A lightweight, local-first CLI tool for monitoring the health of your project dependencies. Detect outdated packages, identify vulnerabilities, and get actionable upgrade suggestions without relying on cloud services or CI pipelines.
- Multi-Ecosystem Support: Works with npm (package.json) and Python (requirements.txt)
- Vulnerability Detection: Identifies known CVEs and security issues in dependencies
- Smart Upgrade Paths: Suggests safe version upgrades based on semantic versioning
- Multiple Output Formats: Human-readable text, JSON, and CI-friendly outputs
- Zero Configuration: Works out of the box with sensible defaults
- Privacy-First: Analysis runs locally; the only network traffic is the version and advisory lookups noted under the requirements below, and no data about your project is sent to external services
- CI/CD Ready: Integrate seamlessly into your build pipeline
```bash
npm install -g @prawals/dependency-health-checker
```

Or run directly with npx:

```bash
npx @prawals/dependency-health-checker
```

```bash
# Scan current directory
depcheck

# Output as JSON
depcheck --json

# Auto-fix safe updates
depcheck --fix

# Fail CI on high vulnerabilities
depcheck --fail-on-high
```

```text
Dependency Health Check Report
==============================

📦 Scanned: 42 dependencies
⚠️ Outdated: 8 packages
🔒 Vulnerabilities: 2 high, 3 moderate

Outdated Packages:
  express: 4.17.1 → 4.18.2 (minor update available)
  lodash: 4.17.19 → 4.17.21 (patch update - security fix)

High Vulnerabilities:
  [email protected]: Prototype Pollution (CVE-2021-44906)
    → Upgrade to 1.2.6 or higher

Run 'depcheck --fix' to safely update compatible versions
```
| Option | Description |
|---|---|
| `--json` | Output results as JSON |
| `--fix` | Automatically update safe dependencies |
| `--fail-on-high` | Exit with code 1 if high vulnerabilities are found |
| `--ignore <packages>` | Comma-separated list of packages to ignore |
| `--depth <level>` | Check dependency tree depth (default: all) |
| `--output <file>` | Save report to file |
| `--quiet` | Suppress non-critical output |
| `--verbose` | Show detailed information |
- User Guide - Detailed usage instructions and examples
- Testing Guide - How to test the tool and contribute tests
- API Documentation - Programmatic usage and extension
- Deployment Guide - CI/CD integration and deployment
- Contributing - How to contribute to the project
- Node.js >= 14.0.0
- npm or yarn
- Internet connection (for checking latest versions and vulnerabilities)
- Scanning: Detects and parses dependency files in your project
- Analysis: Compares installed versions with latest available versions
- Security Check: Cross-references dependencies with vulnerability databases
- Reporting: Generates actionable reports with upgrade recommendations
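As an added illustration of the four steps above (this is example code written for this page, not the project's own implementation), the Node.js snippet below parses a constructed `package.json`, classifies each available upgrade by semver component, cross-references a constructed advisory list, renders a text report in the spirit of the sample output, and derives the exit code that `--fail-on-high` would return. The package names, versions, advisory entries, the rule that a "safe" upgrade is one without a major bump, and every function name are assumptions made for the example; the real tool fetches latest versions and advisories from registries.

```javascript
// Added example, not the project's code. All inputs are constructed sample data.

// Constructed package.json as the scanner would read it from disk.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { express: "^4.17.1", lodash: "^4.17.19", "left-pad": "1.3.0" },
  devDependencies: { jest: "~29.5.0" },
});

// Constructed "registry index": latest published version per package.
const LATEST = { express: "4.18.2", lodash: "4.17.21", "left-pad": "1.3.0", jest: "29.7.0" };

// Constructed advisory feed: versions below fixedIn are affected.
const ADVISORIES = [
  { name: "lodash", severity: "high", fixedIn: "4.17.21", title: "Prototype Pollution (sample)" },
  { name: "jest", severity: "moderate", fixedIn: "29.6.0", title: "Sample moderate issue" },
];

// Extract [major, minor, patch] from a spec such as "^4.17.1" or "~29.5.0".
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing two versions component by component.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Classify the jump from installed to latest by the first semver component that differs.
function upgradeKind(installed, latest) {
  const [a, b] = [parseVersion(installed), parseVersion(latest)];
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  if (a[2] !== b[2]) return "patch";
  return "current";
}

// Step 1, scanning: merge runtime and dev dependencies into one name -> spec map.
function scan(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Steps 2 and 3, analysis and security check.
function analyze(deps, latestIndex, advisories) {
  const report = { outdated: [], vulnerabilities: [] };
  for (const [name, spec] of Object.entries(deps)) {
    const installed = parseVersion(spec).join(".");
    const latest = latestIndex[name];
    const kind = latest ? upgradeKind(installed, latest) : "unknown";
    if (kind !== "current" && kind !== "unknown") {
      // Assumption for this example: an upgrade is "safe" when it is not a major bump.
      report.outdated.push({ name, installed, latest, kind, safe: kind !== "major" });
    }
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(installed, adv.fixedIn) < 0) {
        report.vulnerabilities.push({ name, installed, severity: adv.severity, fixedIn: adv.fixedIn, title: adv.title });
      }
    }
  }
  return report;
}

// Step 4, reporting: a text rendering in the spirit of the sample output.
function renderReport(report) {
  const high = report.vulnerabilities.filter((v) => v.severity === "high").length;
  const lines = [
    "Dependency Health Check Report",
    "=".repeat(30),
    `Outdated: ${report.outdated.length} packages`,
    `Vulnerabilities: ${high} high, ${report.vulnerabilities.length - high} other`,
  ];
  for (const o of report.outdated) {
    lines.push(`  ${o.name}: ${o.installed} -> ${o.latest} (${o.kind} update${o.safe ? "" : " - review manually"})`);
  }
  for (const v of report.vulnerabilities) {
    lines.push(`  ${v.name}@${v.installed}: ${v.title} [${v.severity}] -> upgrade to ${v.fixedIn} or higher`);
  }
  return lines.join("\n");
}

// Exit code the --fail-on-high option would yield: 1 if any high-severity finding exists.
function exitCode(report, failOnHigh) {
  return failOnHigh && report.vulnerabilities.some((v) => v.severity === "high") ? 1 : 0;
}

function runSample() {
  const report = analyze(scan(SAMPLE_PACKAGE_JSON), LATEST, ADVISORIES);
  return { report, code: exitCode(report, true) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { report, code } = runSample();
  console.log(renderReport(report));
  console.log(`exit code with --fail-on-high: ${code}`);
}
```

On the constructed input this reports three outdated packages (express and jest as minor updates, lodash as a patch), two advisories (lodash high, jest moderate), and an exit code of 1 under `--fail-on-high`; left-pad is already at its latest version and is omitted.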
- ✅ Node.js - package.json, package-lock.json
- ✅ Python - requirements.txt, Pipfile
- 🚧 Ruby - Gemfile (coming soon)
- 🚧 Java - pom.xml (coming soon)
- 🚧 Go - go.mod (coming soon)
We welcome contributions! Please see our Contributing Guide for details on:
- Setting up the development environment
- Running tests
- Submitting pull requests
- Reporting issues
This project is licensed under the MIT License - see the LICENSE file for details.
| Feature | Dependency Health Checker | Dependabot | Snyk | npm audit |
|---|---|---|---|---|
| Local-first | ✅ | ❌ | ❌ | ✅ |
| No account required | ✅ | ❌ | ❌ | ✅ |
| Multi-ecosystem | ✅ | ✅ | ✅ | ❌ |
| Automatic fixes | ✅ | ✅ | ✅ | ✅ |
| CI/CD integration | ✅ | ✅ | ✅ | ✅ |
| Open source | ✅ | ❌ | ❌ | ✅ |
- Support for more package managers (Ruby, Java, Go)
- Dependency license checking
- Performance impact analysis
- Custom security policies
- IDE integrations
- Web dashboard (optional, local)
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: Report security vulnerabilities via GitHub Security
Built with ❤️ for developers who care about dependency health and security.