jscpd
jscpd is a copy-paste detector that scans source code across 223+ programming formats to identify duplicated code blocks using the Rabin-Karp algorithm. It offers both a TypeScript (v4) and production-ready Rust engine (v5) that is 24-37x faster, with built-in support for AI workflows via token-efficient reporting and MCP server integration.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kucherenko/jscpd |
| Owner | kucherenko |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 5.9k |
| Forks | 244 |
| Open issues | 48 |
| Latest release | v5.0.11 (2026-06-20) |
| Last updated | 2026-07-06 |
| Source | https://github.com/kucherenko/jscpd |
What jscpd is
jscpd implements token-based duplicate detection across multi-format codebases, with v5 rewritten in Rust as a self-contained binary requiring no Node.js runtime. It supports 13 reporters (console, JSON, HTML, SARIF, AI), git blame attribution, parallel worker control, and integrates with CI/CD pipelines and AI agent workflows via MCP protocol.
Get the jscpd source
Clone the repository and explore it locally.
git clone https://github.com/kucherenko/jscpd.gitcd jscpd# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Choose engine version carefully: v5 (Rust, 24-37x faster, no Node.js) is production-ready but lacks v4's LevelDB/Redis stores and Node.js API; v4 recommended only if distributed caching is mandatory.
- Configure worker parallelism (`--workers`) based on CPU cores for large codebases; defaults to auto-detect but may need tuning in containerized/CI environments with CPU quotas.
- Use AI reporter (`--reporters ai`) for LLM pipelines to reduce token overhead; console reporter useful for human review but verbose for ML consumption.
- Test blame feature (`--blame`) on large repos first; git history scanning adds overhead though parallelization mitigates it.
- Set clone threshold (`--minTokens`) to avoid false positives on boilerplate code (e.g., imports, getters); default is 50 tokens.
When to avoid it — and what to weigh
- Distributed cache requirements (v5) — v5 Rust engine removed LevelDB and Redis store support. If your pipeline requires persistent distributed caching across runs, v4 TypeScript engine with Redis store is needed.
- Custom language/tokenizer requirements — Supports 223 formats out-of-box but no user-facing tokenizer plugin API. Custom language support requires source code contribution, not viable for internal DSLs or proprietary language extensions.
- Semantic/intent-based clone detection — jscpd detects syntactic duplicates via token matching, not semantic equivalence. Refactored logic with different structure but identical behavior will not be flagged.
- Real-time inline editor integration — No built-in LSP implementation or editor plugins bundled. Integration requires custom wrapper development for IDE real-time feedback.
License & commercial use
jscpd is licensed under the MIT License, an OSI-approved permissive open-source license.
MIT license permits unrestricted commercial use, modification, and distribution provided original license and copyright notice are retained. No commercial restrictions identified in license terms; however, review your legal/compliance policies for internal use vs. redistribution scenarios.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
jscpd parses untrusted source code (common for linters). No exploit details provided in data. Standard considerations: run in isolated environment for untrusted input, validate binary provenance via package manager checksums, keep dependencies updated. v5 Rust binary reduces attack surface vs. v4 Node.js runtime. No security audit or vulnerability disclosure policy mentioned in data.
Alternatives to consider
PMD/CPD (Java-based)
Language-agnostic, mature ecosystem, but slower, requires Java runtime, and less active than jscpd for multi-format support.
SonarQube (proprietary + OSS)
Full-featured code quality platform with duplication detection, but heavier deployment (server + database), commercial for advanced features, overkill if only clone detection needed.
TNPM/Levenshtein-based diff tools
Lightweight, language-agnostic, but less sophisticated token-based detection and no built-in reporters/CI integration; requires custom scripting.
Build on jscpd with DEV.co software developers
jscpd detects copy-paste across your entire codebase—223+ formats, 24-37x faster with Rust v5. Integrate into CI/CD, refactor with AI assistants, or embed via MCP. MIT licensed, no vendor lock-in. Start free with npm or cargo today.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
jscpd FAQ
Should I use v4 or v5?
Does jscpd work offline?
Can I use jscpd in a Docker/Kubernetes CI pipeline?
What's the performance impact for monorepos?
Work with a software development agency
DEV.co helps companies turn open-source tools like jscpd into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your mcp servers stack.
Eliminate Code Duplication at Scale
jscpd detects copy-paste across your entire codebase—223+ formats, 24-37x faster with Rust v5. Integrate into CI/CD, refactor with AI assistants, or embed via MCP. MIT licensed, no vendor lock-in. Start free with npm or cargo today.