Will It Vibe logoWill It Vibe?
SCA-021Low severity-4 points

npm dependency installed from a git URL

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A package.json dependency value points at a git/GitHub URL (git+https://, git+ssh://, git://, github:) rather than a registry version, so it bypasses npm registry integrity checks and can change upstream without any version bump.

Why it matters

A package.json dependency resolved from a git/GitHub URL instead of the npm registry bypasses every integrity guarantee the registry provides: no published-tarball checksum, no audit trail through npm's own systems, and the upstream repository can force-push or delete the referenced ref out from under you. It is sometimes a deliberate, reasonable choice (using an unreleased fix before it's published), but it always trades registry integrity for that convenience and deserves a second look.

How to fix it

If the git dependency is meant to be temporary (waiting on an upstream release), track that with a comment and a follow-up ticket, and pin to a specific commit SHA rather than a branch name so the reference can't move under you. If a published registry version now covers what you needed, switch back to it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks