JSPM

  • Created
  • Published
  • Downloads 2807
  • Score
    100M100P100Q113948F
  • License SEE LICENSE IN LICENSE

CLI for measuring upgrade drift across Node & .NET projects

Package Exports

  • @vibgrate/cli

Readme

@vibgrate/cli
Continuous Upgrade Drift Intelligence for Node & .NET

npm version npm downloads website node version


Modern codebases don't break all at once — they decay silently. Node runtimes fall behind LTS. .NET frameworks approach end-of-life. Core dependencies lag multiple major versions. Upgrade cost compounds until it becomes a project in itself.

Vibgrate turns that invisible decay into a measurable signal. One CLI command gives you an Upgrade Drift Score (0–100), actionable findings, and a clear picture of where your upgrade debt lives.


Quick Start

Run instantly with npx — no install required:

npx @vibgrate/cli scan .

Or install as a dev dependency:

npm install -D @vibgrate/cli

Then scan your project:

npx vibgrate scan .

Why npx? Installing with -D places the binary in node_modules/.bin/, which isn't on your system PATH. Use npx to run it, or add a script to your package.json:

"scripts": {
  "drift": "vibgrate scan ."
}

Then run npm run drift. Alternatively, install globally with npm install -g @vibgrate/cli to use vibgrate directly.

That's it. You'll see a full drift report in seconds.


What You Get

╔══════════════════════════════════════════╗
║        Vibgrate Drift Report             ║
╚══════════════════════════════════════════╝

  Drift Score:  72/100
  Risk Level:   Low
  Projects:     3

  Score Breakdown
    Runtime:      ████████████████████ 100
    Frameworks:   ████████████████░░░░  78
    Dependencies: ██████████████░░░░░░  64
    EOL Risk:     ████████████████████ 100

  ── my-api (node) src/api
     Runtime: 20.11.0 (current)
     Frameworks:
       NestJS: 10.3.0 → 11.0.0 (1 behind)
     Dependencies:
       42 current  8 1-behind  3 2+ behind

  Findings
    ⚠ Framework "NestJS" is 1 major version(s) behind
    ⚠ 12% of dependencies are 2+ major versions behind

Key Features

Upgrade Drift Score

A single 0–100 number that tells you how upgrade-ready your codebase is. Computed from runtime lag, framework versions, dependency age distribution, and EOL proximity. Deterministic and comparable across repos.

Multi-Platform Scanning

Works across Node.js/TypeScript and .NET projects in the same scan. Detects package.json, .sln, and .csproj files recursively.

CI-Native

Designed to live in your build pipeline. Returns meaningful exit codes, produces SARIF output for GitHub Code Scanning and Azure DevOps, and requires zero configuration to get started.

Ten Extended Scanners

Beyond the core drift score, Vibgrate runs a suite of extended scanners — all optional, all privacy-safe:

Scanner What It Finds
Platform Matrix Native modules, OS assumptions, Docker base images, architecture risks
Dependency Risk Deprecated packages, native module flags, platform-specific dependencies
Dependency Graph Duplicated packages, phantom dependencies, lockfile analysis
Tooling Inventory Full tech stack map — frameworks, bundlers, ORMs, testing tools
Build & Deploy CI systems, Docker, IaC, release tooling, monorepo tools
TypeScript Modernity Strict mode, module system, ESM readiness
Breaking Change Exposure Packages known to cause upgrade pain, legacy polyfills
File Hotspots Codebase shape — file counts, sizes, depth, shared packages
Security Posture Lockfile hygiene, .gitignore coverage, audit severity counts
Service Dependencies External SDK detection — payment, auth, cloud, databases, messaging

Baseline & Delta Tracking

Take a baseline snapshot, then measure drift over time:

npx vibgrate baseline .
npx vibgrate scan . --baseline .vibgrate/baseline.json

Multiple Output Formats

Format Use Case
text Terminal output, local development
json Programmatic consumption, artifact storage
sarif GitHub Code Scanning, Azure DevOps integration
md PR comments, documentation, wikis

Dashboard Upload (Optional)

Push scan results to the Vibgrate Dashboard for trend analysis, cross-repo comparison, and team-wide visibility. Upload is always opt-in — the CLI provides full value offline.

VIBGRATE_DSN="..." vibgrate push

CI Integration

GitHub Actions

- name: Vibgrate Scan
  run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: vibgrate.sarif

Azure DevOps

- script: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
  displayName: Vibgrate Scan

Works in any CI environment. No login required. No configuration needed.


Configuration

Optionally create a vibgrate.config.ts to customise thresholds and scanner toggles:

vibgrate init
import type { VibgrateConfig } from '@vibgrate/cli';

const config: VibgrateConfig = {
  exclude: ['legacy/**'],
  thresholds: {
    failOnError: {
      eolDays: 180,
      frameworkMajorLag: 3,
      dependencyTwoPlusPercent: 50,
    },
  },
};

export default config;

Privacy First

Vibgrate is designed to be safe to run on any codebase:

  • No source code is read — only package.json, tsconfig.json, lockfiles, and project manifests
  • No secrets are scanned — ever
  • No git history, authors, or commit messages — only HEAD SHA and branch name for traceability
  • No data leaves your machine unless you explicitly run vibgrate push
  • No login required — works fully offline

Commands

Command Description
vibgrate scan [path] Scan for upgrade drift
vibgrate baseline [path] Create a drift baseline
vibgrate report Generate a report from a scan artifact
vibgrate init [path] Initialise config and .vibgrate/ directory
vibgrate push Upload scan results to dashboard
vibgrate dsn create Generate a DSN token
vibgrate update Check for and install updates

Requirements

  • Node.js >= 20.0.0
  • Works on macOS, Linux, and Windows

Full Documentation

See DOCS.md for the complete reference — all commands, all flags, configuration options, extended scanner details, CI examples, and more.



Copyright © 2026 Vibgrate. All rights reserved. See LICENSE for terms.