Cross-language dependency age analyzer — scan lock files for staleness, CVEs, and update urgency

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Bhayanak from gravatar.com Bhayanak

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: dep-age contributors
  • Tags audit , cve , dependencies , lockfile , outdated , security
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

dep-age logo

dep-age

Cross-language dependency age analyzer — scan lock files & manifests for staleness, CVEs, and update urgency.

CI Coverage 95% PyPI Python License: MIT Release

One command to answer: "How old and risky are my dependencies?"

Features

  • 6 ecosystems: npm · pip · gem · go · cargo · composer
  • Lock files + manifests: scans both resolved lock files and project manifests (package.json, pyproject.toml, Cargo.toml, go.mod, composer.json)
  • Async parallel registry lookups with local caching
  • CVE checking via OSV.dev API
  • Age classification: Fresh / Aging / Stale
  • Urgency scoring: None → Critical
  • Health score: 0–100
  • Multiple outputs: Rich terminal, JSON, Markdown, CSV, SVG badge
  • CI gating: --max-age and --max-cves flags exit non-zero on violations

Installation

pip install dep-age

Quick Start

# Auto-detect lock files in current directory
dep-age scan

# Scan specific file
dep-age scan package-lock.json

# JSON output
dep-age scan --format json --output deps.json

# CI gating: fail if any dep > 2 years or has CVEs
dep-age scan --max-age "2 years" --max-cves 0

# Generate freshness badge
dep-age badge --output dep-badge.svg

CLI Reference

dep-age scan [PATH...] [OPTIONS]

Arguments:
  PATH    Lock file(s) or directory to scan (default: current directory)

Options:
  -f, --format TEXT     Output: terminal, json, markdown, csv
  -o, --output TEXT     Write output to file
  --outdated            Show only outdated dependencies
  --cves-only           Show only dependencies with CVEs
  --older-than TEXT     Filter by age (e.g. "1 year", "6 months")
  --max-age TEXT        CI gate: exit 1 if any dep exceeds this age
  --max-cves INT        CI gate: exit 1 if total CVEs exceed this
  --ignore TEXT         Comma-separated packages to skip
  --offline             Use cached data only, no network requests
  -V, --version         Show version

Supported Files

Ecosystem Lock Files Manifest / Config
npm package-lock.json, yarn.lock, pnpm-lock.yaml package.json
Python requirements.txt, Pipfile.lock, poetry.lock pyproject.toml
Ruby Gemfile.lock
Go go.sum go.mod
Rust Cargo.lock Cargo.toml
PHP composer.lock composer.json

CI Integration

# GitHub Actions
- name: Dependency audit
  run: |
    pip install dep-age
    dep-age scan --max-age "2 years" --max-cves 0

Development

git clone https://github.com/dep-age/dep-age.git
cd dep-age
pip install -e ".[dev]"
ruff check src/ tests/
pytest --cov=dep_age --cov-fail-under=95

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for Bhayanak from gravatar.com Bhayanak

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: dep-age contributors
  • Tags audit , cve , dependencies , lockfile , outdated , security
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.0.2

1.0.1

This version

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dep_age-1.0.0.tar.gz (31.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

dep_age-1.0.0-py3-none-any.whl (28.0 kB view details)

Uploaded Python 3

File details

Details for the file dep_age-1.0.0.tar.gz.

File metadata

  • Download URL: dep_age-1.0.0.tar.gz
  • Upload date:
  • Size: 31.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.0.tar.gz
Algorithm Hash digest
SHA256 c922d838f0e0da2e063c189097671335e08e1f8e41151592134216a5b0c659bd
MD5 fb21f177b649aa062db10058482ea191
BLAKE2b-256 22fd819e98ceb8261413dde216e7e57172356dfb189f7c7a718ff4a346755c00

See more details on using hashes here.

Provenance

The following attestation bundles were made for dep_age-1.0.0.tar.gz:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dep_age-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: dep_age-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 28.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dep_age-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 dc6aaa4c03f3a3569938eafbd5f58af14816549baccd150a7320ba823900c646
MD5 e93971fbc41f1bb39477b5a9ba6eb9e2
BLAKE2b-256 f236552b31df1754671ca9f555a0af9c86618886d6810b22736cfbe9a62c0e92

See more details on using hashes here.

Provenance

The following attestation bundles were made for dep_age-1.0.0-py3-none-any.whl:

Publisher: release.yml on bhayanak/dep-age

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page