Skip to content
| Marketplace
Sign in
Visual Studio Code>Visualization>Dependency ExplorerNew to Visual Studio Code? Get it now.
Dependency Explorer

Dependency Explorer

Ruan du Plessis

|
2 installs
| (0) | Free
Full dependency tree (including transitive dependencies) for npm and NuGet projects, with vulnerability flags and one-click update or transitive override.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Dependency Explorer

A VS Code extension that shows the full dependency tree — including transitive dependencies — for npm and NuGet projects, flags packages with known vulnerabilities, and lets you fix them by updating a direct dependency or overriding/pinning a transitive one.

Features

  • Dependencies view in the activity bar: every npm and NuGet project in the workspace is listed as its own top-level node (monorepos and multi-project solutions are fully supported), with direct dependencies underneath and transitive dependencies collapsed one level deeper, expandable as far as you like.
  • Vulnerability flags via the free OSV.dev API:
    • red warning icon = this package version has known vulnerabilities (IDs are linked in the tooltip),
    • yellow warning icon = something deeper in this package's subtree is vulnerable, so you can trace which direct dependency pulls it in.
  • Update Version… (↑ icon on direct dependencies): pick a version from the registry and the manifest is edited in place, preserving your range style (^ / ~ / exact).
  • Override / Pin Version… (📌 icon on transitive dependencies):
    • npm: adds the package to the "overrides" field of package.json,
    • NuGet: adds a direct <PackageReference> pin to the .csproj (NuGet's direct-wins rule), with Central Package Management (Directory.Packages.props) handled automatically.
  • Preview before you apply. Choosing a version opens a diff panel showing how that version's own dependency requirements differ from your current version — which transitive dependencies get added, removed, changed, or stay the same — pulled live from the registry. Nothing is written until you click Apply. (For NuGet, the diff is read for your project's target framework.)
  • Bump a duplicate package across every project that uses it. When a package (often a vulnerable transitive one like qs) is shared by several projects, you can fix it once:
    • click Update / Override on any occurrence and choose Apply to all N projects, or
    • use the Update Package Across All Projects… button in the view title bar to pick from a list of shared packages.
    • Each project is fixed the right way: it's a direct dependency there → the version is updated; it's transitive there → an override/pin is added.
  • After an edit, the extension offers to run npm install / dotnet restore (one terminal per affected project); the tree refreshes automatically when the lock/assets files change.

How it reads the tree

Ecosystem Source of truth Requirement
npm package-lock.json (v2/v3 packages map, with real node_modules-style resolution) run npm install once (npm 7+)
NuGet obj/project.assets.json run dotnet restore once

These are the resolved graphs, so versions match exactly what your build uses.

Central Package Management (NuGet)

Central Package Management (CPM) — where package versions live in a Directory.Packages.props file instead of on each <PackageReference> — is fully supported. The extension discovers the nearest Directory.Packages.props by walking up from the project folder and edits the right file automatically:

Action Classic project CPM project
Update a direct dependency edits Version="…" on the <PackageReference> in the .csproj edits the <PackageVersion> in Directory.Packages.props (or a VersionOverride on the reference if one exists)
Override a transitive dependency adds a versioned <PackageReference> pin to the .csproj adds a <PackageVersion> to Directory.Packages.props; if transitive pinning is off, it also adds a versionless <PackageReference> to force the pin

Because a CPM version is shared, updating it fixes every project under that props file at once — which pairs naturally with the "bump across all projects" feature.

Development

npm install
npm run compile   # or: npm run watch

Press F5 in VS Code to launch an Extension Development Host, then open any folder containing an npm or .NET project.

To package a .vsix for installation:

npx @vscode/vsce package

then install it via Extensions: Install from VSIX….

Project layout

  • src/extension.ts — activation, tree view registration, file watchers
  • src/tree/dependencyTree.ts — TreeDataProvider (lazy expansion, icons, tooltips)
  • src/providers/npmProvider.ts — lockfile parsing + node_modules-style resolution
  • src/providers/nugetProvider.ts — project.assets.json parsing
  • src/services/vulnClosure.ts — cycle-safe "subtree contains a vulnerability" reachability
  • src/services/osvService.ts — batched OSV.dev vulnerability queries (cached per session)
  • src/services/registryService.ts — version lists from registry.npmjs.org / api.nuget.org
  • src/services/manifestEditor.ts — pure text edits for package.json, .csproj, Directory.Packages.props
  • src/services/previewService.ts — fetches a version's declared dependencies and diffs current vs target
  • src/ui/previewPanel.ts — webview showing the transitive-dependency impact, with Apply / Cancel
  • src/commands.ts — update/override commands, preview + confirm, cross-project "apply to all", version quick-pick, install prompt

Known limitations

  • npm workspaces: packages inside a monorepo without their own package-lock.json show a "run npm install" hint; open the workspace root (where the lock lives) to see the full graph. npm overrides are only honoured by npm from the root package.json.
  • NuGet multi-targeted projects show the first target framework's graph.
  • Vulnerability severity levels are not fetched (only IDs, linked to osv.dev); circular references are shown once and marked circular.
  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft