reachable

Dependency triage with source awareness

Find the vulnerable code paths that matter, not just the packages that happen to be installed.

reachable parses JavaScript and TypeScript, builds a project call graph, looks up advisories, and tells you whether the vulnerable symbol is actually reachable from your application entry points.

Verdicts

Cut false positives without pretending static analysis is magic.

reachable makes the uncertainty visible. When the tool can prove a path, it says REACHABLE. When it cannot find one, it says UNREACHABLE. When resolution or dynamic behavior leaves a gap, it says UNKNOWN instead of bluffing.

REACHABLE

The vulnerable symbol is on a path from your entry points. This is the one you fail CI on first.

UNKNOWN

Resolution hit a boundary or dynamic pattern that needs a closer look. It is a triage queue, not a hidden error.

UNREACHABLE

The package may be installed, but the flagged symbol does not show up on a path from your code.
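A toy version of the three-verdict logic described above, added here as an illustration (not reachable's own code). The call graph, the symbol names and the rule that a dynamic edge only yields UNKNOWN when the vulnerable symbol is among its candidate targets are all assumptions made for this example.

```javascript
// Constructed call graph: "file:function" or "package:export" nodes.
// A "static" edge is a call or import the parser resolved; a "dynamic"
// edge is one it could not (e.g. require(name) with a runtime value),
// so it only carries the candidate targets that call could pick from.
const GRAPH = {
  "src/index.ts:main":   [{ to: "src/api.ts:handle", kind: "static" }],
  "src/api.ts:handle":   [{ to: "lodash:merge", kind: "static" },
                          { to: "src/plugins.ts:load", kind: "static" }],
  "src/plugins.ts:load": [{ kind: "dynamic", candidates: ["qs:parse", "qs:stringify"] }],
  "lodash:merge":        [],
  "lodash:template":     [],   // installed, never referenced from src
  "qs:parse":            [],   // only behind the unresolved edge
};

// Breadth-first walk from the entry points. Returns the verdict and, for
// REACHABLE, the proven path so CI output can show why it failed.
function triage(graph, entryPoints, vulnerableSymbol) {
  const parent = new Map(entryPoints.map((ep) => [ep, null]));
  const queue = [...entryPoints];
  let hitBoundary = false;            // a dynamic edge could target the symbol
  while (queue.length) {
    const node = queue.shift();
    if (node === vulnerableSymbol) {
      const path = [];
      for (let n = node; n !== null; n = parent.get(n)) path.unshift(n);
      return { verdict: "REACHABLE", path };
    }
    for (const edge of graph[node] ?? []) {
      if (edge.kind === "dynamic") {
        if (edge.candidates.includes(vulnerableSymbol)) hitBoundary = true;
        continue;                     // cannot follow an unresolved call
      }
      if (!parent.has(edge.to)) { parent.set(edge.to, node); queue.push(edge.to); }
    }
  }
  // No proven path: report the gap rather than claiming UNREACHABLE.
  return { verdict: hitBoundary ? "UNKNOWN" : "UNREACHABLE", path: null };
}

const ENTRY = ["src/index.ts:main"];
for (const sym of ["lodash:merge", "qs:parse", "lodash:template"]) {
  console.log(sym, triage(GRAPH, ENTRY, sym));
}
```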

Why reachable

Package-level alerts are cheap. Source-aware triage is the part teams actually need.

`npm audit` and hosted scanners are useful for visibility, but they do not know whether your app imports or calls the vulnerable code. reachable fills that gap with a local-first CLI you can run on demand or in CI.

reachable: call graph + advisory mapping
  Ranks advisories by whether the symbol is actually reached from your entry points.

package-only scanners: dependency list only
  Good at inventory. Bad at telling you whether the risky code path touches your app.

Install

Run it locally first. Wire it into CI when the verdicts feel trustworthy.

reachable is designed to slot into a normal JavaScript or TypeScript workflow with a short install path and a direct CLI surface.

npm install -g @merupatel/reachable

reachable scan --format table
reachable trace lodash
reachable graph src/index.ts

Use it for:

- reachable-only CI gates
- lockfile triage
- advisory investigation
- local audit workflows