Package Exports
- @vibgrate/cli
Readme
@vibgrate/cli
Continuous Upgrade Drift Intelligence for Node & .NET
Modern codebases don't break all at once — they decay silently. Node runtimes fall behind LTS. .NET frameworks approach end-of-life. Core dependencies lag multiple major versions. Upgrade cost compounds until it becomes a project in itself.
Vibgrate turns that invisible decay into a measurable signal. One CLI command gives you an Upgrade Drift Score (0–100), actionable findings, and a clear picture of where your upgrade debt lives.
Quick Start
Run instantly with npx — no install required:
npx @vibgrate/cli scan .Or install as a dev dependency:
npm install -D @vibgrate/cliThen scan your project:
npx vibgrate scan .Why
npx? Installing with-Dplaces the binary innode_modules/.bin/, which isn't on your system PATH. Usenpxto run it, or add a script to yourpackage.json:"scripts": { "drift": "vibgrate scan ." }Then run
npm run drift. Alternatively, install globally withnpm install -g @vibgrate/clito usevibgratedirectly.
That's it. You'll see a full drift report in seconds.
What You Get
╔══════════════════════════════════════════╗
║ Vibgrate Drift Report ║
╚══════════════════════════════════════════╝
Drift Score: 72/100
Risk Level: Low
Projects: 3
Score Breakdown
Runtime: ████████████████████ 100
Frameworks: ████████████████░░░░ 78
Dependencies: ██████████████░░░░░░ 64
EOL Risk: ████████████████████ 100
── my-api (node) src/api
Runtime: 20.11.0 (current)
Frameworks:
NestJS: 10.3.0 → 11.0.0 (1 behind)
Dependencies:
42 current 8 1-behind 3 2+ behind
Findings
⚠ Framework "NestJS" is 1 major version(s) behind
⚠ 12% of dependencies are 2+ major versions behindKey Features
Upgrade Drift Score
A single 0–100 number that tells you how upgrade-ready your codebase is. Computed from runtime lag, framework versions, dependency age distribution, and EOL proximity. Deterministic and comparable across repos.
Multi-Platform Scanning
Works across Node.js/TypeScript and .NET projects in the same scan. Detects package.json, .sln, and .csproj files recursively.
CI-Native
Designed to live in your build pipeline. Returns meaningful exit codes, produces SARIF output for GitHub Code Scanning and Azure DevOps, and requires zero configuration to get started.
Ten Extended Scanners
Beyond the core drift score, Vibgrate runs a suite of extended scanners — all optional, all privacy-safe:
| Scanner | What It Finds |
|---|---|
| Platform Matrix | Native modules, OS assumptions, Docker base images, architecture risks |
| Dependency Risk | Deprecated packages, native module flags, platform-specific dependencies |
| Dependency Graph | Duplicated packages, phantom dependencies, lockfile analysis |
| Tooling Inventory | Full tech stack map — frameworks, bundlers, ORMs, testing tools |
| Build & Deploy | CI systems, Docker, IaC, release tooling, monorepo tools |
| TypeScript Modernity | Strict mode, module system, ESM readiness |
| Breaking Change Exposure | Packages known to cause upgrade pain, legacy polyfills |
| File Hotspots | Codebase shape — file counts, sizes, depth, shared packages |
| Security Posture | Lockfile hygiene, .gitignore coverage, audit severity counts |
| Service Dependencies | External SDK detection — payment, auth, cloud, databases, messaging |
Baseline & Delta Tracking
Take a baseline snapshot, then measure drift over time:
npx vibgrate baseline .
npx vibgrate scan . --baseline .vibgrate/baseline.jsonMultiple Output Formats
| Format | Use Case |
|---|---|
text |
Terminal output, local development |
json |
Programmatic consumption, artifact storage |
sarif |
GitHub Code Scanning, Azure DevOps integration |
md |
PR comments, documentation, wikis |
Dashboard Upload (Optional)
Push scan results to the Vibgrate Dashboard for trend analysis, cross-repo comparison, and team-wide visibility. Upload is always opt-in — the CLI provides full value offline.
VIBGRATE_DSN="..." vibgrate pushCI Integration
GitHub Actions
- name: Vibgrate Scan
run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: vibgrate.sarifAzure DevOps
- script: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
displayName: Vibgrate ScanWorks in any CI environment. No login required. No configuration needed.
Configuration
Optionally create a vibgrate.config.ts to customise thresholds and scanner toggles:
vibgrate initimport type { VibgrateConfig } from '@vibgrate/cli';
const config: VibgrateConfig = {
exclude: ['legacy/**'],
thresholds: {
failOnError: {
eolDays: 180,
frameworkMajorLag: 3,
dependencyTwoPlusPercent: 50,
},
},
};
export default config;Privacy First
Vibgrate is designed to be safe to run on any codebase:
- No source code is read — only
package.json,tsconfig.json, lockfiles, and project manifests - No secrets are scanned — ever
- No git history, authors, or commit messages — only HEAD SHA and branch name for traceability
- No data leaves your machine unless you explicitly run
vibgrate push - No login required — works fully offline
Commands
| Command | Description |
|---|---|
vibgrate scan [path] |
Scan for upgrade drift |
vibgrate baseline [path] |
Create a drift baseline |
vibgrate report |
Generate a report from a scan artifact |
vibgrate init [path] |
Initialise config and .vibgrate/ directory |
vibgrate push |
Upload scan results to dashboard |
vibgrate dsn create |
Generate a DSN token |
vibgrate update |
Check for and install updates |
Requirements
- Node.js >= 20.0.0
- Works on macOS, Linux, and Windows
Full Documentation
See DOCS.md for the complete reference — all commands, all flags, configuration options, extended scanner details, CI examples, and more.
Links
Copyright © 2026 Vibgrate. All rights reserved. See LICENSE for terms.