Skip to content
| Marketplace
Sign in
Visual Studio Code>Visualization>LichenNew to Visual Studio Code? Get it now.
Lichen

Lichen

Corvalon

|
1 install
| (0) | Free
Dependency intelligence for Go, npm, Cargo, Python (uv/poetry), Ruby, Maven/Gradle, and NuGet projects: pinned version, parent constraint, license, CVE/OSV advisories, and a security-aware recommended upgrade per node, with one-click applies (Go/npm), a full HTML report, and configurable scan warnin
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Lichen

Dependency intelligence for Go, npm, Cargo, Python, Ruby, Maven/Gradle, and NuGet projects, in your editor sidebar.

Lichen adds its own Activity Bar view showing the full dependency tree of the open workspace, auto-detected from the build files present:

Ecosystem Detected via Toolchain needed
Go go.mod go on PATH
npm package-lock.json none
Cargo (Rust) Cargo.lock none
Python uv.lock / poetry.lock none
Ruby Gemfile.lock none
Gradle gradle.lockfile none
Maven pom.xml mvn on PATH
NuGet packages.lock.json none

For every node it reports the four things that matter when you audit a dependency: the pinned version the build actually selected, the parent constraint that put it there, the license, and the available newer versions.

Features

  • Full dependency tree of the open workspace, rooted at your module
  • Pinned version and parent-declared constraint on every node
  • SPDX license per package, sourced from the public deps.dev API
  • Known advisories (CVE/OSV) surfaced with severity, and separated by reachability: advisories on not-imported dependencies (not compiled into your binary) are shown as informational rather than counted as advisories, so the ones you actually need to investigate stand out
  • A security-aware recommended upgrade per node (security first, then license stability, then highest version)
  • The Go language/toolchain version as a first-class node, checked against the latest stable release
  • Scope labels: (test-only) and (not-imported) dependencies marked in text, not color alone
  • Offline mode: pinned and parent-required versions only, zero network
  • Background prefetch: the scan starts while your project loads, so the tree is ready when you open the panel
  • Auto-rescan when any ecosystem's manifest or lockfile changes (go get, npm install, cargo update, bundle update, or manual edits)
  • Configurable scan warnings on the report's filter dimensions (critical, advisory, outdated, license-change, recommended), with an advisory-count badge on the Lichen icon. not-imported deps (in the module graph but imported by neither your build nor its tests) are informational everywhere: they stay visible with a (not-imported) label but carry no upgrade indicator in the tree, the HTML report, or the badge counts, matching what Apply All can actually act on
  • One-click upgrades for Go and npm: apply a node's recommended version from its context menu, or every pending recommendation at once (runs go get + go mod tidy or npm install locally, with confirmation). For the other ecosystems the exact upgrade commands are surfaced with one-click copy instead of executed
  • Full HTML report: open the interactive Corvalon dependency report in your browser, rendered by the same engine as lichen report

Commands

Command Effect
Lichen: Refresh Re-scan the workspace and rebuild the tree
Lichen: Open HTML Report Render the interactive dependency report and open it in your browser
Lichen: Apply Recommended Upgrade Upgrade one dependency to its recommended version (node context menu)
Lichen: Apply All Recommended Upgrades Apply every pending recommendation, with a confirmation listing the plan
Lichen: Toggle Offline (skip deps.dev) Flip lichen.offline
Lichen: Toggle Upgrade Details (per-version license + CVEs) Flip lichen.fetchUpgrades

Settings

Setting Default Effect
lichen.offline false Skip deps.dev calls; show pinned and parent-required versions only
lichen.fetchUpgrades false Also fetch each newer version's license and advisories to show the per-version upgrade path and recommendation (extra deps.dev calls)
lichen.prefetch true Scan in the background when a supported workspace opens (any detected ecosystem), so the tree is ready when you open the panel
lichen.warnOn all five Which scan findings raise a notification, on the report's filter dimensions: critical, advisory, outdated, license-change, recommended (all on by default; remove the ones you don't want)
lichen.critical 7 CVSS score above which an advisory counts as critical (red icon, CRITICAL label, the critical warning dimension)
lichen.minReleaseAgeDays 14 Soak window in days: never recommend a version younger than this (a too-fresh-only fix is still recommended, flagged with its age). 0 disables. A workspace lichen.config.json that sets minReleaseAgeDays takes precedence (the extension announces the override)

Requirements

  • Most ecosystems need nothing installed -- the committed lockfile is parsed directly (see the table above). Only Go and Maven run their build tool locally (go mod graph / mvn dependency:tree); nothing is uploaded.
  • Network access to api.deps.dev for license, version, and advisory enrichment (optional: offline mode works without it).

How it works

The extension is a thin view over the same engine as the lichen CLI (npm package @corvalon/lichen). The stack is 100% free: local build-tool commands plus the public deps.dev API. No account, no backend, no telemetry.

Source, issues, and the CLI live at github.com/Corvalon/lichen.

Brought to you by Corvalon.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft