Lichen
Dependency intelligence for Go, npm, Cargo, Python, Ruby, Maven/Gradle, and
NuGet projects, in your editor sidebar.
Lichen adds its own Activity Bar view showing the full dependency tree of the
open workspace, auto-detected from the build files present:
| Ecosystem |
Detected via |
Toolchain needed |
| Go |
go.mod |
go on PATH |
| npm |
package-lock.json |
none |
| Cargo (Rust) |
Cargo.lock |
none |
| Python |
uv.lock / poetry.lock |
none |
| Ruby |
Gemfile.lock |
none |
| Gradle |
gradle.lockfile |
none |
| Maven |
pom.xml |
mvn on PATH |
| NuGet |
packages.lock.json |
none |
For every node it reports the four things that matter when you audit a
dependency: the pinned version the build actually selected, the parent
constraint that put it there, the license, and the available newer
versions.
Features
- Full dependency tree of the open workspace, rooted at your module
- Pinned version and parent-declared constraint on every node
- SPDX license per package, sourced from the public deps.dev API
- Known advisories (CVE/OSV) surfaced with severity, and separated by
reachability: advisories on
not-imported dependencies (not compiled into
your binary) are shown as informational rather than counted as advisories, so
the ones you actually need to investigate stand out
- A security-aware recommended upgrade per node (security first, then
license stability, then highest version)
- The Go language/toolchain version as a first-class node, checked against
the latest stable release
- Scope labels:
(test-only) and (not-imported) dependencies marked in
text, not color alone
- Offline mode: pinned and parent-required versions only, zero network
- Background prefetch: the scan starts while your project loads, so the
tree is ready when you open the panel
- Auto-rescan when any ecosystem's manifest or lockfile changes (
go get,
npm install, cargo update, bundle update, or manual edits)
- Configurable scan warnings on the report's filter dimensions (critical,
advisory, outdated, license-change, recommended), with an advisory-count
badge on the Lichen icon.
not-imported deps (in the module graph but
imported by neither your build nor its tests) are informational everywhere:
they stay visible with a (not-imported) label but carry no upgrade
indicator in the tree, the HTML report, or the badge counts, matching what
Apply All can actually act on
- One-click upgrades for Go and npm: apply a node's recommended version from
its context menu, or every pending recommendation at once (runs
go get +
go mod tidy or npm install locally, with confirmation). For the other
ecosystems the exact upgrade commands are surfaced with one-click copy
instead of executed
- Full HTML report: open the interactive Corvalon dependency report in
your browser, rendered by the same engine as
lichen report
Commands
| Command |
Effect |
Lichen: Refresh |
Re-scan the workspace and rebuild the tree |
Lichen: Open HTML Report |
Render the interactive dependency report and open it in your browser |
Lichen: Apply Recommended Upgrade |
Upgrade one dependency to its recommended version (node context menu) |
Lichen: Apply All Recommended Upgrades |
Apply every pending recommendation, with a confirmation listing the plan |
Lichen: Toggle Offline (skip deps.dev) |
Flip lichen.offline |
Lichen: Toggle Upgrade Details (per-version license + CVEs) |
Flip lichen.fetchUpgrades |
Settings
| Setting |
Default |
Effect |
lichen.offline |
false |
Skip deps.dev calls; show pinned and parent-required versions only |
lichen.fetchUpgrades |
false |
Also fetch each newer version's license and advisories to show the per-version upgrade path and recommendation (extra deps.dev calls) |
lichen.prefetch |
true |
Scan in the background when a supported workspace opens (any detected ecosystem), so the tree is ready when you open the panel |
lichen.warnOn |
all five |
Which scan findings raise a notification, on the report's filter dimensions: critical, advisory, outdated, license-change, recommended (all on by default; remove the ones you don't want) |
lichen.critical |
7 |
CVSS score above which an advisory counts as critical (red icon, CRITICAL label, the critical warning dimension) |
lichen.minReleaseAgeDays |
14 |
Soak window in days: never recommend a version younger than this (a too-fresh-only fix is still recommended, flagged with its age). 0 disables. A workspace lichen.config.json that sets minReleaseAgeDays takes precedence (the extension announces the override) |
Requirements
- Most ecosystems need nothing installed -- the committed lockfile is
parsed directly (see the table above). Only Go and Maven run their build
tool locally (
go mod graph / mvn dependency:tree); nothing is uploaded.
- Network access to
api.deps.dev for license, version, and advisory
enrichment (optional: offline mode works without it).
How it works
The extension is a thin view over the same engine as the lichen CLI
(npm package @corvalon/lichen).
The stack is 100% free: local build-tool commands plus the public
deps.dev API. No account, no backend, no telemetry.
Source, issues, and the CLI live at
github.com/Corvalon/lichen.
Brought to you by Corvalon.
| |