Will It Vibe?
DEP-001Medium severity-8 points

No dependency manifest

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Source code exists but there's no package manifest declaring what it depends on.

Why it matters

Without a manifest, nobody (including your deploy pipeline) knows what packages and versions the code needs, so "works on my machine" is the only environment that exists. A fresh clone fails with import errors, and hosting platforms that auto-detect a build from package.json or pyproject.toml have nothing to work with. The first person this bites is usually you, on a new laptop or a CI runner.

How to fix it

For a Node project, run npm init -y, then install each package the code imports with npm install <name> so it lands in package.json with a version, and commit the generated package-lock.json. For Python, create a pyproject.toml (uv init or poetry init both scaffold one) or at minimum a requirements.txt with pinned versions, and commit the lockfile your tool produces. Confirm a clean install works by deleting node_modules or your virtualenv and reinstalling from the manifest alone.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks