Will It Vibe logoWill It Vibe?
SCA-017Medium severity-8 points

npm dependency with wildcard/unbounded version

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A package.json dependency is declared as "*", "latest", "x", or an empty string, so npm install always fetches whatever is newest at install time with no review window.

Why it matters

A package.json dependency declared as "*", "latest", "x", or an empty string has no version boundary at all: every npm install can pull a brand-new major release, including one with breaking changes or, in a worst case, a compromised publish, with zero review window between the release going out and your build picking it up. This is different from (and more dangerous than) a wide caret range, which still stays within one major version.

How to fix it

Replace the wildcard with a real range anchored to the version you have actually tested against -- a caret range (^1.2.3) for most cases, or an exact pin for anything you want to control deliberately. Re-run install afterward and confirm the resolved version matches what you expect.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks