Iris

Dependents Table

Open Iris: Open Dependents Table from the command palette to audit every third-party dependency for outdated versions and CVEs in one panel.

Supported package sources

  • npm — package.json
  • Go modules — go.mod
  • Python — requirements.txt and pyproject.toml

What the table shows

  • Package name
  • Installed version
  • Latest version
  • Known CVEs from the GitHub Advisory Database
Iris Dependents Table showing vulnerable packages with CVE advisories, version columns, and update buttons

Caching

Results are cached locally for 24 hours at .iris-cache/dependents.json. Re-opening the panel is instant without a new network round-trip. .iris-cache/ is added to .gitignore automatically on the first write.

GitHub PAT (optional)

The unauthenticated GitHub Advisory API rate limit is 60 requests per hour. Store a personal access token via the in-panel token button to raise it to 5,000 per hour. The token is stored in VS Code's SecretStorage and never leaves your machine.

To generate a token: go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic) and generate a new token. No scopes are required — leave all boxes unchecked.

GitHub Developer Settings showing the Personal access tokens (classic) page
GitHub new personal access token form showing available scopes
Tip: Advisory API errors return empty CVE lists silently — the table still loads with version data even when the advisory API is unavailable or rate-limited. An empty CVE column therefore does not by itself show that a package has no known advisories.
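Because a failed lookup and a clean result look the same in the table, the following added example (not Iris source code) shows one way to tell them apart when checking a package yourself. It assumes GitHub's REST `GET /advisories` endpoint with its `ecosystem` and `affects` parameters and the standard `x-ratelimit-*` response headers; the function names and sample responses are hypothetical.

```javascript
// Added example (not Iris source code). Function names are hypothetical.
const UNAUTH_LIMIT = 60; // unauthenticated requests per hour, as stated on this page

// Build a lookup URL for GitHub's global advisories endpoint.
// ecosystem: "npm", "go" or "pip" (package.json, go.mod, requirements.txt/pyproject.toml).
function advisoryUrl(ecosystem, name, version) {
  const url = new URL("https://api.github.com/advisories");
  url.searchParams.set("ecosystem", ecosystem);
  url.searchParams.set("affects", `${name}@${version}`);
  return url.toString();
}

// Classify one response so "no advisories" is never confused with "lookup failed".
function classifyAdvisoryResponse(status, headers, bodyText) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const limit = Number(h["x-ratelimit-limit"]);
  const base = { authenticated: limit > UNAUTH_LIMIT, resetAt: null, ids: [] };
  const exhausted = Number(h["x-ratelimit-remaining"]) === 0 || "retry-after" in h;
  if ((status === 403 || status === 429) && exhausted) {
    const reset = Number(h["x-ratelimit-reset"]); // epoch seconds
    if (Number.isFinite(reset)) base.resetAt = new Date(reset * 1000).toISOString();
    return { ...base, state: "rate_limited" };
  }
  if (status !== 200) return { ...base, state: "error" };
  let advisories;
  try { advisories = JSON.parse(bodyText); } catch { return { ...base, state: "error" }; }
  if (!Array.isArray(advisories)) return { ...base, state: "error" };
  // Prefer the CVE id; fall back to the GHSA id when no CVE is assigned.
  const ids = advisories.map((a) => a && (a.cve_id || a.ghsa_id)).filter(Boolean);
  return { ...base, ids, state: ids.length ? "advisories_found" : "no_advisories" };
}

// Constructed sample responses (placeholder identifiers, not real advisories).
const SAMPLES = {
  limited: [403, { "X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
    "X-RateLimit-Reset": "1700000000" }, '{"message":"API rate limit exceeded"}'],
  empty: [200, { "X-RateLimit-Limit": "5000", "X-RateLimit-Remaining": "4999" }, "[]"],
  found: [200, { "X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "12" },
    '[{"ghsa_id":"GHSA-xxxx-xxxx-xxxx","cve_id":"CVE-0000-00000"},' +
    '{"ghsa_id":"GHSA-yyyy-yyyy-yyyy","cve_id":null}]'],
  broken: [200, {}, "<html>proxy error</html>"],
};

for (const [name, args] of Object.entries(SAMPLES)) {
  console.log(name, classifyAdvisoryResponse(...args));
}
```

Only the `no_advisories` state supports reading an empty CVE column as a clean result; `rate_limited` and `error` mean the lookup has to be repeated.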