DEV.co
MCP Servers · kucherenko

jscpd

jscpd is a copy-paste detector that scans source code across 223+ programming formats to identify duplicated code blocks using the Rabin-Karp algorithm. It offers both a TypeScript (v4) and production-ready Rust engine (v5) that is 24-37x faster, with built-in support for AI workflows via token-efficient reporting and MCP server integration.

Source: GitHub — github.com/kucherenko/jscpd
5.9k
GitHub stars
244
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykucherenko/jscpd
Ownerkucherenko
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars5.9k
Forks244
Open issues48
Latest releasev5.0.11 (2026-06-20)
Last updated2026-07-06
Sourcehttps://github.com/kucherenko/jscpd

What jscpd is

jscpd implements token-based duplicate detection across multi-format codebases, with v5 rewritten in Rust as a self-contained binary requiring no Node.js runtime. It supports 13 reporters (console, JSON, HTML, SARIF, AI), git blame attribution, parallel worker control, and integrates with CI/CD pipelines and AI agent workflows via MCP protocol.

Quickstart

Get the jscpd source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kucherenko/jscpd.gitcd jscpd# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-commit and CI/CD quality gates

Enforce DRY principles in automated workflows. v5's 24-37x speed improvement makes it practical for large codebases in CI pipelines; supports GitHub Actions, pre-commit hooks, and threshold-based failure modes.

AI-assisted refactoring workflows

Integrate with coding assistants via AI reporter (79% fewer tokens) and MCP server. The tool provides structured clone data that LLM pipelines can consume for automated duplication elimination.

Multi-language monorepo analysis

Detect cross-format duplicates (Vue SFC, Svelte, Astro, Markdown) in polyglot projects. Unified CLI and config reduce tooling complexity for organizations with mixed tech stacks.

Implementation considerations

  • Choose engine version carefully: v5 (Rust, 24-37x faster, no Node.js) is production-ready but lacks v4's LevelDB/Redis stores and Node.js API; v4 recommended only if distributed caching is mandatory.
  • Configure worker parallelism (`--workers`) based on CPU cores for large codebases; defaults to auto-detect but may need tuning in containerized/CI environments with CPU quotas.
  • Use AI reporter (`--reporters ai`) for LLM pipelines to reduce token overhead; console reporter useful for human review but verbose for ML consumption.
  • Test blame feature (`--blame`) on large repos first; git history scanning adds overhead though parallelization mitigates it.
  • Set clone threshold (`--minTokens`) to avoid false positives on boilerplate code (e.g., imports, getters); default is 50 tokens.

When to avoid it — and what to weigh

  • Distributed cache requirements (v5) — v5 Rust engine removed LevelDB and Redis store support. If your pipeline requires persistent distributed caching across runs, v4 TypeScript engine with Redis store is needed.
  • Custom language/tokenizer requirements — Supports 223 formats out-of-box but no user-facing tokenizer plugin API. Custom language support requires source code contribution, not viable for internal DSLs or proprietary language extensions.
  • Semantic/intent-based clone detection — jscpd detects syntactic duplicates via token matching, not semantic equivalence. Refactored logic with different structure but identical behavior will not be flagged.
  • Real-time inline editor integration — No built-in LSP implementation or editor plugins bundled. Integration requires custom wrapper development for IDE real-time feedback.

License & commercial use

jscpd is licensed under the MIT License, an OSI-approved permissive open-source license.

MIT license permits unrestricted commercial use, modification, and distribution provided original license and copyright notice are retained. No commercial restrictions identified in license terms; however, review your legal/compliance policies for internal use vs. redistribution scenarios.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

jscpd parses untrusted source code (common for linters). No exploit details provided in data. Standard considerations: run in isolated environment for untrusted input, validate binary provenance via package manager checksums, keep dependencies updated. v5 Rust binary reduces attack surface vs. v4 Node.js runtime. No security audit or vulnerability disclosure policy mentioned in data.

Alternatives to consider

PMD/CPD (Java-based)

Language-agnostic, mature ecosystem, but slower, requires Java runtime, and less active than jscpd for multi-format support.

SonarQube (proprietary + OSS)

Full-featured code quality platform with duplication detection, but heavier deployment (server + database), commercial for advanced features, overkill if only clone detection needed.

TNPM/Levenshtein-based diff tools

Lightweight, language-agnostic, but less sophisticated token-based detection and no built-in reporters/CI integration; requires custom scripting.

Software development agency

Build on jscpd with DEV.co software developers

jscpd detects copy-paste across your entire codebase—223+ formats, 24-37x faster with Rust v5. Integrate into CI/CD, refactor with AI assistants, or embed via MCP. MIT licensed, no vendor lock-in. Start free with npm or cargo today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

jscpd FAQ

Should I use v4 or v5?
v5 (Rust) is recommended for production unless you need LevelDB/Redis stores (v4 only) or Node.js API (v4 only). v5 is 24-37x faster, requires no runtime, and has feature parity for CLI use.
Does jscpd work offline?
Yes. v5 is fully offline (self-contained binary). v4 requires Node.js but no external services. No phone-home or license-check behavior documented.
Can I use jscpd in a Docker/Kubernetes CI pipeline?
Yes. v5 binary has no external dependencies; v4 needs Node.js container. Both integrate via CLI; set `--workers` to match pod CPU quota. SARIF output works with GitHub Actions scanning.
What's the performance impact for monorepos?
v5 shows 24-37x speedup vs. v4 on large codebases (17K files). Parallelization uses all CPU cores by default; adjust with `--workers` if running in resource-constrained environments.

Work with a software development agency

DEV.co helps companies turn open-source tools like jscpd into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.

Eliminate Code Duplication at Scale

jscpd detects copy-paste across your entire codebase—223+ formats, 24-37x faster with Rust v5. Integrate into CI/CD, refactor with AI assistants, or embed via MCP. MIT licensed, no vendor lock-in. Start free with npm or cargo today.