npm dependency installed from a git URL
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A package.json dependency value points at a git/GitHub URL (git+https://, git+ssh://, git://, github:) rather than a registry version, so it bypasses npm registry integrity checks and can change upstream without any version bump.
Why it matters
A package.json dependency resolved from a git/GitHub URL instead of the npm registry bypasses every integrity guarantee the registry provides: no published-tarball checksum, no audit trail through npm's own systems, and the upstream repository can force-push or delete the referenced ref out from under you. It is sometimes a deliberate, reasonable choice (using an unreleased fix before it's published), but it always trades registry integrity for that convenience and deserves a second look.
How to fix it
If the git dependency is meant to be temporary (waiting on an upstream release), track that with a comment and a follow-up ticket, and pin to a specific commit SHA rather than a branch name so the reference can't move under you. If a published registry version now covers what you needed, switch back to it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo