jscpd is an open-source copy/paste detector for 223+ languages, with a Rust-powered v5 engine that is 24-37x faster and AI-ready out of the box.
What it does
jscpd is a copy/paste detector for source code that finds duplicated blocks across 223+ languages and file formats. Version 5 is a Rust rewrite that runs 24-37x faster than the Node.js v4 engine, ships as a self-contained binary, and integrates with AI workflows via MCP server and an LLM-optimized r
Duplicated code is where the same bug lives twice. jscpd surfaces copy/paste debt across an entire codebase in one command, giving teams a concrete, measurable signal to act on before technical debt compounds.
jscpd has been detecting code duplication since 2013. Version 5, released in 2026, is a ground-up Rust rewrite that ships as a self-contained binary with no Node.js runtime required. The same .jscpd.json config and CLI flags from v4 work unchanged, making it a drop-in upgrade.
jscpd implements the Rabin-Karp algorithm to find matching token sequences across files. It tokenizes source code per language (and per block for Vue SFC, Svelte, Astro, and Markdown), then compares blocks against configurable minimums: 50 tokens and 5 lines by default. A <script> block in a .vue file can match a plain .ts file, catching cross-format duplication that simpler tools miss.
Per the README benchmarks on Apple Silicon, v5 scans 548 files in 0.03s (v4: 1.03s, 34x speedup), 9K Svelte files in 0.43s (v4: 15.8s, 37x speedup), and the 17K-file CopilotKit repo in 3.44s (v4: 82.89s, 24x speedup). The npm package pulls 1.2M weekly downloads and lists 84 dependents. GitHub Super Linter, Codacy, and MegaLinter all bundle jscpd as their copy/paste detection engine, per the README.
Three AI-facing features make jscpd usable inside agentic workflows. The --reporters ai flag emits compact output that uses roughly 79% fewer tokens than the default console reporter, suitable for piping directly into an LLM. An MCP server lets Claude and similar assistants call jscpd directly via the Model Context Protocol. Two installable agent skills teach a coding assistant how to invoke jscpd and execute a guided DRY refactoring workflow.
v5 trades some v4 features for speed. LevelDB and Redis persistent stores are v4-only, as is the Node.js programmatic API (jscpd(), detectClones()). Teams that need those should stay on v4, which still receives updates (v4.2.x added 70+ new formats and cross-format detection).
If you need fast, language-agnostic duplicate detection that plugs into CI, feeds an LLM, or runs inside an AI agent, jscpd v5 is the most capable single tool for the job. Run jscpd . --threshold 10 in CI and let the build fail before duplicated bugs multiply.
Features
Field notes
Reviewed Jun 26, 2026
Best for
Builder outcomes
Watch out
Tested with
Go deeper
First-person account by the jscpd v5 Rust rewrite author explaining the architectural decisions, performance benchmarks (24-37x faster), and motivation for rebuilding jscpd in Rust.
Practitioner tutorial benchmarking jscpd-rs (v5 Rust rewrite) at 50x+ speed vs original jscpd in a real GitHub Actions CI gate, with concrete setup steps.
jscpd is an open-source copy/paste detector that finds duplicated code blocks across source files in 223+ languages. It implements the Rabin-Karp algorithm to compare tokenized code segments, reporting the exact file locations, line ranges, and token counts for every clone it finds. The tool exists because duplicated code means the same bug can appear in multiple places, and jscpd gives teams a measurable, automatable way to track and reduce that risk.
The fastest install is `npm install -g jscpd` (installs both `jscpd` and `cpd` commands) or `cargo install jscpd` for the Rust-native install. You can also use the universal installer: `curl -fsSL https://jscpd.dev/install.sh | bash`. Once installed, run `jscpd ./src` to scan a directory; add `--reporters html,json` for report files, or `--threshold 10` to fail CI when duplication exceeds 10%. The v5 binary is self-contained and requires no Node.js runtime.
Yes, jscpd is released under the MIT license and is fully free to use. The source is on GitHub at kucherenko/jscpd. The project accepts optional sponsorship via OpenCollective, but there are no paid tiers or commercial licenses.
jscpd is best for teams that want a fast, CI-integrated gate on copy/paste debt across large or polyglot codebases. Its cross-format detection catches duplication between Vue SFC script blocks and plain TypeScript files, which most linters miss. The AI reporter and MCP server make it equally useful inside agentic coding workflows where an LLM needs structured clone data to drive refactoring.
v5 is a Rust rewrite that is 24-37x faster than v4 across all codebase sizes, ships as a self-contained binary, and adds git blame and an AI-optimized reporter. The trade-off is that v5 drops the Node.js programmatic API (`jscpd()`, `detectClones()`) and LevelDB/Redis persistent stores. If your workflow depends on programmatic Node.js usage or distributed caching, stay on v4; for everything else, v5 is the drop-in upgrade with the same CLI flags and config file.
jscpd detects duplication at the token level, not the AST or semantic level, so structurally different but logically equivalent code may not be flagged. The v5 Rust engine does not yet support LevelDB or Redis stores, which affects parallel CI runs that rely on a shared cache. Benchmarks in the README were run on Apple Silicon, so performance on other platforms may vary. Finally, cross-format detection (Vue, Svelte, Astro, Markdown) requires that the file types are in the supported formats list, which you can verify with `jscpd --list`.
Cory House@housecor
“Problem: Your code base probably contains a lot of copy/pasted code, but it's hard to find. Solution: jscpd jscpd is a command line tool that finds copy/pasted code and reports specific duplicated lines. Works for over 150 languages. Exampl…”
Cory House@housecor
“Problem: You want to find copy/pasted code. Solution: jscpd. It finds copy/pasted code in over 150 languages. I just ran this command on a JS project: npx jscpd --ignore "**/node_modules/**" It found over 6,000+ lines of duplicated code.”
Cory House@housecor
“One of my favorite tools during a code audit is jscpd. It detects copy/pasted code. In a codebase I’m currently reviewing, nearly half of the JS is duplicated! jscpd lists the specific duplicated spots so we can consider a cleanup.”
Open-source AI code reviewer with bring-your-own-model, custom rule enforcement, and zero LLM markup for engineering teams.
Best for Teams with custom coding standards, domain rules, or naming conventions that generic AI reviewers missAnatomia, CLI harness that gives AI coding agents a verifiable pipeline and proof chain, not just prompts. MIT-licensed, works with Claude Code, Codex, and more.
NVIDIA's open-source security scanner for AI agent skills, detects prompt injection, supply chain attacks, and 66 other vulnerability patterns before you install.
Best for Teams auditing AI agent skills before installation in Claude Code, Codex CLI, or Gemini CLI environmentsType-check TypeScript and JavaScript code fences in Markdown and MDX docs against your real project API, in editor, CLI, and CI.
Best for Teams using AI agents to write or update docs, where hallucinated API names and option keys are a real riskOpen-source toolkit for Spec-Driven Development with AI coding agents, structured specs, plans, and tasks instead of vibe coding.
Best for Teams using AI coding agents on projects where correctness and reliability matter more than speed of first outputFree repo scanner that checks GitHub and Bitbucket projects for malware, credential stealers, and crypto scams before you run their code.
Best for Developers vetting unfamiliar GitHub or Bitbucket repos before cloning or running them locally