The Dependents Table audits all of your project’s third-party packages in a single panel, checking each one for outdated versions and known security vulnerabilities sourced from the GitHub Advisory Database. Instead of running separate audit tools for each package ecosystem, you get a unified view covering npm, Go modules, and Python packages side by side.
The Dependents Table requires Iris Pro.

How to open it

Run "Iris: Open Dependents Table" from the command palette.

Supported package sources

  • npm: package.json
  • Go modules: go.mod
  • Python: requirements.txt and pyproject.toml

What the table shows

For each package, the table displays the installed version, the latest available version, and any known CVEs from the GitHub Advisory Database:

| Package | Installed → Latest | Advisories |
| --- | --- | --- |
| next | 14.1.0 → 15.3.2 | |
| express | 4.18.2 → 4.21.2 | CVE-2024-29041 |
| jsonwebtoken | 8.5.1 → 9.0.2 | CVE-2022-23529, CVE-2022-23540 |

Caching

Results are cached locally for 24 hours at .iris-cache/dependents.json. Re-opening the panel is instant without a new network round-trip. Iris automatically adds .iris-cache/ to your .gitignore on the first write.

GitHub PAT (optional)

The unauthenticated GitHub Advisory API rate limit is 60 requests per hour. Store a personal access token via the in-panel token button to raise that limit to 5,000 requests per hour. The token is stored in VS Code’s SecretStorage and never leaves your machine. To generate a token:
2. Generate a new token

Click Generate new token (classic). No scopes are required — leave all permission boxes unchecked.

3. Store the token in Iris

Click the token button in the Dependents Table panel and paste in your new token.

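Advisory API errors return empty CVE lists silently: the table still loads with version data even when the advisory API is unavailable or rate-limited. An empty Advisories column therefore does not distinguish a package with no known advisories from a lookup that failed.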
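
Because a failed advisory lookup and a clean result look the same in the table, one way to double-check a package is to query GitHub's global advisories endpoint directly and classify the response. This is an added example, not Iris code; the function names are hypothetical and the sample responses are constructed for illustration.

```javascript
// Added example, not Iris code. Function names are hypothetical.
const API = "https://api.github.com/advisories";

// Query URL for one package at one installed version.
// ecosystem is GitHub's name for the source: "npm", "go" or "pip".
function advisoryUrl(ecosystem, name, version) {
  const q = new URLSearchParams({ ecosystem, affects: `${name}@${version}` });
  return `${API}?${q}`;
}

// Classify a response so a failed lookup is never reported as "clean".
// headers: plain object with lower-case keys; body: parsed JSON or null.
function classify(status, headers, body) {
  const remaining = Number(headers["x-ratelimit-remaining"]);
  if ((status === 403 || status === 429) && remaining === 0) {
    // x-ratelimit-reset is the epoch second at which the quota refills.
    const reset = Number(headers["x-ratelimit-reset"]);
    const retryAt = Number.isFinite(reset) ? new Date(reset * 1000).toISOString() : null;
    return { state: "rate-limited", retryAt, ids: [] };
  }
  if (status !== 200 || !Array.isArray(body)) return { state: "error", ids: [] };
  const ids = body.map((a) => a.cve_id || a.ghsa_id);
  return { state: ids.length ? "vulnerable" : "clean", ids };
}

// Live lookup (needs network and Node 18+ for global fetch); token is optional.
async function lookup(ecosystem, name, version, token) {
  const headers = { accept: "application/vnd.github+json" };
  if (token) headers.authorization = `Bearer ${token}`;
  const res = await fetch(advisoryUrl(ecosystem, name, version), { headers });
  const body = await res.json().catch(() => null);
  return classify(res.status, Object.fromEntries(res.headers), body);
}

// Constructed sample responses (not captured traffic), so this runs offline.
const samples = {
  hit: [200, { "x-ratelimit-remaining": "57" }, [{ cve_id: "CVE-2024-29041" }]],
  none: [200, { "x-ratelimit-remaining": "56" }, []],
  limited: [403, { "x-ratelimit-remaining": "0", "x-ratelimit-reset": "1700000000" }, null],
  outage: [503, {}, null],
};
for (const [label, args] of Object.entries(samples)) {
  console.log(label, JSON.stringify(classify(...args)));
}
```

Only the "clean" state means the API answered and returned no advisories; "rate-limited" and "error" mean the question was never answered.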