npm dependency with wildcard/unbounded version
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A package.json dependency is declared as "*", "latest", "x", or an empty string, so npm install always fetches whatever is newest at install time with no review window.
Why it matters
A package.json dependency declared as "*", "latest", "x", or an empty string has no version boundary at all: every npm install can pull a brand-new major release, including one with breaking changes or, in a worst case, a compromised publish, with zero review window between the release going out and your build picking it up. This is different from (and more dangerous than) a wide caret range, which still stays within one major version.
How to fix it
Replace the wildcard with a real range anchored to the version you have actually tested against -- a caret range (^1.2.3) for most cases, or an exact pin for anything you want to control deliberately. Re-run install afterward and confirm the resolved version matches what you expect.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo