# Dependency Freshness Checker CLI

A CLI tool that monitors outdated dependencies across multiple package managers (npm, pip, go, cargo) with security vulnerability context.

## Features

- **Multi-package manager support**: Parse and analyze dependency files for npm, pip, go, and cargo
- **Security CVE scanning**: Bundled CVE knowledge base with severity levels
- **Interactive terminal UI**: Color-coded output using Rich
- **CI/CD integration**: JSON output and proper exit codes
- **Configuration system**: YAML-based configuration
- **Upgrade recommendations**: Suggest minimal safe upgrades

## Installation

```bash
pip install depcheck
```

Or from source:

```bash
pip install -e .
```

## Usage

### Basic Usage

Scan the current directory for outdated dependencies:

```bash
depcheck scan
```

Scan a specific file:

```bash
depcheck scan package.json
depcheck scan requirements.txt
```

### Options

- `--json`: Output in JSON format
- `--ci`: CI/CD mode with proper exit codes
- `--fail-level`: Set severity threshold for failures (critical, high, medium, low)
- `--exclude-dev`: Exclude dev dependencies
- `--verbose`: Enable verbose output
- `--quiet`: Suppress non-essential output

### Exit Codes

- `0`: All dependencies are fresh
- `1`: Outdated or vulnerable dependencies found
- `2`: Error occurred during scan

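The following is an added illustration of how the `--fail-level` threshold, the JSON report and the three exit codes above fit together. It is example code written for this README, not depcheck's own analyzer: the advisory knowledge base, the `EXAMPLE-...` identifiers and the versions are constructed placeholders, and the threshold semantics (every match is reported, only matches at or above the fail level produce exit code 1, an invalid option produces exit code 2) are an assumption about how the documented options behave.

```python
"""Vulnerability matching, the --fail-level threshold and exit codes.

Added example for this README; not depcheck's own code. The advisory data,
identifiers (EXAMPLE-...) and package versions are constructed placeholders.
Assumed semantics: every match is reported, but only matches at or above the
fail level turn the exit code to 1; a scan error returns 2.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXIT_FRESH, EXIT_FINDINGS, EXIT_ERROR = 0, 1, 2

# Constructed knowledge base keyed by (package manager, lower-cased name).
# "fixed_in" is the first safe version, i.e. the minimal upgrade to suggest.
ADVISORIES = {
    ("pip", "requests"): [{"id": "EXAMPLE-0001", "severity": "high", "fixed_in": "2.31.0"}],
    ("pip", "pyyaml"): [{"id": "EXAMPLE-0002", "severity": "medium", "fixed_in": "5.4"}],
    ("npm", "lodash"): [{"id": "EXAMPLE-0003", "severity": "critical", "fixed_in": "4.17.21"}],
}

# Constructed scan input: (manager, package name, installed version).
SAMPLE_DEPS = [
    ("pip", "requests", "2.25.1"),
    ("npm", "lodash", "4.17.21"),
    ("pip", "PyYAML", "5.3.1"),
    ("go", "golang.org/x/text", "v0.3.7"),
]


def parse_version(text):
    """Turn '1.2.3', 'v1.2' or '1.2.3-beta' into a tuple of ints (non-numeric tails are dropped)."""
    parts = []
    for piece in str(text).strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_before(installed, fixed):
    """True when `installed` sorts below `fixed`; short tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_vulnerabilities(deps):
    """Match every dependency against the knowledge base, highest severity first."""
    findings = []
    for manager, name, version in deps:
        for adv in ADVISORIES.get((manager, name.lower()), []):
            if version_before(version, adv["fixed_in"]):
                findings.append({
                    "manager": manager,
                    "package": name,
                    "installed": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "recommended_upgrade": adv["fixed_in"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def scan(deps, fail_level="low"):
    """Return (report dict, exit code) the way a --ci run would."""
    if fail_level not in SEVERITY_RANK:
        return {"error": f"invalid fail level: {fail_level}", "findings": []}, EXIT_ERROR
    findings = find_vulnerabilities(deps)
    threshold = SEVERITY_RANK[fail_level]
    failing = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    report = {"fail_level": fail_level, "findings": findings, "failing": len(failing)}
    return report, (EXIT_FINDINGS if failing else EXIT_FRESH)


def json_report(deps, fail_level="low"):
    """The --json form: a serialised report plus the exit code for the CI job."""
    report, code = scan(deps, fail_level)
    return json.dumps(report, indent=2), code


if __name__ == "__main__":
    body, code = json_report(SAMPLE_DEPS, "high")
    print(body)
    raise SystemExit(code)
```

With the sample input, `--fail-level high` fails the run because of the `requests` match while still listing the medium-severity `PyYAML` match; `--fail-level critical` reports both and exits 0, which is the behaviour a pipeline relies on when it gates only on the highest severities.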
## Configuration

Create a `.depcheck.yaml` file in your project root:

```yaml
ignore_patterns:
  - "test/"
  - "example/"

ignore_packages:
  - "@types/*"

fail_level: medium

output:
  format: terminal
  verbose: false

include_dev: true

package_managers:
  - npm
  - pip
```

Configuration is also read from `~/.config/depcheck/.depcheck.yaml`.

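As an added example of how the two configuration files above can be combined and then applied to a set of parsed dependencies (written for this README, not depcheck's own `config.py`): the YAML is taken as already-parsed dicts so no YAML library is needed, the project-root file is assumed to override the user-level file key by key, `ignore_patterns` entries ending in `/` are treated as directory prefixes and the rest as globs, and the dependency records are constructed.

```python
"""Layered configuration and dependency filtering.

Added example for this README; not depcheck's own config.py. It works on the
already-parsed YAML as dicts. Assumptions: the project-root file overrides the
user-level file key by key, `ignore_patterns` entries ending in "/" are
directory prefixes and other entries are globs, `ignore_packages` are globs.
"""
import fnmatch

VALID_LEVELS = ("critical", "high", "medium", "low")

DEFAULTS = {
    "ignore_patterns": [],
    "ignore_packages": [],
    "fail_level": "low",
    "output": {"format": "terminal", "verbose": False},
    "include_dev": True,
    "package_managers": ["npm", "pip", "go", "cargo"],
}

# Constructed stand-ins for ~/.config/depcheck/.depcheck.yaml and the project file.
USER_CONFIG = {"fail_level": "low", "output": {"verbose": True}}
PROJECT_CONFIG = {
    "ignore_patterns": ["test/", "example/"],
    "ignore_packages": ["@types/*"],
    "fail_level": "medium",
    "output": {"format": "terminal", "verbose": False},
    "include_dev": True,
    "package_managers": ["npm", "pip"],
}

# Constructed parsed dependencies, each tagged with the file it came from.
SAMPLE_DEPS = [
    {"manager": "npm", "name": "lodash", "version": "4.17.20", "dev": False, "file": "package.json"},
    {"manager": "npm", "name": "@types/node", "version": "18.0.0", "dev": True, "file": "package.json"},
    {"manager": "npm", "name": "left-pad", "version": "1.3.0", "dev": False, "file": "test/fixtures/package.json"},
    {"manager": "pip", "name": "requests", "version": "2.25.1", "dev": False, "file": "requirements.txt"},
    {"manager": "go", "name": "golang.org/x/text", "version": "0.3.7", "dev": False, "file": "go.mod"},
    {"manager": "pip", "name": "pytest", "version": "7.4.0", "dev": True, "file": "example/requirements.txt"},
]


def merge_config(*layers):
    """Apply layers in order (later wins); the `output` mapping merges key by key."""
    merged = {}
    for key, val in DEFAULTS.items():
        merged[key] = dict(val) if isinstance(val, dict) else list(val) if isinstance(val, list) else val
    for layer in layers:
        for key, value in (layer or {}).items():
            if key not in DEFAULTS:
                raise ValueError(f"unknown configuration key: {key}")
            if isinstance(DEFAULTS[key], dict):
                merged[key] = {**merged[key], **value}
            else:
                merged[key] = value
    if merged["fail_level"] not in VALID_LEVELS:
        raise ValueError(f"fail_level must be one of {VALID_LEVELS}")
    return merged


def path_is_ignored(path, patterns):
    """Directory-style patterns match any path component; others are fnmatch globs."""
    norm = path.replace("\\", "/")
    for pat in patterns:
        if pat.endswith("/"):
            if norm.startswith(pat) or ("/" + pat) in norm:
                return True
        elif fnmatch.fnmatch(norm, pat):
            return True
    return False


def package_is_ignored(name, patterns):
    return any(fnmatch.fnmatch(name, pat) for pat in patterns)


def filter_dependencies(deps, cfg):
    """Drop dependencies the merged configuration says not to scan."""
    kept = []
    for dep in deps:
        if dep["manager"] not in cfg["package_managers"]:
            continue
        if dep["dev"] and not cfg["include_dev"]:
            continue
        if path_is_ignored(dep["file"], cfg["ignore_patterns"]):
            continue
        if package_is_ignored(dep["name"], cfg["ignore_packages"]):
            continue
        kept.append(dep)
    return kept


if __name__ == "__main__":
    cfg = merge_config(USER_CONFIG, PROJECT_CONFIG)
    for dep in filter_dependencies(SAMPLE_DEPS, cfg):
        print(dep["manager"], dep["name"], dep["version"])
```

Rejecting unknown keys and invalid `fail_level` values at merge time matters in CI: a typo such as `fail_levle` would otherwise silently fall back to the default and the job would never fail on the severity you meant to gate on.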
## CI/CD Integration

### GitHub Actions Example

```yaml
- name: Check dependencies
  run: depcheck scan --ci --fail-level high
```

### GitLab CI Example

```yaml
dependency_check:
  script:
    - depcheck scan --ci --json > dependency-report.json
  artifacts:
    paths:
      - dependency-report.json
```

## Supported Package Managers

| Package Manager | Files |
|-----------------|-------|
| npm | package.json |
| pip | requirements.txt, pyproject.toml |
| go | go.mod |
| cargo | Cargo.toml |

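An added example of the parsing step behind the table above and the multi-package-manager feature: one small parser per file format, all returning the same record shape, plus a dispatcher on the file name. This is example code written for this README, not the `parsers/` package of depcheck itself. It reduces range specifiers to their lower bound, handles only the plain and inline-table forms in `Cargo.toml`, leaves `pyproject.toml` out, and all four sample files are constructed.

```python
"""Parsers for the dependency files in the table above.

Added example for this README, not depcheck's own parsers/ package. Each parser
returns dicts of the same shape: manager, name, version, dev. Range prefixes
("^", "~", ">=") are dropped to keep the lower bound; Cargo.toml handles the
plain and inline-table forms only; pyproject.toml is not covered. Samples are
constructed.
"""
import json
import re

PACKAGE_JSON = '{"name": "demo", "dependencies": {"lodash": "^4.17.20"}, "devDependencies": {"@types/node": "~18.0.0"}}'
REQUIREMENTS_TXT = "# pinned\nrequests==2.25.1\nPyYAML>=5.3.1 ; python_version < '3.12'\n-r dev.txt\nflask\n"
GO_MOD = "module example.com/demo\n\ngo 1.21\n\nrequire (\n\tgolang.org/x/text v0.3.7\n\tgithub.com/stretchr/testify v1.8.4 // indirect\n)\n"
CARGO_TOML = '[package]\nname = "demo"\n\n[dependencies]\nserde = "1.0.188"\ntokio = { version = "1.32", features = ["full"] }\n\n[dev-dependencies]\nproptest = "1.2"\n'


def _dep(manager, name, version, dev=False, **extra):
    return {"manager": manager, "name": name, "version": version, "dev": dev, **extra}


def parse_package_json(text):
    data = json.loads(text)
    deps = []
    for section, dev in (("dependencies", False), ("devDependencies", True)):
        for name, spec in data.get(section, {}).items():
            deps.append(_dep("npm", name, spec.lstrip("^~>=<"), dev))
    return deps


def parse_requirements(text):
    deps = []
    pinned = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(?:==|>=|~=)\s*([^\s;,]+)")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as "-r dev.txt"
        m = pinned.match(line)
        if m:
            deps.append(_dep("pip", m.group(1).lower(), m.group(2)))
        else:  # bare name, or an operator we do not reduce (e.g. "<", "!=")
            name = re.split(r"[<>=!~;\s]", line, maxsplit=1)[0]
            deps.append(_dep("pip", name.lower(), None))
    return deps


def parse_go_mod(text):
    deps = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        parts = line.split()
        if in_block and len(parts) == 2:
            module, version = parts
        elif not in_block and len(parts) == 3 and parts[0] == "require":
            module, version = parts[1], parts[2]
        else:
            continue  # module, go, replace and other directives
        deps.append(_dep("go", module, version.lstrip("v"), indirect="// indirect" in raw))
    return deps


def parse_cargo_toml(text):
    deps = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section not in ("dependencies", "dev-dependencies"):
            continue
        m = re.match(r"^([A-Za-z0-9_\-]+)\s*=\s*(.+)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value.startswith('"'):  # serde = "1.0"
            vm = re.match(r'"([^"]*)"', value)
        else:  # tokio = { version = "1.32", ... }
            vm = re.search(r'version\s*=\s*"([^"]*)"', value)
        deps.append(_dep("cargo", name, vm.group(1).lstrip("^~=") if vm else None, section == "dev-dependencies"))
    return deps


PARSERS = {"package.json": parse_package_json, "requirements.txt": parse_requirements,
           "go.mod": parse_go_mod, "Cargo.toml": parse_cargo_toml}


def parse_dependency_file(path, text):
    """Dispatch on the file name, as a multi-manager scan would for each file it finds."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name not in PARSERS:
        raise ValueError(f"unsupported dependency file: {path}")
    return PARSERS[name](text)
```

A uniform record shape is what lets the rest of the pipeline (CVE matching, dev-dependency exclusion, reporting) stay ignorant of which package manager a dependency came from; the `indirect` flag on Go modules is kept because transitive modules still count for vulnerability matching even when they are not direct dependencies.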
## Security

The tool includes a bundled CVE database with known vulnerabilities for common packages. It checks your dependencies against this database and reports any matches with severity levels.

## Development

### Running Tests

```bash
pytest -q --cov=src --cov-report=term
pytest -q tests/integration/
```

### Project Structure

```
depcheck/
├── src/depcheck/
│   ├── parsers/        # Package manager parsers
│   ├── analyzers/      # CVE and version analyzers
│   ├── reporters/      # Output formatters
│   ├── config.py       # Configuration handling
│   └── cli.py          # CLI entry point
├── tests/
│   ├── unit/           # Unit tests
│   └── integration/    # Integration tests
└── data/               # Bundled CVE database
```

## License

MIT License