JavaScript Scanner

AI-BOM's Code Scanner detects AI components in JavaScript and TypeScript projects by analyzing dependency files and source code.

What it scans

Dependency files

  • package.json
  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • bun.lockb (via package.json)

Source files

All .js, .ts, .jsx, .tsx, and .mjs files are scanned for AI SDK usage.

Detected AI packages

Package                            Provider
openai                             OpenAI
@anthropic-ai/sdk                  Anthropic
@google/generative-ai              Google AI
@mistralai/mistralai               Mistral
cohere-ai                          Cohere
ollama                             Ollama
langchain                          LangChain
@langchain/core                    LangChain
@langchain/openai                  LangChain + OpenAI
llamaindex                         LlamaIndex
@huggingface/inference             Hugging Face
@aws-sdk/client-bedrock-runtime    AWS Bedrock
@azure/openai                      Azure OpenAI
ai                                 Vercel AI SDK
@ai-sdk/openai                     Vercel AI SDK

Detection examples

Import detection

// ESM imports
import OpenAI from 'openai';
import Anthropic from '@anthropic-ai/sdk';
import { ChatOpenAI } from '@langchain/openai';

// CommonJS requires
const { OpenAI } = require('openai');
const Anthropic = require('@anthropic-ai/sdk');

Model reference detection

const completion = await openai.chat.completions.create({
  model: "gpt-4o",
  messages: [{ role: "user", content: "Hello" }],
});

API key detection

// Hardcoded API keys detected as critical severity
const openai = new OpenAI({ apiKey: "sk-proj-abc123..." });
const anthropic = new Anthropic({ apiKey: "sk-ant-api03-..." });

Environment variable references

// These are detected but at lower severity since they use env vars
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

Framework-specific detection

Vercel AI SDK

import { generateText } from 'ai';
import { openai } from '@ai-sdk/openai';

const result = await generateText({
  model: openai('gpt-4o'),
  prompt: 'What is AI security?',
});

LangChain.js

import { ChatOpenAI } from '@langchain/openai';
import { HumanMessage } from '@langchain/core/messages';

const model = new ChatOpenAI({ modelName: "gpt-4o" });

Shadow AI detection

When an AI SDK is imported in source code but not listed in package.json dependencies, AI-BOM flags it as shadow AI. This commonly happens with:

  • Prototype code that was committed without updating dependencies
  • Copy-pasted snippets from tutorials
  • Transitive dependencies used directly

Risk scoring

JavaScript/TypeScript components follow the same risk scoring as the Python scanner:

  • Hardcoded API keys - critical severity
  • Declared dependencies - lower risk than shadow AI
  • Deprecated or unpinned models - medium severity warnings
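As an added example (not AI-BOM's own code), a minimal JavaScript detector that applies the shadow AI rule and the API key classification described above: it cross-references AI SDK imports and requires with package.json, and separates hardcoded apiKey literals from process.env references. The package list is a subset of the table, and every severity label other than "critical" for hardcoded keys is an assumed value, not AI-BOM's actual scoring.

```javascript
// Added example, not AI-BOM's own code: cross-reference AI SDK imports with
// package.json to flag shadow AI, and classify apiKey usage by severity.
// Severities other than "critical" for hardcoded keys are assumed values.
const AI_PACKAGES = new Map([
  ["openai", "OpenAI"],
  ["@anthropic-ai/sdk", "Anthropic"],
  ["@langchain/openai", "LangChain + OpenAI"],
  ["ai", "Vercel AI SDK"],
]);
// Matches both `import ... from 'pkg'` and `require('pkg')`.
const IMPORT_RE = /(?:\bfrom\s+|\brequire\(\s*)['"]([^'"]+)['"]/g;
// Captures either an env-var reference or a string literal passed as apiKey.
const API_KEY_RE = /apiKey:\s*(process\.env\.\w+|['"][^'"]+['"])/g;

// '@langchain/core/messages' -> '@langchain/core'; 'openai/helpers' -> 'openai'.
function packageName(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function scanSource(source, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  const findings = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const pkg = packageName(m[1]);
    if (!AI_PACKAGES.has(pkg)) continue;
    const isDeclared = declared.has(pkg); // missing from package.json => shadow AI
    findings.push({ type: isDeclared ? "declared-dependency" : "shadow-ai",
      package: pkg, provider: AI_PACKAGES.get(pkg), severity: isDeclared ? "low" : "high" });
  }
  for (const m of source.matchAll(API_KEY_RE)) {
    const hardcoded = !m[1].startsWith("process.env."); // string literal => secret in code
    findings.push({ type: hardcoded ? "hardcoded-api-key" : "env-api-key",
      severity: hardcoded ? "critical" : "low" });
  }
  return findings;
}

// Constructed sample input: 'ai' is imported but missing from package.json.
const SAMPLE_SOURCE = `
import OpenAI from 'openai';
import { generateText } from 'ai';
const a = new OpenAI({ apiKey: "sk-proj-EXAMPLE-NOT-A-REAL-KEY" });
const b = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
`;
const SAMPLE_PACKAGE_JSON = { dependencies: { openai: "^4.0.0" } };
console.log(JSON.stringify(scanSource(SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON)));
```

Running it reports openai as a declared dependency, ai as shadow AI, one critical hardcoded key and one low-severity env-var reference.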