TypeScript & JavaScript Scanner

Static analysis for TS & JS — locally, in 60 seconds.

Scan your TypeScript or JavaScript project for complexity outliers, vulnerable npm packages, dead exports, empty catch blocks, and semantically-duplicate utility functions — with the ik CLI. Pairs with whatever ESLint / Prettier setup you already have; inkode contributes the cross-file structural and security signal those tools don't.

Install the CLI Wire up GitHub Action

What it looks like

Running on a Next.js app

$ ik run inkode · shop-storefront Running 20 checks... ⚠ Complexity 6 findings 240ms (chamele, in-process) ⚠ Dependency Audit 12 findings 8.2s (npm audit) ⚠ Dead Code 14 findings 2.6s (knip) ⚠ Error Handling 3 findings 110ms (empty-catch regex) ⚠ Duplication 9 findings 4.1s (jscpd) ⚠ Magic Numbers 11 findings 340ms (regex) ✓ Test Presence no issues 18ms (vitest detected) Score 62 / 100 grade D Report .ik/brief.html Share https://api.inkode.co/r/Tb5N3wFkLp2X

TypeScript / JavaScript coverage

What we check, and how.

Check	Tool	What it catches in TypeScript / JavaScript
Complexity	`chamele` (in-process)	Functions, methods, and arrow functions exceeding the cyclomatic-complexity threshold (default 10), via the in-process chamele library. No ESLint config or `$PATH` binary required — and never skipped.
Dependency Audit	`npm audit`	CVEs from the npm advisory database. Supports both `npm audit` v1 (npm < 7) and v2 (npm ≥ 7) JSON formats. `critical` / `high` → Error; lower → Warning.
Dead Code	`knip`	Unused files, exports, types, and dependencies. `knip --reporter compact` output mapped to file : line findings.
Error Handling	regex	Empty `catch (e) {}` blocks — the JS/TS counterpart to bare Python excepts. Catches the most common "silence the error and move on" pattern AI tools default to.
Magic Numbers	regex	Inline numeric literals (excluding 0, 1, -1, 2 and version-string-shaped values like 1.2.3). Walks `.js`, `.jsx`, `.ts`, `.tsx` with JS-aware skip rules.
Duplication	`jscpd`	Copy-pasted token blocks. jscpd is excellent at JS/TS — it's literally written in TypeScript.
Semantic Duplication	embedded LLM	Function declarations, arrow functions, and class methods extracted via regex (handles `function` / `=> {}` / `const x =` shapes), embedded via Qwen2.5-Coder-0.5B, paired by cosine similarity. Catches utility helpers regenerated in different files.
Test Presence	fs walk	`.test.ts`, `.spec.ts`, `.test.tsx`, `.spec.tsx`, and the `.js` equivalents. Jest, Mocha, and Vitest detected via `package.json`.
Import Graph	built-in regex parser	Cycles between modules, fan-in / fan-out outliers, god modules. Picks up both `import` statements and dynamic `import()` calls.
AI Stack	manifest scan	OpenAI SDK, `@anthropic-ai/sdk`, LangChain, LlamaIndex, Ollama, Vercel AI SDK, CopilotKit detected in `package.json` dependencies / devDependencies.
Secrets, Hotspots, Coupling, Line Count, Infra, Scripts, TODO Density	language-agnostic	Same as every other language — gitleaks for secrets, git-log analysis for hotspots / coupling, etc.

AI anti-patterns in TS / JS we catch

The smells nobody refactors out.

Empty catch (e) {} blocks

A perfectly-runnable try/catch that swallows every error silently. AI tools emit these to "make the type-checker happy" and they live forever.

Dead exports from regenerated helpers

AI rewrites a utility module and leaves three older versions exported "just in case." knip walks your dependency graph and reports the ones no caller actually uses.

Vulnerable npm dependencies

Outdated axios, lodash, marked, node-fetch, etc. with known CVEs. npm audit pulls from the GitHub Advisory Database in one pass.

Magic constants buried in components

Page sizes, polling intervals, retry caps hardcoded inline in React or Next.js components. Named constants make the diff intent obvious; the regex scan surfaces every literal worth promoting.

Run it on your TypeScript / JavaScript project.

Install in one line, scan in under a minute. No account required.

$ curl -fsSL https://inkode.co/install.sh | sh $ npm install -g knip jscpd # one-time (complexity needs no install) $ cd your-ts-project && ik init && ik run

Book an Expert Review

More scanners

Scan another language

C# Go Java Python Rust All scanners

Cross-cutting checks: secret scanning · dependency vulnerability scanning · AI code review