 02 · 🌳 Graph depth & reach
How far a package sits from your app root; shallow widely-used deps vs deep one-off leaves.

Dim 03 · ⚡ Install & lifecycle scripts
Flags preinstall, postinstall, and other high-risk hooks.

Dim 04 · 👤 Maintainer signals
Publish cadence, account age proxies, and anomalies that correlate with takeover risk.

Dim 05 · 🛡️ CVE & advisory overlap
Where advisories exist, they feed the score — without replacing npm audit or your lockfile tooling.

Dim 06 · 📦 Registry & ecosystem fit
Signals that separate widely-vetted packages from one-off experiments in your graph.
Interactive demo

See a workspace scan

Use the interactive demo below to watch Seerpack detect package.json, open the trust dashboard, and review scores. The real extension runs against your lockfile in the active workspace.

Trust score bands

What the 0–100 score means

Score   | Band     | Meaning
80–100  | Healthy  | Strong signals; typical for well-known, well-maintained packages.
60–79   | Review   | One or more caution flags — verify before adding to production.
40–59   | Elevated | Serious concerns: scripts, similarity, or depth issues warrant action.
0–39    | Critical | Treat as untrusted until proven otherwise; remove or replace.
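To make the dimensions and the score bands above concrete, here is a small added example of a trust scorer written for this page; it is not Seerpack's own code and does not reproduce its weights. It implements two of the six dimensions (Dim 01, edit distance of a package name to a shortlist of popular names, and Dim 03, presence of install-time lifecycle hooks), applies constructed penalties to a 0–100 score, and maps the result onto the bands in the table. The `POPULAR` list, the penalty values, the hook list and the sample manifests are all assumptions made up for illustration.

```javascript
// Added example (not Seerpack's code): a toy trust scorer covering two of the
// dimensions described on the page (identity/typosquat distance and lifecycle
// scripts) and mapping the result onto the page's 0-100 bands. The popular-name
// shortlist, penalty weights, hook list and manifests are constructed here.

// Constructed shortlist standing in for "top packages" on the registry.
const POPULAR = ["lodash", "axios", "express", "react", "chalk"];

// Classic dynamic-programming Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  const cols = b.length + 1;
  let prev = Array.from({ length: cols }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[cols - 1];
}

// Dim 01: a name within two edits of a popular package it is not identical to
// is a typosquat candidate. Returns { closest, distance } or null.
function identityFlag(name) {
  const bare = name.startsWith("@") ? name.split("/")[1] : name; // drop @scope/
  if (POPULAR.includes(bare)) return null; // exact match is the real package
  let best = null;
  for (const p of POPULAR) {
    const d = levenshtein(bare, p);
    if (best === null || d < best.distance) best = { closest: p, distance: d };
  }
  return best && best.distance <= 2 ? best : null;
}

// Dim 03: lifecycle hooks that execute code during `npm install`.
const RISKY_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
function scriptFlags(manifest) {
  const scripts = manifest.scripts || {};
  return RISKY_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
}

// Start at 100 and subtract constructed penalties; floor at 0.
function trustScore(manifest) {
  let score = 100;
  const reasons = [];
  const id = identityFlag(manifest.name);
  if (id) {
    score -= 45;
    reasons.push(`name is ${id.distance} edit(s) from popular package "${id.closest}"`);
  }
  const hooks = scriptFlags(manifest);
  if (hooks.length) {
    score -= 25 * hooks.length;
    reasons.push(`lifecycle hook(s): ${hooks.join(", ")}`);
  }
  return { score: Math.max(0, score), reasons };
}

// Bands exactly as the page's table defines them.
function band(score) {
  if (score >= 80) return "Healthy";
  if (score >= 60) return "Review";
  if (score >= 40) return "Elevated";
  return "Critical";
}

// Constructed manifests standing in for package.json files under node_modules.
const SAMPLE_MANIFESTS = [
  { name: "lodash", version: "4.17.21" },
  { name: "lodahs", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  { name: "@acme/build-tools", version: "2.3.0", scripts: { test: "jest" } },
];

// Score every manifest and attach its band and the reasons that moved it.
function scanAll(manifests = SAMPLE_MANIFESTS) {
  return manifests.map((m) => {
    const { score, reasons } = trustScore(m);
    return { name: m.name, score, band: band(score), reasons };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanAll()) {
    console.log(`${r.name}: ${r.score} (${r.band}) ${r.reasons.join("; ")}`);
  }
}
```

Run with `node scorer.js`: the genuine `lodash` scores 100 (Healthy), the constructed `lodahs` loses 45 for sitting two edits from `lodash` and 25 more for its `postinstall` hook, landing at 30 (Critical), and the scoped `@acme/build-tools` is left alone because its only script is `test`. A real scorer would read the manifests from the lockfile-resolved tree rather than a hard-coded array, and would weight the remaining four dimensions as well.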
Comparison

How Seerpack fits your workflow

Capabilities compared across npm audit, manual review, and Seerpack:
Editor-native trust view
Typosquat / identity heuristics
Install-script risk surfacing
0–100 score per package
Known CVE / advisory signals
Product

What you get in VS Code

📂 Workspace scan
Point at a folder with package.json / lockfile; see the full dependency picture.

📊 Trust score column
Sort and filter packages by score to focus review time where it matters.

🔗 Drill-down
Open rationale for each dimension that moved the needle.

🔒 Local-first
Designed so your source tree is not uploaded for scoring.

🧩 Suite fit
Same Seerror design language as Seerguard, Seertrap, and Seerraze.

⚙️ CI-friendly mindset
Catch risky deps before they merge — complement lockfile and audit gates.

Example: what Seerpack reads

A minimal manifest is enough to start resolving the tree — Seerpack layers signals on top of what npm installs.

{
  "name": "my-app",
  "private": true,
  "dependencies": {
    "lodash": "^4.17.21",
    "axios": "^1.6.0"
  }
}
FAQ

Questions

No. It complements audit and lockfile discipline with trust-oriented signals — typosquats, scripts, depth — that audit alone does not cover.

Seerpack is built local-first. See the Seerpack privacy policy and the extension details on the Marketplace for the exact posture and any optional telemetry.

npm, pnpm, and Yarn-style trees are the target; the extension page lists current lockfile support per release.

Any JavaScript or TypeScript workspace that uses npm dependencies can benefit — internal monorepos included.

Install from the VS Code Marketplace
Get Seerpack
Marketplace → Install → Open a workspace with package.json → Run Seerpack